Société Générale / Risk Report - Pillar III

4 INTERNAL CONTROL FRAMEWORK

INTERNAL CONTROL

FIRST-LEVEL PERMANENT CONTROL

Conducted within the BUs and SUs in connection with operations, first-level permanent controls guarantee the security and quality of transactions and operations. These controls are defined as a set of measures that are permanently in place to guarantee, at operational level, compliance with rules and the validity and security of the transactions carried out.

First-level permanent control consists of:

- risk prevention systems: controls performed on a regular and continuous basis by the businesses or via automated systems when transactions are processed. They comprise a risk prevention framework: security rules and controls – automated or not – forming part of the processing of transactions, or controls included in operational procedures;
- controls performed by managers: line managers check the correct functioning of all systems under their responsibility. In this respect, they are required to regularly apply formalised procedures to ensure that employees comply with rules and procedures and that the first-level controls are carried out effectively. Line managers may rely on controls carried out by dedicated teams, for example (i) on the most sensitive processes requiring stricter or industrialised controls, or to avoid self-controlling practices (e.g. the establishment of customer relations in retail banking), and/or (ii) where the pooling of control tasks improves productivity. Whatever the choice of organisation, managers retain oversight of the processes carried out by the teams that report to them; they are responsible for their production quality and for correcting identified anomalies.

A "first-level permanent control coordination" function is set up in each business line. It is responsible for the design and reporting of controls, as well as for awareness-raising and training of employees with respect to control issues.

SECOND-LEVEL PERMANENT CONTROL

Second-level permanent control is one of the missions of the second line of defence.
It involves ensuring the security and risk management of operations at all times, under the responsibility of operational management, through the effective application of established standards, defined procedures, methods and controls, as instructed. Second-level control has two parts:

- assessment of the architecture of the first-level control framework by process/risk, comprising verification of the definition and efficient conduct of first-level controls. This review also makes it possible to check the effectiveness and relevance of control implementation based on key controls and risk type, and the existence of remedial action plans;
- review of the quality of control execution and of anomaly corrections. The purpose of this work is to verify:
  - the quality of control execution in terms of timing, compliance with procedures and operating methods, the appropriateness of samples (representativeness, selection method), frequency of execution and formal documentation;
  - the quality of follow-up of identified anomalies: appropriateness of the solution provided, efficiency of operational implementation, reaction time proportionate to the risk identified, etc.

These reviews and checks form the basis for an opinion on (i) the effectiveness of first-level controls, (ii) the quality of their implementation, (iii) their appropriateness, notably in risk prevention and in response to the control objectives defined in the library of normative controls, (iv) the definition of their implementation in practice, and (v) the appropriateness of remedial plans to correct anomalies and the quality of follow-up, so arriving at a conclusion as to the effectiveness of first-level controls.

These controls are performed centrally by dedicated teams within the Risk Service Unit (RISQ/CTL), the Compliance Service Unit (CPLE/CTL) and the Finance Service Unit (DFIN/CTL), and locally by the second-level control teams within the BU/SUs or entities.

Internal audit

Reporting to the Group Head of Inspection and Audit, the Inspection and Audit Service Unit (IGAD) is the Group's third line of defence. The IGAD Service Unit comprises General Inspection (IGAD/INS), the Internal Audit departments (IGAD/AUD) and a support function (IGAD/COO). To fulfil its mandate, the Group's IGAD Service Unit has adequate resources from both a qualitative and a quantitative point of view: the Group's Inspection and Audit Service Unit has about 1,100 employees.

The Group Head of Inspection and Audit reports directly to the Group Chief Executive Officer, with whom he has regular meetings. The Group Head of Inspection and Audit also meets regularly with the Chairman of the Board of Directors. The Audit and Internal Control Committee and the Risk Committee refer to the Group Head of Inspection and Audit, on their own initiative or at his request, on any subject. The Group Head of Inspection and Audit participates in the Internal Control Committee and Risk Committee meetings. Moreover, there are regular bilateral meetings between the Group Head of Inspection and Audit and the chairpersons of these Committees.

The Inspection and Audit Service Unit, in delivering its internal audit role, forms the third line of defence, strictly independent of the businesses and of the permanent control functions. This role is defined, in line with IIA (Institute of Internal Auditors) standards, as an independent and objective activity that provides the Group with assurance as to how effectively it is controlling its operations, advises on improvements and contributes to the creation of added value.
By carrying out this mandate, Inspection and Internal Audit help the Group to achieve its targets by evaluating, systematically and methodically, its processes for risk management, control and corporate governance, and by making proposals to increase their efficiency. The Inspection and Audit Service Unit plays a key role in the Group's risk management set-up and can assess any of its components. Under this mandate, General Inspection and Internal Audit assess the quality of risk management within an audited scope, the appropriateness and effectiveness of the permanent control framework, management's risk awareness, and compliance with codes of conduct and expected professional practices.

Beyond its internal audit role, General Inspection has a mandate to undertake any type of analysis or research mission, to be involved in the assessment of strategic projects, or to intervene on specific subjects as requested by General Management. General Inspection also supervises the roll-out of data-analysis initiatives within the scope of Inspection and Audit activities. This mission is carried out via a dedicated data lab (INS/DAT), under the responsibility of an Inspection Managing Director ("Inspecteur principal"). General Inspection also supervises and coordinates the Service Unit's relationship with regulators in its capacity as third line of defence.

Inspection and Audit teams work together on an annual risk assessment to define the Inspection and Audit plans for the upcoming year. IGAD teams regularly work together on joint assignments. They issue recommendations to correct flaws identified in risk management and, more generally, to improve operations and risk management within the Group. IGAD teams are subsequently in charge of monitoring the effective implementation of these recommendations.


PILLAR 3 - 2020 | SOCIETE GENERALE GROUP |
