Groupama // Universal Registration Document 2022

GROUP RISK FACTORS Organisation of risk management within the Group

As for the international scope, meetings (four times a year), led by the Group Risk Department, are organised to discuss methodologies, Group schedules, and the various risk issues of the subsidiaries and/or the Group with the Risk Managers of the international subsidiaries.

The Group Risk Management and Permanent Control/Compliance functions are responsible for ensuring that all the Group’s entities comply with Executive Management’s requirements in terms of the internal control and risk management system, as well as those of Solvency II, Pillar 2.

The Group Risk Management Department is especially involved in areas related to financial risks, insurance risks, and risks associated with the Group’s solvency; the Group Operational Risk Management and Permanent Control Department is especially involved in the scope related to operational risk management; and the key function of compliance verification of Groupama Assurances Mutuelles, the Group compliance officer, is involved in the areas related to non-compliance and image risks.

Within this framework, these departments, according to their area of responsibility:

❯ assist administrative and Executive Management bodies in defining:
■ the risk strategy,
■ the core components of the risk management system;
❯ are responsible for the implementation and coordination of the risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s businesses;
❯ monitor and analyse the Group’s general risk profile;
❯ report on exposures to risk and alert the administration and Executive Management bodies in cases of major risks threatening the Group’s solvency;
❯ lead the Risk Committees;
❯ lead the working groups and bodies with the entities.
As regards the risk management function, the Group Risk Department is responsible for:

❯ developing the Group risk management policy and the coordinating policies relating to insurance and financial risks together with the risk owners concerned;
❯ defining the process for setting the Group’s risk tolerance (risk limits);
❯ monitoring the Group’s major insurance and financial risks;
❯ assessing and rating insurance and financial risks, including sensitivity analyses and stress tests;
❯ implementing the ORSA process: internal assessment by the Company of its risks and its solvency situation;
❯ implementing the PRP (Preventive Recovery Plan);
❯ supporting the Group’s entities in adapting the risk management system.

The Group Operational Risk Management and Permanent Control Department is responsible for:

❯ developing the Group’s internal control, operational risk management, and compliance policies;
❯ developing the Group’s standards and reference sources (mapping of processes, operational risks, permanent control plans, reference base of permanent controls) and overseeing the system within the entities;
❯ monitoring and assessing operational risks (related to control of processes);
❯ acting as project owner of the EU tool for management of operating risks, MAITRIS, managing in particular the collection of permanent control results, the incident database and the assessment of operational risks;
❯ establishing internal control at the Groupama Assurances Mutuelles entity;
❯ defining the business continuity policy (BCP) and implementing then overseeing the system within the entities;
❯ overseeing data quality control systems;
❯ validating the internal model;
❯ supporting the Group’s entities in adapting their operational risk management, permanent control and compliance systems (management, coordination, facilitation, information, and training);
❯ reporting on the status of the Group’s Internal Control system, for the purposes of communication to governance bodies and the appropriate supervisory authorities by the Group’s Director of Risk Management, Control and Compliance.

Defining the information systems security policy and its implementation by entities fall under the remit of Groupama Support and Services (G2S) which reports to the Group Operational Risk Management and Permanent Control Department.

The key role in verifying Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager:

❯ develops the Group compliance policy. This function is involved in drafting Group compensation policies and governance and product oversight policies in conjunction with the Groupama Assurances Mutuelles Departments concerned;
❯ oversees the compliance functional line and those responsible for the key function of compliance verification by ensuring, where necessary, that legal, regulatory, and jurisprudential practices, conducted by the Group Legal Department, are implemented;
❯ regularly monitors compliance with Group policies, standards, and procedures for the systems within its scope and their effective implementation;
❯ identifies, assesses, oversees, and monitors the exposure to non-compliance risks (risk mapping, dashboards, risk sheets, etc.);
