GROUPAMA / 2019 Universal Registration Document

7 FINANCIAL STATEMENTS Consolidated financial statements and notes

5

Operating, legal, regulatory,

an informationsystems BCP; ● on the information system security policy and the associated ● sub-policies; on the system forsecuring people andproperty. ● Moreover,an insuranceprogrammeis in place, designedto provide liability protection and the protection of the assets of the regional mutuals,GroupamaAssurancesMutuellesand its subsidiaries.The policies are distributed among internal insurers and external insurers for the most significantrisks. The principal coverage is the following: employee insurance; ● third-party liability of corporate officers; ● professional third-party liability; ● operatingthird-partyliability; ● property damage insurance (property, offices, equipment,motor ● fleets, etc.); cyber risks. ● 5.2 The legal and regulatory risks are managed as part of the Group system compliance, which is defined in the Group compliance policy validatedby the governingbodies of the Group. The system in place, directed by the key function of ComplianceVerificationof Groupama Assurances Mutuelles, the Group Compliance Officer, aims to ensure that all Group practices comply with legal provisions, administrative regulations and requirements and professional standards, as well as the Group’s internal rules, charters andprocedures. The internal control proceduresdesigned to ensure the conformity of all GroupamaAssurancesMutuellesoperationsare based on the main mechanisms described below. and the French Commercial Code The Group Legal Department, under the supervision of the Company Secretary, manages Groupama Assurances Mutuelles’ legal affairs and those of its subsidiaries,and provides legal advice as needed to all the French legal entities of GroupamaAssurances Mutuelles.As such, it ensuresthe legal complianceof its operations and its Directors and senior executives. Internal checks on the effective implementation of administrative legal procedures are based on ongoingmonitoring systems on an individual entity basis. Legal and regulatory risks Compliance with company law 5.2.1

and tax risks Operational risks

5.1 Operational risks are managed in accordance with the principles and rules defined in the Group and Groupama Assurances Mutuellesoperationalrisk management policy (see point 1). The operational risk management system of Groupama is based on: the definition of internal management rules and operational ● procedures defining the manner in which the activities of Groupama AssurancesMutuelles must be conducted. They are appropriate to each business line and each key process. Operational risks are identified and associated permanent controls are formalised across the Group, at every stage of business line and functional processes,based on benchmarked Group processes and the Group classification of operational risks. The operationalrisk control system is based on three levels of control with responsibility and control plans appropriate for each level: internal-check type permanent monitoring of the operational ● level andpermanent management control, permanent controls operated by the Permanent ● Control/Compliance Function of each entity, periodiccontrolsundertakenby the internalaudit teamof each ● entity; on the definition and assessment of Group major operational ● risks and adaptationas entity major risks, which function on the basis of a network of risk owners with management and coordinationof the entire system by the Group OperationalRisk Managementand PermanentControlDepartmentand the Group ComplianceDepartment; on securing informationsystems in the face of the major risks of ● “information system failures” and “cyber risks” on the Group business continuity policy; this policy serves as a ● reference for crisis management systems and Business ContinuityPlans (BCP) being documentedwithin the entities.The process is based on the BIA approach (Business Impact Analysis), which makes it possible to best calibrate the means necessaryfor the resumptionof activity by identifyingthe critical businessactivities. Three BCPshave been identified: a humanresources BCP, ● a property BCP, ●

252

Universal Registration Document 2019 - GROUPAMA ASSURANCES MUTUELLES