EDF / 2019 Universal registration document

2. Risk factors and control framework Risks to which the Group is exposed

Furthermore, EDF Inc. is a member of NEIL (Nuclear Electric Insurance Limited) – a mutual nuclear insurance company in the United States, so as to cover the activities of CENG (Constellation Energy Nuclear Group) in the United States. Premiums The total amount of Group insurance premiums for all types of cover was €236 million in 2019. Focus on the 3rd line of 2.1.3 control: the Group’s audit unit The Group’s audit unit is composed of all of the audit resources of the Group exercising an internal audit activity. Pursuant to a decision of the Chairman and CEO this function is supervised by the Group Audit Director. It includes the Internal Audit Department (“IAD” reporting to the General Secretary) and audit teams specific to each of the main French and foreign subsidiaries. The relationship between the IAD and the various audit teams and their respective prerogatives take into account whether the teams belong to EDF or Enedis, for which the relationships are adapted to ensure compliance with the principle of management independence. The IAD carries out functional supervision of the business line (co-appointment and peer assessment of Audit Directors of the subsidiaries by the IAD – excluding Enedis –, exchanging best practices, training, sharing tools and methods, etc.). At the end of 2019, the Group audit unit consisted of 70 FTE  (1) . Operating standards for EDF and controlled subsidiaries The IAD applies the international standards defined by the Institute of Internal Auditors and monitors their compliance. The missions, powers and responsibilities of the auditors as well as the rights and duties of the audited parties are defined in a charter that was issued in July 2019. It sets out the fundamental principles governing audits, the procedures for drawing up the programme, the types of assurance assignments entrusted to it, and the duties of the audited parties and auditors. It includes a code of ethics applicable to the entire sector. This Code is intended to promote a culture of ethics and serves to reiterate that the auditor must comply with and apply certain basic principles relevant to the profession and the conducting of internal audits. The Internal Audit Department has direct access to the Chairman and Chief Executive Officer; it reports on assignments to the Audit Committee, which gives an opinion on the risk-based internal audit universe, reviews the performance of audits and verifies the adequacy of the workload and resources dedicated to internal audits. Auditors are trained in the same methodology, in line with international standards and are evaluated at the end of each mission.

The IAD’s processes for all activities (from the definition of the audit programme to the monitoring of action plans) are outlined and steered. The audit unit regularly submits voluntarily to evaluation by IFACI  (2) . The last evaluation of 2018 stated, as previously, that the audit practices were compliant with the international standards of the profession. Functioning procedures The Group’s audit unit conducts audits of the entities and controlled subsidiaries, Business Units, projects and cross-functional functions. These audits include a review of the robustness of internal control and are carried out every three to five years depending on their level of significance. The IAD conducts corporate cross-functional audits, whereas the Audit Departments of the subsidiaries only conduct audits within their scope. The IAD is the only entity competent to carry out audits of BUs/projects involving a corporate level risk. The audit program is drawn up on the basis of the Group’s priority risk universe; all Group BUs, projects and processes must be audited on a regular basis. All audits give rise to recommendations which, once validated by the audited parties and their management, become the subject of action plans drafted by the aforementioned management and audited parties. These action plans are sent for opinion to the IAD, which subsequently monitors them, starting no later than six months after the audit report is circulated. A half-yearly summary report recaps the main findings of the corporate audit and the follow-up of action plans. The half-yearly report also presents the results of the audit programme, the satisfaction of the audited parties, the activity of the sector as well as an assessment of skills and the budget. Furthermore, it identifies any recurring or generic problems observed in several audits and which merit special attention. Finally, it provides an audit-based view of the Group’s level of risk control. This report is presented to the Chairman and Chief Executive Officer, the Executive Committee, and then to the Audit Committee and the Board of Directors. External controls 2.1.4 Like all listed companies, the EDF group is subject to review by the AMF. As a company majority owned by the French State, EDF is also subject to control by the Cour des Comptes (French Court of Auditors), State Controllers, the Inspectorate of Finance, Economic Affairs Committees or ad hoc Committees of inquiry of the French National Assembly and Senate. According to law, the Statutory Auditors certify the annual financial statements (statutory and consolidated financial statements) and perform a limited review of the Group’s half-yearly condensed consolidated financial statements. Their report includes the verifications on the information on corporate governance required by the Articles L. 225-237-3 et seq. of the French Commercial Code ( Code de commerce) . In the light of its activity, EDF is also subject to control, in France, by the Energy Regulation Commission (CRE) and the French Nuclear Safety Authority (ASN).

Risks to which the Group is exposed 2.2 The Group operates in a fast-changing environment that entails numerous risks of various kinds: they may be strategic or operational; some are exogenous, others are endogenous and inherent to the Group’s business lines. Their consequences may be manifold and may affect the Group’s operating results, the Group’s financial position and its ability to finance its strategy or development, affect its internal or external stakeholders or environment, or impact its reputation.

Risks are divided into five categories, described in sections 2.2.1 to 2.2.5 respectively. Section 2.2.1 “Market regulation, political and legal risks” describes the risks related to changes in public policy and regulation in the countries and territories where the Group operates, as well as the legal risks to which the Group is exposed. Section 2.2.2 “Financial and market risks” describes the risks arising from exposure to the energy markets in which the Group operates, as well as risks related to changes in the financial markets and the reliability of related information. Section 2.2.3 “Group transformation and strategic risks” describes the risks related to the Group’s ability to adapt, particularly in terms of strategy and skills, in response to the needs for transformation brought about by climate change, new competition, and technological and societal changes.

The Group describes hereinafter the specific risks to which it considers itself exposed. The principle of specificity leads us to describe in this section only those risks for which the specificity of the EDF group is a key factor. For risks that are not specific to the Group, the absence of a risk description in this section does not exclude the Group from taking the risk into account.

(2) Institut français de l’audit et du contrôle interne (French Institute of Audit and Internal Control). (1) Full-Time Equivalent.

110

EDF | Universal registration document 2019

www.edf.fr