UNIVERSAL REGISTRATION DOCUMENT 2023

3 CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

3.5.3.3 Cross-functional committees

In addition to the specific Risk Management Committees (CRG, specialised committees by risk category, and capital management committee), the Group Risk Management and Compliance Director chairs two cross-functional committees, allowing him to coordinate two important areas involved in the control of the Group’s risks: the partial internal model and data quality.

Internal Model Group Committee (CGMI)

The CGMI, led by the Group Actuarial Department (in charge of modelling) and by the Group Risk Management, Control, and Compliance Department (in charge of independent validation of the model), is a body for decision-making and discussions between the various departments involved in or concerned by the internal model. As such, it takes an active role in the process of validating and changing the internal model. Its responsibilities are defined and detailed in the internal model policy. It reports to the Group Insurance Risk Management Committee, which has a role of consultation and guidance in such matters. It reports to the Group Risk Management Committee, the final decision maker with regard to major changes to the model, before approval by the Board of Directors.

Group Data Quality Committee (CGQD)

The CGQD, coordinated by the Group Management Control function, defines the Group data quality policy, verifies its operational implementation and manages projects necessary to improve data quality. Under the internal model, the CGQD ensures that the data quality (completeness, accuracy, relevance) is sufficient both for entry of the model into calibration and after calibration. It is supported by a network of data managers and data owners (by entity and for each Group department concerned), who are in charge of controls applied to the collection process. The CGQD prepares a Group report and reports directly to the Group Risk Management Committee (see above).

3.5.4 GROUP COMPLIANCE

Non-compliance risk is a cross-Group operational risk, and the non-compliance risk control system is one of the essential components of internal control organised within the Group. Compliance covers essentially the themes of the Group’s core business as non-life insurance, mutual certificates, and distribution of banking and finance products, governed in particular by the French Insurance Code, Monetary and Financial Code, Consumption Code, and Commercial Code, the AMF General Regulation, as well as the regulations established by the supervisory authorities of these activities. In this context, the main themes and risks covered are as follows:

❯ the protection of customers;
❯ the fight against money laundering and terrorist financing;
❯ ethics and professional conduct/conflicts of interest/the fight against corruption and influence peddling/the duty of care of parent companies and whistleblowing rights;
❯ internal fraud;
❯ personal data protection.

Group Insurance Risk Management Committee (CRAG)

The Group insurance risk management committee is made up of the deputy CEO in charge of the Group Insurance and Services Department (Chairman), the heads of the insurance, agricultural, PSO management and coordination, reinsurance, Group actuarial, and Group risk management, control, and Compliance Departments, representatives of the international subsidiaries and Groupama Gan Vie. It is responsible for proposing the policy and rules governing the acceptance and retention of insurance risks to the Group Risk Management Committee. In this context, it:

❯ identifies and evaluates insurance risks;
❯ examines the commitment levels at the Group level and the main guidelines;
❯ defines stress test scenarios on insurance risks, evaluates their consequences, and proposes a modus operandi in case of occurrence;
❯ monitors governance and the performance of the internal model for insurance risks (e.g. decision for major change of the model);
❯ checks the proper application of the process for development and compliance of new products (life and non-life) with the Group risk management policy;
❯ alerts the Group’s Executive Management where appropriate.

Group Operational Risk Management Committee (CROG)

Composed of the heads of the Group Risk Management, Control, and Compliance Department and the Groupama Assurances Mutuelles departments that are “owners” of the main identified operational risks and chaired by the General Secretary, it is responsible for:

❯ identifying and assessing operational risks (including compliance and reputation) and overseeing their consideration within the entities;
❯ defining and checking the budgets and operational risk limits consistent with the Group risk tolerance;
❯ monitoring all Group operational risks, particularly major Group operational risks;
❯ defining the policy for hedging against operational risks (operating risk insurance, BCP, etc.);
❯ alerting the Group’s Executive Management where appropriate.

3.5.3.2 Capital Management Committee

The main objectives of this committee are:

❯ validation of the capital management policy;
❯ monitoring of the implementation of the capital management plan;
❯ monitoring of the Group’s solvency risk;
❯ validation of the internal assessment of risks and the solvency of all Group entities at Group level.


Universal Registration Document 2023 GROUPAMA ASSURANCES MUTUELLES
