AFD // 2021 Universal Registration Document

Risk management

The information systems security policy (ISSP), which is compliant with ISO 27001 and ISO 27002, defines the 90 security rules needed to protect AFD’s information systems. The application of each rule is stipulated by a set of internal security standards and procedures, in compliance with best practices in the field. This ISSP is accompanied by an IT user charter, which has been enforceable for all users since it was included in the rules and regulations. Measures to raise awareness of ISS, in the form of regular talks and digital training, ensure that all Group users are familiar with the main rules for use. Under the ISSP, all information systems and business line applications are classified according to four security criteria, namely availability, integrity, confidentiality and proof. These criteria allow protection measures to come into effect in line with security requirements during the design and active use stages of a given system. The most sensitive information systems regularly undergo a security approval certification procedure. The management of security incidents is overseen by a specific ISS incident management policy that sets the management rules for a security incident. This makes it possible to coordinate (i) the procedure for managing IT incidents (to ITIL (1) standards), (ii) the “user” incident alert system run by the IT Support Department, and (iii) the Security Department (SEC). The Security Department coordinates all immediate responses to security incidents. The RSSI may request the activation of a crisis unit if the nature of the incident so requires.

Emergency and business continuation plan

The AFD Group has a Business Continuity Plan (BCP) intended to cover all of the AFD Group’s business lines and activities, including its Proparco and Sogefom subsidiaries. This plan is intended to ensure the continuation of the Group’s business in the aftermath of a disaster of low likelihood but with critical impact.

The plan is formalised in three framework documents applicable to the entire group: the business continuity policy, the crisis management plan and the business continuity plan. These documents are supplemented by procedures for each essential activity. The business continuation policy was updated in 2017 to include a new class of activity recovery (level 5 availability), providing the means to characterise activities that do not support service interruptions. Continuity procedures are grouped into “BCP kits” provided for each structure operating one of the vital functions. These procedures describe the actions required for implementing the plan, as well as the manual operating modes to be used in case of any long-term unavailability of business premises or IT tools. AFD also has a “pandemic” plan which describes the principles and ways of maintaining business activity in the event of a global or local pandemic. In 2021, AFD did not suffer any cyberattack crises.

The Information and Telecommunications Recovery Plan (PRIT), which covers the risk of an extended IT system outage, includes an IT infrastructure that reactivates the AFD Group’s applications and essential systems. The PRIT system covers all of the business lines’ IT continuity requirements by duplicating 70% of the Group’s Information System and 100% of production data. This includes all systems essential to users’ “core business” activity for the first month of loss. The remaining 30%, corresponding to non-essential systems, are re-established within three months. Improvements to the PRIT begun in 2018 cut the time needed to activate the emergency platform by 70%. The update of the technical platform was carried out in 2020, including the company messaging system. A Flood Risk Prevention Plan (PPRI), intended to cover the risk of the Seine bursting its banks and to mitigate the impact of such a contingency on AFD’s two main head office buildings, has also been introduced. The Security Department (SEC) and its Resilience and Information Security (RSI) unit, which are part of the General Secretariat, have full responsibility for updating and controlling the BCP; the head of this department is also responsible for the Group’s business continuity management plan (BCMP). The SEC Director is responsible for crisis management and coordinates and synchronises the resumption of business once the BCP is triggered. The seventeen entities composing AFD, Sogefom and Proparco whose activities are deemed essential and are covered by the BCP are asked to regularly revise their business impact assessments (BIAs) and update their degraded procedures. Each person in charge of an entity registered in the BCP is responsible for applying the procedures of his or her BCP Kit once the plan has been triggered. A major update of the BCP will be undertaken in 2022 to integrate Covid feedback.

A permanent standby mechanism at the level of the General Secretariat and Executive Committee (EXCOM) is in place to enable AFD to respond rapidly to a major disaster. The mechanism provides for a crisis unit, led by an EXCOM member, to be activated when needed. In case of a major disaster, the crisis unit decides whether to activate the BCP. The mechanism also covers Proparco and Sogefom. The BCP triggering tests were carried out in early 2021, including the reactivation of the company messaging system, as part of the PRIT checks. The business continuity plan, in its “pandemic” form, was effectively activated in all AFD regions in order to take into account the Covid situation. In this context, the monitoring and crisis management system has proven its worth. The business continuity plan made it possible, in particular, to switch all sites and staff to teleworking without disrupting the processes. The Covid BCP remained in operation in 2021. The plan was audited by the General Inspection Department (IGE) at the end of 2021.


(1) Information Technology Infrastructure Library
