UNIVERSAL REGISTRATION DOCUMENT 2023
7 FINANCIAL STATEMENTS Combined financial statements and notes
5. Operational, legal, regulatory, and tax risks

5.1 Operational Risks

Operational risks are managed in accordance with the principles and rules defined in the Group and Groupama SA operational risk management policy (see point 1). Groupama’s operational risk management system is based on:

❯ the definition of internal management rules and operational procedures defining the manner in which the activities of Groupama SA must be conducted. They are specific to each business line and each key process. Operational risks are identified and associated permanent controls are formalised across the Group, at every stage of business line and functional processes, based on benchmarked Group processes and the Group classification of operational risks. The operational risk control system is based on three levels of control with responsibility and control plans appropriate to each level:
  ■ internal-check type permanent monitoring of the operational level and permanent management control,
  ■ permanent controls by the Permanent Control/Compliance Function of each entity,
  ■ periodic controls undertaken by the internal audit team of each entity;
❯ the definition and assessment of major Group operational risks and adaptation into major entity-level risks, which, as with insurance and financial risks, function on the basis of a network of risk owners with management and coordination of the entire system by the Group Operational Risk and Permanent Control Department and the Group Compliance Department;
❯ the securing of information systems in the face of major cyber risks;
❯ the Group’s business continuity policy; this policy serves as a baseline for crisis management systems and Business Continuity Plans (BCP) documented within the entities. The process is based on a BIA approach (Business Impact Analysis), which makes it possible to best calibrate the means necessary for the resumption of activity by identifying the critical business activities. Three BCPs have been identified:
  ■ a human resources BCP,
  ■ a property BCP,
  ■ a BCP for information systems;
❯ the information systems security policy and any related sub-policies;
❯ the system for securing people and property.

Moreover, an insurance programme is in place, designed to provide liability protection and the protection of the asset base of regional mutuals, Groupama Assurances Mutuelles and its subsidiaries. The contracts covering the most significant risks are split among internal insurers and external insurers. The principal coverage is the following:

❯ employee insurance;
❯ third-party liability of corporate officers;
❯ professional third-party liability;
❯ general third-party liability;
❯ property damage insurance (real property, offices, equipment, motor fleets, etc.);
❯ cyber risks and fraud.

5.2 Legal and regulatory risks

Legal and regulatory risks are managed as part of the Group compliance mechanism, which is defined in the Group compliance policy ratified by the Group’s governance bodies. The system put in place is based on two departments with separate scopes of involvement: Group Compliance and Group Legal.

A first level in support of operational teams and Directors, under the responsibility of the Group Legal Department, is responsible for:

❯ monitoring and compliance with all regulations (public or private standards) whatever the regulatory area with the exception of labour law and corporate taxation;
❯ legal securing of the Group’s businesses (products, distribution, communication, and consumer protection), projects, and operations; and
❯ advising and contributing to the optimisation of projects.

A second level, intended to provide independent insight to the Group’s Directors and decision-makers, under the responsibility of the Group’s Compliance Department, is responsible for:

❯ establishing and validating the compliance system;
❯ verifying compliance; and
❯ assessing non-compliance risk. It covers the scope of customer protection, the fight against money laundering and the financing of terrorism, ethics and professional conduct, and conflicts of interest.

The aim of this system is to ensure that all Group practices comply with legal provisions, administrative regulations and requirements, and professional standards, as well as the Group’s internal rules, charters, and procedures.

The permanent control procedures designed to ensure the compliance of all Groupama Assurances Mutuelles’ operations are based on the main mechanisms described below.

5.2.1 Compliance and legal securing by the Group Legal Department

The Group Legal Department is responsible for ensuring legal compliance and security in the following areas, either directly or through the Group’s legal function:

❯ provide regulatory monitoring for the Group at both national and European levels, assess the possible legal impact of regulatory developments (on the Group’s strategy, activities, development, innovation, and assets), and contribute to the Public Affairs Department’s lobbying actions;
❯ ensure that the Group’s businesses and operations comply with regulatory developments (including information and contribution to the training of employees, Group Directors, and networks);
Universal Registration Document 2023 GROUPAMA ASSURANCES MUTUELLES