GROUPAMA / 2020 UNIVERSAL REGISTRATION DOCUMENT

7 FINANCIAL STATEMENTS Consolidated financial statements and notes

❯ acting as project owner of the EU tool for management of operating risks, MAITRIS, managing in particular the collection of permanent control results, the incident database and the assessment of operational risks;
❯ establishing internal control at the Groupama Assurances Mutuelles entity;
❯ defining the business continuity policy (BCP) and implementing then overseeing the system within the entities;
❯ overseeing data quality control systems;
❯ validating the internal model;
❯ supporting the Group’s entities in adapting their operational risk management, permanent control and compliance systems (management, coordination, facilitation, information, and training);
❯ reporting on the status of the Group’s Internal Control system, for the purposes of communication to the governance bodies as well as the appropriate supervisory authorities by the Director of the Group’s Risk Management/Control, and Compliance Department.

The key role in verifying Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager:
❯ develops the Group Compliance policy. The Compliance Manager is involved in drafting the Group remuneration policy, governance policy, and product surveillance policy, in conjunction with the relevant Groupama Assurances Mutuelles departments;
❯ oversees the Compliance functional line and those responsible for the key function of Compliance Verification by ensuring, where necessary, that legal, regulatory, and jurisprudential practices, conducted by the Group Legal Department, are implemented;
❯ regularly monitors compliance with Group policies, standards, and procedures and their effective implementation;
❯ identifies, assesses, oversees, and monitors the exposure to non-compliance risks (risk mapping, dashboards, risk sheets, etc.);
❯ assists the business lines in drafting the level 1 control plans to strengthen non-compliance risk management and draws up the corresponding level 2 control plans;
❯ implements and supervises, in collaboration with the Group entities, the prevention, identification, and management of conflicts of interest;
❯ helps in drawing up replies to supervisory authorities, with the Group Legal Department and relevant departments and entities;
❯ reports on non-compliance risk management to the governance bodies of the Group and the companies.

Each Group entity has Risk Management, Permanent Control, and Compliance functions.

Defining the information systems security policy and its implementation by entities fall under the remit of Groupama Support and Services (G2S), which reports to the Group Operational Risk Management and Permanent Control Department.

In addition, the Group Management Control Department is responsible for the ongoing monitoring of results and achievement of the Group’s objectives based on a process of estimated management common to all entities.

The Group Risk Management and Permanent Control/Compliance functions are responsible for ensuring that all the Group’s entities comply with Executive Management’s requirements in terms of the internal control and risk management system, as well as those of Solvency 2, Pillar 2.

As regards risk management, the Group Risk Department works more specifically in areas related to financial and insurance risks, and risks connected to the Group’s solvency; the Operational Risk and Permanent Control Department works more particularly in areas related to the management of operational risks, and the key role in Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager, works in fields connected to non-compliance and image-related risks.

Within this framework, these departments, according to their area of responsibility:
❯ assist administrative and Executive Management bodies in defining:
  ■ the risk strategy,
  ■ the core components of the risk management system;
❯ are responsible for the implementation and coordination of the risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s businesses;
❯ monitor and analyse the Group’s general risk profile;
❯ report on exposures to risk and alert the administration and Executive Management bodies in cases of major risks threatening the Group’s solvency;
❯ lead the Risk Committees;
❯ lead the working groups and bodies with the entities.

More specifically, the Group Risk Department, as regards the risk management function, is responsible for:
❯ developing the Group risk management policy and the coordinating policies relating to insurance and financial risks together with the risk owners concerned;
❯ defining the process for setting the Group’s risk tolerance (risk limits);
❯ monitoring the Group’s major insurance and financial risks;
❯ assessing and rating insurance and financial risks, including sensitivity analyses and stress tests;
❯ implementing the ORSA process: internal assessment by the Company of its risks and its solvency situation;
❯ the implementation of the PRP (Preventive Recovery Plan);
❯ supporting the Group’s entities in adapting the risk management system.

The Group Operational Risk Management and Permanent Control Department is responsible for:
❯ developing the Group’s internal control and operational risk management policies;
❯ developing the Group’s standards and reference sources (mapping of processes, operational risks, permanent control plans, reference base of permanent controls) and overseeing the system within the entities;
❯ monitoring and assessing operational risks (related to control of processes);
