GROUPAMA / 2018 Registration document

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL INTERNAL CONTROL PROCEDURES

Group Risk Management Department (DRG) (a) In terms of risk management, as of the end of 2018, the Group Risk Management Department (DRG) has a dedicated team of eight people and is more specifically involved in areas related to financial andinsurance risks. In 2018, the main actions undertaken by the teams in the Group Risk Management Department focused on: assessment of the Group’s Major Risks, revision and ❯ strengtheningof reporting to theGroup’s governance bodies; preparation andcoordinationof specialised RiskCommittees; ❯ continued deployment of the RCAP (regulatory capital-adjusted ❯ profitability)project; completion of the annual system of assessment and collection ❯ of insurance andfinancial risksfor all of theGroup’s entities; definition of the common methodological principles of ❯ assessment and preparation of a generic ORSA report proposed by the Group Risk Management Department, which serves asa basis forthe entities to draw up their final report; support for the Risk Managers of the Group’s entities for the ❯ processesof assessing risksand finalisingtheir ORSA reports. Both at Group level and at the entity level in France and internationally, the ORSA process was presented as work progressed,with approvalssought at each stage from the Steering Committees of Groupama Assurances Mutuelles and Risk ManagementCommitteesof GroupamaAssurancesMutuellesand the entities. At the same time, the Boards of Directorsof the Group’s insurance companies were involved – directly or through the Audit and Risk ManagementCommittee upstream of the ORSA work (particularly through the validationof calculationassumptionsand the choice of scenariosadopted)– and examinedthe results then approvedtheir company’s report before transmission to the local control authorities inaccordancewith the regulations. Group Operational Risk Management and (b) PermanentControlDepartment (DROCPG) As of the end of 2018, the Group Operational Risk Management and Permanent Control Department (DROCPG) has a dedicated team of twelve people and is involved especially in the scope relating to the management of operations risks and permanent control activities and is also in charge of the coordination of work to validate the partial internal model, major changes, and the SCR calculation by theinternal model. In 2018, the major tasks undertaken by the teams in the Group OperationalRisk Managementand PermanentControl Department focused on: continued supporting and monitoring of the deployment of the ❯ Group deliverables of Pillar 2 in theGroup’s entities; assessment of operational risks particularly on the basis of the ❯ Group nomenclature and the Group assessmentmethodology; preparation for the upgrade of the common operational risk ❯ management toolOROp; support for the Group’s entities in the implementation of their ❯ Business Continuity Plan in line with the Group policy: testing

drills, workshops, plenary session of Managers in the entities, deployment of a crisis management solution, and provision of examples ofgood practices; updating the document referencesystem; ❯ management of the network of risk and internal control officers ❯ and the organisation of meetings to discuss experiences through regular workgroups and the COMOP (operational implementationcommittee)grouping together the Arc Managers of the main companies ofthe Group’s France scope. In addition to these actions to strengthen the risk and control system, the Group Operational Risk Management and Permanent Control Department and the Group Compliance Department worked together on the annual internal control questionnaire campaign. The purpose of this self-assessmentquestionnaireis to ascertain the status of the risk control and internal control systems and their level of deployment (at both entity level and Group level) and uniformly measure the progress of the Group’s entities. This status assessmentgives rise to the developmentand monitoringof improvement actionplans. Lastly, in addition to the Group OperationalRisk Managementand Permanent Control/Group Compliance Departments, a Research Division, reporting directly to the Group Risk Management and Control Director, completes the system; its primary responsibilities include conducting general studies on the subject of risk management and control, monitoring the emergence of new risks and tracking CRO Forum files (Chief Risk Officers – European Forum). Group General AuditDepartment (c) The objectives and the principles for operation and involvement of the Group’s General Audit Department and the internal audit function as well as the relationship between the various control levels (Permanent Control, Internal Audit in the Group entities and General Audit Department) are formalised in the Group internal audit policyof GroupamaAssurancesMutuelles. The Group General Audit Department operates across the entire Group with a staff of 13 auditors. The Group General Audit Department’s 2018 audit plan was approved by the Groupama AssurancesMutuellesBoard ofDirectors. The Group General Audit Department’s 2018 audit plan is organised onan annual basis around fourtypes ofmissions: general auditsof entities; ❯ cross-functionalprocess audits; ❯ audits of the Groupama Assurances Mutuelles departments; ❯ spot audits at the request of the executive management or ❯ provided forin the Group procedures. Concerning the general audits of entities, the audit plan is created on the basis of a risk-based approach, with a three-year coverage objective for regional mutuals. Audit missions are preceded by a preliminary analysis of the risks facing the entity, in order to concentrate the audit investigations on the most sensitive areas. The audit also studies the functioning of the links the entity maintains withthe Group andthe other entities.

66

REGISTRATION DOCUMENT 2018 - GROUPAMA ASSURANCES MUTUELLES