Euronext - 2020 Universal Registration Document

Risk Management & Control Structure

Control Structure

OVERVIEW TABLE OF PRINCIPAL RISK CATEGORIES AND CORRESPONDING RISK APPETITE:

Strategic Risks: Risks related to business activities

Operational Risks & Compliance Risks: Risks related to the day-to-day operations

Financial Risks

Risk appetite is defined as the level and nature of risk the business is willing to accept in achieving its strategic objectives. Euronext’s overall risk appetite is defined by the Managing Board and approved by the Supervisory Board as part of setting and implementing strategic and operational objectives.

Euronext is willing to take risks in pursuit of its strategic objectives. Euronext has a low appetite for risks that may impact its core business; Euronext has a low appetite with respect to compliance risk. Euronext is willing to take some financial risk, however aligned with the long-term nature of the business and maintaining its investment grade profile and capital requirements.


For material risks related to the above categories please refer to section 2.1.

Risk Reporting – The Supervisory and Managing Boards and a Business Risk Group (BRG), made up of Senior Managers, are informed in a timely and consistent manner about material risks, whether existing or potential, and about related risk management measures in order to take appropriate action. Reports are issued to the above-mentioned groups of the Company on a regular basis. Ad hoc reports may be issued when a new risk or the development of an existing risk warrants escalation to the relevant Committees of the Company.

Risk Identification involves the identification of threats to the Company as well as causes of loss and potential disruptions. Risks are composed of the following categories:

• strategic: the effect of uncertainty on Euronext’s strategic and business aims and objectives; risk of missed opportunities due to the method of execution decisions, inadequate resource allocation or failure to respond to changes in business development;
• operational: the risk of loss or inefficiency resulting from inadequate or failed internal processes, people and systems, or from external events; key programmes or projects are not delivered effectively;
• compliance: the risk of legal or regulatory sanctions, material financial loss, or loss of reputation which Euronext could suffer as a result of its failure to comply with laws; the risk of loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices;
• financial: the risk of loss inherent in financing method which may impair the ability to provide adequate return; the risk that cash flow will not be adequate to meet financial obligations.

An emphasis is put on operational and compliance risk due to the importance of operations and related licenses to operate as well as initiatives for Euronext.

Risk Assessment is made in the possible event of an incident or a potential risk development. It aims to assess the risk qualitatively and quantitatively where possible, using supporting information such as performance indicators. This assessment, defining the residual risk level, takes into account mitigation measures currently in place such as controls, business continuity measures or insurance policies. The overall Risk Assessment phase is carried out by the risk management team (“RMT”) in conjunction with Risk Coordinators (“RCs”) based on data and information produced by and collected from the relevant areas via the periodic and ad hoc reporting or upon request of the RMT as necessary. Assessments are discussed with the business areas. Mitigation measures for each risk are identified and evaluated, and the residual risk is assessed and reported.

Risk Management determines and implements the most appropriate treatment to the identified risks. It encompasses the following: avoidance, reduction, transfer and acceptance. Organizational units and employees perform risk management and implement mitigating actions as required by the risk appetite and escalation process. As noted, residual risks may remain after such management process is applied (see Risks section).

[Figure: risk management process. Labels: Set and launch objectives & strategies (commercial, financial & operational); Identify & assess risks; Sustain & improve processes & infrastructure; Create and preserve value for stakeholders; Determine risk responses; Design & implement control; Monitor, report & escalate risks.]

Business Continuity Management – A component of efficient risk management is understanding that the identification of each risk that may be faced is an insurmountable task; business continuity arrangements are therefore necessary in order to respond to unforeseen events as quickly as possible, in the event of any disruption to our working environment. Effective Business Continuity Management and Disaster Recovery are vital in protecting and underpinning the reputation, efficiency, resilience and competitiveness of the Company, as well as the Company’s stakeholders. Business Continuity at Euronext is supported by the Business Continuity Steering Group, which consists of representatives from the Company’s major departments. Its role is to approve the Business Continuity & Disaster Recovery and Crisis Management policies and procedures and to provide guidance to the BCM team in the development of its function. The Business Continuity framework and its implementation at Euronext are based on internationally recognized business continuity principles including those developed by the Disaster Recovery Institute International (DRII), the International Organization
