[Organization chart: the Group's internal control structure]
Periodic control: General Inspection (General Inspector), comprising Functional Division Audits, Specialized Audits and Business line Audits.
Permanent supervision: Group Internal Control Coordination Committee (Chief Executive Officer, Deputy Chief Executive Officer) and Business Line and Functional Division Internal Control Coordination Committee.
Functional divisions and their control areas: IT Division (information system security); Risk Division (financial risks: credit, market, etc.; operational risks excluding compliance and information system security); Corporate Secretary (legal and tax compliance); Finance and Corporate Planning Division (financial and accounting information; structural risks: forex, interest rate, liquidity).

Permanent control falls under the responsibility of operational staff
THE FIRST LEVEL OF RESPONSIBILITY FOR PERMANENT CONTROL LIES WITH THE GROUP’S OPERATING STAFF
The permanent supervision of their activities by operational staff forms the cornerstone of the permanent control process. It is defined as all of the measures taken on a permanent basis to ensure the compliance, security and validity of transactions performed at operational level. As such, permanent supervision comprises two elements:
■ day-to-day security: all operational staff are required to comply at all times with the applicable rules and procedures governing every transaction carried out;
■ formal supervision: management is required to make regular checks, using written procedures, to verify that staff are complying with the rules and procedures for processing transactions and for ensuring effective day-to-day security.
In order to ensure this system functions correctly, operational methods need to be formally defined and communicated to all Group staff. In addition, permanent supervision procedures are adapted for each Group entity according to their specific activities.
As detailed further in the report of its Chairman on internal control and risk management procedures, Crédit du Nord completes its system with second-level permanent controls, carried out by staff with that exclusive responsibility, and which are aimed at ensuring that all regulations in effect under the permanent supervision system are applied.
AT THE SAME TIME, THE FUNCTIONAL DIVISIONS CONTRIBUTE TO THE PERMANENT CONTROL OF THE GROUP’S TRANSACTIONS
The Risk Division, with contacts in the Group’s business lines and subsidiaries, is responsible for implementing the credit, market and operational risk management system and ensuring risks are monitored in a coherent fashion across the Group.
SOCIETE GENERALE GROUP’S RISK FUNCTION COMPRISES MORE THAN 3,300 STAFF DEDICATED TO RISK MANAGEMENT AND PERMANENT CONTROL ACTIVITIES:
■ 800 in the Group Risk Division,
■ 2,500 in the Group’s different businesses and subsidiaries.
During 2008, it was decided to restructure the Risk Division in order to draw conclusions from the recent events that had affected Societe Generale and its environment (financial crisis, fraudulent transactions on market activities) and to adjust risk management based on the Group’s development. The main objectives of this new structure, which has been in place since January 1, 2009, are:
■ within the Risk Division, to strengthen the proactive management of all Group risks, by bringing together the portfolio risk research and analysis teams, while improving alert systems and procedures;
■ to better combine the market, credit and liquidity approaches, by grouping together the management of market risks with issuer and credit risks, which are the underlying risks on securitization products;
■ within the asset management arm, to strengthen the independence of the market and liquidity risk management function with regard to operational entities;
■ to unite the teams responsible for real estate loan risks;
■ to adapt risk monitoring to the increasing proportion of individual and business customers;
■ to reinforce the prevention and monitoring of operational risks.
Based on the monitoring framework defined by the Risk Committee, a set of specific procedures has been compiled for each type of risk.
In the case of counterparty risks, and in response to the crisis affecting financial institutions, the Group has implemented, as from end-2007, an enhanced supervision system for the management of its limits and exposures to bank counterparties.
IN THE CASE OF MARKET RISK:
■ positions and risks taken in the course of the Group’s market monitoring; these positions and risks are compared with the defined limits, including an alert system, for all activities;
■ monitoring and checks on gross nominal position amounts (based on alert thresholds which apply to all instruments and desks) help to detect any possible rogue trading;
■ daily summaries of risk exposure are produced, highlighting any cases where limits have been exceeded;
■ the market parameters used to calculate risks and results are verified regularly;
■ precise methods for measuring risks have been defined;
■ the Risk Division validates the valuation models used to calculate risks, transaction results and the amount of reserves;
■ an annual report summarizing all key events in terms of market risk, and in particular the use of limits, is sent to the General Management and the business line management teams.
These procedures are regularly adapted to accommodate changes in regulations, the rapid growth of increasingly sophisticated businesses and new risk factors. Some controls are further reinforced through targeted action plans.
IN THE CASE OF OPERATIONAL RISKS:
A unified set of procedures, tools and methodologies has been implemented. This enables the Group to identify, evaluate (both quantitatively and qualitatively) and manage its operational risk.
It is based notably on:
■ Risk and Control Self-Assessment, the aim of which is to identify and measure the Group’s exposure to the different categories of operational risk in order to accurately map the levels of intrinsic and residual risk (i.e. having taken into account the quality of risk prevention and control systems);
■ Key Risk Indicators or KRIs, which provide upstream alerts as to the risks of operational losses;
■ scenario analyses, which consist in estimating infrequent but severe potential losses to which the Group could be exposed;
■ data collection and analysis of internal losses and losses incurred in the banking industry following the materialization of operational risks.
On this basis, the Group’s various entities are able to define and implement the necessary actions to ensure that operational risk is maintained at or reduced to an acceptable level.
Report of the Chairman on Internal Control and Risk Management procedures
An information systems security manager coordinates the risk control related to information systems at Group level
Fully conscious of the increasing exposure of its information systems to external risks as a result of the growing number of maintained and reinforced its different organizational, monitoring and communication initiatives relating to information systems security. The security system is coordinated by a Group information systems security manager and has been rolled out within the Group’s different business divisions. At operating level, the Group uses a central unit that manages alerts and monitors security levels using a multitude of both internal and external sources for information and supervision purposes.
The security network is regularly updated to keep abreast of technological developments and the appearance of new threats or risks. It is governed by the “Strategic Security Initiatives” validated by the General Management and all businesses which are part of the Functional Division Supervision Committee.
The need to adapt the information system security network to the risks inherent to banking activity has been taken into account, especially within the framework of operational risk management. A four-year security action plan, covering major security initiatives, was approved in July 2008 and will be monitored on a biannual basis by the Group’s Executive Committee. Moreover, employees are regularly informed of and trained in the procedures and approach to adopt in order to deal with risks linked to the use of IT systems.
Structural risk (interest rate and exchange rate) management comes under the responsibility of the Group Finance Division
The Finance Committee, a General Management body, validates the methods used to analyze and measure risks, as well as the exposure limits for each Group entity. It also provides advice to both the business lines and entities.
The Group Finance Division’s Capital, Assets and Liabilities Department is responsible for establishing Group standards on structural risk, second level controls, the consolidation of structural risk and its reporting to the Finance Committee.
Each entity is responsible for its interest rate and exchange rate risks, complying with Group standards and the limits set by the Group Finance Division. The entities’ Finance Divisions are responsible for monitoring and managing this risk, preparing the necessary reports and analyzing structural risks.
The Group’s Corporate Secretary is responsible for the consistency and efficiency of the Group’s compliance control system.
He is assisted in this role by a Group compliance committee notably comprising the individual heads of compliance appointed within each business line, who carry out similar functions at local level via a co-ordinated network and organizational structure. Clear roles and responsibilities have also been defined for the Group’s subsidiaries, branches or major entities.
The compliance of the Group’s operations is monitored on a regular basis within this structure by the heads of compliance, with the support of:
■ the Compliance Department, which verifies that all compliance rules and principles applicable to the Group’s banking and investment services activities are observed, and that all staff respect codes of good conduct and individual compliance;
■ the Legal and Tax Departments, which monitor all fiscal and legal aspects, including legal compliance, of the Group’s activities.
These central departments report to the Group’s Corporate Secretary. They are represented by local staff within each operational entity and, in certain subsidiaries and offices, by departments exercising the same type of function. The central teams are responsible for compliance monitoring and training as well as for the distribution of relevant information throughout the Group.
Under the new amended regulations, the Group’s existing procedures have been extended to meet the stricter compliance requirements for new products and services, and for the reporting and resolution of anomalies.
Finally, over and above its usual regular initiatives, Societe Generale continues to make targeted efforts to raise awareness among staff and provide training in the prevention of compliance risks.