GROUPAMA / 2018 Registration document

CORPORATE GOVERNANCE AND INTERNAL CONTROL INTERNAL CONTROL PROCEDURES

In accordancewith the requirementsof Solvency 2,a gap analysis was conducted in 2018 on each of the policies to verify whether they should beupdated. The internal control system deployed by the Group is based on commonly accepted practices (1) It covers the first-level and second-levelpermanent control system as well as periodic control (or third-level control). Permanent controlis implemented by: operational units thatprovide first-level control; ❯ teams specifically dedicated to permanent control (risks, ❯ compliance with laws and regulations, accounting control, security of information systems, etc.) that provide second-level control.

The internal audit function periodically assesses the adequacy and proper functioningof the permanentcontrol systemand provides a third level of control. The various business lines are responsible for the risks that they generate through the operations that they carry out. They ensure and assume the first-level controls ontheir scope of responsibility. Second-level and third-level controls are usually the responsibility of the specialised departments: the Group Risk Management/Control and Compliance ❯ Department; the Audit Department. ❯ However, certain second-level permanent controls may be conducted by dedicated departments according to the organisation of the activity (Accounting Department, Information Systems SecurityDepartment, Legal Department, etc.).

3

INTERNAL CONTROL ORGANISATION

Governing bodies

LEVELS TYPES OF CONTROLS

3

Audit

Permanent Periodic

Permanent Control & Risk Management

2

Independent

Hierarchy

1

Employees/Operational Units

Operational

Principles of organisation 3.4.2.1 As the central body, GroupamaAssurancesMutuelles has defined a uniformpolicy frameworkto be put in place within the companies that takes into account their specific characteristics in terms of regulations, structure, organisation, and activity. The aim is to ensure the consistencyof the principles and rules of management of permanent control and periodic control, with a view to controllingthe risks that affect the Group, while taking into account the principle of proportionality as provided for in the Solvency 2 Directive. The Group General Audit Department and the Group Risk Management/Controland Compliance Department each manage and supervise the internal control system for the entire Group. In practice, they are in direct contact with the regional mutuals and the subsidiaries both nationally and internationally as well as with medium-sizedcompanies. Each of these companiesmust include

in its scope all of its own subsidiariesand manage and oversee the implementation and monitoring of internal control systems in accordancewith the principles andrules set out bythe Group. The Group Audit Department, under the responsibility of the Director of Audit, Risks, and Internal Control, and the Group Risk Management/Control and Compliance Department (DRCCG) report to the Deputy Chief Executive Officer of Groupama AssurancesMutuelles. The Group Audit Director and the Group Risk Management/Controland Compliance Director periodically report to the Audit and Risk Management Committee of the Groupama Assurances Mutuelles Board of Directors on the Group’s position and any work in progress in terms of internal control and risk management. It coordinates the actions of the Group Risk Management Department and the Group Operational Risk Management andPermanentControl Department.

Inspiredby the IFACI’s work and using the COSOas a reference. (1)

65

REGISTRATION DOCUMENT 2018 - GROUPAMA ASSURANCES MUTUELLES