Areva - Reference Document 2016

A1

REPORT OF THE CHAIRMAN OF THE BOARD OF DIRECTORS

4. System of internal controls

network of internal control coordinators appointed in each of the business units, whose main objectives are: p to ensure the distribution of information concerning decisions made and their application by the entities (“top-down”); and p to roll up specific points requiring attention from the entities to the committee (“bottom-up”). The Risk and Internal Audit Department is in charge of monitoring and updating the performance of the internal control system for the group’s governing bodies, particularly through the self-audit exercise. In connection with this mission, it provided support to operational management, the functional departments and the shared service centers to strengthen existing systems by means of preventive and corrective actions. The person responsible for internal accounting and financial controls is tasked more specifically with issues related to internal accounting and financial controls, and works closely with the Risk and Internal Audit Department. Top-down information: ○ the group’s relevant departments and entities are informed of resolutions by the corporate decision-making bodies, ○ the group monitors laws and regulations on nuclear safety, occupational safety, health, the environment, accounting and taxation, and disseminates this information throughout the group as appropriate. Applicable organizational memos, rules, standards and procedures are rolled out under an existing standard for the organization and procedures, which is now applied in the two subgroups (NewCo and New NP). Communications with stakeholders are framed in plans designed to ensure and uphold the quality of the information provided. p the members of the ExComs of the subgroups (NewCo and New NP) identified and formalized the list of the group’s major risks and designated a “referring” member for each of them. More specifically, this member is in charge of verifying the existence of an appropriate action plan and reporting on its progress to the Risk Committee, the Executive Committees and the company’s governing bodies; p based on this work, themain risk factors identified are described in the Reference Document in the section on riskmanagement and insurance (see Section 4. Risk factors ). Matters pertaining to nuclear safety and industrial safety, which are an absolute priority for the group, are discussed in that section; p in addition, in 2016, which saw significant changes in the group’s consolidation scope and organization involving a number of entities, all of the management and control bodies were attentive during this first period of transition to strict compliance with applicable rules and to the proper functioning of all of the processes that go into making the internal control system robust. In addition, the Safety, Health, Security and Environment Department is tasked with supervising industrial risk management and, on a practical level, working with the p

controls and streamline access to the management information system. The main purpose of this tool is to secure the access management process by ensuring that user roles are defined according to best practices for the separation of duties and by automating their management with the SAP Governance, Risk and Compliance suite (SAP GRC). INTERNAL CONTROL STEERING AND PRACTICES Internal control relies on all of these elements as well as on the practices of all employees, which are themselves based on the group’s commitments (Code of Ethics, compliance with the principles of sustainable development, etc.). “Best practices” are identified to facilitate their dissemination and sharing so as to ensure effective continuous improvement in matters of internal controls. The internal control function jointly coordinated by the Internal Audit Department and the Finance Department within the Internal Control Committee relies on a 4.2.7. Bottom-up and top-down information channels have been established to communicate relevant and reliable information in a timely manner. Bottom-up information: ○ accounting and finance information is reported and processed following specific processes and using shared tools to check and record the data ( i.e. a single, secure software program for reporting and consolidation shared by the entire group and supervised by the Finance Department), ○ the achievement of performance objectives by the business units and functional departments and the execution of the transformation plans through progress on related action plans are followed up on a monthly basis through the Monthly Business Reviews and on a quarterly basis through the Quarterly Business Reviews, particularly by the ExComs of the two new subgroups, NewCo and New NP; p 4.4.1. RISK IDENTIFICATION AND MANAGEMENT The group drew up a business risk model when it was established to take into account the potential impact of events on the achievement of the group’s strategic and operational objectives. AREVA’s Risk and Internal Audit Department, working with the risk managers of the business units (which themselves have a network of risk managers in their operating entities), carries out an annual update. In 2016, the update was reviewed by the Risk Committee and approved by the ExComs of both subgroups (NewCo and New NP). The business risk model was presented to the Audit and Ethics Committee of the Board of Directors. In particular: p the operational and functional management teams have approved the assessment of risk in their operations. For example, all of the group’s entities collected, analyzed and measured the risk factors of their respective operations. They also prepared mitigation plans and management procedures to minimize the risk and have designated the people in charge and the schedule for completion; 4.3. DISSEMINATION OF INFORMATION 4.4. MANAGING RISK AND SETTING OBJECTIVES

329

2016 AREVA REFERENCE DOCUMENT