Exclusive Networks // Sustainability Report 2022

Risks and opportunities Internal control and risk management

2.2.4

Internal control and risk management analysis process

This register is regularly updated to reflect changes in risks and the implementation of mitigation measures. The risk map established in 2021 was expanded in 2022 with the specific risk mapping for corruption. It will be updated in 2023, though there was no significant change to the main risks in 2022. The Internal Audit Department conducts regular reviews of risk management processes. These reviews cover the Group’s compliance with anti-corruption and export control laws and regulations, as well as key controls defined by internal control. These reviews give rise to a corrective action plan where necessary. Analysis of internal control The Group continues to improve its internal control framework, including by strengthening its governance, providing regular training for all relevant employees, and introducing improved technology to monitor the implementation of the controls. The operational and functional divisions play a key role in the internal control system. They work with the Internal Control Department to update the procedures specific to the processes under their responsibility. Thanks to regular dialogue between the Internal Internal Control department department and the operational and functional departments, it is possible to:  remain constantly alert to new risks that may arise or to changes in existing risks;  ensure the relevance of the controls in place;  identify any new controls that should be put in place to mitigate risks;  identify corrective actions where necessary.

The identification, assessment, prioritisation and management of the risks faced by the Group are closely and regularly monitored. The analysis of internal control and risk management is performed by the Internal Audit department, which, as an independent body within the Group, assesses the effectiveness of the main internal control processes of the Group’s audited entities. Risk analysis As part of the risk management process, the Risks & Compliance department, with input from the Executive Committee and the regional and local Management, establishes a register that presents the risks faced by the Group and provides guidance to senior management on the major risks as presented in section 2.1 “Risk Factors” of this Chapter 2. The information presented in this register includes:  a mapping of risks, allowing the Board of Directors and the Group’s Executive Management to have a visual representation of the probability of the occurrence of a risk and the impact on the Group (both quantitatively and qualitatively) should that risk occur, enabling it to better understand how to allocate resources and seek to strengthen mitigation actions;  an identification of significant risks in each category;  for each significant risk, an overview of its potential causes and consequences, and existing and planned mitigation measures;  an indication on the level of the probability of the occurrence for each risk identified and the impact on the Group should that risk occur; and  the identity of the risk owners and sponsors (members of the Executive Committee) who have been assigned as responsible for implementing mitigating actions under the Board of Directors’ supervision.

23

Exclusive Networks

Sustainability Report 2022