1072019 Universal registration document and annual financial report - BNP PARIBAS

2CorPorate GovernanCe and internal Control

2

Internal control

Risk management related to climate change

Since the Paris Agreement in November 2015, the BNP Paribas Group has taken a number of steps to integrate climate change risk management and to support energy transition in line with the Paris Agreement.

The Group has made coal-related commitments such that it no longer finances the extraction of coal, whether via mining projects or via specialised coal mining companies without a diversification strategy, as well as coal-based power plant projects. In 2019, the Group decided that it would completely cease its financing of the coal industry by 2030 in the countries within the European Union, and by 2040 for the rest of the world.

The Group has also adopted a new sectoral policy on unconventional hydrocarbons. This concerns players whose main activity is the exploration, production, distribution, marketing or trading of shale gas and/or oil or bituminous sands. Projects primarily dedicated to the transportation and export of these hydrocarbons are no longer financed. In addition, the Group excludes all financing for exploration or gas or oil production projects in the Arctic.

The criteria relating to greenhouse gas emissions have been strengthened in sectoral policies and in specific credit policies.

Each year, the Group also calculates its financed energy mix. Indicators to this effect have been included in the Risk Appetite Statement of BNP Paribas.

Further information on climate change risk management can be found in Commitment 3 described in chapter 7 of the Universal registration document.

PERIODIC CONTROL In 2019, the General Inspection repeated its annual risk assessment exercise which was conducted for the first time in 2017. In 2019, all of the audit units (AUs) were reviewed based on previous years and by reinforcing cross-functional consistency checks by businesses/teams. In the end, the overall residual risk profile appeared broadly stable in 2019 compared to 2018.

A total of 930 missions were completed in 2019, or 97% of the goal for the year. According to the General Inspection s principles, the missions completed in 2019 focused on those AUs with the highest level of residual risks or with a specific regulatory audit cycle. They also focused on new AUs, in particular those which were created to cover the near-shoring platforms and finally those whose past audit coverage was judged to be inadequate and should be supplemented.

General Inspection improved its monitoring system by updating a multi- year audit plan. The aim of this plan was to organise coverage of the entire auditable scope with reasonable frequency, i.e. according to the criticality of the AUs. The duration of the audit cycle cannot exceed 5 years in any case. By convention, 2018 was considered as the first year of the five-year cycle. The goal is therefore to cover the entire scope by 2022 at the latest.

The auditable scope is represented by mapping 2,918 audit units. The updating of the risk assessment for each of them consists of an assessment of inherent risks, the quality of the GRC (Governance, Risk Management, Internal Control), and, lastly, the residual risk. Since the last mission sufficiently covered this, this serves as a starting point for the next coverage cycle.

The frequency of audit for each AU is based on the residual risk score. The frequency is shorter when the residual risk is assessed as high. If the AU is accompanied by a specific regulatory audit cycle, the applicable cycle is the shortest period between the regulatory cycle and that resulting from the Risk Assessment.

All the AUs were placed in order of priority by combining these different elements.

This exercise enabled a timetable up to 2022 to be drawn up for all the AUs. It was updated compared to the previous year to take into account changes in the mapping, risk assessment and effective coverage by the missions.

In line with the transformation and digitalisation of the Group, the General Inspection continues its efforts to develop the use of methods by the data analysis team as part of the execution of the audit.

The initiative is structured around a central team, with members in each of the audit hubs, and it covers different objectives.

One of these objectives is to improve operational efficiency by creating a library of cases to automate certain recurring analyses. At the end of 2019, 20 cases had been developed.

In 2019, the data analysis had deepened the coverage of the risks where certain audit missions proposing analyses are based on exhaustive data challenges and benefit from increased processing capacities.

The capacity of General Inspection to fulfil all of these missions is based on the one hand on the continued increase in its number of employees, which reached 1,446 FTE at 31 December 2019 (+3.7% in one year; +41% since the end of 2014).

General Inspection continues its policy of investing significantly in training to allow new employees to gain the skills base required to perform their role. All audit employees receive high level regulatory training and technical training depending on their role and investigation scope. Professional certifications are encouraged to demonstrate that skills have been validated and mastered. In the same vein, General Inspection deployed a tool intended for all inspectors and auditors to check their knowledge of its methodological principles.

General Inspection has launched an in-depth review of its audit guides. It has rewritten some of them and has reviewed the library tools so that it is better linked to regulatory changes and to ensure greater consistency between the different elements of audits carried out worldwide. The elements of the audits that have been rewritten are based as far as possible on the cases arising from the data analysis.

2020 will continue along the same lines as the previous year, with further work being undertaken on the nature and content of the performance of the missions. General Inspection will also improve its expertise in the auditing of models through the ramp-up of a dedicated team.