Universal Registration Document 2020

2. Risk factors and control framework

Section 2.1 “Risk management and control of activities” describes the risk and activity control systems that apply to the entire Group.

Section 2.2 “Risks to which the Group is exposed” describes the most significant risks the Group believes it is exposed to, bearing in mind the Group’s specific characteristics.

2.1 Risk management and control of activities

This section presents the business control and risk management systems applicable to the entire Group for 2020. These systems, developed and implemented with due respect for the management independence of network infrastructure managers, are in line with the framework defined by the Group’s policies. They also comply with the general principles set out in the AMF risk management and internal control reference framework (published on 22 July 2010). They are also based on developments in the main international reference frameworks, in particular COSO-2013.

2.1.1 Control environment

Framework: Group policy corpus

Since 2017, the EDF group has organised the control of activities and risks around the Group policies, validated and signed by the Executive Committee. This corpus defines all of the sustainable and cross-functional requirements to be implemented in all of the Group’s entities and subsidiaries. Regular updates make it possible to adapt requirements to regulatory changes and strategic orientations. A review of Group policies with regard to the raison d’être was undertaken in 2020.

Control system objectives

The system for controlling the risks and activities of the Group, defined in the “Functioning principles/Risk management and internal control” policy, aims to:

  • identify and periodically reassess the significant risks and opportunities likely to impact the targets of the Group, in order to ensure the existence and control of relevant and effective action plans;
  • constantly ensure:
  • compliance with laws and regulations, including those relating to the management independence of network infrastructure managers,
  • the smooth running of processes and projects;
  • the reliability of financial and non-financial information;
  • compliance with Group policies;
  • and the control of risks and activities of any kind.

Principles of execution

The fundamental principles of execution are based on the three lines of control model:

  • 1st line of control: each manager at all levels is responsible for identifying and controlling the main risks related to their activities, ensuring this control for the missions that they themselves have entrusted to their employees, ensuring that the control systems are appropriate and proportionate to the risks identified, and reporting on them formally and regularly to their own manager through self-assessments;
  • 2nd control line: the support functions define common requirements for the Group and supervise their control. Their contribution to the control of the Group’s activities is set out in section 2.1.2. Amongst them, the risk and internal-control functions organise the overall control measures and prepare reports intended for the Group’s governing bodies;
  • 3rd control line: the independent audit system can check the appropriateness and effectiveness of the measures for managing the risks and activities of the Group’s entities, check management of the main cross-functional processes and major projects of the Group, and more generally, check the level of control of the Group’s risks (see section 2.1.3).

All of these measures based on the three control lines provide the managers and governing bodies of the Group with “reasonable assurance” concerning the identification and coverage of the main risks.

1st line

54 operating entities

  • Meet the requirements of the Group’s set of 40 policies
  • Implement 1st level controls adapted to their risks and issues
  • Carry out an annual risk mapping and self-assessment of their risk management system
  • Implement progress and risk treatment action plans

2nd line

Functional Support Departments*

  • Define and update the Group’s 40 policies
  • Define the control and self-assessment sheets in their field for the operational entities / first line of control
  • Implement 2nd level controls organised within their functions
  • Analyse the reliability of entity self-assessments
  • Coordinate the progress and risk management action plans of their function

3rd line

Internal Audit (see 2.1.3)

  • Independently assess the entire system
  • Make recommendations to be incorporated by entities as improvement initiatives
  • Provide the governance bodies with reasonable assurance that the system as a whole is effective (incorporating in particular the 1st and 2nd lines)

* Group policies, implemented by the functional departments of the second line of control, cover the following areas: procurement and contract management, communication – institutional relations – partnerships, sustainable development, ethics and compliance, finance and markets, crisis management and business continuity, data management, real estate, legal affairs, project management, human resources, internal control, general services, safety and security of assets, information systems.