GROUPAMA / 2018 Registration document

5 RISK FACTORS AND RISK MANAGEMENT
RISK MANAGEMENT AND SENSITIVITY ANALYSES

General Audit Department is confirmed by the Executive Management of Groupama Assurances Mutuelles and approved by the Audit and Risk Management Committee of Groupama Assurances Mutuelles and the Board of Directors of Groupama Assurances Mutuelles. Every mission involves a review of the risk and internal control system for the activity or entity audited; a report is prepared on the engagement presenting the observations, conclusions and recommendations to the Executive Management of Groupama Assurances Mutuelles. A regular summary is presented to the Audit and Risk Committee. A report on the progress of the recommendations is communicated on a quarterly basis to the Groupama Assurances Mutuelles Executive Management as well as the Audit and Risk Management Committee of Groupama Assurances Mutuelles.

The Group Risk Management, Permanent, and Compliance functions are responsible for ensuring that all Group entities comply with the requirements of Executive Management in terms of the internal control, compliance, and risk management system, as well as those of Solvency 2, Pillar 2. With regard to risk management, the Group Risk Management Department is especially involved in areas related to financial risks, insurance risks, and risks related to the Group’s solvency, the Group Operational Risk Management and Permanent Control Department is especially involved in the scope related to operational risk management, and the key function of Compliance Verification of Groupama Assurances Mutuelles, the Group compliance officer, is involved in the areas related to non-compliance and image risks.
Within this framework, these departments, according to their area of responsibility:
❯ assist the administrative and Executive Management bodies in defining:
  ■ the risk strategy,
  ■ the structuring principles of the risk management system;
❯ are responsible for the implementation and coordination of the risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s activities;
❯ monitor and analyse the Group’s general risk profile;
❯ report on exposures to risk and alert the administration and Executive Management bodies in case of major risks threatening the Group’s solvency;
❯ lead the Risk Committees;
❯ lead the working groups and bodies with the entities.

More specifically, the Group Risk Department, as regards the risk management function, is responsible for:
❯ developing the Group risk management policy and the coordinating policies relating to insurance and financial risks together with the risk owners concerned;
❯ defining the process for setting the Group’s risk tolerance (risk limits);
❯ monitoring the major Group insurance and financial risks (RMG);
❯ assessing and rating insurance and financial risks, including sensitivity analyses and stress tests;
❯ implementing the ORSA process: internal assessment by the Company of its risks and its solvency situation;
❯ supporting the Group’s entities in adapting the risk management system.

The Group Operational Risk Management and Permanent Control Department is responsible for:
❯ developing the Group’s internal control and operational risk management policies;
❯ developing the Group’s standards and reference sources (mapping of processes, operational risks, permanent control plans, reference source of permanent controls) and overseeing the system within the entities;
❯ monitoring and assessing operational risks (related to control of processes);
❯ acting as project owner of the EU tool for management of operating risks, OROp, managing in particular the collection of permanent control results, the incident database and the assessment of operational risks;
❯ establishing the internal control of the Groupama Assurances Mutuelles entity;
❯ defining the business continuity policy (BCP), respecting its implementation, overseeing the system within the entities;
❯ ensuring data quality, in terms of governance and control plan;
❯ ensuring the internal validation of the internal model;
❯ supporting the Group’s entities in adapting the operational risk management and permanent control systems (steering, coordination, facilitation, information, and training);
❯ reporting on the status of the Group’s Internal Control system, for the purposes of communication to the governance bodies as well as the appropriate supervisory authorities by the Director of the Group’s Risk Management/Control, and Compliance Department.

The key function of Compliance Verification of Groupama Assurances Mutuelles, the Group Compliance Officer, is more specifically responsible for:
❯ developing the Group Compliance policy. This function is involved in drafting Group compensation policies and governance and product oversight policies, in conjunction with the Groupama Assurances Mutuelles Departments concerned;
❯ overseeing the Compliance functional line and those responsible for the key function of Compliance Verification by ensuring, where necessary, that legal, regulatory and jurisprudential practices, conducted by the Group Legal Department, are implemented;
❯ regularly ensuring that local policies, when implemented, comply with the Group’s policies and procedures. (Group Legal Department ensures the compliance with the French laws and norms);
❯ identifying, assessing, overseeing, and monitoring the exposure to non-compliance risks (risk mapping, dashboards, risk sheets, etc.);
❯ assisting the business lines in drafting the level 1 control plans to strengthen non-compliance risk management, draw up the level 2 control plans;
❯ implementing and overseeing, in collaboration with all the Group companies, prevention, identification and management of conflicts of interest;
