NATIXIS -2020 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

Operational risk monitoring 3.2.6.3 Risk mapping Risk mapping is central to operational risk monitoring:

Analysis of changes in the risk profile of the businesses and support functions

RCSA

Incidents with financial, legal, and regulatory impacts

Control environment assessment

KRI

Qualitative evaluation of businesses and support function controls

Qualitative evaluation of business line and support function policies and procedures

Incidents

Qualitative assessment of the HR profile of support functions

Mitigation actions decided by Committees

Controls

P&P

HR

Qualitative assessment of businesses and support functions risks by the risk owners

Risk Map

Quantitative backtesting

RMS

Net Risk

Gross Risk

RCSA

Mitigation actions decided by Committees

Regulatory environment / Compliance Division

Permanent control / Compliance Division

Annual review of first level controls based on risk assessment Results of first level controls. Each control is associated with one or several risks

Domestic and international regulations

Non Compliance Risk

PCL1 & 2

PCL1 & 2

Financial industry businesses & Operational environment

External database, public incidents since 1995

Scenario analysis on major risks

Mitigation actions decided by Committees

Incidents database

KRI: Key Risk Indicator RMS: Risk Management System RCSA: Risk Control & Self Assessment HR: Human Resources P&P: Policies and procedures

Every year the department in charge of operational risks, in conjunction with the other control functions, works with each business line, entity and support function to map operational risks. The exercise involves identifying and descriptively analyzing risks, quantifying the risk situations (average frequency, average and maximum loss), and taking into account existing risk management mechanisms. This mapping is based on process analysis and is carried out for all the bank’s activities. Its consistency is verified through backtesting, in other words by using the incident history, as well as external data where relevant.

The risk mapping process serves to identify Natixis’ exposed business lines and its biggest risks in order to be able to manage them through corrective action and indicators. The mapping of “global and systemic risks” (extreme risk situations occurring infrequently, such as major natural disasters, pandemics, and attacks) draws on external data on incidents in the financial industry, especially for establishing frequency. Also factored in are assumptions on unrealized net revenue items, the effectiveness of risk management mechanisms, as well as contingency and business continuity plans.

150

NATIXIS UNIVERSAL REGISTRATION DOCUMENT 2020