Groupe Renault - 2019 Universal Registration Document

RENAULT: A RESPONSIBLE COMPANY

ANNUAL GENERAL MEETING OF RENAULT ON APRIL 24, 2020

GROUPE RENAULT

CORPORATE GOVERNANCE

FINANCIAL STATEMENTS

RENAULT AND ITS SHAREHOLDERS

ADDITIONAL INFORMATION

INTERNAL CONTROL AND RISK MANAGEMENT

Risk Management In 2019, the Risk Management department focused its activities on: updating the mapping of the Group’s major risks. This exercise P was carried out in light of the Group’s medium-term strategic plan, so that the latter could in particular continuously integrate action plans to address the risks identified; the strengthening of treatment plans and processes to improve P the control of the major risks identified previously; assistance to operating entities in the implementation of country, P industrial site and commercial subsidiary risk mappings, carried out with the operational risk managers of the relevant entities;

assistance to the Program or Project departments in creating risk P mapping for projects; assistance to the global functions. P In addition, awareness-raising actions for Group employees about risk culture and the fundamentals of risk management were continued by the Risk Management department (communication and training, in particular through e-learning modules). In 2020, the Risk Management department’s activities will continue to focus on these priority issues.

01

General framework for internal control and risk 1.5.3 management within the RCI Banque group

RCI Banque has a global internal control system which aims to identify, analyze and manage the main risks identified in relation to the Company’s objectives. The RCI Banque group’s Internal Control Committee has validated the general framework for this system, which is described in the Internal Control Charter. This Charter defines the system applicable to the French and foreign companies over which RCI Banque has effective control and specifies in particular: the general arrangements for managing internal control; P the local arrangements for subsidiaries, branches and P joint-ventures; the special arrangements for various functional areas. P Risk control at RCI is overseen on three levels by separate functions: the first line of control is exercised by the operational functions in P charge of day-to-day risk management as part of the activities in their area of expertise. These functions decide and are responsible for taking risks in the conducting of transactions and the objectives assigned to them. They exercise this responsibility in accordance with the management rules and the risk limits defined by the corporate functional departments. The Corporate Functional departments are in charge of risk definition, rules, management methods, measurement and monitoring at the corporate level. Each department, in its area of expertise, manages and oversees the risk management system via guidelines and country objectives. Risk is monitored by periodic dedicated committees in both the subsidiaries and centrally. These departments rely on local representatives for risk measurement and exposure monitoring and ensure that limits are respected at the group level; the second line of defence includes: P the Internal Control department and the internal controllers for P the Group entities, which control the level of compliance of transactions with the management rules defined in the procedures. More specifically, they verify the relevance of the first line of control,

the Risk and Banking Regulations department, which oversees P the deployment of the Group’s risk governance policy, verifies the efficiency of risk management by the functional departments and of compliance with the limits and alert thresholds established and ensures that the Risk Committee of the RCI Board of Directors is notified when those thresholds are exceeded, the third line of defense is the internal audit function, which aims P to provide assurance to RCI Banque’s Board of Directors and senior management about the degree of control over transactions and the oversight exercised by the first two lines. The risk management system covers all the macro processes of the RCI Banque group and includes the following tools: the list of the main so-called critical and significant risks for which P a pilot, appetite level, alert thresholds and limits are defined (Risk Appetite Framework). For each risk, a detailed analysis is performed that identifies the components of the risk and the management and oversight principles that keep it in line with the risk appetite level. These elements are reviewed at least once a year in connection with the RCI Banque group business model and strategy; the mapping of operational management rules contributes to risk P management; it is deployed in all of the RCI Banque group’s consolidated subsidiaries. This mapping is updated regularly by the central business activity departments. The level of control of operational management rules is assessed annually by the process owners in all subsidiaries; the incident collection database helps to identify malfunctions P that correspond to predefined criteria and enables the corrective and preventive measures required to control risks to be put in place. This database is used for internal and regulatory reporting purposes. The system sets thresholds for immediately communicating incidents to RCI’s Executive Committee, RCI’s Board of Directors Groupe Renault’s Ethics and Compliance Committee (CEC), the French Prudential Supervisory Authority (ACPR) and the European Central Bank.

95 GROUPE RENAULT I UNIVERSAL REGISTRATION DOCUMENT 2019