PSA - 2019 Universal Registration Document

GROUPE PSA Risk management and internal control procedures

Participants and processes 1.4.4.

AT GROUP LEVEL 1.4.4.1. AND IN THE AUTOMOTIVE DIVISION FOR RISK MANAGEMENT There is an overallset of securityprocessesthat contributeto the Group’s riskmanagement system. The risk management systemis deployedGroup-wide. Each departmentis responsiblefor identifyingand checking the risks to which it is exposedand implementingthe necessaryaction plans tomitigatethoserisks. A METRIC review is conductedon an annual basis (year-end)by each representativeof the Group’s Protection network (ICRCs) within the ExecutiveCommitteeto which it belongs. This review assessesthe pastyear in termsof riskmanagementandcompliance and validates action plans for the coming year. This structure is crucial when it comes to enabling managers to gain a better understandingof the risks and challengesthat they are facingand to take gooddecisionswith the aim of protectingthe Company,its employees and its assets. The GroupProtection,Auditand RiskManagementDepartment is in charge of the Risk ManagementApproach and checks the CorrectApplicationof RiskManagementSystems. The principal risks in each department, i.e. those which are most critical (impact x probability),are reported by every department each half year in a “DepartmentTop-Risks”Report. The report is sent to the General Secretary via its Group Protection,Audit and Risk Management Department (DPAR). In addition,this departmentidentifiesthe Group’smain crossover risks once a year at interviews conductedwith a representative rangeof the Group’sexecutive officers andmanagers. The mapping of major risks “Group Top-Risks” (from the “Top ManagementRisks”and the aforementioned interviews)is reviewed everyyearby theGlobalExecutiveCommitteeandpresentedto the Supervisory Board’s Finance and Audit Committee. The Global ExecutiveCommitteevalidatesthe actionplansfor dealingwith the “GroupTop-Risks”. Specificriskmanagementandcontrolprocedurescoverparticular risks. The Group’s Code of Ethics is directly available to all Group employees via the Intranet portal. All employees are required formallyto acceptthe terms of the Code. An Ethics & Compliance Committeechairedby the GeneralSecretarymeets on a quarterly basis. For further information on the Group’s ethics policy, see Section 2.3.3 of this Registration Document. Anti-fraudmeasures are the responsibilityof the Group Ethics & Compliance Committee, which delegates their implementation, investigation,records management and reporting to the Group DPAR. TheDPAR,whichreportsto theGeneralSecretary,is responsiblefor definingand coordinatingon a global basis all actionsintendedto protect the employeesand tangible and intangibleassets of the Group(exceptfor Faurecia)againstthe risks arisingfrommalicious actsof all kinds. The Legal Affairs Department, which reports to the General Secretary, produces or checks the Group’s contractual commitments. It is also in chargeof organisingthe Group’sdefence in the event of disputeswith third parties. It thus helps limit and manage the legal risks to which the Groupis exposed.

The ManagementControl Department,which reports to the Chief FinancialOfficer,is responsiblefor overseeingthe Group’sbusiness and financialperformanceand proposesannual and medium-term targets for growth, operating margin and return on capital employed to Executive Management.It manages the process of preparing the Medium-TermPlan and the budget framework. It controlsthe results of the operatingdepartmentsand the Group’s projects,and producessummaryreports. It also carries out other finance-related tasks, particularlyfor the automotivebusiness,such as product costing and price provision, selling price control, checking project profitability, financial monitoring of industrial cooperationwithothercar manufacturers,negotiations for mergers, acquisitionsanddisposals, etc.,anddrawingup formalmanagement rulesand standards. The Group Protection,Audit and Risk ManagementDepartment checks that the risk management procedures are correctly applied. TheDPARverifiescompliancewithrules via audits.Theannualaudit plan, which is defined independently, is based on the “Group Top-Risks” and is subsequently submitted to Executive Management for approvalandpresentedto the SupervisoryBoard’s Finance andAuditCommittee. TheGroupProtection,AuditandRisk Management Department is also responsible for assessing the degree of maturity of the risk managementsystem and making recommendations for improving its effectiveness. A total of 65 audits were carried out in2019 acrossthe entire Group. The Supervisory Board’s control and oversight role. TheFinanceandAuditCommitteeof the SupervisoryBoardensures that the risk managementand internal control system operates effectively.The GeneralSecretaryreportsto the SupervisoryBoard on the systemsin placeand their degreeof maturity,as well as the “Group Top-Risks”map, with particular emphasis on risks which could have an impact on the Company’sfinancialand accounting information. The Board also reviews the Internal Audit Department’s organisationalandoperatingprinciples,expressesan opinionon the InternalAuditplan and is informedof the findingsof (i) the Internal Auditsperformedas part of the planand (ii) the follow-upauditsto checkthatdepartmentshaveimplemented the recommendations. AT THE GROUP AND AUTOMOTIVE 1.4.4.2. DIVISION LEVELSFOR INTERNALCONTROL Control environment To better meet regulatory requirements and consumer expectations,the Group set up a Compliancemanagementsystem whichdrawson the skills of five pairs of complianceofficersin the areas of competition,anti-corruption,personaldata, type approval, export control. Similar to regulatorybodies,each one is responsiblein its field for internallycommunicating externalrestrictionsandobligations(laws, regulations,consumercommitments)in the form of internal rules applicableto theCompany’s operational processes. ComplianceOfficers are answerableto the Head of Compliance Officewhoreportsdirectlyto theGeneralSecretaryunderthe aegis of the Ethics and ComplianceCommittee.Where necessary,they have direct accessto the Chairmanof the ManagingBoard and to the SupervisoryBoard.

22

GROUPE PSA - 2019 UNIVERSAL REGISTRATION DOCUMENT