UNIVERSAL REGISTRATION DOCUMENT 2023

5 GROUP RISK FACTORS

Organisation of risk management within the Group

Similar mechanisms are in place at the entity level. In addition, a committee for the implementation and sharing of objectives, decisions, and best practices between the Group’s entities has been set up. This Audit, Risk management, Control, and Compliance operational implementation Committee (Comop ARCC) is run by the Group risk management, control, and Compliance Department and the Group General Audit Department, with the Group’s Legal Department also involved. It brings together the regional mutuals, the French insurance subsidiaries, and Groupama Supports & Services (G2S).

As for the international scope, meetings (four times a year), led by the Group Risk Department, are organised to discuss methodologies, Group schedules, and the various risk issues of the subsidiaries and/or the Group with the Risk Managers of the international subsidiaries.

The Group Risk Management and Permanent Control/Compliance functions are responsible for ensuring that all the Group’s entities comply with Executive Management’s requirements in terms of the internal control and risk management system, as well as those of Solvency II, Pillar 2. The Group Risk Management Department is especially involved in areas related to financial risks, insurance risks, and risks associated with the Group’s solvency; the Group Operational Risk Management and Permanent Control Department is especially involved in the scope related to operational risk management; and the key function of compliance verification of Groupama Assurances Mutuelles, the Group compliance officer, is involved in the areas related to non-compliance and image risks.
Within this framework, these departments, according to their area of responsibility:
❯ assist administrative and Executive Management bodies in defining:
■ the risk strategy,
■ the core components of the risk management system;
❯ are responsible for the implementation and coordination of the risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s businesses;
❯ monitor and analyse the Group’s general risk profile;
❯ report on exposures to risk and alert the administration and Executive Management bodies in cases of major risks threatening the Group’s solvency;
❯ lead the Risk Committees; and
❯ lead the working Groups and bodies with the entities.

As regards the insurance and financial risk management function, the Group Risk Department is responsible for:
❯ developing the Group risk management policy and the coordinating policies relating to insurance and financial risks together with the risk owners concerned;
❯ defining the process for setting the Group’s risk tolerance (risk limits);
❯ monitoring the Group’s major insurance and financial risks;
❯ assessing and rating insurance and financial risks, including sensitivity analyses and stress tests;
❯ implementing the ORSA process: internal assessment by the Company of its risks and its solvency situation;
❯ implementing the PRP (Preventive Recovery Plan);
❯ supporting the Group’s entities in adapting the risk management system.

The Group Operational Risk Management and Permanent Control Department is responsible for:
❯ developing the Group’s internal control, operational risk management, and compliance policies;
❯ developing the Group’s standards and reference sources (mapping of processes, operational risks, permanent control plans, reference base of permanent controls) and overseeing the system within the entities;
❯ monitoring and assessing operational risks (related to control of processes);
❯ acting as project owner of the EU tool for management of operating risks, MAITRIS, managing in particular the collection of permanent control results, the incident database and the assessment of operational risks;
❯ establishing internal control at the Groupama Assurances Mutuelles entity;
❯ defining the business continuity policy (BCP) and implementing then overseeing the system within the entities;
❯ overseeing data quality control systems;
❯ validating the internal model;
❯ supporting the Group’s entities in adapting their operational risk management, permanent control and compliance systems (management, coordination, facilitation, information, and training); and
❯ reporting on the status of the Group’s internal control system, for the purposes of communication to governance bodies and the appropriate supervisory authorities by the Group’s Director of risk management, control, and compliance.

Defining the information systems security policy and its implementation by entities fall under the remit of Groupama Supports & Services (G2S), which reports to the Group Operational Risk Management and Permanent Control Department.
The key role in verifying Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager, is in charge of:
❯ coordinating the compliance function generally and the various Compliance Managers: oversee the operational deployment of procedures and corresponding tools; design the level 1 and 2 control plans to strengthen non-compliance risk management; identify, assess, supervise and monitor exposure to businesses’ non-compliance risks (risk map, dashboards, risk sheets, etc.);
❯ acting, where necessary, as a conduit for legal, regulatory and jurisprudential intelligence prepared by the Group Legal Department vis-à-vis the subsidiary;


Universal Registration Document 2023 GROUPAMA ASSURANCES MUTUELLES
