2. Risk factors and control framework

Section 2.1 “Risk management and control of activities” describes the risk and activity control systems that apply to the entire Group.

Section 2.2 “Risks to which the Group is exposed” describes the most significant risks the Group believes it is exposed to, bearing in mind the Group’s specific characteristics.

2.1. Risk management and control of activities

This section presents the business control (internal control) and risk management systems applicable to the entire Group, highlighting the latest developments for 2019. These systems are part of the framework established by the Group’s policies. They also comply with the general principles set out in the AMF risk management and internal control reference framework (published on 22 July 2010). They are also based on developments in the main international reference frameworks, in particular COSO-2013.

2.1.1 Control environment

Framework: Group policy corpus

Since 2017, the EDF group has organised the control of activities and risks around the Group policies, validated and signed by the Executive Committee. This corpus defines all of the sustainable and cross-functional requirements to be implemented in all of the Group’s entities and subsidiaries. It deals with all cross-cutting themes common to the entire Group. Regular updates make it possible to adapt requirements to regulatory changes and strategic orientations.

Control system objectives

The system for controlling the risks and activities of the Group, defined in the “Functioning principles/Risk management and internal control” policy, aims to:

  • identify and periodically reassess the significant risks and opportunities likely to impact the targets of the Group, in order to ensure the existence and control of relevant and effective action plans;
  • constantly ensure:
    • compliance with laws and regulations;
    • the smooth running of processes and projects;
    • the reliability of financial and non-financial information;
    • compliance with Group policies;
    • the control of risks and activities of any kind.

Principles of execution

The fundamental principles of execution are based on the three lines of control model:

  • 1st line of control: each manager at all levels is responsible for identifying and controlling the main risks related to their activities, ensuring this control for the missions that they themselves have entrusted to their employees, ensuring that the control systems are appropriate and proportionate to the risks identified, and reporting on them formally and regularly to their own manager through self-assessments;
  • 2nd control line: the support functions define common requirements for the Group and supervise their control. Their contribution to the control of the Group’s activities is set out in section 2.1.2. Amongst them, the risk and internal-control functions organise the overall control measures and prepare reports intended for the Group’s governing bodies;
  • 3rd control line: the independent audit system can check the appropriateness and effectiveness of the measures for managing the risks and activities of the Group’s entities, check management of the main cross-functional processes and major projects of the Group, and more generally, check the level of control of the Group’s risks (see section 2.1.3).

All of these measures based on the three control lines provide the managers and governing bodies of the Group with “reasonable assurance” concerning the identification and coverage of the main risks.


1st line

Operating entities

  • Comply with Group policy requirements
  • Implement 1st level controls adapted to their risks and issues
  • Carry out risk mapping and annual self-assessments of their control system
  • Implement progress and risk treatment action plans

2nd line

Functional Support Departments

  • Define and update the Group's cross-functional policies
  • Implement 2nd level controls organised within their functions
  • Analyse the reliability of entity self-assessments
  • Coordinate the progress and risk management action plans of their function

3rd line

Internal Audit

  • Independently assess the entire system
  • Make recommendations to be incorporated by entities in their internal control plans
  • Provide the governance bodies with reasonable assurance that the system as a whole is effective (incorporating in particular the 1st and 2nd lines)