GROUPAMA / 2020 UNIVERSAL REGISTRATION DOCUMENT
7 FINANCIAL STATEMENTS Consolidated financial statements and notes
5 Operational, legal, regulatory, and tax risks

5.1 Operational risks

Operational risks are managed in accordance with the principles and rules defined in the Group and Groupama SA operational risk management policy (see point 1).

Groupama’s operational risk management system is based on:

❯ the definition of internal management rules and operational procedures defining the manner in which the activities of Groupama SA must be conducted. They are specific to each business line and each key process. Operational risks are identified and associated permanent controls are formalised across the Group, at every stage of business line and functional processes, based on benchmarked Group processes and the Group classification of operational risks. The operational risk control system is based on three levels of control with responsibility and control plans appropriate for each level:
    ■ internal-check type permanent monitoring of the operational level and permanent management control,
    ■ permanent controls operated by the Permanent Control/Compliance Function of each entity,
    ■ periodic controls undertaken by the internal audit team of each entity;
❯ the definition and assessment of major Group operational risks and adaptation into major entity-level risks, which, as with insurance and financial risks, function on the basis of a network of risk owners with management and coordination of the entire system by the Group’s Operational Risk and Permanent Control and Compliance Departments;
❯ ensuring the security of information systems in the face of major IT systems failure risk and cyber risks;
❯ the Group’s business continuity policy; this policy serves as a baseline for crisis management systems and Business Continuity Plans (BCP) documented within the entities. The process is based on the BIA approach (Business Impact Analysis), which makes it possible to best calibrate the means necessary for the resumption of activity by identifying the critical business activities. Three BCPs have been identified:
    ■ a human resources BCP,
    ■ a property BCP,
    ■ an information systems BCP;
❯ the information systems security policy and any related sub-policies;
❯ the system for securing people and property.

Moreover, an insurance programme is in place, designed to provide liability protection and the protection of the assets of the regional mutuals, Groupama Assurances Mutuelles and its subsidiaries. The policies covering the most significant risks are split among internal insurers and external insurers. The principal coverage is the following:

❯ employee insurance;
❯ third-party liability of corporate officers;
❯ professional third-party liability;
❯ general third-party liability;
❯ property damage insurance (property, offices, equipment, motor fleets, etc.);
❯ cyber risks and fraud.

5.2 Legal and regulatory risk

Legal and regulatory risks are managed as part of the Group compliance mechanism, which is defined in the Group compliance policy ratified by the Group’s governance bodies. The system put in place is based on two departments with separate scopes of involvement: Group Compliance and Group Legal.

A first level in support of operational teams and Directors, under the responsibility of the Group Legal Department, is responsible for:

❯ monitoring and compliance with all regulations (public or private standards) whatever the regulatory area with the exception of labour law and corporate taxation;
❯ legal securing of the Group’s businesses (products, distribution, communication, and consumer protection), projects, and operations; and
❯ advising on and contributing to the optimisation of projects.

A second level, intended to provide independent insight to the Group’s Directors and decision-makers, under the responsibility of the Group’s Compliance Department, is responsible for:

❯ establishing and validating the compliance system;
❯ verifying conformity; and
❯ assessing non-compliance risk.

It covers the scope of customer protection, the fight against money laundering and the financing of terrorism, ethics and professional conduct, and conflicts of interest.

The aim of this system is to ensure that all Group practices comply with legal provisions, administrative regulations and requirements, and professional standards, as well as the Group’s internal rules, charters, and procedures. The permanent control procedures designed to ensure the compliance of all Groupama Assurances Mutuelles’ operations are based on the main mechanisms described below.