2019 Universal registration document and annual financial report - BNP PARIBAS
2 Corporate governance and internal control
Internal control
■ General Inspection (third line of defence): the General Inspection is responsible for periodic control, performs the Internal Audit Function and contributes to the protection of the Group by independently acting as its third line of defence on all Group entities and in all areas. It includes:
■ centrally based inspectors who carry out their duties throughout the Group;
■ auditors distributed in the geographical or business line platforms (called hubs).
The Inspector General, responsible for periodic controls, reports to the Chief Executive Officer.
■ Executive Officers: the Chief Executive Officer and the Chief Operating Officer ensure the effective management of the Company for regulatory and legal purposes. In practice, the Executive Officers make key decisions through specialised committees that allow them to rely on experts with a deep understanding of the issues to be addressed.
Executive Directors are responsible for the internal control system as a whole. As such and notwithstanding the powers of the Board of directors, the Executive Officers:
■ decide on the key policies and procedures serving as the basis for this system;
■ directly oversee the functions exercising independent control and provide them with the means to allow them to fulfil their responsibilities effectively;
■ define the Group's risk-taking policies, validate the most important decisions in this area and, if necessary, make the final decisions in the context of the escalation process. This process is implemented in accordance with the powers conferred to the Group Risk Officer, who may exercise his right of veto under the conditions set out in the Risk charter;
■ periodically evaluate and monitor the effectiveness of the internal control policies, systems and procedures and implement the appropriate measures to remedy any deficiencies;
■ receive the main reports on internal control within the Group;
■ report to the Board of directors or its relevant committees on the operation of this system.
■ The Board of directors: the Board of directors exercises directly or through specialised committees (Financial Statements Committee, Internal Control, Risk Management and Compliance Committee, Corporate Governance, Ethics, Nominations and CSR Committee, etc.) key responsibilities in terms of internal control. Among others, the Board of directors:
■ determines, on the proposal of the Executive Officers, the strategy and guidelines of the internal control activity and ensures their implementation;
■ reviews the internal control activity and results at least twice per year;
■ regularly reviews, assesses and verifies the effectiveness of the governance system, including in particular, clearly defined responsibilities, and internal control, including in particular risk reporting procedures, and takes appropriate measures to remedy any failings uncovered;
■ validates the Risk Appetite Statement, approves and periodically reviews the strategies and policies for taking up, managing, monitoring and controlling risks and approves their overall limits.
The organisation of the Board of directors and its specialised committees is defined through its Internal rules. The Heads of General Inspection and the integrated functions exercising second-level control have the right to be heard, possibly without the presence of Executive Officers, by the Board of directors or one of its specialised committees.
Finally, among the specialised committees, the Internal Control, Risk Management and Compliance Committee (CCIRC) is essential in the Group's internal control system. Indeed, it assumes the following responsibilities:
■ analyses reports on internal control and on risk measurement and monitoring, reports on the activities of the General Inspection, and significant correspondence with the main regulators;
■ examines the strategic directions of the risk policy;
■ reports to the Board of directors.
COORDINATION OF INTERNAL CONTROL
At the consolidated level, the coordination of internal control is ensured by the Group Supervisory & Control Committee, which is responsible, in particular, for ensuring consistency and coordination in the internal control system. It meets on a bi-monthly basis and brings together the Executive Officers, the Deputy Chief Executive Officer and the Heads of the integrated functions. The Deputy Chief Operating Officers overseeing an operating division have standing invitations to attend.
In those entities and territories that are significant for the Group, their Executive Officers are responsible for arranging this coordination, generally within the framework of the Internal Control Committees.
PROCEDURES
The procedures are one of the key elements of the permanent control system alongside the identification and assessment of risks, controls, reporting and monitoring of the control system.
Written guidelines are distributed throughout the Group and provide the organisation and procedures to be applied as well as the controls to be applied. These procedures constitute the basic framework for internal control. The Risk Function, as part of the oversight of the permanent control system, regularly monitors the completeness of the procedures guidelines. The Group's cross-functional procedures framework (levels 1 and 2) is regularly updated through contributions from all divisions and functions. Regarding the control framework, investigations into the status of the system are included in the semi-Annual Report on permanent control.
Among the Group's cross-functional procedures, applicable in all entities, risk control is critically important in:
■ the procedures that govern the process for approving exceptional transactions, new products and new activities;
■ the procedure for approving credit and market transactions;