Universal Registration Document 2024

2.2 Internal control and risk management procedures

2. Risks and Risk Management

2.2 INTERNAL CONTROL AND RISK MANAGEMENT PROCEDURES

2.2.1 Objectives and organization(1)

The internal control and risk management framework is fully integrated into the Groupe’s operational, financial and non-financial management. Its remit extends across all the Groupe’s activities and structures. The internal control and risk management policy, defined by the Executive Management, is regularly monitored by the Audit and Financial Risks Committee together with the Strategic, Environmental and Social Committee, and relayed to all levels of the Groupe. This policy aims to provide reasonable assurance on the achievement of the Groupe’s objectives in terms of:

  • reliability of financial and non-financial information;
  • compliance with applicable laws and regulations;
  • management of strategic, operational, financial and non-financial risks;
  • efficacy and efficiency of operations, in line with the direction set by the Executive Management.

The objectives of this framework, as approved by the Executive Management and presented to both the Audit and Financial Risks Committee and the Strategic, Environmental and Social Committee, are to enable:

  • continuous monitoring aimed at identifying risks and opportunities having a potential impact on the achievement of the Groupe’s strategic, operational, financial and non-financial objectives;
  • appropriate communication about risks contributing to the decision-making process;
  • regular monitoring of the internal control and risk management framework effectiveness.

The Groupe has a Secretary General function, which allows organized and centralized monitoring of the activities that constitute the internal control framework. The Secretary General is a member of the Groupe’s Management Committee. This function includes the Legal Department (managed by the Groupe General Counsel), the Compliance Department (managed by the Groupe Chief Compliance Officer), the Internal Audit, Internal Control and Risk Management Department (managed by the Groupe Internal Audit, Investigation & Risk Management Officer), the Human Resources Department (compensation and employee benefits, human resources information system management, employee-related matters and mobility) and the Insurance Department. The Chairman and Chief Executive Officer and the Secretary General participate in all meetings of the Strategic, Environmental and Social Committee. The Secretary General and the Groupe Internal Audit, Investigation and Risk Management Officer attend all Audit and Financial Risks Committee meetings and have easy access to its Chair and each of its members. Similarly, the Audit and Financial Risks Committee has direct access to the Groupe’s Risk Management and Internal Control department.

Since May 2024, the Chief Impact Officer has been overseeing Corporate Social Responsibility (CSR), including the CSR strategy, sustainability reporting, and key initiatives of the Groupe. The CSR Department is responsible for non-financial reporting and collaborates closely with other departments within the Groupe, particularly through the CSR Steering Committee. Additionally, the Chief Impact Officer regularly updates the Audit and Financial Risks Committee and the Strategic, Environmental, and Social Committee on regulatory changes in sustainability reporting, the status of ongoing projects, and the work being conducted with external sustainability auditors.

The expertise of the Secretary General and the CSR Department offers a comprehensive understanding of risks, which enhances the organization's goal of improved risk management through the implementation of an internal control system.

Furthermore, the Board of Directors, via the Audit and Financial Risks Committee, reviews the effectiveness of the Groupe's internal control and risk management framework and oversees the preparation of both financial and non-financial information.

The Groupe’s internal control and risk management system bases its structure on the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) guidelines, as well as the reference framework established by the AMF.

Thus, the Groupe has organized its internal control system around the three lines model:

  • first line: the first line consists of operational managers within the entities, business units, shared services, and various countries and regions. These managers are responsible for managing risks as part of their daily operations. They act in accordance with relevant laws and regulations, ensuring adherence to the rules and guidelines established in Janus;
  • second line: the second line functions are performed by the head office departments, which establish the policies, standards and procedures. These functions define and deploy the risk management framework and ensure compliance with laws and regulations, design controls to ensure compliance with Janus, monitor the adequacy and effectiveness of the internal control system, and facilitate the prompt remediation of any identified weaknesses;
  • third line: the third line is provided by the internal audit function, which provides independent assurance on the effectiveness of governance, risk management and internal control.

The Groupe’s internal control system also includes the Groupe’s whistleblowing system, which collects all types of alerts, whether internal or external.