Universal Registration Document 2020

2. Risk factors and control framework

4B – Hydraulic safety violations.

The hydroelectric facilities operated by the Group present risks with potentially serious consequences for people, property and the environment that could have a financial and reputational impact on the Group.

Criticality in view of the control actions undertaken: Intermediate.

The Group’s hydraulic structures present specific risks with potentially very serious consequences: breakage, overflow during floods, operating manoeuvres. Hydropower safety comprises all the measures taken when designing and operating plants to reduce risks and hazards to people and property associated with water and the presence or operation of facilities. Hydropower safety is the major and permanent concern of the producer. It falls under the purview of the Group’s CSR “nuclear safety, health and security” issue (see section 3.3.1). It involves three main activities:

  • measures to address the major risk associated with dam or reservoir failures, through the regular monitoring and maintenance of facilities under the supervision of public authorities, mainly the French regional environment, land use and housing authorities (Directions Régionales de l’Environnement, de l’Aménagement et du Logement – DREAL). Of the largest dams, 67 are subject to a special administrative procedure implemented by the competent prefect;
  • the management of facilities during periods of exceptionally high water levels, in order to ensure safety at the facilities and for the surrounding communities;
  • control of operational risks: changes in the level of the water bodies or the flow of water courses downstream of the works.

EDF regularly monitors and maintains its dams, including through continuous monitoring. The real-time readings and analysis, at each site, of multiple data (settlement, pressure, leakage measurements, combined with the visual inspection of the concrete and an inspection of the mechanical parts, etc.) enable EDF to conduct a regular assessment of the state of its dams. In Grenoble and Toulouse, EDF teams can analyse the largest dams or those dams that are the hardest to access, remotely and in real time, using a series of sensors.

Furthermore, for each of the large dams, a danger study, including a complete examination, is conducted every ten or fifteen years (for one class A dam and one class B dam respectively). This examination requires draining or an inspection of the submerged parts with sub-aquatic equipment. These operations are carried out under the strict control of the French State authorities (Service de Contrôle et de Sécurité des Ouvrages Hydrauliques (Hydraulic Works Control and Safety Department) within each DREAL (French regional environment, land use and housing authority)).

At the organisational level, the Hydropower Safety Inspector prepares an annual report for the Chairman and CEO of EDF, to which he or she reports directly, as well as to those involved in hydropower safety (see section 1.4.1.3.1.3 “Hydropower safety”). Issued after analyses, inspections and assessments carried out by the Hydropower Safety Inspector, this report aims to give an opinion on the level of hydropower safety of the Group’s installations and provide a basis for reflection and progress to ensure its improvement and consolidation. This report is made public on the Group’s website.

4C – Occupational health or safety violations (employees and service providers).

The Group is exposed to health and safety risks in the workplace, both in terms of its employees and those of its service providers.

Criticality in view of the control actions undertaken: Intermediate.

Human resources and their related skills are a major challenge for the Group and its service providers. The industrial nature and diversity of the Group’s activities reinforce the crucial importance of complying with the rules and taking into account the various risks that may affect people working in the Group’s industrial facilities in order to protect health and safety in the workplace.

The risk of work-related accidents or occupational illnesses cannot be excluded in all of the Group’s areas of activity. The occurrence of such events may lead to lawsuits against the Group and may result in the payment of damages, which could be significant.

To address this risk, the Group has for many years taken the steps necessary to comply with the health and safety laws and regulations in the various countries in which it operates, and considers that it has taken the measures required to ensure the health and safety of its employees and that of its subcontractors.

Each Group entity has action plans aimed at continuously improving health and safety at work. Actions are also carried out at the level of the Group as a whole: defining and promoting vital rules, the day-long shutdown on 20 October 2020 to jointly discuss the persistence of fatal accidents (see section 3.3.1.3 “Health and safety of employees and subcontractors”).

4D – Attacks against assets, including cyberattacks.

The Group is exposed to risks of failure of or damage to its tangible or intangible assets, including its information system. In particular, these risks may arise from malicious actions, including cybercrime.

Criticality in view of the control actions undertaken: Intermediate.

The facilities or assets operated by the Group or its employees may be the target of external attacks or malicious acts of any kind. An attack or malicious act committed on these facilities could have consequences such as injury to persons and/or damage to property, the Group being held liable on the grounds of measures judged to be inadequate and interruptions to operations. The Group would also be forced to make additional investments or incur additional costs if laws and regulations relating to the protection of sensitive sites and critical infrastructures became more stringent.

The Group operates multiple, interconnected and complex information systems (databases, servers, networks, applications, etc.) that are essential to the conduct of its commercial and industrial activity, the preservation of its human, industrial and commercial assets, and the protection of personal data (of customers and employees) which must adapt to a rapidly changing context (digital transition, development of teleworking, new ways to share work in extended companies with suppliers, changes in regulations, etc.).

The frequency and sophistication of information system hacking and data corruption incidents are increasing worldwide. A malicious attack – or any other failure resulting in the unavailability of information systems – may have a negative impact on the Group’s operating activity, financial, legal and asset situation or reputation.

The EDF group has defined an Asset Security policy in the face of malicious acts and an Information System Security policy to prevent this risk and limit its impact in the event of an attack. These policies are supplemented by guidelines on the protection of personal data. However, the Group cannot rule out an attack on its information systems that would have consequences on the Group’s operational activity, its finances, its legal position, in particular with regard to the integrity of personal data, or its reputation.

A charter for the use of IT resources is annexed to the Company’s internal regulations. IS security training courses adapted to different profiles (users, project managers, IS security managers, etc.) are offered to employees. The Audit Committee of the Board of Directors receives reports on cyber security risk management. Several dozen security audits are carried out each year, both on IT infrastructures and on business information systems, by external IS security audit companies holding the PASSI qualification (IS security audit providers) issued by the ANSSI (French National Agency for Information Systems Security). In addition, the EDF group SOC (Security Operational Center) reports on IS security incidents on a monthly basis.

In 2020, the main actions deployed in the areas of cybersecurity, protection of intangible assets and, more generally, the company’s resilience to the risks of damage to information systems are:

  • continuing to notify cybersecurity objectives to the Directors of the Group’s main entities;