GROUPAMA / 2020 UNIVERSAL REGISTRATION DOCUMENT

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

The Group Risk Management/Controland ComplianceDepartment supports the entities in monitoring and rollinogut Group standards. The entities’ permanent control plans are integrated into the community operational risk management tool according to the Group methodology.This tool also enables collection of incidents, assessment of operational risks, and management of actiopnlans. All of the Risk Management and Permanent Control/Compliance Managers of the Group’s entities supplement the plan and meet regularly within the framework of information exchange and best practices bodies (workgroups, theme-based workshops, and training), directed by the Group Risk Management, Control, and Compliance Department. An ARCC Operation Committee brings together the regional mutuals and the main subsidiaries of the Group’s France scope, with regular reports to the Group Executive Committee. Within Groupama Assurances Mutuelles (b) Implementing the internal control system at the level of the functional and operational activities of Groupama Assurances Mutuelles is the responsibility of the different officers in charge of these activitiesunder the authorityof the ExecutiveCommittee.The area of responsibilityof each of these Managers is determinedby the delegations of authority approved. The implementationof the internal control system of the corporate entity Groupama AssurancesMutuellesis handledby an employeeof the GroupRisk Management/Control and Compliance Department. Monitoring of entities (c) Every subsidiary is subject to ongoing monitoring by the departments of the division to which it is attached: Group Finance Department for financial subsidiaries; ❯ Group Insurance and Services Department for the Non-Life ❯ insurance subsidiaries, the French service subsidiaries, and Groupama Supports & Services; Groupama Gan Vie’s Executive Management for the life ❯ insurance subsidiary and the distribution subsidiaries Gan Patrimoine and Gan Prévoyance; International Subsidiaries Department for foreign subsidiaries. ❯ This specific monitoring is supplemented at Group level by cross-functionalmanagementof all of the entities, particularlyin the following areas: Activity monitoring and financial reporting On behalf of the Group, the various Group Analysis and Management Control Departments (within the Group Financial Control Department) implement procedures for activity monitoring (performance indicators) and financial reporting for all regional mutuals, French and international subsidiaries, and Groupama Assurances Mutuelles. The aim is transparency of results and an understanding of trends in these areas for the Groupama Assurances Mutuelles Executive Management and the entities. This approach is based on a processof managementplanning that is common to all entities. It is implementedand coordinatedby the Group Financial Control Department and is based on core Group standards for developing forecasts, approved by the Executive Management and updated regularly.

The general audits of entities conducted in 2020 by the Group General Audit Department focused on three regional mutuals, two French insurance subsidiaries, one service subsidiary, one international subsidiary, and two “flash” audits. Three subsidiaries underwent processaudits as part of cumulativeaudits. Lastly, three cross-functional audits were conducted or initiated (on revisable contracts, cybersecurity, and the audit function). The audit conclusions are reported via a table of assessment of risks to which the Company is exposedon its key processesand a list of recommendations.These conclusions are shared with the Steering Committeesof the companies concerned and the Group ExecutiveCommitteefor the cross-functionalaudits. They are then presented to the Audit and Risk Management Committee of Groupama Assurances Mutuelles. At the end of 2020, the Group’s audit team had around 100 auditors across GroupamaAssurancesMutuelles, the regional mutuals, and the Group’s subsidiaries iFnrance and internationally. The workingmethodsand the definitionof the responsibilitiesof the key internal audit functions of the entities were formalised in dedicated policies approved in 2020 by the Boards of Directors of most of the Group’s entities, consistent with the principles of the Internal Audit policy of the Group and Groupama Assurances Mutuelles. The function is managed principally through an annual agreement and a working group (WG), which met three times in 2020. Within the entities (a) The risk control and internal control systemspecific to the entities is organised around two complementary systems: risk management and internal control of each entity; ❯ internal or operational auditing of every entity. ❯ These systems are adapted to each entity based on its organisation, activities, and resources and the local regulations abroad, under the authority of its Executive Management. Regarding organisationand governance,the French entities subject to the Solvency 2regulationshave specified in their risk policies the roles and responsibilities of the administration and Senior Management bodies, key functions, and operational or support departments involved in risk management. As under the Groupmodel, the entities regularlyhold specialistRisk Committee Meetings and reinforce the level of maturity of the following four key functions, defined under Solvency 2: the “Risk Management” key function; ❯ the “Compliance Verification” key function; ❯ the “Audit” key function; ❯ the “Actuarial” key function. ❯ Internal control and risk 3.4.2.2 management systems within the entities and Groupama Assurances Mutuelles

61 Universal Registration Document 2020 - GROUPAMA ASSURANCES MUTUELLES