With regard to the other subsidiaries of the Group (subsidiaries that are operators of regulated infrastructure and significant shareholdings), EDF representatives within the governing bodies make sure, for each subsidiary, that a system for controlling activities and risks is put in place. They provide regular information on the map of risks and internal control and audit activities (programme and main results). They can also check the effectiveness and appropriateness of each of these measures through aperiodic audits of the respective entities. The applicable principles are adapted for the operators of regulated infrastructure to ensure compliance with obligations related to their management independence.
The organisation of the Executive Management of EDF is described in section 4.3.1. “Members of the Executive Committee”. Each member of the Executive Committee is responsible for implementing all actions necessary to control the risks within their scope.
The Executive Committee meets at least twice a year as a Risk Committee, during which it examines in particular the mapping of Group risks, the assessment of internal control activities and audit activities (annual programme, results). It identifies the priority risks for the Group, shares their strategy for mitigation and designates the members of the Executive Committee who are its sponsors.
To strengthen the appraisal and monitoring of projects, the Group Executive Committee Commitments Committee(1) (CECEG) thoroughly examines the most significant projects in terms of the extent of the commitments and/or the risks incurred before decisions are made by the Executive Committee (see section 2.1.2.3 “Approval of commitments”).
The second line comprises all the Group’s support functions (Purchasing, Communication, Sustainable Development, Ethics and Compliance, Finance, Real Estate, Legal, Human Resources, Risks, Asset Security, General Services, Information Systems, Data Management). In particular, these support functions are responsible for organising and coordinating the implementation of Group policies.
Please note: aspects relating to the Group’s human resources, including in particular the control of risks relating to the health and safety of employees and service providers, are set out in detail in section 3.3.3 of the Universal Registration Document.
Each Group entity (53 entities in 2019 covering the scope of EDF and controlled subsidiaries) prepares an annual report on the control of its activities and risks based on a self-assessment, including a description of its improvement actions. Each report gives rise to a commitment signed by the Director of the entity on the level of control achieved and the actions undertaken.
The report includes internal control, the report on the safeguarding of assets and the ethics and compliance report.
The ethics and compliance section meets the requirements of the Group Ethics and Compliance policy, including: the ethics alert system, prevention of the risk of corruption (monitoring the integrity of business relations, managing gifts and invitations); financial ethics (prevention of the risk of money laundering and financing of terrorism), prevention of market abuse, and compliance with the EMIR regulation(2); prevention of breaches of competition law; prevention of conflicts of interest; compliance with personal data protection rules; combating fraud; combating harassment and discrimination; due diligence; compliance with sector-specific regulations (REMIT regulation(3) on integrity and transparency of energy markets, regulations on dual-use goods); compliance with international sanctions programmes.
The part relating to security of assets fulfills the requirements of the Security of Assets against Malicious Acts Group policy, including: the safety of individuals during international travel, the security of material assets and the security of intangible assets (identification, classification and protection of sensitive information).
In addition to these topics, self-assessments more generally report on the control of all their “business line” activities and all the requirements of the other cross-functional areas identified in Group policies, in line with their risk mapping. Within the Group, 90% of the entities subject to a “risk and control of activities” self-assessment report indicate that they have an ICP (internal control plan) defining a set of controls to be implemented annually.
Finally, the self-assessments report on the control of the requirements relating to accounting and financial internal control, in line with the AMF framework (see section 2.1.2.4 “Reliability of financial information - internal accounting and financial controls”).
The entities produce an annual risk map based on a methodology common to the entire Group. The process of constructing the risk map for the entities is based on:
Numerous discussions have taken place between the Group Risk Division and the entities, with the aim of querying the relevance of risks and the soundness of the control actions undertaken.
Methods and tools: Several methodological documents and tools are made available to the entities to support risk and internal control approaches:
On the basis of these reports, supplemented by a cross review with the Internal Audit Department, the EDF group Risk Department draws up the consolidated mapping of its major risks, including the overall assessment of internal control and providing Management and governance bodies with a consolidated and regularly updated view of the major risks and their level of control(4). These documents are validated by the Risk Committee and are presented to the Board of Directors after examination by the Audit Committee.
The Risk Committee identifies, within the Group risk mapping, a smaller set of “priority risks” selected as a result of their operational or strategic importance.
(1) The composition of the Group Executive Committee Commitments Committee is the same as that of the Executive Committee.
(2) European Market Infrastructure regulation (EMIR): European regulation on market infrastructures.
(3) Regulation on Wholesale Energy Market Integrity and Transparency (REMIT).
(4) Group risk mapping notably includes environmental risks and risks related to climate change (physical risks and transition risks). These risks are described in section 2.2 “Specific risks to which the Group is exposed”; the strategic response to the challenges of climate change is described in section 3.3.2 “EDF, a responsible company with regard to the environment”.