MRM // 2021 Universal Registration Document

2.

RISK FACTORS

Risk management

2.1

The Company must address both generic risks arising from the economic or regulatory environment, or from the day-to day running of a business, together with risks specific to its business activities, business sector or structure. As these risks are constantly changing, they need to be identified, updated and regularly monitored. Risk management should not aim for an entire hypothetical elimination of risks, but instead should define what level of risk control is required in order for the Company to continue its day-to-day activities and implement its strategy. The Company implemented a risk management tool. This tool provides a full risk map and identifies the risks to which the Group is exposed, records and assesses current procedures and puts in place actions to add to or optimise risk response. This work was undertaken by general management, in collaboration with administrative and financial management and asset management. It was then presented and subject to an in-depth review at the Audit Committee meeting of 27 February 2020. This mapping will now be updated and reviewed on a regular basis. The risk map has identified 42 risks under 6 main categories: • 7 risks linked to the economic environment, consumer habits and purchasing behaviour; • 9 fnancial risks;

• 5 environmental, social and governance (ESG) risks; • 2 IT risks. M.R.M. has ranked the identified risks based on (i) their probability of occurrence, and (ii) the estimated scale of their negative (financial, legal and/or reputational) impact. The risk occurrence probability is based on its probability of occurrence over a 12-month period, based on a subjective assessment conducted as part of the risk management process described above. This is also divided into three levels: low, moderate and high. When assessing the estimated scale of the negative impact, the Company takes into account the prevention, mitigation and protection measures that it has put in place, thereby measuring the “net” impact of the risk. This is also divided into three levels: low, moderate and high. The risks that the Company deems as the most significant are those identified with one of the following combinations: • net impact listed as “moderate”, with a “moderate” or “high” risk of occurrence; • net impact listed as “high”, with a “moderate” or “high” risk of occurrence. In accordance with the so-called “Prospectus” regulation (EU) 2017/1129 which came into force on 21 July 2019, detailed in Section 2.2, M.R.M. sets out what it deems to be the most significant risks to which it is exposed and which could have an adverse effect on its business, financial position or results, or on its ability to meet its objectives.

• 11 operational risks; • 8 legal and tax risks;

Main risk factors

2.2

The risks detailed below are presented: • in the form of net risks (gross risks offset by prevention, mitigation and protection measures); • by category; and

• by decreasing order in each category (with the top risks being those which have the greatest impact). Risk priority is measured based on a combination of the probability of the risk materialising and its potential net impact on M.R.M.

M.R.M. 2021 UNIVERSAL REGISTRATION DOCUMENT

29