GROUPAMA / 2019 Universal Registration Document

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

In accordancewith the requirementsof Solvency II,a gap analysis was conducted in 2019 on each of the policies to verify whether they should beupdated. The Group’s internal control system is based on commonly accepted practices (1) . It covers the level 1 and level 2 permanent control system as well asperiodic control (or level 3 control). Permanent control is implemented by: operational units that provide first-level control; ● teams specifically dedicated to permanent control (risks, ● compliance with laws and regulations, accounting control, security of information systems, etc.) that provide second-level control.

The internal audit function periodicallyassesses the adequacy and proper functioningof the permanentcontrol systemand provides a third level of control. The various business lines are responsible for the risks that they generate through the operations that they carry out. They ensure and assume thefirst-level controls on their scope of responsibility. Second-leveland third-levelcontrolsare usually the responsibilityof the specialised departments: the Group Risk Management/Control and Compliance ● Department; the Audit Department. ● However, certain second-level permanent controls may be conductedby dedicateddepartmentsaccordingto the organisation of the activity (Accounting Department, Information Systems Security Department, Legal Department, etc.).

INTERNAL CONTROL ORGANISATION

Governing bodies

LEVELS TYPES OF CONTROLS

3

Audit

Permanent Periodic

Permanent Control & Risk Management

2

Independent

Hierarchy

1

Employees/Operational Units

Operational

Principles of organisation 3.4.2.1 As the central body, GroupamaAssurancesMutuelles has defined a uniformpolicy frameworkto be put in place within the companies that takes into account their specific characteristics in terms of regulations, structure, organisation, and activity. The aim is to ensure the consistencyof the principles and rules of management of permanentcontrol and periodiccontrol,with a view to controlling the risks that affect the Group, while taking into account the principle of proportionality as provided for in the Solvency II Directive. The Group General Audit Department and the Group Risk Management/Controland Compliance Department each manage and supervise the internal control system for the entire Group. In practice, they are in direct contact with the regional mutuals and the subsidiaries both nationally and internationally as well as with medium-sizedcompanies. Each of these companiesmust include

in its scope all of its own subsidiariesand manageand oversee the implementation and monitoring of internal control systems in accordancewith the principles and rules set outby the Group. The Group Audit Department, under the responsibility of the Director of Audit, Risks, and Internal Control, and the Group Risk Management/Controland ComplianceDepartment(DRCCG)report to the Deputy Chief Executive Officer of Groupama Assurances Mutuelles. The Group Audit Director and the Group Risk Management/Control and ComplianceDirector periodically report to the Audit and Risk Management Committee of the Groupama Assurances Mutuelles Board of Directors on the Group’s position and any work in progress in terms of internal control and risk management. It coordinates the actions of the Group Risk Management Department and the Group Operational Risk Management and PermanentControl Department.

Inspired by the IFACI’s work and using the COSO as a reference. (1)

59 Universal Registration Document 2019 - GROUPAMA ASSURANCES MUTUELLES