AFD - Universal Registration Document 2020

RISK MANAGEMENT

cut the time needed to activate the emergency platform by 70%. The update of the technical platform was carried out in 2020, including the company messaging system.

A Flood Risk Prevention Plan (PPRI), intended to cover the risk of the Seine bursting its banks and mitigate the impact of such a contingency on AFD’s two main head office buildings, has also been introduced.

The Security Department (SEC) of the General Secretary has full responsibility for updating and controlling the BCP, the director of which is responsible for the Group’s business continuity management plan (BCMP). The SEC Director is responsible for crisis management and coordinates and synchronises the resumption of business once the BCP is triggered.

The seventeen entities composing AFD, Sogefom and Proparco, whose activities are deemed essential and are covered by the BCP, are asked at least annually to revise their business impact assessments (BIAs) and update their degraded procedures. Each person in charge of entities registered in the BCP is responsible for applying the procedures of his or her BCP Kit once the plan has been triggered. In October 2020 annual updates were finalised and the BCP kits published.

A permanent standby mechanism at the level of the General Secretariat and Executive Committee (EXCOM) is in place to enable AFD to respond rapidly to a major disaster. The mechanism provides for a crisis unit led by an EXCOM member to be activated when needed. In case of a major disaster, the crisis unit decides whether to activate the BCP. The mechanism also covers Proparco and Sogefom.

BCP activation tests were conducted in early 2020. A full restore test of the company email system from backups was carried out in 2020 as part of the PRIT checks.

The business continuity plan, in its “pandemic” form, was effectively activated in all AFD regions in order to take into account the COVID situation. In this context, the monitoring and crisis management system has proven its worth. The business continuity plan made it possible, in particular, to switch all sites and staff to teleworking, without disrupting the processes.

An audit of the plan by the General Inspection Department (IGE) of AFD was begun in late 2016 and completed in February 2017. The BCP will be audited again by the IGE in 2021.

4.3.6.5 Tax risk

AFD did not undergo any tax audits in 2020.

4.3.6.6 Other operational risks

In addition to the risks detailed above, the Group’s permanent control system seeks to cover all risks within the remit of Basel categories 1 to 7 to which the Group is exposed (risks relating to (i) internal and (ii) external fraud, (iii) human resources; concerning (iv) the Group’s financing activity, (v) personal safety, (vi) information systems and (vii) management, processes and procedures).

Under the ISSP, all information systems and business line applications are classified according to four security criteria, namely availability, integrity, confidentiality and proof. These criteria allow for protection measures to come into effect in line with security requirements during the design and active use stages of a given system. The most sensitive information systems regularly undergo a security approval certification procedure.

The management of security incidents is overseen by a specific ISS incident management policy that sets management rules for a security incident. This makes it possible to coordinate (i) the procedure for managing IT incidents (to ITIL standards), (ii) the “user” incident alert system run by the IT Support Department, and (iii) the Security Department (SEC). The Security Department coordinates all immediate responses to security incidents. The RSSI may request the activation of a crisis unit if the nature of the incident so requires.

The AFD Group has a Business Continuity Plan (BCP) intended to cover all of the AFD Group’s business lines and activities, including its Proparco and Sogefom subsidiaries. This plan is intended to ensure the continuation of the Group’s business in the aftermath of a disaster of low likelihood but with critical impact.

The plan is formalised in three framework documents applicable to the entire group: the business continuity policy, the crisis management plan and the business continuity plan. These documents are supplemented by procedures for each essential activity. The business continuation policy was updated in 2017 to include a new class of activity recovery (level 5 availability) providing the means to characterise activities that do not support service interruptions.

Continuity procedures are grouped into “BCP kits” provided for each structure operating one of the vital functions. These procedures describe the actions required for implementing the plan, as well as the manual operating modes to be used in case of any long-term unavailability of business premises or IT tools.

AFD also has a “pandemic” plan which describes the principles and ways of maintaining business activity in the event of a global or local pandemic.

The Information and Telecommunications Recovery Plan (PRIT), which covers the risk of an extended IT system outage, includes an IT infrastructure that reactivates the AFD Group’s applications and essential systems. The PRIT system covers all of the business lines’ IT continuity requirements by duplicating 70% of the Group’s Information System and 100% of production data. This includes all systems essential to users’ “core business” activity for the first month of loss. The remaining 30%, corresponding to non-essential systems, are re-established within three months.

Improvements to the PRIT engaged in 2018

In 2020, AFD did not suffer any cyberattack crises.

Emergency and business continuation plan
