Groupe Renault - 2019 Universal Registration Document

01

INTERNAL CONTROL AND RISK MANAGEMENT GROUPE RENAULT

In terms of scope, the internal control system applies to the parent company and all significant entities, fully consolidated companies in particular. The risk management policy is applied at Group level for major risks. It is also rolled out at operating entity level (countries, commercial and/or industrial subsidiaries), for vehicle programs and global functions. Guidelines for the internal control system Internal delegations and separation of offices In addition to command-line structures, the Group has set up a staff reporting system so that corporate function managers can provide leadership for their function correspondents throughout the Group. The decision-making process is based on a system of internal delegation that determines in which areas and at which levels operational managers may make decisions. All the rules for delegating decision-making authority are communicated to personnel via the intranet. Decision requests are tracked in a workflow that implements the rules specifying the persons to be involved, in accordance with internal control procedures or documented in the minutes of the committees responsible for making the decision. Decisions concerning certain transactions, and notably those related to the capital of the subsidiaries, disposals/acquisitions, partnerships, cooperation, and limits on the hedging of raw materials and currency risks, along with general policies, are made following a special review by a committee of experts, which gives an opinion. The final decision was made by the Chief Executive Officer of Renault until October 11, 2019, then by the Acting Chief Executive Officer of Renault until the end of 2019. The principle of separation of offices and tasks is required at all hierarchical and functional levels within the Group, and within the computer systems, to facilitate independent control and to separate tasks and functions corresponding to operations, the protection of property and their booking for accounting purposes. Group ethics and corporate functions criteria The “Corporate Functions” define and issue the policies and standards to be deployed, which are then rolled out as procedures and operating methods to ensure that processes at operational level function in accordance with the principles outlined in the code of ethics, the Guide for preventing corruption and influence peddling and the dedicated Codes of Ethics. The Internal Control department distributes guidelines (Minimum Control Standards & Control Basic Rules) that list the main themes to be controlled and incorporated into the operational staff’s control activities. 1.5.1.4

Audit, Risks and Compliance Committee (CARC)

Executive Committee / Operational Review Committee

Risks and Internal Control Committee (CRCI)

Ethics and Compliance Committee (CEC)

1 st line

2 nd line

3 rd line

Internal Audit

Corporate Functions • Risk Management • Internal Control • Ethics/Compliance • Management Control • Accounting • Quality • HR • Legal • Environment, etc

Operational Management

• Functions • Regions • Programs

The internal control and risk management systems help to control operations and fulfill Group objectives: the internal control system aims to control processes so as to P provide reasonable assurance on the efficacy, preservation of assets, compliance and reliability of financial, accounting and management information; the risk management system identifies and assesses major risks P likely to hinder the business’ ability to fulfill its objectives in order to maintain these risks at a level judged acceptable by Senior Management; as part of its duties, Internal Audit assesses the functioning of the P internal control and risk management systems, and issues recommendations for improvement. The first two lines of defense report on internal control and risk management issues to dedicated committees: the Risks and Internal Control Committee ( Comité des risques et du contrôle interne , CRCI) and the Ethics and Compliance Committee ( Comité d’éthique et de conformité , CEC) presented in section 2.5.1. They occasionally report to the Executive Committee and the Operations Review Committee as part of thematic presentations. The aim of the Risks and Internal Control Committee is to regularly validate and assess the efficiency of the internal control and risk management systems. The second and third line of defense present the results of their work to the Audit, Risks and Compliance Committee (CARC), whose duties are defined in section 3.1.6. In the course of their duties, the statutory auditors assess the internal control of the preparation and processing of accounting and financial data and, when necessary, issue recommendations.

92 GROUPE RENAULT I UNIVERSAL REGISTRATION DOCUMENT 2019

Find out more at www.groupe.renault.com