EDF / 2020 Universal Registration Document

2 RISK FACTORS AND CONTROL FRAMEWORK Risk management and control of activities Risk mapping and the report on the 2.1.2.1 control of activities and risks Report on the control of the activities and risks of the entities Each Group entity (54 entities in 2020 covering the scope of EDF and controlled subsidiaries) prepares an annual report on the control of its activities and risks based on a self-assessment, including a description of its improvement actions. Each report gives rise to a commitment signed by the Director of the entity on the level of control achieved and the actions undertaken. The report includes in particular internal control, the report on the safeguarding of assets and the ethics and compliance report. The ethics and compliance section meets the requirements of the Group Ethics and Compliance policy, including: the ethics alert system, prevention of the risk of corruption (monitoring the integrity of business relations, managing gifts and invitations); financial ethics (prevention of the risk of money laundering and financing of terrorism, prevention of market abuse, and compliance with the EMIR regulation (2) ); prevention of breaches of competition law; prevention of conflicts of interest; compliance with personal data protection rules; combating fraud; combating harassment and discrimination; due diligence; compliance with sector-specific regulations (REMIT regulation (3) on integrity and transparency of energy markets, regulations on dual-use goods); compliance with international sanctions programmes. The part relating to security of assets fulfils the requirements of the Security of Assets against Malicious Acts Group policy, including: the safety of individuals during international travel, the security of material assets and the security of intangible assets (identification, classification and protection of sensitive information). In addition to these topics, entity self-assessments more generally report on the control of all their “business line” activities and all the requirements of the other cross-functional areas identified in Group policies, in line with their risk mapping. Finally, the self-assessments report on the control of the requirements relating to accounting and financial internal control, in line with the AMF framework (see section 2.1.2.4 “Reliability of financial information, accounting and financial controls, organisation of financial risk management”). Entity risk mapping The entities produce an annual risk map based on a methodology common to the entire Group. The process of constructing the risk map for the entities is based on: the principle of management accountability discussed in section 2.1.1 “Control Environment”; a typology of risks, including internal or external risks and operational or strategic risks, as well as opportunities; a qualitative evaluation method of the impact, the probability and the level of control of each risk; the description of action plans for dealing with risks and the evaluation of their effectiveness. Numerous discussions have taken place between the Group Risk Division and the entities, with the aim of querying the relevance of risks and the soundness of the control actions undertaken.

Scope With regard to the scope of control (excluding subsidiaries managing regulated infrastructures), these purposes and principles are implemented by the entities or subsidiaries, who themselves ensure their implementation in the entities or subsidiaries they control. With regards to the other subsidiaries of the Group (subsidiaries that are operators of regulated infrastructure and significant shareholdings), EDF representatives within the governing bodies make sure that a system for controlling activities and risks is put in place. They provide regular information on the map of risks and internal control and audit activities (programme and main results). They can also check the effectiveness and appropriateness of each of these measures through a periodic audit of the respective entities. The applicable principles are adapted for the operators of regulated infrastructure to ensure compliance with obligations related to their management independence. The management bodies The organisation of the Executive Management of EDF is described in section 4.3.1. “Members of the Executive Committee”. Each member of the Executive Committee is responsible for implementing all actions necessary to controlling the risks within their scope. Risk Committee The Executive Committee meets at least twice a year as a Risk Committee, during which it examines in particular the mapping of Group risks, the assessment of internal control activities and audit activities (annual programme, results). It identifies the priority risks for the Group, shares their strategy for mitigation and designates the members of the Executive Committee who are its sponsors. The Group Executive Committee Commitments Committee To strengthen the appraisal and monitoring of projects, the Group Executive Committee Commitments Committee (CECEG) (1) thoroughly examines the most significant projects in terms of the extent of the commitments and/or the risks incurred before decisions are made by the Executive Committee (see section 2.1.2.3 “Approval of commitments”).

2.1.2

Focus on the 2nd line of

control: cross-functional control systems

The second line is made up of all the functional departments, which are responsible for leading and coordinating the implementation of the Group’s policies within their remit. The focus is specifically on the following cross-functional control systems: risk mapping and operations and risk management report, ethics and compliance programme, approval of commitments, reliability of financial information, crisis management and business continuity, insurance, etc. Please note: aspects relating to the Group’s human resources, including in particular the control of risks relating to the health and safety of employees and service providers, are set out in detail in section 3.3.1.3 “Health and safety of employees and subcontractors” of the Universal Registration Document.

(1) The composition of the Group Executive Committee Commitments Committee is the same as that of the Executive Committee. (2) European Market Infrastructure regulation (EMIR): European regulation on market infrastructures. (3) Regulation on Wholesale Energy Market Integrity and Transparency (REMIT): European regulation on the interity and transparency of wholesale energy markets.

99

EDF - UNIVERSAL REGISTRATION DOCUMENT 2020