GROUPAMA / 2019 Universal Registration Document

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

Group Risk Management Department (DRG) (a) In terms of risk management,as of the end of 2019, the GroupRisk Management Department (DRG) has a dedicated team of eight people and is more specificallyinvolved in areas related to financial and insurancerisks. In 2019, the main actions undertaken by the teams in the Group Risk ManagementDepartmentfocusedon: assessment of the Group’s Major Risks, revision and ● strengthening of reporting to the Group’s governancebodies; preparation and coordination of specialised Risk Committees; ● completionof the annual systemof assessmentand collectionof ● insurance andfinancial risks forall of the Group’sentities; definition of the common methodological principles of ● assessmentand preparationof a genericORSA report proposed by the Group Risk ManagementDepartment,which serves as a basis for the entities to drawup their finalreport; support for the Risk Managers of the Group’s entities for the ● processes of assessing risks and finalisingtheir ORSA reports; the definition and implementationof a risk tolerance framework ● for the Group, to be rolled out within the entities in a second phase. Both at Group level and at the entity level in France and internationally, the ORSA process was presented as work progressed,with approvalssought at each stage from the Steering Committees of Groupama Assurances Mutuelles and Risk ManagementCommitteesof GroupamaAssurancesMutuelles and the entities. At the same time, the Boards of Directorsof the Group’s insurance companies were involved – directly or through the Audit and Risk ManagementCommittee upstream of the ORSA work (particularly through the validationof calculationassumptionsand the choice of scenariosadopted) –and examinedthe results then approvedtheir company’s report before transmission to the local control authorities in accordancewith the regulations. Group Operational Risk Management (b) and Permanent Control Department (DROCPG) As of the end of 2019, the Group Operational Risk Management and Permanent Control Department (DROCPG) has a dedicated team of thirteen people and is involved especially in the scope relating to the management of operational risks and permanent control activitiesand is also in chargeof the coordinationof work to validate the partial internal model, major changes, and the SCR calculationby the internalmodel. In 2019, the major tasks undertaken by the teams in the Group OperationalRisk Managementand PermanentControl Department focused on: continued supporting and monitoring of the deployment of the ● Group deliverables of Pillar 2 in the Group’s entities; assessment of operational risks particularly on the basis of the ● Group nomenclatureand the Group assessment methodology; the deployment of an updated version of the community ● operational risk management and controlreporting tool; support for the Group’s entities in the implementation of their ● Business Continuity Plan in line with the Group policy: testing

drills, workshops, plenary session of Managers in the entities, deployment of a crisis management solution, and provision of examplesof good practices; updating thedocument reference system; ● managementof the network of risk and internal control officers ● and the organisationof meetingsto discuss experiencesthrough regular workgroups and the COMOP (Operational ImplementationCommittee), grouping together the ARCC (Risk Management,Control, and Compliance Audit) Managers of the main companies of the Group’s France scope. In addition to these actions to strengthen the risk and control system, the Group Operational Risk Managementand Permanent Control Department and the Group Compliance Department worked together on the annual internal control questionnaire campaign.The purpose of this self-assessmentquestionnaireis to ascertain the status of the risk control and internal control systems and their level of deployment(at both entity level and Group level) and uniformly measure the progress of the Group’s entities. This status assessmentgives rise to the developmentand monitoringof improvement action plans. Lastly, in addition to the Group OperationalRisk Managementand Permanent Control/Group Compliance Departments, a Research Division, reporting directly to the Group Risk Management and Control Director, completes the system; its primary responsibilities include conducting general studies on the subject of risk managementand control, monitoring the emergence of new risks and tracking CRO Forum files (Chief Risk Officers – European Forum). Group General Audit Department (c) The objectives and the principles for operation and involvementof the Group’s General Audit Department and the internal audit function as well as the relationship between the various control levels (permanent control, internal audit in the Group entities and General Audit Department) are formalised in the Group internal audit policy of Groupama Assurances Mutuelles. The Group General Audit Department operates across the entire Group with a staff of 13 auditors. The Group General Audit Department’s 2019 audit plan was approved by the Groupama Assurances MutuellesBoardof Directors. The Group General Audit Department’s 2019 audit plan is organised on an annualbasis aroundfour types of missions: general auditsof entities; ● cross-functional process audits; ● audits of the Groupama Assurances Mutuelles departments; ● spot audits at the request of the executive management or ● providedfor in the Groupprocedures. Concerningthe general audits of entities, the audit plan is created on the basis of a risk-basedapproach,with a three-year coverage objective for regional mutuals. Audit missions are preceded by a preliminary analysis of the risks facing the entity, in order to concentrate the audit investigations on the most sensitive areas. The audit also studies the functioning of the links the entity maintainswith the Groupand the otherentities.

60 Universal Registration Document 2019 - GROUPAMA ASSURANCES MUTUELLES