REPORT OF THE CHAIRMAN OF THE BOARD OF DIRECTORS

A1

4. System of internal controls

controls and streamline access to the management information system. The main

purpose of this tool is to secure the access management process by ensuring that

user roles are defined according to best practices for the separation of duties and

by automating their management with the SAP Governance, Risk and Compliance

suite (SAP GRC).

4.2.7.

INTERNAL CONTROL STEERING AND PRACTICES

Internal control relies on all of these elements as well as on the practices of all

employees, which are themselves based on the group’s commitments (Code of

Ethics, compliance with the principles of sustainable development, etc.). “Best

practices” are identified to facilitate their dissemination and sharing so as to ensure

effective continuous improvement in matters of internal controls.

The internal control function jointly coordinated by the Internal Audit Department

and the Finance Department within the Internal Control Committee relies on a

network of internal control coordinators appointed in each of the business units,

whose main objectives are:

p

to ensure the distribution of information concerning decisions made and their

application by the entities (“top-down”); and

p

to roll up specific points requiring attention from the entities to the committee

(“bottom-up”).

The Risk and Internal Audit Department is in charge of monitoring and updating

the performance of the internal control system for the group’s governing bodies,

particularly through the self-audit exercise. In connection with this mission, it

provided support to operational management, the functional departments and

the shared service centers to strengthen existing systems by means of preventive

and corrective actions.

The person responsible for internal accounting and financial controls is tasked

more specifically with issues related to internal accounting and financial controls,

and works closely with the Risk and Internal Audit Department.

4.3.

DISSEMINATION OF INFORMATION

Bottom-up and top-down information channels have been established to

communicate relevant and reliable information in a timely manner.

p

Bottom-up information:

○

accounting and finance information is reported and processed following

specific processes and using shared tools to check and record the data (

i.e.

a single, secure software program for reporting and consolidation shared by

the entire group and supervised by the Finance Department),

○

the achievement of performance objectives by the business units and

functional departments and the execution of the transformation plans through

progress on related action plans are followed up on a monthly basis through

the Monthly Business Reviews and on a quarterly basis through the Quarterly

Business Reviews, particularly by the ExComs of the two new subgroups,

NewCo and New NP;

p

Top-down information:

○

the group’s relevant departments and entities are informed of resolutions by

the corporate decision-making bodies,

○

the group monitors laws and regulations on nuclear safety, occupational

safety, health, the environment, accounting and taxation, and disseminates this

information throughout the group as appropriate. Applicable organizational

memos, rules, standards and procedures are rolled out under an existing

standard for the organization and procedures, which is now applied in the

two subgroups (NewCo and New NP).

Communications with stakeholders are framed in plans designed to ensure and

uphold the quality of the information provided.

4.4.

MANAGING RISK AND SETTING OBJECTIVES

4.4.1.

RISK IDENTIFICATION AND MANAGEMENT

The group drew up a business risk model when it was established to take into

account the potential impact of events on the achievement of the group’s strategic

and operational objectives. AREVA’s Risk and Internal Audit Department, working

with the risk managers of the business units (which themselves have a network of

risk managers in their operating entities), carries out an annual update.

In 2016, the update was reviewed by the Risk Committee and approved by the

ExComs of both subgroups (NewCo and New NP). The business risk model was

presented to the Audit and Ethics Committee of the Board of Directors.

In particular:

p

the operational and functional management teams have approved the assessment

of risk in their operations. For example, all of the group’s entities collected,

analyzed and measured the risk factors of their respective operations. They

also prepared mitigation plans and management procedures to minimize the

risk and have designated the people in charge and the schedule for completion;

p

the members of the ExComs of the subgroups (NewCo and New NP) identified

and formalized the list of the group’s major risks and designated a “referring”

member for each of them. More specifically, this member is in charge of verifying

the existence of an appropriate action plan and reporting on its progress to the

Risk Committee, the Executive Committees and the company’s governing bodies;

p

based on this work, themain risk factors identified are described in the Reference

Document in the section on riskmanagement and insurance (see Section 4.

Risk

factors

). Matters pertaining to nuclear safety and industrial safety, which are an

absolute priority for the group, are discussed in that section;

p

in addition, in 2016, which saw significant changes in the group’s consolidation

scope and organization involving a number of entities, all of the management

and control bodies were attentive during this first period of transition to strict

compliance with applicable rules and to the proper functioning of all of the

processes that go into making the internal control system robust.

In addition, the Safety, Health, Security and Environment Department is tasked with

supervising industrial risk management and, on a practical level, working with the

2016 AREVA

REFERENCE DOCUMENT

329