Groupama // Universal Registration Document 2022

3

CORPORATE GOVERNANCE AND INTERNAL CONTROL Internal control procedures

The working methods and the definition of the responsibilities of the key internal audit functions of the entities were formalised in dedicated policies approved in 2021 by the Boards of Directors of most of the Group’s entities, consistent with the principles of the Internal Audit policy of the Group and Groupama Assurances Mutuelles. The function is managed, under the responsibility of the Group Internal Audit Director, principally through an annual agreement and a working group (WG), which met three times in 2022.

(b) Within Groupama Assurances Mutuelles Implementing the internal control system at the level of the functional and operational activities of Groupama Assurances Mutuelles is the responsibility of the various officers in charge of these activities under the authority of the Executive Committee. The area of responsibility of each of these Managers is determined by the delegations of authority approved. The implementation of the internal control system of the corporate entity Groupama Assurances Mutuelles is handled by an employee of the Group Risk Management, Control, and Compliance Department. Monitoring of entities Every subsidiary is subject to ongoing monitoring by the departments of the division to which it is attached: Group Financial Department for financial subsidiaries; ❯ Group Insurance and Services Department for the Non ‑ Life insurance subsidiaries, the French service subsidiaries, and Groupama Supports & Services; ❯ Groupama Gan Vie’s Senior Management for the life insurance subsidiary and the distribution subsidiaries Gan Patrimoine and Gan Prévoyance; ❯ International Subsidiaries Department for foreign subsidiaries. ❯ (c) An ARCC Operation Committee (ComOp) brings together the regional mutuals and the main subsidiaries of the Group’s France scope, with regular reports to the Group Executive Committee. This specific monitoring is supplemented at Group level by cross ‑ functional management of all of the entities, particularly in the following areas: Activity monitoring and financial reporting On behalf of the Group, the various Group Analysis and Management Control Departments (within the Group Financial Control Department) implement procedures for activity monitoring (performance indicators) and financial reporting for all regional mutuals, French and international subsidiaries, and Groupama Assurances Mutuelles. The aim is transparency of results and an understanding of trends in these areas for the Groupama Assurances Mutuelles Executive Management and the entities. This approach is based on a process of management planning that is common to all entities. It is implemented and coordinated by the Group Financial Control Department and is based on core Group standards for developing forecasts, approved by the Executive Management and updated regularly. The internal control procedures for financial reporting are specified in chapter 6 of this Universal Registration Document. In addition to this monitoring process, business reviews are conducted twice a year for Group subsidiaries in France and internationally with the Executive Management of Groupama Assurances Mutuelles. These exchanges ensure, in particular, that the Company’s strategic guidelines conform to the Group framework.

3.5.2.2

Internal control and risk management systems within the entities and Groupama Assurances Mutuelles

(a) Within the entities The risk control and internal control system specific to the entities is organised around two complementary systems: risk management and internal control of each entity; ❯ internal or operational auditing of every entity. ❯ These systems are adapted to each entity based on its organisation, activities, and resources and the local regulations abroad, under the authority of its Executive Management. Regarding organisation and governance, the French entities subject to the Solvency 2 regulations have specified in their risk policies the roles and responsibilities of the administration and executive management bodies, key functions, and operational or support departments involved in risk management. As under the Group model, the entities regularly hold specialist risk Management committee meetings and reinforce the level of maturity of the following four key functions, defined under Solvency II: The Group Risk Management, Control, and Compliance Department supports the entities in monitoring and rolling out Group standards. The entities’ Permanent Control plans are integrated into the community operational risk management tool according to the Group methodology. This tool also enables collection of incidents, assessment of operational risks, and management of action plans. All of the Risk Management and Permanent Control/ Compliance Managers of the Group’s entities supplement the plan and meet regularly within the framework of information exchange and best practices bodies (workgroups, theme ‑ based workshops, and training), directed by the Group Risk Management, Control, and Compliance Department. the “risk management” key function; ❯ the “compliance verification” key function; ❯ the “audit” key function; ❯ the “actuarial” key function. ❯

63

Universal Registration Document 2022 - GROUPAMA ASSURANCES MUTUELLES