EDF_REGISTRATION_DOCUMENT_2017

2.

RISK FACTORS AND CONTROL FRAMEWORK Control of Group risks and activities

■ the need to audit the main Group entities at intervals suited to their importance in order to assess in particular that their internal control is correctly implemented;
■ the main accounting and financial processes and “Group Head” processes (human resources, information systems);
■ major projects;
■ risks of the Group’s risk mapping which were not addressed by the aforementioned audits at intervals suited to the critical nature of the risk;
■ monitoring of Executive Management decisions.

Digital tools have been developed to support the auditors in exploiting bulk data and targeting discrepancies.

All audits give rise to recommendations which, once validated by the audited parties and their management, become the subject of action plans drafted by the aforementioned management and audited parties and are sent to the Audit Department. In the next 12 to 18 months, the Audit Department will ensure the application of these corrective actions or any other action decided by management in order to put a halt to any irregularities detected. The audit is deemed to be concluded satisfactorily only when the irregularities have been corrected. Conversely, any unsatisfactory conclusion or conclusion with reservations will result in an appropriate management alert. These principles are applied in the same terms by the entire audit unit.

A half-yearly summary report is prepared. It summarises the significant events of the audits carried out by the unit, the main findings of the corporate audit and the corresponding recommendations, as well as the final results of the corporate audits carried out during the period. Furthermore, it identifies any recurring or generic problems observed in several audits and which merit special attention on the part of Management. It provides an audit-based vision of the level of control of the Group’s risks. This report is presented to the Chairman and Chief Executive Officer, the Risk Committee and thereafter to the Audit Committee and the Board of Directors.

2.2.1.5 External control

Like all listed companies, the EDF group is subject to review by the AMF (French Financial Markets Authority). As a company majority owned by the French State, EDF is also subject to control by the Cour des comptes (French Court of Auditors), State Controllers, the Inspectorate of Finance, Economic Affairs Committees or ad hoc Committees of inquiry of the French National Assembly and Senate.

According to law, the Statutory Auditors certify the annual financial statements (parent company and consolidated financial statements) and perform a limited review of the Group’s half-yearly condensed consolidated financial statements. Their report includes the verifications on the information on corporate governance required by the article L. 225-237-3 and seq. of the French Commercial Code.

In the light of its activity, EDF is also subject to control, in France, by the Energy Regulation Commission (CRE) and the French Nuclear Safety Authority (ASN).

2.2.1.6 Delegations of authority and technical authorisations

The Chairman and CEO delegates some of his/her powers to the members of the management team, in coherence with the organisation of the Group and with the responsibilities assigned to the heads of these entities.

The organisation put in place for procurement is designed to ensure proper control of the processes. Procurement contracts are signed, depending on the thresholds, either by the Chairman, a Group Executive Director or any of their delegates following signature by the Procurement Department Director or any of their delegates. Signature by the Procurement Department Director or their delegates formally recognises that the instrument complies with the procurement process. Each Group Executive Director is expected to reinforce the internal control system for procurement instruments submitted for their signature and those procurement instruments directly handled by their Management.

The Chairman and CEO has delegated the nuclear operator liability to the Group Executive Director for the Nuclear and Fossil-fuel Fleet Department and the Group Executive Director for the New Nuclear Engineering and Projects Department, who then sub-delegated it to the Directors of the divisions involved which have, in their turn, sub-delegated it to unit managers. Authorisations are issued by each facility manager, who must ensure beforehand that the associated skills have been assessed. These requirements apply to all persons carrying out work, both for staff of EDF and service providers. The Legal Department prepares and updates delegations of authority. In addition, a “Group delegation of powers” instruction was updated in 2017 and aims to inform and educate EDF entities on the nature, consequences and management rules for delegations of powers.

2.2.2

IMPLEMENTATION OF SYSTEMS FOR THE CONTROL OF RISKS AND ACTIVITIES

2.2.2.1 General control systems

2.2.2.1.1 Risks mapping and the report on internal control, security of assets, ethics and compliance

■ Each entity of the Group (65 entities in 2017 covering the scope of EDF SA and the controlled subsidiaries) prepares an annual internal control report, mainly consisting of a self-assessment of risk management and activities that concern them, and the description of the actions for making progress. Each internal control report gives rise to a commitment by the Director of the entity on the level of control achieved and the actions undertaken. In 2017, the internal control report template was extended to give rise to a single report including internal control, reporting on security of assets and ethics and compliance reporting. Particular attention was therefore paid to these two subjects in the 2017 fiscal year.
■ The part relative to ethics and compliance fulfils the requirements of the Group Ethics and Compliance policy, including: the ethics alert system, prevention of the risk of corruption (control of the integrity of business relations, supervision of gifts and invitations); financial ethics (prevention of the risk of money laundering and financing of terrorism, prevention of market abuse, compliance with the EMIR (1) regulation); prevention of breaches of competition law; prevention of conflicts of interest; compliance with rules on the protection of personal data; fraud prevention; preventing bullying and discrimination; compliance with sectoral regulations (REMIT (2) regulations on integrity and transparency in energy markets, regulations concerning dual-use goods); compliance with international sanctions programmes.
■ The part relative to security of assets fulfils the requirements of the policy on security of assets in coping with malicious acts, including: the safety of individuals during international travel, the security of material assets and the security of intangible assets (identification, classification and protection of sensitive information).

Other than these topics, self-evaluations report more generally on the control of all of their “business” activities and all of the requirements of the other cross-functional areas listed in the Group policies, with the aid of an internal control guide updated each year, in coherence with the AMF reference framework. Lastly, self-evaluations report requirements relative to accounting and financial internal control (see section 2.2.2.3).

(1) European Market Infrastructure regulation (EMIR): European regulation on market infrastructures.
(2) Regulation on Wholesale Energy Market Integrity and Transparency (REMIT).


EDF | Reference Document 2017
