Groupe Renault - 2020 Universal Registration Document

01

INTERNAL CONTROL AND RISK MANAGEMENT GROUPE RENAULT

Cross-functional risks 1.5.2.4 Risk of cyberattack and failure of information systems - high risk with impact > probability The conduct of the Group’s activities depends, continuously and increasingly, on the proper functioning of its IT and information systems. Developments in the Group’s strategy and its new challenges (cloud strategy, digitization, Industry 4.0, development of connected services or strengthening of the cybersecurity regulatory environment in particular) are tending to increase its exposure to threats and making cybersecurity a major challenge. The main risks that could adversely affect its activities, its systems, or those associated with connected services offered to its customers as part of the Group’s product and service offer, are related to: cybercrime: global computerized attacks or attacks targeting the P Group’s interests or, as a side effect, national interests. These attacks, in a context of strong growth, may aim to access sensitive data (strategic, products, services or personal data), to steal or alter them, to block services or even all of the Group’s Information Systems; incidents that could affect the continuity of services hosted in our P infrastructures and those of our partners and suppliers; non-compliance with IT standards or practices required by P legislation, external authorities or contracts with suppliers. The materialization of these risks, despite the continuous strengthening of systems aimed at controlling them, could have major financial impacts related to the temporary suspension of the Group’s activities – of all types – (revenues, earnings) or to penalties. Adverse impacts could also affect the Group’s image, the confidence of third parties and customers toward the Group and its brands. In addition, the Group’s increased marketing of connected vehicles and services (see in particular sections 1.4.1 and 1.4.2) is accompanied by the emergence of risks of a comparable nature, for which insufficiently robust and sustainable management could lead to adverse impacts on safety and the reliability of data, services or vehicles. Risk management The general control of these risks is currently provided at an operational level by: the deployment of Group security policies and the continuous P enrichment of the process of defining security requirements according to the level of criticality of the applications and data handled; the deployment of an evolving action plan based on a security P master plan and an annual risk mapping. The security master plan was updated and presented to the Audit, Risks and Compliance Committee (CARC) in 2020; the establishment of insurance coverage for cybersecurity. P

Risk of shortcomings in product or service quality - medium risk The quality of the Group’s products and services could be considered insufficiently competitive by potential customers in the face of the competition, which would adversely affect the satisfaction of its customers or partners, and negatively affect its sales, revenues, costs or reputation. This risk is specifically considered within the stringent environment of major changes in the automotive technologies implemented by the Group as part of its strategic plan (see in particular the presentation of the new products in 2020 and 2021 in section 1.4.2. of this Document as well as the "vehicle of tomorrow" mentioned in section 1.4.1). Risk management Control of this risk was enhanced by the launch of a specific Customer Satisfaction plan (see section 1.4.3) that is managed by the Quality and Customer Satisfaction department; it relies in particular on quality assurance systems implemented within the Group’s operating activities as well as on functional safety organization and activities and general product safety, aiming to protect against the risks linked to the physical integrity of people involved in road use, starting with the users of the Group’s products and services. The Group has also set up a market monitoring system that allows it to very quickly learn about sources of customer dissatisfaction and act accordingly. This is done in particular through such measures as enhanced recall processes in order to ensure the correction of quality problems, especially those that could have potential regulatory or safety consequences. Insufficient reinforcement of the Renault brand - medium risk The Renault brand is recognized for its products in the small car segment, with the success of the CLIO and the CAPTUR, and in the electric vehicle segment with the ZOE, which was the biggest-selling electric vehicle in Europe in 2020. To meet ambitions for value creation in the upper segments, particularly the C and C+ segments in line with the strategy announced at the end of 2020, the Renault brand must improve its image with customers in those segments. Risk management The organization set up at the start of 2021 with the division into four Business Units, one of which dedicated to the Renault brand, should make it possible to ensure that brand strategy is perfectly coordinated and consistent across all business lines from upstream to downstream, with stricter centralized governance. The Renault brand will be able to rely on the launch of 14 new models in its range by 2025, all of which will be offered in electric or hybrid versions. The refocusing of sales on value instead of volume, with a precise roll-out plan in the network, should enable the image to be strengthened to the required level.

108 GROUPE RENAULT I UNIVERSAL REGISTRATION DOCUMENT 2020

Find out more at group.renault.com