UNIVERSAL REGISTRATION DOCUMENT 2023

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

(c) Group General Audit Department

The objectives and the principles for operation and involvement of the Group’s General Audit Department and the internal audit function as well as the relationship between the various control levels (permanent control, internal audit in the Group entities and General Audit Department) are formalised in the Group internal audit policy of Groupama Assurances Mutuelles. The Group General Audit Department operates across the entire Group with a staff of 15 auditors. The Group General Audit Department’s 2023 audit plan was approved by the Groupama Assurances Mutuelles Board of Directors.

The Group General Audit Department’s audit plan is organised on an annual basis around four types of missions:

❯ general audits of entities;
❯ cross-functional process audits;
❯ audits of the Groupama Assurances Mutuelles Departments of specific themes in the Group’s entities;
❯ spot audits at the request of the Executive Management or provided for in the Group procedures.

Concerning the general audits of entities, the audit plan is created on the basis of a risk-based approach, with a three-year coverage objective for regional mutuals. Audit missions are preceded by a preliminary analysis of the risks facing the entity, in order to concentrate the audit investigations on the most sensitive areas. The audit also studies the functioning of the links the entity maintains with the Group and the other entities.

The general audits of entities conducted in 2023 by the Group General Audit Department focused on five regional mutuals (including one specialised mutual), three French insurance subsidiaries (for general or thematic audits), one financial management subsidiary, and three international subsidiaries. Lastly, two cross-functional audits were conducted or initiated on the AML/CFT and Motor insurance profitability.
The audit conclusions are reported via a table of assessment of risks to which the Company is exposed on its key processes and a list of recommendations. These conclusions are shared with the Steering Committees of the companies concerned and the Group Executive Committee for the cross-functional audits. They are then presented to the Audit and Risk Management Committee of Groupama Assurances Mutuelles.

At the end of 2023, the Group’s audit team had around 100 auditors across Groupama Assurances Mutuelles, the regional mutuals, and the Group’s subsidiaries in France and internationally. The working methods and the definition of the responsibilities of the key internal audit functions of the entities were formalised in dedicated policies approved in 2021 by the Boards of Directors of most of the Group’s entities, consistent with the principles of the Internal Audit policy of the Group and Groupama Assurances Mutuelles. The function is managed, under the responsibility of the Group Internal Audit Director, principally through an annual agreement and a working group (WG), which met three times in 2023.

At the same time, the Boards of Directors of the Group’s insurance companies were involved – directly or through the Audit and Risk Management Committee upstream of the ORSA work (particularly through the validation of calculation assumptions and the choice of scenarios adopted) – and examined the results then approved their company’s report before transmission to the local control authorities in accordance with the regulations.

(b) Group Operational Risk Management and Permanent Control Department (DROCPG)

As at the end of 2023, the DROCPG had a dedicated team of 16 people, was involved especially in the scope relating to the management of operational risks and permanent control activities, and was also in charge of the coordination of work to validate the partial internal model, major changes, and the SCR calculation by the internal model.

In 2023, the major tasks undertaken by the teams in the DROCPG focused on:

❯ assessing operational risks particularly on the basis of the Group nomenclature and the Group assessment methodology;
❯ developing and maintaining the community tool for operational risk management and control reporting and the ongoing support of the Group’s companies in its use;
❯ continuous improvement of business continuity measures by enriching the scenarios addressed to better understand the aspects relating to the risk of cyberattack;
❯ supporting the Group’s entities in the implementation of their Business Continuity Plan in line with the Group policy: testing drills, workshops, plenary session of managers in the entities, deployment of a crisis management solution, and provision of examples of good practices;
❯ managing the network of risk and internal control officers and organising meetings to discuss experiences through regular workgroups and the COMOP (Operational Implementation Committee), attended by the ARCC (Risk Management, Control, and Compliance Audit) Managers of the main companies of the Group’s France scope;
❯ carrying out work to update and align the control plans deployed in the entities.

In addition to these actions to strengthen the risk and control system, the DROCPGs, the Group Compliance Department, and the Group Risk Management Department worked together on the annual internal control questionnaire campaign. The purpose of this self-assessment questionnaire is to ascertain the status of the risk control and internal control systems and their level of deployment (at both entity level and Group level) and uniformly measure the progress of the Group’s entities. This status assessment gives rise to the development and monitoring of improvement action plans.

Lastly, in addition to the Group Operational Risk Management and Permanent Control/Group Compliance Departments, a Research Division, reporting directly to the Group Risk Management and Control Director, completes the system; its primary responsibilities include conducting general studies on the subject of risk management and control, monitoring the emergence of new risks and tracking CRO Forum files (Chief Risk Officers – European Forum).
