EDF / 2018 Reference document
2. RISK FACTORS AND CONTROL FRAMEWORK
Control of Group risks and activities
2.2.2 IMPLEMENTATION OF SYSTEMS FOR THE CONTROL OF RISKS AND ACTIVITIES
Methods - Tools: a methodology guide is available to the entities in support of this approach. In addition, a Risk Management Information System (RMIS) has been deployed since 2016 and was made generally available to the whole Group in 2017 in order to promote and secure risk communication and consolidation.

Group risk mapping

On the basis of this reporting, supplemented by systematic cross-examination with the Internal Audit Division, the EDF group draws up a consolidated map of its major risks, including the overall assessment of internal control, in order to provide Management and governance bodies with a regularly updated consolidated view of major risks and their level of control (3). These documents, prepared at the end of the year, are validated by the Risk Committee and are presented to the Board of Directors after examination by the Audit Committee.

Since 2015, the Risk Committee has identified within the Group risk mapping a smaller set of “priority risks” selected as a result of their operational or strategic importance. The connection between these risks and the strategic project CAP 2030 has been given priority so that, as far as possible, risk control action plans may be included in the corresponding projects.

2.2.2.1.2 Crisis management and business continuity

The crisis-management and business-continuity policy defines the organisation principles for crisis management and business continuity and specifies the entire system necessary to its implementation.
This policy consists in particular of:
■ making sure of the existence of organisations for crisis management and permanent systems for raising alerts;
■ checking the existence and regular update of relevant crisis-management procedures, with regard to the risks involved;
■ defining, for periods of crisis, coordination procedures with all stakeholders;
■ ensuring feedback from crises and crisis exercises is systematically applied in order to avoid or reduce the consequences of similar crises;
■ checking the existence of business continuity plans within each entity;
■ checking the implementation of professional development actions for all players in the crisis.

A crisis exercise programme allows these mechanisms to be tested in terms of their effectiveness and overall consistency. In 2018, particular attention was paid to adapting the Group's crisis organisation to the risk of a cyber crisis.

2.2.2.2 Specific control systems excluding accounting and financial information

2.2.2.2.1 Control of energy market risks

The Group annually validates the entities' hedging strategies, as well as the associated risk limits, after consulting the Group Risk Department in accordance with the Group's energy market risk policy. This policy sets out:
■ the authorised hedging strategies;
■ the governance and measurement system, clearly separating risk management and control responsibilities and enabling the Group's consolidated exposure to be monitored;
■ the risk control processes involving the Group’s Executive Management in the event that risk limits are exceeded; a strengthened control system has been put in place for the EDF Trading subsidiary in the light of the specific nature of trading activities;
2.2.2.1 General control systems

2.2.2.1.1 Risk mapping and the report on the control of activities and risks

Report on the control of the activities and risks of the entities

Each Group entity (60 entities in 2018 within the scope of EDF and its controlled subsidiaries) prepares an annual report on the control of its activities and risks, based on a self-assessment, and a description of its progress actions. Each report gives rise to a commitment signed by the Director of the entity on the level of control achieved and the actions undertaken.

In 2018, the self-assessment framework evolved to identify more relevant and fewer control points in order to meet the simplification challenges of CAP 2030, thus promoting better managerial involvement.

The report includes internal control, the report on the safeguarding of assets and the ethics and compliance report.

The part relative to ethics and compliance fulfils the requirements of the Group Ethics and Compliance policy, including: the ethics alert system, prevention of the risk of corruption (control of the integrity of business relations, supervision of gifts and invitations); financial ethics (prevention of the risk of money laundering and the financing of terrorism, prevention of market abuse, compliance with the EMIR (1) regulation); prevention of breaches of competition law; prevention of conflicts of interest; compliance with rules on the protection of personal data; fraud prevention; preventing bullying and discrimination; compliance with sectoral regulations (REMIT (2) regulations on integrity and transparency in energy markets, regulations concerning dual-use goods); and, compliance with international sanctions programmes.
The part relative to security of assets fulfils the requirements of the Security of Assets against Malicious Acts Group policy, including: the safety of individuals during international travel, the security of material assets and the security of intangible assets (identification, classification and protection of sensitive information).

In addition to these topics, self-assessments more generally report on the control of all their "business line" activities and all the requirements of the other cross-functional areas identified in Group policies, in line with their risk mapping.

Finally, self-assessments report on the control of requirements relating to internal accounting and financial control, in line with the AMF framework (see section 2.2.2.3 "The internal control procedures relating to reliability of financial and accounting information").

Entity risk mapping

The entities produce an annual risk map based on a methodology common to the entire Group. The process of constructing the map of risks for the entities is based on:
■ the principle of management responsibility mentioned in section 2.2.1.1 "General organisation" above;
■ the typology of risks, for identification that is as broad as possible, including internal and external risks, and operational and strategic risks, as well as opportunities;
■ a qualitative evaluation method of the impact, the probability and the level of control of each risk;
■ the description of action plans for dealing with risks and the evaluation of their effectiveness.

Numerous discussions have taken place between the Group Risk Division and the entities, with the aim of querying the relevance of risks and the soundness of the control actions undertaken.
(1) European Market Infrastructure Regulation (EMIR): European regulation on market infrastructures.
(2) Regulation on Wholesale Energy Market Integrity and Transparency (REMIT).
(3) Group risk mapping notably includes environmental risks and risks related to climate change (physical risks and transition risks). These risks are described in section 2.1 "Specific risks to which the Group is exposed"; the strategic response to the challenges of climate change is described in section 3.3 "Other subject areas of the sustainable development policy".