AFD - 2018 Registration document

RISK MANAGEMENT


Insurance – Coverage of risks run by AFD

AFD has a “Civil Liability” insurance policy that also covers Proparco, a “Directors and Officers civil liability” policy, a “labour relations” policy, a “first excess property damage” policy that also covers Proparco and VAL, an “all exhibition risks – works of art” policy, and a “Directors and Officers civil liability specific to supplementary pension scheme management (IGRS) risk” policy (1). All of the network’s agencies are covered by locally underwritten insurance policies (multi-risk residential and office, and civil liability for office activities). These policies are accompanied by vehicle insurance covering head office (head office policy) and the network (local policies), plus “worldwide” “individual accident” insurance guaranteeing payment of a capital sum in case of death or disability caused by an accident with a vehicle belonging to or rented by AFD.

4.3.6.4 IT-related risks

An analysis of ICT risks is carried out at least once a year under the IS risk governance system. Security risks are extracted from it and processed under the IT security management system (SMSI), in compliance with ISO 27001. The SMSI provides a framework for addressing AFD’s IT-related risks, from appraisal of the risks to implementing remedial measures and ongoing IT system security checks. After the annual risk analysis, AFD’s operational risk map and the triennial security project plan are updated. The steering bodies use this plan to determine the security upgrades for the IT system. The information system security policy (ISSP), which is compliant with ISO 27001 and ISO 27002, defines the 90 security rules needed to protect AFD’s information systems. The application of each rule is stipulated by a set of internal security standards and procedures, in compliance with good practices in the field.

This ISSP is accompanied by an IT user charter, which has been enforceable for all users since it was included in AFD’s rules and regulations in September 2015. The charter will be updated in 2019 to include new uses of digital technology within the Group. Measures to raise awareness of ISS, in the form of regular talks and digital training, ensure that all Group users are familiar with the main rules for use.

Information systems security

The Security Department oversees all aspects of ICT risks, including IS security. The head of the department is also responsible for AFD Group’s IT system security (RSSI).

Under the ISSP, all information systems and business line applications are classified according to four security criteria, namely availability, integrity, confidentiality and proof. These criteria allow protection measures to be applied in line with security requirements during the design and active use stages of a given system. The most sensitive information systems regularly undergo a security approval certification procedure.

The management of security incidents is overseen by a specific directive that sets the management rules for a security incident. This makes it possible to coordinate (i) the procedure for managing IT incidents (to ITIL standards), (ii) the “user” incident alert system run by the IT Support Department, and (iii) the Security Department (SEC). The Security Department coordinates all immediate responses to security incidents. The RSSI may request the activation of a crisis unit if the nature of the incident so requires. In 2018, AFD did not suffer any cyberattack crises.

Emergency and business continuation plan

The AFD Group has a Business Continuity Plan (BCP) intended to cover all of the AFD Group’s business lines and activities, including its Proparco and Sogefom subsidiaries. The system aims to ensure the continuation of the Group’s activities following a disaster that is unlikely to occur but would have a critical impact. The plan is formalised in three framework documents applicable to the entire Group: the business continuity policy, the crisis management plan and the business continuity plan. These documents are supplemented by procedures for each essential activity. The business continuity policy was updated in 2017 to include a new class of activity recovery (level 5 availability), providing the means to characterise activities that cannot tolerate any service interruption. Continuity procedures are grouped into “BCP kits” provided for each structure operating one of the vital functions.

These procedures describe the actions required for implementing the plan, as well as the manual operating modes to be used in case of any long-term unavailability of business premises or IT tools. The sixteen entities making up AFD, Sogefom and Proparco whose activities are deemed essential and are covered by the BCP are asked at least annually to revise their business impact assessments (BIAs) and update their degraded-mode procedures. Each person in charge of an entity registered in the BCP is responsible for applying the procedures of his or her BCP kit once the plan has been triggered. In March 2018 the updates were finalised and the BCP kits published.


(1) This insurance contract was transferred to the HR department which manages it.
