Universal Registration Document 2022

2.1.2 Principles of execution

2.1 Risk management and control of activities

Scope

Regarding the scope of control (excluding subsidiaries managing regulated infrastructures), these purposes and principles are implemented by the entities or subsidiaries, which themselves ensure their implementation in the entities or subsidiaries they control.

Regarding the Group’s other subsidiaries (subsidiaries that are operators of regulated infrastructure and significant shareholdings), EDF representatives within the governing bodies make sure that a system for controlling activities and risks is put in place. They provide regular information on risk mapping, internal control and audit activities (programme and main results). They can also check the effectiveness and appropriateness of each of these measures through a periodic audit of the respective entities. The applicable principles are adapted for the operators of regulated infrastructures to ensure compliance with obligations related to their management independence.

All of the measures based on the three control lines provide the managers and governing bodies of the Group with appropriate assurance regarding the identification and coverage of the main risks.

Executive Committee

The 1st control line

50 operating entities

  • Are responsible for:

    • meeting the requirements of the Group’s set of 40 policies;
    • identifying risks related to their activities;
    • basing and sizing control systems on identified risks;
    • reporting formally and regularly through 1st level controls;
    • implementing progress and risk treatment action plans.

The 2nd control line

Functional Support Departments

    • define the common Group requirements through the Group’s policies;
    • define the control and self-assessment forms in their field;
    • analyse the reliability of entities’ self-assessments;
    • coordinate the progress and risk management action plans of their function;
    • implement 2nd level controls organised within their functions.

The 3rd control line

Internal Audit

    • independently assess the entire system;
    • make recommendations to be incorporated by entities as improvement initiatives;
    • provide the governance bodies with reasonable assurance that the system as a whole is effective (incorporating in particular the 1st and 2nd lines).

Each control line points to the Executive Committee.

External control includes all these elements.

1st line of control: management of operations
Report on the control of the activities and risks of the entities

Each Group entity (50 entities in 2022 covering the scope of EDF and controlled subsidiaries) prepares an annual report on the control of its activities and risks, which includes a self-assessment and a response to the “Group’s essential improvement actions”. Each report gives rise to a commitment signed by the Director of the entity on the level of control achieved and an action plan.

Entity self-assessments report on the control of all the entity’s “business line” activities and all the requirements of the other cross-functional areas identified in Group policies, in line with their risk mapping. The report particularly includes self-assessments on the control of the requirements relating to accounting and financial internal control, in line with the AMF framework (see section 2.1.3.5 “Reliability of financial information - internal accounting and financial controls”).

Within the Group, 88% of the entities subject to a “risk and control of activities” self-assessment report indicate that they have an ICP (internal control plan) including a set of controls to be implemented annually.

Entity risk mapping

The entities and affiliates produce an annual risk map based on a methodology common to the Group. The process of constructing the risk map for the entities is based on:

  • the principle of management accountability;
  • a typology of risks, including internal or external risks and operational or strategic risks, as well as opportunities;
  • a qualitative evaluation method for the impact, the probability and the level of control of each risk;
  • action plans for dealing with risks and the evaluation of their effectiveness.

Numerous discussions take place between the Group Risk Department and the entities and subsidiaries to review the relevance of risks and the soundness of the control actions undertaken.

Methods and tools: Several methodological documents and tools are made available to the entities and affiliates to support those processes:

  • a risk analysis methodological guide and a software package to support entity risk mapping;
  • an internal control guide, a detailed self-assessment framework and a digital platform for sharing and summarising self-assessments.