Société Générale / Risk Report - Pillar III

3 RISKMANAGEMENT ORGANISATION RISK MANAGEMENT ORGANISATION

departments of subsidiaries and branches, the Group Tax Department, which ensures compliance with tax laws in France and abroad, the Group Corporate Social Responsibility Department, which is responsible for defining and proposing a CSR (Corporate Social Responsibility) policy for the Group and the Group Security Department, which manages the security of the Group in cooperation with the Corporate Resources and Digital Transformation Service Unit with regard to information systems security, and the Group’s central administration services, and, when necessary, supports the Secretary of the Board of Directors. The Human Resources and Communication Division monitors the p implementation of compensation policies, amongst other things. The Corporate Resources and Innovation Division is specifically p responsible for defining information system security policies. The Group Internal Audit Division is in charge of internal audits, p under the authority of the Head of Group Internal Audit. According to the latest voluntary census (31 December 2019) with respect to full-time equivalent (FTE) employees: the Group Risk function had 5,568 FTE employees (including 1,617 p FTE employees within the Group Risk Division); the Compliance function had approximately 3,705 FTE employees; p the Information System Security function had approximately 457 p FTE employees. Risk reporting and assessment systems The Group’s data aggregation system operates at two levels, with clearly defined responsibilities. The teams of Business Units or Support Units and entities provide data collection and quality functions for both local and Group consolidation needs, as well as a first level of aggregation when necessary. The central teams of the Finance Department and the Risk Department aggregate this data and produce Group-wide risk indicators and reports. Since 2015, the Group has defined architectural principles relating to Finance and Risk information systems. The TOMFIR principles (Target Operating Model for Finance & Risk) revolve around the following objectives: the production of risk indicators is based on data from Business p Units and certified entities (Golden sources), with granularity of the contract, of accounting quality, updated daily and fed by the operational systems of the entities; the Group-level information system manages its own data p aggregation rules to avoid multiplying local developments at BU and entity level. It is based on Group-wide benchmarks, subject to the benchmarks of Business Units and entities; the IS architecture must address Finance and Risk uses to meet local p needs and needs shared with the Group. These architectural principles are applied to the following four main application areas: the mutual Finance and Risk information system for credit risk and p the calculation of RWA; interest rate and liquidity risk calculation chains; p the market risk calculation chain; p the counterparty risk calculation chain on market operations. p

ontributes to the definition of risk policies, taking into account - the aims of the businesses and the relevant risk issues, defines or validates the methods and procedures used to - analyse, measure, approve and monitor risks, implements a second-level control to ensure the correct - application of these methods and procedures, assesses and approves transactions and limits proposed by - business managers, defines or validates the architecture of the central risk - information system and ensures its suitability to business requirements; The Finance Division is organised according to three levels of p supervision, each attached to a Chief Financial Officer: French Retail Banking, and International Retail Banking and - Financial Services, Global Banking and Investor Solutions, - Cross-business functions, bringing together all the areas of - expertise that are key to the operations of the Finance Division; It also carries out extensive accounting and finance controls. As such: The Group Accounting Department is responsible for - coordinating the mechanism used to draw up the Group’s consolidated financial statements, The Experts on Metrics and Reporting Department is - responsible for producing the regulatory reports of the Group, The Mutualised Accounting and Regulatory Activities - Department within the pooled operations division is responsible for accounting, regulatory and tax production and coordinating the continuous improvement and management of processes for entities within its scope (o.w. Societe Generale SA), The Finance Control Department is responsible for the - second-level permanent control system over all of the Finance Processes, The Asset and Liability Management Department is in charge - of the ALM function for the Group, structural interest rate, Group liquidity, and exchange rate risks, as well as the operational management of ALM for the Societe Generale Parent Company (SGPM); The other cross-business functions provide various tasks for the Finance Division, in particular with the Finance Division of the Group Service Units, Group Investor Relations and Financial Communication, Human Resources and the Corporate Secretary. The Finance Departments of the Business Units and Service p Units, which report hierarchically to the Group Finance Division, ensure that the financial statements are prepared correctly at the local level and control the quality of the information in the financial reports (accounting, management control, regulations, etc.). The Group Compliance Division, which has been reporting to p General Management since 1 June 2017, ensures that the Group’s banking and investment activities are compliant with all laws, regulations and ethical principles applicable to them. It also ensures the prevention of reputational risk. The Corporate Secretary includes the Group Legal Department, p which notably monitors the security and legal compliance of the Group’s activities, relying where applicable on the legal

24

PILLAR 3 - 2020 | SOCIETE GENERALE GROUP |