Universal Registration Document 2021

2. Risk factors and control framework

Scope

Regarding the scope of control (excluding subsidiaries managing regulated infrastructures), these purposes and principles are implemented by the entities or subsidiaries, which themselves ensure their implementation in the entities or subsidiaries they control.

Regarding the Group’s other subsidiaries (subsidiaries that are operators of regulated infrastructure and significant shareholdings), EDF representatives within the governing bodies make sure that a system for controlling activities and risks is put in place. They provide regular information on the map of risks, internal control and audit activities (programme and main results). They can also check the effectiveness and appropriateness of each of these measures through a periodic audit of the respective entities. The applicable principles are adapted for the operators of regulated infrastructure to ensure compliance with obligations related to their management independence.

2.1.2 Principles of execution

All of these measures, based on the three control lines, provide the managers and governing bodies of the Group with “reasonable assurance” concerning the identification and coverage of the main risks.

 Executive Committee 

1st line of defense

 54 operational entities 

Are responsible for:

  • applying the 40 Group policies;
  • identifying the risks related to their activities;
  • backing up the control systems and proportioning them to the identified risks;
  • reporting formally and regularly through 1st level controls;
  • implementing progress and risk treatment action plans.

2nd line of defense

 Support functional departments 

  • Define the requirements common to the entire Group through Group policies;
  • Define the control and self-assessment sheets for their field;
  • Analyze the reliability of entity self-assessments;
  • Coordinate progress and risk treatment action plans for their function;
  • Implement 2nd level controls.

3rd line of defense

 Internal Audit 

  • Independently assesses the entire system;
  • Makes recommendations that the entities must integrate into progress actions;
  • Provides governance bodies with reasonable assurance of the effectiveness of the entire system (in particular including the 1st and 2nd lines).

 External controls 

1st line of control: management of operations
Report on the control of the activities and risks of the entities

Each Group entity (53 entities in 2021 covering the scope of EDF and controlled subsidiaries) prepares an annual report on the control of its activities and risks based on a self-assessment, which includes a description of its improvement actions. Each report gives rise to a commitment signed by the Director of the entity on the level of control achieved and the actions undertaken.

Entity self-assessments report on the control of all the entity’s “business line” activities and all the requirements of the other cross-functional areas identified in Group policies, in line with their risk mapping. The self-assessments report in particular on the control of the requirements relating to accounting and financial internal control, in line with the AMF framework (see section 2.1.3.5 “Reliability of financial information – internal accounting and financial controls”).

Within the Group, 83% of the entities subject to a “risk and control of activities” self-assessment report indicate that they have an ICP (internal control plan) defining a set of controls to be implemented annually.

Entity risk mapping

The entities produce an annual risk map based on a methodology common to the entire Group. The process for constructing the risk map for the entities is based on:

  • the principle of management accountability;
  • a typology of risks, including internal or external risks and operational or strategic risks, as well as opportunities;
  • a qualitative evaluation method for the impact, the probability and the level of control of each risk;
  • the description of action plans for dealing with risks and the evaluation of their effectiveness.

Numerous discussions take place between the Group Risk Department and the entities to review the relevance of risks and the soundness of the control actions undertaken.

Methods and tools: Several methodological documents and tools are made available to the entities to support risk and internal control processes:

  • a risk analysis methodological guide and a software package to support entity risk mapping;
  • an internal control guide, a detailed self-assessment framework and a digital platform for sharing and summarising self-assessments.