Universal Registration Document 2021

2. Risk factors and control framework

Furthermore, the Excell plan launched in 2020 (see section 1.4.1.1.1 “The Excell plan”) aims to meet these challenges, in particular: strengthening the sector’s skills (welding plan and actions in connection with professional and educational structures), improving supplier selection and qualification processes, taking into account the “Ethics and human rights” and the “Territorial development” CSR issues (see sections 3.3.2 and 3.4.2), as well as increasing the number of more partnership-based contractual terms and conditions. In 2021, in this context, the Group set up a “Supplier policy panel” for the nuclear sector intended to coordinate the actions of the entities involved in the relationship with suppliers. GIFEN (1) is also a key player as a relay for the Group’s industrial policy.

Regarding contracts entered into between the Group and suppliers of equipment or services, improving contracting processes and the management of the contracts that have been entered into, in particular through the implementation of vigilance actions at each stage, is a major issue in terms of controlling operations, deadlines and associated costs.

The Contract Management function, led by the Contract Management Department, itself reporting to the General Secretary, aims to improve risk management and create opportunities in the management of contracts. This function calls on the involvement of Contract Managers from the departments throughout the contractual process. It is an additional line of defence in the management of contracts, along with Group top managers and the departments.

In response to newly adopted American and Chinese regulations and laws, and in order to ensure its compliance with these laws and decisions, the EDF group (EDF, NNB, Framatome, etc.) has taken precautionary measures in connection with the organisation of its nuclear projects, particularly in the United Kingdom.

4C : Endangerment of occupational health or safety violations (employees and service providers)

Summary : The Group is exposed to health and safety risks in the workplace, both in terms of its employees and those of its service providers.

Criticality : ●● Intermediate

a) Main risks

Human resources and their related skills are a major concern for the Group and its service providers. The industrial nature and diversity of the Group’s activities reinforce the crucial importance of complying with the rules and taking into account the various risks that may affect people working in the Group’s industrial facilities in order to protect health and safety in the workplace.

The risk of work-related accidents or occupational illnesses cannot be ruled out in any of the Group’s areas of activity. The occurrence of such events may lead to lawsuits against the Group and may result in the payment of damages, which could be significant.

b) Control actions

The Group has for many years taken the steps necessary to comply with the health and safety laws and regulations in the various countries in which it operates, and considers that it has taken the measures required to ensure the health and safety of its employees and those of its subcontractors.

Each Group entity has action plans aimed at continuously improving health and safety at work. Actions are also carried out at the Group level as a whole: definition and promotion of the vital rules and the BEST reference framework for health and safety management, one-day shutdown on 7 October 2021 to reflect collectively on the persistence of fatal accidents (see section 3.3.1.3 “Health and safety of employees and subcontractors”).

4D : Attacks against assets, including cyberattacks

Summary : The Group is exposed to risks of failure of or damage to its tangible and intangible assets, including its information system. In particular, these risks may arise from malicious actions, including cybercrime.

Criticality : ●● Intermediate

a) Impact on assets
Main risks

The Group’s assets consist of its staff and its tangible and intangible assets. The facilities or assets operated by the Group or its employees may be the target of malicious acts of any kind. These acts could have negative consequences on the Group’s operational activity, financial position, legal situation, assets and/or reputation.

The Group would also be forced to make additional investments or incur additional costs if laws and regulations relating to the protection of sensitive sites and critical infrastructures became more stringent.

Control actions

The EDF group has defined an Asset Security policy for malicious acts to prevent this risk and limit its impact in the event of an attack. This policy is supplemented by procedures for the protection of people, property assets and intangible assets, and instructions and an IT tool for collecting security incidents. This policy and the procedure were updated in 2021 to take into account the changing threat environment. These policies and procedures are supported by a network of Asset Security Managers (RSP) who are members of the entity Codirs.

The main actions undertaken in 2021 regarding the protection of assets are:

  • coordination of the RSP network, training of new RSPs, letters (DSIE@eDF), support on request (e.g. security of premises, projects abroad and security, etc.) and presentations on current topics (IGI 1300 and secrecy protection, new tool for collecting security incidents, etc.);
  • drafting of a new version of the Group’s Asset Security policy to fight malicious acts and proposal to the Executive Committee of a list of 10 pieces of information that are Group confidential;
  • production of an e-learning course on the Asset Security policy to fight malicious acts;
  • updating of EDF’s procedures for implementing the Group’s Asset Security policy, in particular in the Classification and Protection of Information memoranda and the procedure for reporting security incidents. Implementation of the new security incident collection application. Numerous tools and meetings for change management from existing to new tools;
  • participating in steering the implementation of the NIS directives and the French Military Programming Act (LPM) in conjunction with ANSSI, DSIG and the entities involved;
  • contributing to the implementation of the obligations associated with the new version of the IGI 1300, an instruction involving significant changes for the Group:
    • participating in the finalisation of the IGI 1300 ministerial memoranda with the MTE and other relevant operators,
    • drafting IGI internal application memoranda,
    • assisting entities in the implementation of this instruction by ensuring that all regulatory obligations are properly implemented;
  • setting up a training course with the DGSI and the DRHG on radicalisation and religious issues in companies for HRDs, managers and lawyers (a webinar is being prepared);
  • helping to take into account Asset Security files during the development of IS applications, etc.;
  • contributing to the preparation of compliance files.

(1) The Groupement des industriels français de l’énergie nucléaire (French nuclear energy industry group), created in June 2018, aims to bring together all the parties involved in the French nuclear industry to ensure the attractiveness of the sector and maintain its skills.