Aéroports de Paris - 2019 Universal registration document

RISK AND MANAGEMENT 03

RISK MANAGEMENT AND INTERNAL CONTROL SYSTEM

Description of the risk management and internal control system The basics This Group system is based on: ◆ two charters relating to:

Business continuity and crisis management Groupe ADP has implemented a business continuity and crisis management process for greater control of risks that have a major impact on business continuity. For this, it is supported by a Group Policy on Business Continuity (PGCA). The aim is to guarantee services that are essential for the Group’s operations. For each of these, the PGCA indicates the objectives, principles, responsibilities and procedures. To date, it has been rolled out: ◆ in France, as part of a business continuity plan (PCA) for each of the platforms (Paris-Charles de Gaulle, Paris-Orly and Paris-Le Bourget) and for each of the support activities essential to the smooth running of airport operations (IT systems and human resources); ◆ abroad, by means of an initial business continuity plan (PCA) for the Queen Alia platform (QAIA) in Amman, Jordan. With regard to crisis management, Groupe ADP’s system aims to ensure continuity of the Group’s operational control and the quality of its response to sudden, unexpected events. It must contribute to optimally keep the activities at satisfying levels of quality while remaining in compliance with the security and safety obligations. The Group’s management continuity and crisis management system is described in a booklet. Crisis exercises are also carried out several times per year to test the system’s effectiveness, with feedback enabling improvements to be made. Insurance The financial consequences of certain risks can be covered by insurance policies where their order of magnitude justifies it and providing that cover is available under acceptable terms and conditions (see “Group’s general insurance policy” below). The Legal and Insurance Division oversees the general policy on Group insurance (see below), manages the use of insurance within the Group and provides coordination and expertise in this area in France and worldwide. Periodic monitoring of the system The risk management and internal control systems are monitored by: ◆ the monitoring of major incidents and incidents due to unacceptable risks; ◆ the Corporate Audit and Internal Control Division; ◆ external structures (see below). Major incidents Major incidents or incidents linked to unacceptable risks are identified by the Group’s entities. A statement of reported incidents is sent annually to the Chairman and CEO and the Deputy CEO. Internal audit It aims to provide the Group, in complete independence, with reasonable assurance over the degree of control over its operations, provide advice on improvements and contribute to creating added value.

◆ management of risks and internal control: the charter indicates that the Group applies the provisions of the AMF’s reference framework; it was supplemented in 2019 by a note describing Groupe ADP’s new guidelines relating to internal control, ◆ internal audit: the charter is based on international standards and the Internal Audit Code of Ethics distributed in France by the French Institute for Audit and Internal Control (IFACI) and which constitutes the international reference framework for internal audit; ◆ two methodological guidelines relating to risk management and internal audit. It is also based on the Group’s ethical rules (section 15 of the 2019 Universal Registration Document) which are created by the governing bodies and communicated to all employees. Risk Management The aim of this system is to provide all of the stakeholders with a global overview of the Group’s major risks and their level of control (section “Risk factors” of this document). Risk mapping is updated every year. It enables the Group to identify the major risks and prioritise and deal with them and to monitor the actions identified. Risks are assessed according to their impacts and frequency, given the existing control measures. They are then prioritised according to their critical level. The major risks and so-called unacceptable risks 1 are subject to specific monitoring. After a review in the Risks and Internal Control Operational Committee (CORCI), the Group mapping is submitted to the Comex, then presented to the Audit and Risk Committee and the Board of Directors. The Group’s risk mapping takes into account the CSR challenges identified in the materiality study performed in 2018. Internal control The aim of internal control is to contribute to risk management, the effectiveness of Group operations and the efficient use of its resources. Internal control is based on both cross-functional deployment, applicable to all of the Group’s entities, and per entity, in particular through the management systems (ISO 9001). New guidelines have been drafted to strengthen the Group’s internal control, in particular with regard to international development. In this respect, key controls have been drafted on administrative, accounting and financial processes. These have led to the creation of a shared manual within the Group.

1 The Group defines the risks that, whatever their level of criticality, are unacceptable. These are subject to specific monitoring and the different entities are required to be extremely vigilant with regard to them.

18

AÉROPORTS DE PARIS ® UNIVERSAL REGISTRATION DOCUMENT 2019