EDF / 2018 Reference document
2. RISK FACTORS AND CONTROL FRAMEWORK
2.2 CONTROL OF GROUP RISKS AND ACTIVITIES
The objective of this section is to focus on control procedures related to activities or risks deemed significant, and on the main long-term procedures in place in 2018, highlighting changes and key initiatives developed during 2018. These internal control and risk management procedures fall within the framework defined by the corpus of Group policies. They also obey the general principles set out in the AMF’s risk management and internal control reference framework (published on 22 July 2010) and they are based on the changes made to the main international reporting guidelines, in particular COSO-2013.
All of these measures based on the three control lines provide the managers and governing bodies of the Group with “reasonable assurance” concerning the identification and coverage of the main risks.

Scope

With regard to the scope controlled (excluding those subsidiaries that are operators of regulated infrastructure), these objectives and principles are implemented by the departments or subsidiaries managed by the members of the Executive Committee, who make sure that they are implemented in the Divisions, operational units or subsidiaries that they control.

With regard to the other subsidiaries of the Group (subsidiaries that are operators of regulated infrastructure and significant shareholdings), the representatives of EDF within the governing bodies make sure, for each subsidiary, that a system for controlling activities and risks is put in place. They provide regular information on the map of risks and internal control and audit activities (programme and main results). They can also check the effectiveness and appropriateness of each of these measures through a periodic audit of the respective entities. The applicable principles are nevertheless adapted for the operators of regulated infrastructure to ensure compliance with obligations relative to their management independence.

2.2.1.2 Delegations of authority and technical authorisations

The Chairman and CEO delegates some of his/her powers to the members of the management team, in line with the organisation of the Group and with the responsibilities assigned to the heads of these entities.

The organisation put in place for procurement is designed to ensure proper control of the processes. Procurement contracts are signed, depending on thresholds, either by the Chairman and CEO, a Group Executive Director or any of their delegates following signature by the Procurement Department Director or any of their delegates.
Signature by the Procurement Department Director or their delegates formally recognises that the instrument complies with the procurement process. Each Group Executive Director is expected to reinforce the internal control system for procurement instruments submitted for their signature and those procurement instruments directly handled by their department.

The Chairman and CEO delegates the nuclear operator liability to the Group Executive Director for the Nuclear and Fossil-fuel Fleet Department and the Group Executive Director for the New Nuclear Engineering and Projects Department, who then sub-delegate it to the Directors of the divisions involved, who in turn sub-delegate it to unit managers.

Authorisations are issued by each facility manager, who must ensure beforehand that the skills of the sub-delegates have been assessed and that resources have been provided to them. These requirements apply to all persons carrying out work, both for staff of EDF and service providers.

The Group Delegation of Authority Directive aims to inform and raise awareness among EDF entities of the nature, consequences and management rules of delegation of authority.

2.2.1.3 The management bodies

The organisation of the Executive Management of EDF is described in section 4.3.1. "Members of the Executive Committee". Each member of the Executive Committee is responsible for implementing all actions necessary to control the risks within their scope.

Risk Committee

The Executive Committee meets at least twice a year on the occasion of a Risk Committee, where it examines in particular the mapping of the Group's risks and the assessment of internal control activities. It identifies the priority risks for the Group, shares their strategy for mitigation with regard to the strategy of the Group and designates the members of the Executive Committee who are its sponsors. The Risk Committee also examines the audit activities (annual programme, results).
2.2.1 General organisation
2.2.1.1 Framework: Group policy corpus
CONTROL ENVIRONMENT
Since 2017, the EDF Group has organised the control of activities and risks around the Group policies validated and signed by the Executive Committee. This corpus defines sustainable and cross-functional requirements for all Group entities and subsidiaries. It covers the following topics: Steering and Operation, Ethics and Compliance, Safety and Security, Sustainable Development, Human Resources, Purchasing, Real Estate and General Services, Legal, Finance and Markets, Communication, Information Systems and Digital Transformation. Regular updates make it possible to adapt requirements to regulatory changes and strategic orientations.

Control system objectives

The system for controlling the risks and activities of the Group, defined in the “Group functioning principles/Risk management and internal control” policy aims to:
■ identify and periodically reassess the significant risks and opportunities likely to impact the targets of the Group, in order to ensure the existence and control of relevant and effective action plans;
■ constantly ensure:
    ■ compliance with laws and regulations,
    ■ compliance with Group policies,
    ■ the correct functioning of internal processes, notably those contributing to the protection of the Group’s assets,
    ■ the reliability of financial information,
    ■ and, generally, the control of risks and activities of any kind.

Principles of execution

The fundamental principles of execution are based on the three lines of control model:
■ first control line: each of the managers at every level, for the missions that are assigned to them, is responsible for: identifying and managing the main risks related to their activities; ensuring this control for the missions that they assign to their staff; ensuring that the measures for controlling identified risks are proportionately supported; formally and regularly reporting, to their own manager, on risks identified and on control measures through self-evaluations;
■ second control line: the support functions define common requirements for the Group and supervise their control. Their contribution to controlling the activities of the Group is specified in section 2.2.1.4. "The second line of control of risks and activities: players and missions". Amongst them, the risk and internal-control functions organise the overall control measures and prepare reports intended for the Group’s governing bodies. The specific measures aiming to control risks and activities are detailed in section 2.2.2 "Implementation of systems for the control of risks and activities";
■ third control line: the independent audit system can check the appropriateness and effectiveness of the measures for managing the risks and activities of the Group’s entities, check management of the main cross-functional processes and major projects of the Group, and more generally, check the level of control of the Group’s risks (see section 2.2.1.5).