GROUPAMA / 2018 Registration document

CORPORATE GOVERNANCE AND INTERNAL CONTROL INTERNAL CONTROL PROCEDURES

The general audits of entities conducted in 2018 by the Group General Audit Department focused on three regional mutuals, one insurance subsidiary, two service subsidiaries, and three international subsidiaries. Three subsidiaries underwent process audits as part of cumulative audits. Lastly, two cross-functional audits were conducted (one on brokerage activity and one on health benefits). The audit conclusions are reported via a table of assessment of risks to which the Company is exposedon its key processesand a list of recommendations. These conclusions are shared with the Steering Committees of the companies concerned and the Group ExecutiveCommitteefor the cross-functionalaudits. They are then presented to the Audit and Risk Management Committee of Groupama Assurances Mutuelles. At the end of 2018, the Group’s audit team had around 100 auditors across Groupama Assurances Mutuelles, the regional mutuals, andthe Group’ssubsidiaries in France and internationally. The working methods and the definition of the responsibilities of the key internal audit functions of the entities were formalised in dedicated policies approved in 2015 by the Boards of Directors of most of the Group’s entities, consistent with the principles of the Internal Audit policy of the Group and Groupama Assurances Mutuelles. The function is managed principally through an annual agreement and a quarterlyworkinggroup (WG).

The entities’ permanent control plans are integrated into the community operational risk management tool according to the Group methodology.This tool also enables collection of incidents, assessmentof operationalrisks, andmanagementof action plans. All of the Risk Management and Permanent Control/Compliance Managers of the Group’s entities supplement the plan and meet regularly within the framework of information exchange and best practices bodies, directed by the Group Risk Management, Control, and Compliance Department. An ARC operation committee brings together the regional mutuals and the main subsidiaries of the Group’s France scope, with regular reports to the SteeringCommittee. Within GroupamaAssurances Mutuelles (b) Implementing the internal control system at the level of the functional and operational activities of Groupama Assurances Mutuelles is the responsibility of the different officers in charge of these activities under the authority of the Executive Committee. The area of responsibilityof each of these Managers is determined by the delegations of authority approved. The implementation of the internal control system of the corporate entity Groupama Assurances Mutuelles is handled by an employee of the Group Risk Management/Controland ComplianceDepartment. Monitoring ofentities (c) Every subsidiary is subject to ongoing monitoring by the departmentsof the divisionto which it isattached: Group Finance Department for financial subsidiaries; ❯ Group Insurance and Services Department for the Non-Life ❯ insurance subsidiaries, the French service subsidiaries, and Groupama Supports &Services; Groupama Gan Vie’s Executive Management for the life ❯ insurance subsidiary and the distribution subsidiaries Gan Patrimoine andGan Prévoyance; International Subsidiaries Department for foreign subsidiaries. ❯ This specific monitoring is supplemented at Group level by cross-functional management of all of the entities, particularly in the followingareas: Activity monitoring and financial reporting On behalf of the Group, the various Group Analysis and Management Control Departments (within the Group Financial Control Department) implement procedures for activity monitoring (performance indicators) and financial reporting for all regional mutuals, French and international subsidiaries, and Groupama Assurances Mutuelles. The aim is transparency of results and an understanding of trends in these areas for the Groupama AssurancesMutuellesExecutiveManagementand the entities. This approach is based on a process of managementplanningthat is common to all entities. It is implementedand coordinatedby the Group Financial Control Department and is based on core Group standards for developing forecasts, approved by the Executive Management andupdated regularly. The internal control proceduresfor financial reporting are specified in chapter 5 ofthis registrationdocument.

3

Internal control and risk 3.4.2.2

management systems within the entities and Groupama Assurances Mutuelles

Within theentities (a) The risk control and internal control system specific to the entities

is organised around twocomplementary systems: risk management and internal controlof each entity; ❯ internal oroperational auditing ofevery entity. ❯

These systems are adapted to each entity based on its organisation, activities, and resources and the local regulations abroad, under the authority of its Executive Management. Regarding organisation and governance, the French entities subject to the Solvency 2 regulations have specified in their risk policies the roles and responsibilities of the administration and executive management bodies, key functions, and operational or support departments involved in risk management. As under the Group model, the entities regularly hold specialist Risk Committeemeetings and reinforce the level of maturity of the following fourkey functions, defined underSolvency 2: the “RiskManagement” keyfunction; ❯ the “ComplianceVerification”key function; ❯ the “Audit”key function; ❯ the “Actuarial”key function. ❯ The Group Risk Management/Control and Compliance Department supports the entities in monitoring and rolling out Group standards.

67 REGISTRATION DOCUMENT 2018 - GROUPAMA ASSURANCES MUTUELLES