Société Générale / Risk Report - Pillar III

4 INTERNAL CONTROL FRAMEWORK INTERNAL CONTROL

Within the internal control framework, these functions are tasked with continuously verifying that the security and management of risks affecting operations are ensured, under the responsibility of operational management, through the effective application of established standards, defined procedures, methods and controls as instructed. Accordingly, these functions must provide the necessary expertise to define, within their respective fields, the controls and other means of risk management to be implemented by the first line of defence, and to ensure that they are effectively implemented; they conduct second-level permanent control over all of the Group’s risks, employing the controls they have established, where

appropriate with other expert functions (e.g. sourcing, legal, tax, human resources, information system security, etc.) and by the businesses; the third line of defence is provided by the Internal Audit Division, p which encompasses the Internal Audit and General Inspection functions. This division carries out internal audits that are strictly independent of the business lines and the permanent control function; internal control coordination, under the responsibility of a Deputy p Chief Executive Officer, is also provided at Group level and is rolled out in each core business and Corporate Division.

2 ND LINE OF DEFENCE (LOD2)

1 ST LINE OF DEFENCE (LOD1)

3 RD LINE OF DEFENCE (LOD3)

Audit functions

Activities, Business & Functions

Risk Management Activities

Risk, Compliance and Finance functions

General Inspection and Internal Audit

2 ND LEVEL PERMANENT CONTROL

1 ST LEVEL PERMANENT CONTROL

PERMANENT CONTROL

A Deputy Chief Executive Officer is responsible for ensuring the overall consistency and effectiveness of the internal control system. This Deputy Chief Executive Officer also chairs the Group Internal Control Coordination Committee (Group ICCC), which comprises the Chief Risk Officer, the Chief Financial Officer, the Group Chief Compliance Officer, the Group Chief Information Officer, the Head of Group Internal Audit, and the Head of Internal Control Coordination. The Group Internal Control Coordination Committee met 13 times in 2019. It addressed the following issues: review of the effectiveness of permanent control in each Business p Unit (BU) and Service Unit (SU); review of the effectiveness and consistency of the Group internal p control framework; review of the Group quarterly permanent control dashboard prior to p its communication to the Group Audit and Internal Control Committee (CACI); transversal review of new technologies regarding control. p The structure implemented at Group level to coordinate the actions of participants in internal control is rolled out in all Business Unit (BU) and Service Unit (SU). All of the Group’s Business Unit (BU) and Service Unit (SU) have an Internal Control Coordination Committee. Chaired

by the Head of Business Unit (BU) and Service Unit (SU), these Committees bring together the competent Heads of Internal Audit and Permanent Control for the Business Unit (BU) and Service Unit (SU) in question, as well as the Head of Group Internal Control Coordination and the Heads of the Group-level control functions.

Permanent control system The Group’s permanent control system comprises:

first-level permanent control, under the responsibility of the p businesses, which aims to ensure, at the operational level, the security, quality, regularity and validity of transactions completed; second-level permanent control, independent from the p businesses, comes under three Corporate Divisions (Compliance, Risk and Finance Division). General management initiated in 2018 a program of transformation of the permanent control of the Group, which is under its direct supervision. Through a set of actions affecting the standards, the methods, the tools and the procedures, the training, etc., this program aims at strengthening the culture of control and at optimizing the risk control, so contributing to improve the quality and the reliability of services provided to our customers and partners. It progressed in 2019 as scheduled. It is planned to end at the end of 2020.

29

| SOCIETE GENERALE GROUP | PILLAR 3 - 2020