Groupama // Universal Registration Document 2022
7
FINANCIAL STATEMENTS Combined financial statements and notes
1.3 Group

The Group General Audit Department conducts several types of audits, including a general economic and financial audit of the Group’s entities, generally on a three-year basis and at the latest every five years, in addition to the operational audits conducted within the entities. For large entities, these audits may be conducted more frequently and cover smaller scopes. The Group General Audit Department also conducts audits on Groupama Assurances Mutuelles processes and on the Group’s cross-functional processes, in which several entities may be involved, with the support of the entities’ internal auditing departments. Lastly, the Group General Audit Department conducts audits on behalf of some entities as part of the pooling of the audit key function with Groupama Assurances Mutuelles.

The audit schedule of the Group General Audit Department is defined by the Executive Management of Groupama Assurances Mutuelles and validated by the Groupama Assurances Mutuelles Audit and Risk Management Committee and the Board of Directors of Groupama Assurances Mutuelles. Every mission involves a review of the risk and internal control system for the activity or entity audited, and a mission report is prepared presenting the observations, findings, and recommendations to the Executive Management of the audited entities. A regular summary of the missions is provided to the Executive Management of Groupama Assurances Mutuelles, the Audit and Risk Management Committee, and the Group Executive Committee for cross-functional audits. A quarterly report on the progress of the recommendations is given to the Group Executive Committee and the Audit and Risk Management Committee of Groupama Assurances Mutuelles.
The Group Risk Management and Permanent Control/Compliance functions are responsible for ensuring that all the Group’s entities comply with Executive Management’s requirements in terms of the internal control and risk management system, as well as those of Solvency II, Pillar 2. As regards risk management, the Group Risk Department works more specifically in areas related to financial and insurance risks, and risks connected to the Group’s solvency; the Operational Risk and Permanent Control Department works more particularly in areas related to the management of operational risks, and the key role in Groupama Assurances Mutuelles’ compliance, i.e. the Group Compliance Manager, works in fields connected to non-compliance and image-related risks.

Within this framework, these departments, according to their area of responsibility:
❯ assist administrative and Executive Management bodies in defining:
  ■ the risk strategy,
  ■ the core components of the risk management system;
❯ are responsible for the implementation and coordination of the risk management system, consisting particularly of the risk management policies and the processes for identifying, measuring, managing, and reporting the risks inherent in the Group’s businesses;
❯ monitor and analyse the Group’s general risk profile;
❯ report on exposures to risk and alert the administration and Executive Management bodies in cases of major risks threatening the Group’s solvency;
❯ lead the Risk Committees;
❯ lead the working groups and bodies with the entities.

More specifically, the Group Risk Department, as regards the risk management function, is responsible for:
❯ developing the Group risk management policy and the coordinating policies relating to insurance and financial risks together with the risk owners concerned;
❯ defining the process for setting the Group’s risk tolerance (risk limits);
❯ monitoring the Group’s major insurance and financial risks;
❯ assessing and rating insurance and financial risks, including sensitivity analyses and stress tests;
❯ implementing the ORSA process: internal assessment by the Company of its risks and its solvency situation;
❯ implementing the PRP (Preventive Recovery Plan);
❯ supporting the Group’s entities in adapting the risk management system.

The Group Operational Risk Management and Permanent Control Department is responsible for:
❯ developing the Group’s internal control and operational risk management policies;
❯ developing the Group’s standards and reference sources (mapping of processes, operational risks, permanent control plans, reference base of permanent controls) and overseeing the system within the entities;
❯ monitoring and assessing operational risks (related to control of processes);
❯ acting as project owner of the EU tool for management of operating risks, MAITRIS, managing in particular the collection of permanent control results, the incident database and the assessment of operational risks;
❯ establishing internal control at the Groupama Assurances Mutuelles entity;
❯ defining the business continuity policy (BCP) and implementing then overseeing the system within the entities;
❯ overseeing data quality control systems;
❯ validating the internal model;
❯ supporting the Group’s entities in adapting their operational risk management, permanent control and compliance systems (management, coordination, facilitation, information, and training);
❯ reporting on the status of the Group’s internal control system, for the purposes of communication to governance bodies and the appropriate supervisory authorities by the Group’s Director of risk management, control, and compliance.