EDF / 2018 Reference document

RISK FACTORS AND CONTROL FRAMEWORK Control of Group risks and activities

■ the two-tiered organisation of the energy markets risk control unit, the entities carrying out operational control and the Group Risk Management Department ensuring second-level control.

An annual review of the implementation of this policy is presented by the Group Risk Department to the Audit Committee of the Board of Directors. The expectations, main provisions and procedures for implementing this policy are described in section 5.1.6. "Market risk management and control". In addition, a Group REMIT directive defines the expectations for ensuring that the Group's entities comply with the European Regulation on the transparency and integrity of the wholesale energy market.

2.2.2.2.2 Control of financial risks

The policy on financing, cash and the control of financial risks requires all entities of the Group to continuously and systematically identify financial risks (in particular, liquidity, interest rates, foreign exchange and counterparty). The Group Risk Department exercises 2nd level control of these risks via:
■ verification that the principles of the policy have been properly applied (preparing work management frameworks, methodology, monitoring exposures, regular calculation of risk indicators and checking compliance with risk limits);
■ the control of positions in the trading room in charge of cash management. For these activities, a system of indicators and risk limits checked on a daily and a weekly basis is in place.

The Markets Committee (a body that brings together the Finance and Investment Department and the Group Risk Department) checks and reviews on a quarterly basis, where necessary, requests for exemptions to the work management framework and requests for investment in new financial products. The policy on the constitution, management and control of the financial risks involving dedicated assets of EDF SA applies to the portfolio of dedicated assets which are managed by the Financial Department.
The Group Risk Department prepares an annual risk mandate and specific working frameworks which define the principles for managing risks and the risk limits that are acceptable for this portfolio.

2.2.2.2.3 Approval of commitments

The Commitments policy establishes that the Commitments Committee examines all of the commitment projects of the Group, excluding regulated subsidiaries, covering:
■ investment, divestment, and merger and acquisition projects exceeding €50 million;
■ expenditure covering supplies, works or services of an amount exceeding €200 million over the entire duration of contracts;
■ long-term purchases or sales of energy and emission credits and CO2 quotas for annual volumes or amounts exceeding 5TWh for electricity, 10TWh for gas and €150 million for coal, oil, emission credits and CO2 allowances;
■ the multiannual programme to supply back-end reactors and services of the nuclear fuel cycle;
■ the annual programmes of commitments relative to decommissioning (including operations for the transfer of obligations) or those at the back-end of the nuclear fuel cycle;
■ strategic projects likely to commit the Group over the long term through several investments below amounts of €50 million each.

The projects presented include an in-depth analysis of risks according to a methodological standard for the analysis of defined risks. Whenever necessary, the proposed commitments are then reviewed by the Board of Directors as described in section 4.2.2.3 "Powers and duties of the Board of Directors". “Strategic disposal projects” are investigated separately and supervised by the Disposals Committee to preserve confidentiality and responsiveness.
2.2.2.2.4 Security of Information Systems (IS)

The security of information systems is governed by the Information Systems Security Policy focusing on: strengthening the involvement of managers and the protection of assets associated with the information system; management of information systems security risks; taking new regulatory obligations into account (European regulations on the protection of personal data, Law on Military Programming, etc.). Internal control and cover of the risks specific to IS issues is coordinated by the Group Information Systems Department based:

■ on the IS Group Committee (which consists of the EDF SA information systems department and the CIOs of the main subsidiaries) for approval of the cross-functional risk mapping and control actions to be implemented; and
■ on the Group’s Information Systems Security Managers, for the consistency, coordination and monitoring of control actions following on from the various checks and audits of information systems security.

The main actions implemented in matters of IS security in 2018 are:
■ transformation, through the publication of the Information Systems Governance and Digital Transformation Policy, of the Group's CISO into a true "Group Cyber Security Director" who prescribes for all the Group's IS, able to launch cyber security audits while respecting business prerogatives;
■ implementation of a cybersecurity communication plan for all users and a specific awareness campaign for the Management Committees of the divisions and the Executive Committees of the subsidiaries;
■ implementation of an annual cyber-security review involving Group Entities;
■ ongoing strengthening of the safeguarding of the most critical assets;
■ adaptation of the Group's crisis management system to better take into account cyber incidents;
■ tests of the Disaster Recovery Plan and the preparation of a "Group-wide" cybersecurity crisis exercise for early 2019.

2.2.2.3 The internal control procedures relating to the reliability of financial and accounting information

2.2.2.3.1 Reporting Guidelines

The internal control manual was entirely restructured in 2011 with regard to control of accounting and financial information in order to bring it into line with the AMF (French Financial Markets Authority) reference framework as revised in 2010. It was also revised in 2015 and 2016 to fit into the Group’s new internal control dynamic. The fundamentals of governance, roles and responsibilities remain unchanged.

The accounting standards used by the EDF group (the scope of the Group's consolidated financial statements is included in the notes to the consolidated financial statements (see section 6 "Financial statements")) comply with the international standards published by the International Accounting Standards Board (“IASB”) approved by the European Union and applicable as at 31 December 2018. These international standards include the IAS (International Accounting Standards), IFRS (International Financial Reporting Standards) and the SIC and IFRIC interpretations. The accounting rules and methods are specified in the Group's accounting principles manual and summarised in the notes to the consolidated financial statements. The principles applicable to the preparation and reporting to the Group's Finance Department are defined in the Accounting and Financial Reporting policy. The measures to be taken concerning the control procedures are described in the Group Accounting and Financial Internal Control directive. The Finance Management Directors of the Departments of the business lines and Subsidiaries sit on the Management Committee of the entities to which they belong. With the exception of the operators of regulated infrastructure, they are appointed and evaluated jointly by operational management and the management of the Management Control function. A network of correspondents from the operational Departments and subsidiaries facilitates dissemination of the instructions and harmonised implementation throughout the various Group entities. Each EDF operational and functional Director makes a commitment each year with regard to the quality of the Internal Control system in the Accounting and Financial areas, the improvement goals for the coming period and the truthfulness and exhaustiveness of the accounting information for which they are responsible by preparing a commitment letter sent to the Group Accounting and Taxation Director.

In return, each Director receives a letter assessing accounting quality from the Group Tax Accounting Director based on various evaluation elements (results of internal controls, accounting quality dashboard indicators, accounting assessment letter from the CSP2C, specific actions) which highlights the progress made and determines the improvement actions to be undertaken or continued. An indicator reference framework is used within EDF. It makes it possible to measure areas of conformity of the accounting information for each process. With regard to subsidiaries, each legal entity is responsible for the implementation of the Group's Accounting and Financial Internal Control Directive.
