AFD - 2019 Universal registration document

RISK MANAGEMENT


• continuation of the project to overhaul measures to prevent and manage conflicts of interest within the Group, with the aim of streamlining the roles and responsibilities of each of the players involved in preventing and managing conflicts of interest and reviewing internal procedures.

Insurance – Coverage of risks run by AFD

AFD has a “Civil Liability” insurance policy that also covers Proparco, a “Directors and Officers civil liability” policy, a “labour relations” policy, a “first excess property damage” policy that also covers Proparco and VAL, an “all exhibition risks – works of art” policy, and a “Directors and Officers civil liability specific to supplementary pension scheme management (IGRS) risk” policy (1). All of the network’s agencies are covered by locally underwritten insurance policies (multi-risk residential and office, and civil liability for office activities). These policies are accompanied by vehicle insurance covering head office (head office policy) and the network (local policies), plus “worldwide” “individual accident” insurance guaranteeing payment of a capital sum in case of death or disability caused by an accident with a vehicle belonging to or rented by AFD.

4.3.6.4 IT-related risks

Information systems security

The Security Department oversees all aspects of ICT risks, including IS security. The head of the department is also responsible for AFD Group’s IT system security (RSSI). An analysis of ICT risks is carried out at least once a year under the IS risk governance system. Security risks are extracted from it and processed under the IT security management system (SMSI), in compliance with ISO 27001. The SMSI provides a framework for addressing AFD’s IT-related risks, from appraisal of the risks to implementation of remedial measures and ongoing IT system security checks. After the annual risk analysis, AFD’s operational risk map and the triennial security project plan are updated. The steering bodies use this plan to determine the security upgrades for the IT system. The information system security policy (ISSP), which is compliant with ISO 27001 and ISO 27002, defines the 90 security rules needed to protect AFD’s information systems. The application of each rule is stipulated by a set of internal security standards and procedures, in line with good practice in the field. This ISSP is accompanied by an IT user charter, which has been enforceable for all users since it was included in the rules and regulations. Measures to raise awareness of ISS, in the form of regular talks and digital training, ensure that all Group users are familiar with the main rules for use. Under the ISSP, all information systems and business line applications are classified according to four security criteria, namely availability, integrity, confidentiality and proof. These criteria allow protection measures to be applied in line with security requirements during the design and active use stages of a given system. The most sensitive information systems regularly undergo a security approval certification procedure. The management of security incidents is governed by a specific directive that sets the management rules for a security incident. This makes it possible to coordinate (i) the procedure for managing IT incidents (to ITIL standards), (ii) the “user” incident alert system run by the IT Support Department, and (iii) the Security Department (SEC). The Security Department coordinates all immediate responses to security incidents. The RSSI may request the activation of a crisis unit if the nature of the incident so requires.

Emergency and business continuation plan

The AFD Group has a Business Continuity Plan (BCP) intended to cover all of the AFD Group’s business lines and activities, including its Proparco and Sogefom subsidiaries. This plan is intended to ensure the continuation of the Group’s business in the aftermath of a disaster of low likelihood but with critical impact. The plan is formalised in three framework documents applicable to the entire Group: the business continuity policy, the crisis management plan and the business continuity plan. These documents are supplemented by procedures for each essential activity. The business continuity policy was updated in 2017 to include a new class of activity recovery (level 5 availability), providing the means to characterise activities that cannot tolerate any service interruption. Continuity procedures are grouped into “BCP kits” provided for each structure operating one of the vital functions. These procedures describe the actions required for implementing the plan, as well as the manual operating modes to be used in case of any long-term unavailability of business premises or IT tools.

AFD also has a “pandemic” plan which describes the principles and ways of maintaining business activity in the event of a global or local pandemic. The Information and Telecommunications Recovery Plan (PRIT), which covers the risk of an extended IT system outage, includes an IT infrastructure that reactivates the AFD Group’s applications and essential systems. The PRIT system covers all of the business lines’ IT continuity requirements by duplicating 70% of the Group’s Information System and 100% of production data. This includes all systems essential to users’ “core business” activity for the first month of loss. The remaining 30%, corresponding to non-essential systems, are re-established within three months. Improvements to the PRIT begun in 2018 cut the time needed to activate the emergency platform by 70%. The upgrading of the technical platform began in 2019 and is ongoing in 2020. A Flood Risk Prevention Plan (PPRI), intended to cover the risk of the Seine bursting its banks and mitigate the impact of such crises.

In 2019, AFD did not suffer any cyberattack.


(1) This insurance contract has been transferred to and is managed by the HR Department.


