Groupama // 2021 Universal Registration Document

5 GROUP RISK FACTORS

Organisation of risk management within the Group

The Group Risk Management Department is especially involved in areas related to financial risks, insurance risks, and risks related to the Group’s solvency; the Group Operational Risk Management and Permanent Control Department is especially involved in the scope related to operational risk management; and the key function of Compliance Verification of Groupama Assurances Mutuelles, the Group compliance officer, is involved in the areas related to non-compliance and image risks. Within this framework, these departments, according to their area of responsibility:
❯ assist administrative and Executive Management bodies in defining:
  ■ the risk strategy,
  ■ the core components of the risk management system;
❯ are responsible for the implementation and coordination of the risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s businesses;
❯ monitor and analyse the Group’s general risk profile;
❯ report on exposures to risk and alert the administration and Executive Management bodies in cases of major risks threatening the Group’s solvency;
❯ lead the risk committees;
❯ lead the working groups and bodies with the entities.

As regards the risk management function, the Group Risk Department is responsible for:
❯ developing the Group risk management policy and the coordinating policies relating to insurance and financial risks together with the risk owners concerned;
❯ defining the process for setting the Group’s risk tolerance (risk limits);
❯ monitoring the Group’s major insurance and financial risks;
❯ assessing and rating insurance and financial risks, including sensitivity analyses and stress tests;
❯ implementing the ORSA process: internal assessment by the Company of its risks and its solvency situation;
❯ the implementation of the PRP (Preventive Recovery Plan);
❯ supporting the Group’s entities in adapting the risk management system.

The Group Operational Risk Management and Permanent Control Department is responsible for:
❯ developing the Group’s internal control and operational risk management policies;
❯ developing the Group’s standards and reference sources (mapping of processes, operational risks, permanent control plans, reference base of permanent controls) and overseeing the system within the entities;
❯ monitoring and assessing operational risks (related to control of processes);
❯ acting as project owner of the EU tool for management of operating risks, MAITRIS, managing in particular the collection of permanent control results, the incident database, and the assessment of operational risks;
❯ establishing internal control at the Groupama Assurances Mutuelles entity;
❯ defining the business continuity policy (BCP) and implementing then overseeing the system within the entities;
❯ overseeing data quality control systems;
❯ validating the internal model;
❯ supporting the Group’s entities in adapting their operational risk management, permanent control, and compliance systems (management, coordination, facilitation, information, and training);
❯ reporting on the status of the Group’s Internal Control system, for the purposes of communication to the governance bodies as well as the appropriate supervisory authorities by the Director of the Group’s Risk Management/Control, and Compliance Department.

Defining the information systems security policy and its implementation by entities fall under the remit of Groupama Support and Services (G2S), which reports to the Group Operational Risk Management and Permanent Control Department.

The key role in verifying Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager:
❯ develops the Group Compliance policy. This function is involved in drafting Group compensation policies and governance and product oversight policies in conjunction with the Groupama Assurances Mutuelles departments concerned;
❯ oversees the Compliance functional line and those responsible for the key function of Compliance Verification by ensuring, where necessary, that legal, regulatory, and jurisprudential practices, conducted by the Group Legal Department, are implemented;
❯ regularly monitors compliance with Group policies, standards, and procedures and their effective implementation;
❯ identifies, assesses, oversees, and monitors the exposure to non-compliance risks (risk mapping, dashboards, risk sheets, etc.);
❯ assists the business lines in drafting the level 1 control plans to strengthen non-compliance risk management and draws up the corresponding level 2 control plans;
❯ implements and supervises, in collaboration with the Group’s entities, the prevention, identification, and management of conflicts of interest;
❯ helps in drawing up replies to supervisory authorities with the Group Legal Department and relevant departments and entities;
❯ reports on non-compliance risk management to the governance bodies of the Group and the companies.

Each Group entity also has Risk Management, Permanent Control, and Compliance functions. In addition to these three Risk Management Departments, departments such as Legal and Tax also contribute to the management of the risks of the Group and its various entities.
