Groupama // 2021 Universal Registration Document

5 GROUP RISK FACTORS

Organisation of risk management within the Group

The Group Legal Department, under the supervision of the General Secretariat, provides, particularly on behalf of the business lines of Groupama Assurances Mutuelles and insurance organisations (French insurance subsidiaries as well as the regional mutuals), the following functions: monitoring and analysis of legislation and case law and other ❯ standards (FFA (French Insurance Federation) professional standards, ACPR (French Prudential Supervisory and Resolution Authority) recommendations, opinions issued by the French government’s “defender of rights” and the CCLRF (Banque de France’s Advisory Committee on financial legislation and regulation)) having an impact on the insurance business (marketing, consumer protection, communication, advertising, the development, subscription, execution and termination of insurance products, etc.); the necessary anticipation and support to implement new ❯ regulations for insurance; information (notes, circulars, working groups, dissemination of a ❯ quarterly legal newsletter on customer protection); ratification of new insurance policies developed by the business ❯ lines and other Group insurance subsidiaries, well as changes made to existing policies; development and approval of distribution, management ❯ delegation, and partnership agreements in connection with insurance, banking, and other services; legal and tax advice (taxation applicable to products and advice ❯ in the area of wealth management solutions); dealings with administrative authorities for inspections, and ❯ support during these inspections and any resulting consequences on the insurance business; building and running of training and awareness-raising sessions ❯ on the regulations applicable to the insurance business, intended for a variety of audiences (distribution networks, Managers, etc.). Regarding the application of the provisions of the French data protection law and the General Data Protection Regulation (GDPR), the compliance system relies on the Data Protection Officer (DPO) of the Group’s French entities declared to the French national data

protection commission (“CNIL”) and on the network of internal data relay protection officers (DRPO): one officer per entity and nine for Groupama Assurances Mutuelles in areas implementing processes. This network changes based on the Group’s organisational modifications. The role of the Group’s Tax Department is to provide information and monitor tax regulations for all of the Group’s entities. It is also regularly questioned about specific technical points and is involved in preparing the end-of-year financial statements. The Group’s internal control system is supplemented with the activities of the Group General Audit Department. The Group General Audit Department conducts several types of audits, including a general economic and financial audit of the Group’s entities, generally on a three-year basis and at the latest every five years, in addition to the operational audits conducted within the entities. For large entities, these audits may be conducted more frequently and cover smaller scopes. The Group General Audit Department also conducts on Groupama Assurances Mutuelles processes and on the Group’s cross-functional processes, in which several entities may be involved, with the support of the entities’ internal auditing departments. Lastly, the Group General Audit Department conducts audits on behalf of some entities as part of the pooling of the Audit key function with Groupama Assurances Mutuelles. The audit schedule of the Group General Audit Department is defined by the Executive Management of Groupama Assurances Mutuelles and validated by the Groupama Assurances Mutuelles Audit and Risk Management Committee and the Board of Directors of Groupama Assurances Mutuelles. Every mission involves a review of the risk and internal control system for the activity or entity audited, and a mission report is prepared presenting the observations, findings, and recommendations to the Executive Management of the audited entities. A regular summary of the missions is provided to the Executive Management of Groupama Assurances Mutuelles, the Audit and Risk Management Committee, and the Group Executive Committee for cross-functional audits. A quarterly report on the progress of the recommendations is given to the Groupama Assurances Mutuelles Board of Directors and its Audit and Risk Management Committee.

116 Universal Registration Document 2021 - GROUPAMA ASSURANCES MUTUELLES