Groupama // 2021 Universal Registration Document

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

As auditing is part of the internal control procedure, a Group and Groupama Assurances Mutuelles audit policy supplements the provisions of the internal control policy with its own operating rules and scope of operation. Risk management policies as well as a compliance policy, defining the overall framework for implementation and operation of the compliance system within the Group, complete the general internal control system. In accordance with the requirements of Solvency II, a gap analysis is conducted annually on each of the policies to verify whether they should be updated. The internal control system deployed by the Group is based on commonly accepted practices (1) . It covers the first-level and second-level permanent control system as well as periodic control (or third-level control). Permanent control is implemented by: operational units that provide first-level control; ❯

teams specifically dedicated to permanent control (risks, ❯ compliance with laws and regulations, accounting control, security of information systems, etc.) that provide second-level control. The internal audit function periodically assesses the adequacy and proper functioning of the permanent control system and provides a third level of control. The various business lines are responsible for the risks that they generate through the operations that they carry out. They ensure and assume the first-level controls on their scope of responsibility. Second-level and third-level controls are usually the responsibility of the specialised departments: the Group Risk Management, Control, and Compliance ❯ Department; the Audit Department. ❯ However, certain second-level permanent controls may be conducted by dedicated departments according to the organisation of the activity (Accounting Department, Information Systems Security Department, Legal Department, etc.).

THE INTERNAL CONTROL SYSTEM

Governance Bodies

LEVELS TYPES OF CONTROLS

3

Audit

Permanent Regularly

Permanent Control & Risk Management

2

Independent

Hierarchy

1

Employees/Operational Resources

Operational

Principles of organisation 3.4.2.1 As the central body, Groupama Assurances Mutuelles has defined a uniform policy framework to be put in place within the companies that takes into account their specific characteristics in terms of regulations, structure, organisation, and activity. The aim is to ensure the consistency of the principles and rules of management of permanent control and periodic control, with a view to controlling the risks that affect the Group, while taking into account the principle of proportionality as provided for in the Solvency II Directive. The Group General Audit Department and the Group Risk Management, Control, and Compliance Department each manage and supervise the internal control system for the entire Group. In practice, they are in direct contact with the regional mutuals and the subsidiaries both nationally and internationally as well as with medium-sized companies. Each of these companies must include Inspired by the IFACI’s work and using the COSO as a reference (1)

in its scope all of its own subsidiaries and manage and oversee the implementation and monitoring of internal control systems in accordance with the principles and rules set out by the Group. The Group Audit Department, under the responsibility of the Director of Audit, Risk Management, and Internal Control, and the Group Risk Management, Control, and Compliance Department (DRCCG) report to the Deputy Chief Executive Officer of Groupama Assurances Mutuelles. The Group Audit Director and the Group Risk Management, Control, and Compliance Director periodically report to the Audit and Risk Management Committee of the Groupama Assurances Mutuelles Board of Directors on the Group’s position and any work in progress in terms of internal control and risk management. It coordinates the actions of the Group Risk Management Department and the Group Operational Risk Management and Permanent Control Department.

57 Universal Registration Document 2021 - GROUPAMA ASSURANCES MUTUELLES