EURONEXT_Registration_Document_2017

CORPORATE GOVERNANCE

Management & Control Structure

2.2.1 SECOND LINE OF DEFENCE

ERM Framework

The objectives and principles for the ERM process are set forth in the Company’s ERM Policy. The ERM process is based on best practices regarding internal control and enterprise risk management, including the Committee of Sponsoring Organisations of the Treadway Commission (“COSO”) initiative. It uses a bottom-up and top-down process to enable better management and transparency of risks and opportunities. At the top, the Supervisory Board and Managing Board discuss major risks and opportunities, related risk responses and opportunity capture as well as the status of the ERM process, including significant changes and planned improvements. The design of the ERM process seeks to ensure compliance with applicable laws and regulations with respect to internal control and risk management, addressing both subjects in parallel.

2.2.1.1 Risk management

Risk Appetite is the level and nature of risk the business is willing to accept in achieving its strategic objectives. Risk appetite sets the basis for the requirements for monitoring and reporting on risk. Overall risk appetite is recommended by the Managing Board to the Supervisory Board as part of setting and implementing strategic and operational objectives. Risk appetite is considered at an operational level and strategic level with quantitative and qualitative components. These components are used during the assessment process to develop the residual risks and support what is escalated to the Managing Board and Supervisory Board.

Risk Identification involves the identification of threats to the Company as well as causes of loss and potential disruptions. Risks are composed of the following categories:

• strategic: the effect of uncertainty on Euronext’s strategic and business aims and objectives;
• financial: risks that can impact the way in which Euronext’s financial resources are managed and profitability is achieved;
• compliance: risk of loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices;
• operational: the risk of loss or inefficiency resulting from inadequate or failed internal processes, people and systems, or from external events; key programmes or projects are not delivered effectively.

An emphasis is put on operational risk due to the importance of operations and initiatives for Euronext.

Risk Assessment is made in the possible event of an incident or a potential risk development. It aims to assess the risk qualitatively and quantitatively where possible, using supporting information, such as performance indicators. This assessment, defining the residual risk level, takes into account mitigation measures currently in place such as business continuity measures or insurance policies. The overall Risk Assessment phase is carried out by the risk management team (“RMT”) in conjunction with Risk Coordinators (“RCs”) based on data and information produced by and collected from the relevant areas via the periodic and ad hoc reporting or upon request of the RMT as necessary. Assessments are discussed with the business areas. Mitigations for each risk will be identified and evaluated, and the residual risk will be assessed and reported.

Risk Management determines and implements the most appropriate treatment to the identified risks. It encompasses the following: avoidance, reduction, transfer and acceptance. Organizational units and employees perform risk management and implement mitigating actions as required by the risk appetite and escalation process. As noted, risks may remain after such management process is applied (see Risks section).

Risk Reporting – The Supervisory and Managing Boards and a Business Risk Group (BRG), made up of senior managers, are informed in a timely and consistent manner about material risks, whether existing or potential, and about related risk management measures in order to take appropriate action. Reports are issued to the above-mentioned groups of the Company on a regular basis. Ad hoc reports may be issued when a new risk or the development of an existing risk warrants escalation to the relevant Committees of the Company.

Program Development – Euronext continues to drive improvements to its risk management process and the quality of risk information generation, while at the same time maintaining a simple and practical approach.

The roadmap for 2017 for the ERM evolution included 3 key elements:

• embedding culture of risk management: Risk appetite discussions with the first line, key indicator discussions, Managing Board champions;
• involvement in key initiatives related to Optiq® technology platform, MiFID II compliance, Data Governance and Agility for Growth initiatives;
• framework evolution: ongoing risk appetite evolution, enhanced management reporting, further alignment of risk management and internal control approach for addressing risk and identifying controls.

The 2018-9 roadmap will continue with the topics above and will additionally focus on the use of key risk indicators, impactful scenario analysis and analysis of a risk tool. Euronext will continue to work on aligning the risk management and internal control approach for addressing risk and identifying controls. Euronext seeks to continuously evaluate and improve the operating effectiveness of the ERM process.

2.2.1.2 Internal Control

Euronext has established a strong framework of internal control across its business areas and functions. This framework is based on ethical principles, established procedures and training of the key personnel who are responsible for implementing and overseeing it. The Internal Control function, as a second line of defence, aims at ensuring, in a permanent manner, that identified risks are mitigated by controls, that controls are effective, documented and reported, and that internal procedures exist and are updated on a regular basis.


2017 REGISTRATION DOCUMENT
