Groupama // 2021 Universal Registration Document

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

The general audits of entities conducted in 2021 by the Group General Audit Department focused on four regional mutuals, one French insurance subsidiary, one service subsidiary, two international subsidiaries, and two “flash” audits. Two specific thematic audits were also conducted. Lastly, two cross-functional audits were conducted or initiated (on commitment control and cyber security). The audit conclusions are reported via a table of assessment of risks to which the Company is exposed on its key processes and a list of recommendations. These conclusions are shared with the Steering committees of the companies concerned and the Group Executive Committee for the cross-functional audits. They are then presented to the Audit and Risk Management Committee of Groupama Assurances Mutuelles.

At the end of 2021, the Group’s audit team had around 100 auditors across Groupama Assurances Mutuelles, the regional mutuals, and the Group’s subsidiaries in France and internationally. The working methods and the definition of the responsibilities of the key internal audit functions of the entities were formalised in dedicated policies approved in 2021 by the Boards of Directors of most of the Group’s entities, consistent with the principles of the Internal Audit policy of the Group and Groupama Assurances Mutuelles. The function is managed, under the responsibility of the Group Internal Audit Director, principally through an annual agreement and a working group (WG), which met three times in 2021.

3.4.2.2 Internal control and risk management systems within the entities and Groupama Assurances Mutuelles

(a) Within the entities

The risk control and internal control system specific to the entities is organised around two complementary systems:

❯ risk management and internal control of each entity;
❯ internal or operational auditing of every entity.

These systems are adapted to each entity based on its organisation, activities, and resources and the local regulations abroad, under the authority of its Executive Management.

Regarding organisation and governance, the French entities subject to the Solvency II regulations have specified in their risk policies the roles and responsibilities of the administration and Senior Management bodies, key functions, and operational or support departments involved in risk management. As under the Group model, the entities regularly hold Specialist Risk Management committee meetings and reinforce the level of maturity of the following four key functions, defined under Solvency II:

❯ the “risk management” key function;
❯ the “compliance verification” key function;
❯ the “audit” key function;
❯ the “actuarial” key function.

The Group Risk Management, Control, and Compliance Department supports the entities in monitoring and rolling out Group standards. The entities’ permanent control plans are integrated into the community operational risk management tool according to the Group methodology. This tool also enables collection of incidents, assessment of operational risks, and management of action plans.

All of the Risk Management and Permanent Control/Compliance Managers of the Group’s entities supplement the plan and meet regularly within the framework of information exchange and best practices bodies (workgroups, theme-based workshops, and training), directed by the Group Risk Management, Control, and Compliance Department. An ARCC Operation Committee (ComOp) brings together the regional mutuals and the main subsidiaries of the Group’s France scope, with regular reports to the Group Executive Committee.

(b) Within Groupama Assurances Mutuelles

Implementing the internal control system at the level of the functional and operational activities of Groupama Assurances Mutuelles is the responsibility of the different officers in charge of these activities under the authority of the Executive Committee. The area of responsibility of each of these Managers is determined by the delegations of authority approved. The implementation of the internal control system of the corporate entity Groupama Assurances Mutuelles is handled by an employee of the Group Risk Management, Control, and Compliance Department.

(c) Monitoring of entities

Every subsidiary is subject to ongoing monitoring by the departments of the division to which it is attached:

❯ Group Finance Department for financial subsidiaries;
❯ Group Insurance and Services Department for the Non-Life insurance subsidiaries, the French service subsidiaries, and Groupama Supports & Services;
❯ Groupama Gan Vie’s Senior Management for the life insurance subsidiary and the distribution subsidiaries Gan Patrimoine and Gan Prévoyance;
❯ International Subsidiaries Department for foreign subsidiaries.

This specific monitoring is supplemented at Group level by cross-functional management of all of the entities, particularly in the following areas:

Activity monitoring and financial reporting

On behalf of the Group, the various Group Analysis and Management Control departments (within the Group Financial Control Department) implement procedures for activity monitoring (performance indicators) and financial reporting for all regional mutuals, French and international subsidiaries, and Groupama Assurances Mutuelles. The aim is transparency of results and an understanding of trends in these areas for the Groupama Assurances Mutuelles Executive Management and the entities.

