Groupama // 2021 Universal Registration Document

7 FINANCIAL STATEMENTS Combined financial statements and notes

5. Operational, legal, regulatory, and tax risks

5.1 Operational risks

Operational risks are managed in accordance with the principles and rules defined in the Group and Groupama SA operational risk management policy (see point 1).

Groupama’s operational risk management system is based on:

❯ the definition of internal management rules and operational procedures defining the manner in which the activities of Groupama SA must be conducted. They are specific to each business line and each key process. Operational risks are identified and associated permanent controls are formalised across the Group, at every stage of business line and functional processes, based on benchmarked Group processes and the Group classification of operational risks. The operational risk control system is based on three levels of control with responsibility and control plans appropriate to each level:
  ■ internal-check type permanent monitoring of the operational level and permanent management control,
  ■ permanent controls operated by the Permanent Control/Compliance Function of each entity,
  ■ periodic controls undertaken by the internal audit team of each entity;
❯ the definition and assessment of major Group operational risks and adaptation into major entity-level risks, which, as with insurance and financial risks, function on the basis of a network of risk owners with management and coordination of the entire system by the Group’s Operational Risk and Permanent Control and Compliance Departments;
❯ the securing of information systems in the face of the major “Cyber” risk;
❯ the Group’s business continuity policy; this policy serves as a baseline for crisis management systems and Business Continuity Plans (BCP) documented within the entities. The process is based on a BIA approach (Business Impact Analysis), which makes it possible to best calibrate the means necessary for the resumption of activity by identifying the critical business activities. Three BCPs have been identified:
  ■ a human resources BCP,
  ■ a property BCP,
  ■ a BCP for information systems;
❯ the information systems security policy and any related sub-policies;
❯ the system for securing people and property.

Moreover, an insurance programme is in place, designed to provide liability protection and the protection of the asset base of regional mutuals, Groupama Assurances Mutuelles and its subsidiaries. The policies covering the most significant risks are split among internal insurers and external insurers. The principal coverage is the following:

❯ employee insurance;
❯ third-party liability of corporate officers;
❯ professional third-party liability;
❯ general third-party liability;
❯ property damage insurance (property, offices, equipment, motor fleets, etc.);
❯ cyber risks and fraud.

5.2 Legal and regulatory risk

Legal and regulatory risks are managed as part of the Group compliance mechanism, which is defined in the Group compliance policy ratified by the Group’s governance bodies. The system put in place is based on two departments with separate scopes of involvement: Group Compliance and Group Legal.

A first level in support of operational teams and Directors, under the responsibility of the Group Legal Department, is responsible for:

❯ monitoring and compliance with all regulations (public or private standards) whatever the regulatory area with the exception of labour law and corporate taxation;
❯ legal securing of the Group’s businesses (products, distribution, communication, and consumer protection), projects, and operations; and
❯ advising and contributing to the optimisation of projects.

A second level, intended to provide independent insight to the Group’s Directors and decision-makers, under the responsibility of the Group’s Compliance Department, is responsible for:

❯ establishing and validating the compliance system;
❯ verifying conformity; and
❯ assessing non-compliance risk.

It covers the scope of customer protection, the fight against money laundering and the financing of terrorism, ethics and professional conduct, and conflicts of interest. The aim of this system is to ensure that all Group practices comply with legal provisions, administrative regulations and requirements, and professional standards, as well as the Group’s internal rules, charters, and procedures.

The permanent control procedures designed to ensure the compliance of all Groupama Assurances Mutuelles’ operations are based on the main mechanisms described below.


Universal Registration Document 2021 - GROUPAMA ASSURANCES MUTUELLES
