ADP // 2021 Universal Registration Document

R I SK AND MANAGEMENT 2 RISK MANAGEMENT AND INTERNAL CONTROL SYSTEM

2.2.2 DESCRIPTION OF THE SYSTEM

Description of the risk management and internal control system The basics This group system is based on: ◆ two charters relating to:

Business continuity and crisis management Groupe ADP has implemented a business continuity and crisis management process for greater control of risks that have a major impact on business continuity. For this, it is supported by a Group Policy on Business Continuity (PGCA). The aim is to guarantee services that are essential for the group’s operations. It provides for different types of solutions (redundancy, fallback sites, downgraded mode, etc.). To date, it has been rolled out: ◆ in France, as part of a business continuity plan (PCA) for each of the platforms (Paris-Charles de Gaulle, Paris-Orly and Paris Le Bourget) and for each of the support activities essential to the smooth running of airport operations (IT systems and human resources); ◆ abroad, through the formalisation of business continuity plan (PCA) within the group’s platforms. With regard to crisis management, Groupe ADP’s system aims to ensure continuity of the Group’s operational control and the quality of its response to sudden, unexpected events. It must contribute to optimally keep the activities at satisfying levels of quality while remaining in compliance with the security and safety obligations. The Group’s management continuity and crisis management system is described in a booklet. Crisis exercises are also carried out several times per year to test the system’s effectiveness, with feedback enabling improvements to be made. Insurance and risk transfer The financial consequences of certain risks can be covered by insurance policies where their order of magnitude justifies it and providing that cover is available under acceptable terms and conditions (see “Group’s general insurance policy” below). The Legal and Insurance Division oversees the general policy on group insurance (see below), manages the use of insurance within the group and provides coordination and expertise in this area in France and worldwide. Periodic monitoring of the system The risk management and internal control systems are monitored by: ◆ the monitoring of major incidents and incidents due to unacceptable risks; ◆ the Corporate Audit and Internal Control Division; ◆ external structures (see below). Major incidents Major incidents or incidents linked to unacceptable risks are identified by the group’s entities and a statement of reported incidents is produced.

◆ management of risks and internal control: the charter indicates that the group applies the provisions of the AMF’s reference framework. It was supplemented in 2019 by a note describing Groupe ADP’s new guidelines relating to internal control to apply the best standards in these areas, ◆ internal audit: the charter is based on international standards and the Internal Audit Code of Ethics distributed in France by the French Institute for Audit and Internal Control (IFACI) and which constitutes the international reference framework for internal audit; ◆ three methodological guidelines relating to risk management, internal control and internal audit. It is also based on the group’s ethical rules which are created by the governing bodies and communicated to all employees. Risk Management The aim of this system is to provide all of the stakeholders with a global overview of the group’s major risks and their level of control (section “Risk factors” of this document). To this end, risk mapping is carried out annually. It allows us to identify the major risks, prioritize them, deal with them and follow up on the actions identified. Risks are assessed according to their impacts and frequency, given the existing control measures. They are then prioritised according to their critical level. The major risks and so-called unacceptable risks are subject to specific monitoring. After a review in the Risks and Internal Control Operational Committee (CORCI), the group mapping is submitted to the Comex, then presented to the Audit and Risk Committee and the Board of Directors. The group’s risk mapping takes into account the CSR challenges identified in the materiality study performed in 2017. Internal control The aim of internal control is to contribute to risk management, the effectiveness of group operations and the efficient use of its resources. Internal control is based on both cross-functional deployment, applicable to all of the Group’s entities, and per entity, in particular through the management systems (ISO 9001). New guidelines have been drafted in 2019 to strengthen the group’s internal control, in particular with regard to international development. In this respect, key controls have been drafted on administrative, accounting and financial processes. These have led to the creation of a shared manual within the group. They are the subject of annual self-assessment campaigns and field tests. These controls take into account the ethical issues that have been specifically identified in the internal control manuals. The approach will gradually be extended to the group’s other processes.

134

AÉROPORTS DE PAR I S / UN I VERSAL REG I STRAT I ON DOCUMENT 202 1