Groupama // Universal Registration Document 2022

5

GROUP RISK FACTORS Organisation of risk management within the Group

Regarding the application of the provisions of the French data protection law and the General Data Protection Regulation (GDPR), the compliance system relies on the Data Protection Officer (DPO) of the Group’s French entities declared to the French national data protection commission (“CNIL”) and on the network of internal data relay protection officers (DRPO): one officer per entity and 20 for Groupama Assurances Mutuelles in areas implementing processing operations. Each international subsidiary in the EU has also designated a DPO with its national supervisory authority. All of these players are coordinated by the France DPO, who serves as CPO (Corporate Privacy Officer) within the Group. This network changes based on the Group’s organisational modifications.

The role of the Group’s Tax Department is to provide information and monitor tax regulations for all of the Group’s entities. It is also regularly questioned about specific technical points and is involved in preparing the end-of-year financial statements.

The Group’s internal control system is supplemented with the activities of the Group General Audit Department. The Group General Audit Department conducts several types of audits, including a general economic and financial audit of the Group’s entities, generally on a three-year basis and at the latest every five years, in addition to the operational audits conducted within the entities. For large entities, these audits may be conducted more frequently and cover smaller scopes. The Group General Audit Department also conducts audits on Groupama Assurances Mutuelles processes and on the Group’s cross-functional processes, in which several entities may be involved, with the support of the entities’ Internal Auditing Departments. Lastly, the Group General Audit Department conducts audits on behalf of some entities as part of the pooling of the Audit key function with Groupama Assurances Mutuelles.
The audit schedule of the Group General Audit Department is defined by the Executive Management of Groupama Assurances Mutuelles and validated by the Groupama Assurances Mutuelles Audit and Risk Management Committee and the Board of Directors of Groupama Assurances Mutuelles. Every mission involves a review of the risk and internal control system for the activity or entity audited, and a mission report is prepared presenting the observations, findings, and recommendations to the Executive Management of the audited entities. A regular summary of the missions is provided to the Executive Management of Groupama Assurances Mutuelles, the Audit and Risk Management Committee, and the Group Executive Committee for cross-functional audits. A quarterly report on the progress of the recommendations is given to the Group Executive Committee and the Audit and Risk Management Committee of Groupama Assurances Mutuelles.

Each Group entity also has risk management, permanent control, and compliance functions. In addition to these three Risk Management Departments, departments such as the Legal and Tax Departments also contribute to the management of the risks of the Group and its various entities. The Group Legal Department, under the supervision of the general secretariat, provides, in particular, on behalf of the business lines of Groupama Assurances Mutuelles and insurance organisations (French insurance subsidiaries as well as the regional mutuals), the following functions:

❯ helping in drawing up replies to supervisory authorities, with the Group Legal Department and relevant departments and entities;
❯ reports on non-compliance risk management to the governance bodies of the Group and the companies.
❯ monitoring and analysis of legislation and case law and other standards (FFA (French Insurance Federation) professional standards, ACPR (French Prudential Supervisory and Resolution Authority) recommendations, opinions issued by the French government’s “defender of rights” and the CCLRF (Banque de France’s Advisory Committee on financial legislation and regulation)) having an impact on the insurance business (marketing, consumer protection, communication, advertising, the development, subscription, execution, and termination of insurance products, etc.);
❯ the necessary anticipation and support to implement new regulations for insurance;
❯ information (notes, circulars, working groups, dissemination of a quarterly legal newsletter on customer protection);
❯ ratification of new insurance policies developed by the Business Departments and other Group insurance subsidiaries, as well as changes made to existing policies;
❯ development and approval of distribution, management delegation, and partnership agreements in connection with insurance, banking and other services;
❯ legal and tax advice (taxation applicable to products and advice in the area of wealth management solutions);
❯ dealings with administrative authorities for inspections, and support during these inspections and any resulting consequences on the insurance business;
❯ building and running of training and awareness-raising sessions on the regulations applicable to the insurance business, intended for a variety of audiences (distribution networks, Managers, etc.).
❯ assists the business lines in drafting the level 1 control plans to strengthen non-compliance risk management and draws up the corresponding level 2 control plans;
❯ implements and supervises, in collaboration with the Group’s entities, the prevention, identification, and management of conflicts of interest;
