SFIL Annual financial report 2018

1 I Management report

icy, an emergency and business continuity plan (PUPA) and, where necessary, insurance policies to cover specific risks.

2.4.4. Risk measurement and management (excluding compliance risk)

Collection of operational incidents

SFIL has defined an operational incident and loss collection process governed by guidelines and procedures. The systematic collection and analysis of operational incident data provides the information needed to assess the SFIL Group’s exposure to operational risk. This operational incident and loss collection process allows SFIL not only to comply with regulatory requirements but also to gather key data to improve the quality of its internal control system.

Various collection thresholds have been defined and communicated to SFIL’s operating divisions. The mandatory reporting threshold for financial impacts has been set at EUR 2,500. Responsibility for identifying and analyzing incidents lies with the operational risk correspondents, supported by the Operational Risks and Permanent Control division. To this end, the SFIL Group uses a dedicated operational risk management tool and, in particular, an incident collection module. Depending on the results of the incident analysis, preventive or corrective actions are taken in order to reduce SFIL’s exposure to operational risk.

Operational risk identification and assessment

Based on the incidents and losses collected, operational risks are mapped and the resulting mapping is regularly updated. This mapping consists of assessing the risks that each SFIL operating division incurs.

In addition, SFIL is currently mapping its operational risks by process under a three-year plan to formalize the Group’s processes and activities, launched in the second half of 2016. It has defined four main types of activity (steering, asset acquisition, asset and liability management until maturity, and resource provision) and 39 major bank processes within these broad categories, 36 of which are subject to formalization. As part of this plan, the Operational Risks and Permanent Control division has introduced a new methodology for identifying and assessing operational risks by process. This is deployed as and when the SFIL Group’s processes are formalized, in collaboration with the process manager and the operational risk correspondents of the divisions involved.

As of end-2018, operational risk mapping had been completed for 19 processes. This methodology makes it possible to identify and assess the various process-associated risks, identify factors (systems or controls in place) to mitigate them and determine the residual impacts in order to decide whether or not to accept them.

In the event of non-acceptance of the risks, corrective or improvement actions must be implemented (strengthening of systems and procedures, strengthening of the permanent control plan and implementation of systems for monitoring and controlling risks).

This new mapping of operational risks is being rolled out as SFIL’s processes are formalized, and is gradually replacing the mapping of operational risks by division.

Monitoring of key operational risk indicators

In addition to the operational risk mapping, which provides a regular, instant snapshot of the risk profile, the SFIL Group has implemented key risk indicators accompanied by alert thresholds. These indicators are used to continuously and dynamically monitor changes in operational risks. Changes in these indicators act as signals of (i) any increase in the level of operational risk, (ii) any decline in process performance or (iii) any internal control system dysfunction.

Definition and monitoring of action plans

The process managers define the actions to correct significant incidents, deficient controls or notable operational risks identified. The Operational Risks and Permanent Control division regularly monitors these action plans. This process makes it possible to continuously improve the internal control system and reduce risks over time.

IT security management

The Operational Risks and Permanent Control division has introduced a range of measures governed by a policy and guidelines based on ISO 27000 requirements and applicable to all of SFIL’s operating divisions. These provisions aim to protect the Group’s data from any threat to its confidentiality, integrity or availability. This policy and these guidelines define the principles applicable by security area, as well as the roles and responsibilities of the SFIL Group’s various security players. They are broken down into rules, procedures and operational processes determined in collaboration with the Technology and Organization division, and are subject to regular checks, in particular with regard to the management of access rights to SFIL’s applications and systems and compliance with IT security principles.

In addition, a three-year IT security plan has been defined in order to improve the existing IT security systems. It is monitored regularly.

The IT security procedures and changes therein are monitored quarterly by the IT Security and Business Continuity Plan Committee and validated by the Operational Risks and Permanent Control Committee.

Business continuity and crisis management

The SFIL Group has developed an emergency and business continuity plan (PUPA). It comprises a set of measures and procedures designed to ensure, in various operational crisis scenarios including extreme shocks, that the services or other essential operational tasks that SFIL provides or performs continue, if necessary temporarily or in degraded mode. It also provides for the programed recovery of these activities so as to limit the losses caused by operation in degraded mode. This plan is based on a business impact assessment (BIA) that formalizes the needs of SFIL’s operating divisions to enable them to restart and resume activities based on their criticality.

The SFIL Group’s PUPA system is structured around three systems:

•  the operational business continuity plan, which is managed by the Operational Risks and Permanent Control division and documented in guidelines and operational procedures. These plans and procedures are regularly updated and tested. Disaster recovery sites have been selected for the Issy-les-Moulineaux and Lyon offices to enable the resumption and operational continuation of SFIL’s activities. A number of tests on the functioning of these sites were carried out in April, May and June 2018.
•  the IT disaster recovery plan (PSI), which is managed by the Technology and Organization division and documented
