GROUPAMA / 2020 UNIVERSAL REGISTRATION DOCUMENT

5 GROUP RISK FACTORS

Organisation of risk management within the Group

establishing internal control at the Groupama Assurances ❯ Mutuelles entity; defining the business continuity policy (BCP) and implementing ❯ then overseeing the system within the entities; overseeing data quality control systems; ❯ validating the internal model; ❯ supporting the Group’s entities in adapting their operational risk ❯ management, permanent control and compliance systems (management, coordination, facilitation, informatioann, d training); reporting on the status of the Group’s Internal Control system, ❯ for the purposesof communicationto the governancebodies as well as the appropriatesupervisoryauthoritiesby the Director of the Group’s Risk Management/Control, and Compliance Department. The key role in verifying Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager: develops the Group Compliancepolicy. This function is involved ❯ in drafting Group compensation policies and governance and product oversight policies, in conjunction with the Groupama Assurance Mutuelles Departments concerned; oversees the Compliance functional line and those responsible ❯ for the key function of Compliance Verification by ensuring, where necessary, that legal, regulatory, and jurisprudential practices, conducted by the Group Legal Department, are implemented; regularly monitors compliance with Group policies, standards, ❯ and procedures and their effective implementation; identifies, assesses, oversees, and monitors the exposure to ❯ non-compliance risks (risk mapping, dashboards, risk sheets, etc.); assists the business lines in drafting the level 1 control plans to ❯ strengthen non-compliancerisk managementand draws up the corresponding level 2 control plans; implements and supervise, in collaboration with the Group ❯ entities, the prevention, identification, and management of conflicts of interest; helping in drawing up replies to supervisoryauthorities,with the ❯ Group Legal Department and relevant departments and entities; reports on non-compliancerisk managementto the governance ❯ bodies of the Group and the companies. Each Group entity also has Risk Management,PermanentControl, and Compliance functions. In addition to these three risk management departments, departments such as Legal and Tax also contribute to the management of the risks of the Group and its various entities.

The Group Risk ManagementDepartment is especially involved in areas related to financial risks, insurance risks, and risks related to the Group’s solvency, the Group Operational Risk Management and Permanent Control Department is especially involved in the scope related to operationalrisk management,and the key function of ComplianceVerificationof GroupamaAssurancesMutuelles, the Group compliance officer, is involved in the areas related to non-compliance and image risks. Within this framework, these departments, according to their area of responsibility: assist administrative and Executive Management bodies in ❯ defining: the risk strategy, ■ the core components of the risk management system; ■ are responsible for the implementationand coordination of the ❯ risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s activities; monitor and analyse the Group’s general risk profile; ❯ report on exposures to risk and alert the administration and ❯ Executive Management bodies in cases of major risks threatening the Group’s solvency; lead the Risk Committees; ❯ lead the working groups and bodies with the entities. ❯ As regards the risk management function, the Group Risk Department is responsible for: developing the Group risk management policy and the ❯ coordinating policies relating to insurance and financial risks together with the risk owners concerned; defining the process for setting the Group’s risk tolerance (risk ❯ limits); monitoring the Group’s major insurance and financial risks; ❯ assessing and rating insurance and financial risks, including ❯ sensitivity analyses and stress tests; implementing the ORSA process: internal assessment by the ❯ Company of its risks and its solvency situation; the implementation of the PRP (Preventive Recovery Plan); ❯ supporting the Group’s entities in adapting the risk management ❯ system. The Group Operational Risk Management and Permanent Control Department is responsible for: developing the Group’s internal control and operational risk ❯ management policies; developing the Group’s standards and reference sources ❯ (mapping of processes, operational risks, permanent control plans, referencebase of permanentcontrols) and overseeingthe system within the entities; monitoring and assessing operational risks (related to control of ❯ processes); acting as project owner of the EU tool for management of ❯ operating risks, MAITRIS,managingin particular the collectionof permanent control results, the incident database and the assessment of operational risks;

111 Universal Registration Document 2020 - GROUPAMA ASSURANCES MUTUELLES