Euronext - 2020 Universal Registration Document

Risk Management & Control Structure 2 Control Structure

Supervisory Board Approves strategic objectives and validates risk appetite Reviews Euronext's risk management and internal control systems Assesses these systems effectiveness through its Audit Committee

Managing Board

External Auditors Regulator

Oversees the suitable design and sustainable implementation of Enterprise Risk Management (ERM) and internal control systems across the Company Defines and allocates risk appetite within the Group

1 st Line of Defence

2 nd Line of Defence

3 rd line of Defence

Business and Operations Management

Risk Management Internal Control Compliance Specialist Functions

Internal Audit

Identifies and manages risks for its scope and responsibility Maintains effective internal control day-to-day

Develops and promotes the ERM framework to support management in the identification, assessment, management, monitoring and reporting of risks Facilitates consistent and periodic reviews of the design and implementation of internal control systems

Provides independent assurance of effectiveness of risk management and internal control frameworks and activities in the Group

2.3.1

SECOND LINE OF DEFENCE

Euronext’s internal risk management and control is a process executed by the Managing Board, management and other employee stakeholders. It is designed to provide reasonable assurance regarding the achieving of objectives in the following categories: n effectiveness and efficiency of operations; n reliability of financial and non-financial information; n compliance with laws, regulations and internal policies; n safeguarding of assets, and identification and management of liabilities; and n strategic and business objectives. No major failings were identified over the course of 2020 in the Risk and Internal Control Program. Euronext’s first and second lines of defense perform their roles in risk assessment and reporting on risk management and control systems. The concluding results are reported in Group Risk Profile and discussed regularly at Managing Board meetings and with the Supervisory Board via the Audit Committee. Internal Audit, as the third line of defense, evaluates the design and effectiveness of Euronext’s governance, as well as its risk management and control systems. Audit reports are discussed with risk and process owners. The Head of Internal Audit attends Managing Board meetings on a regular basis to discuss its findings and recommendations. In 2020, the evaluation of the adequacy of Euronext’s internal risk management and control systems were discussed with the Audit Committee and Supervisory Board.

2.3.1.1 Risk Management On Group level, Risk Appetite is the type and amount of risk, on a broad level, Euronext is willing to accept in achieving its strategic objectives. Developing the Risk Appetite Statements is an exercise in seeking a balance between risk and opportunity. Risk Appetite is set for both risks related to daily business as usual operations and specific business initiatives. Risk Appetite sets the basis for the requirements for monitoring and reporting on risk. Risk appetite is considered at an operational level and strategic level with quantitative and qualitative components and cascaded into Business Lines and legal entities. These components are used during the assessment process to develop the residual risks and support what is escalated to the Managing Board and Supervisory Board.

58

2020 UNIVERSAL REGISTRATION DOCUMENT