Aéroport de Paris - 2018 Registration document

RISK MANAGEMENT AND CONTROL 04

RISK MANAGEMENT AND INTERNAL CONTROL SYSTEM

Description of the risk management and internal control system

The cornerstone of the system

With regard to crisis management, Groupe ADP’s system aims to ensure continuity of the Group’s operational control and the quality of its response to sudden, unexpected events. It must help keep activities at satisfactory levels of quality while remaining in compliance with security and safety obligations. The Group’s management continuity and crisis management system is described in a booklet. Crisis exercises are also carried out several times per year to test the system’s effectiveness, with feedback enabling improvements to be made.

Internal control

The aim of internal control is to contribute to risk management, the effectiveness of Group operations and the efficient use of its resources. Groupe ADP’s approach is to deploy the internal control system through cross-entity processes based on:

◆ existing management systems in some entities; in 2018, all entities with a quality and management system are certified to ISO 9001 and ISO 14001, 2015 version;
◆ internal control systems deployed for the others.

Insurance

The financial consequences of some risks can be covered by insurance policies where their order of magnitude justifies this and provided that cover is available on acceptable terms and conditions. The Legal and Insurance Department oversees the general policy on Group insurance (see below), manages the use of insurance within the Group and provides coordination and expertise in this area in France and worldwide.

Periodic monitoring of the system

The risk management and internal control systems are monitored by:

◆ the monitoring of major incidents and incidents due to unacceptable risks;
◆ the Audit Department;
◆ external structures, such as the Statutory Auditors and other relevant organisations, notably Government services.

Major incidents

Major incidents or incidents due to unacceptable risks are identified by the Group’s entities (100% owned subsidiaries). A review of these declared incidents is sent to the Chairman & Chief Executive Officer and Chief Operating Officer semi-annually.

Internal audit

It aims to provide, in complete independence, the Company and the Group with reasonable assurance over the degree of control over its operations, provide advice on improvements and contribute to creating added value. Certified by IFACI since 2008, the Corporate Audit and Internal Control Division assesses the operation of the risk management and internal control systems. Through its recommendations, it contributes to improving safety and optimising the overall performance of the Company and its subsidiaries.

◆ Groupe ADP has adopted ethics and compliance as governance principles. The implementation of the ethics and compliance programme is managed by the Ethics Department, which was created in 2018 and which reports to the Chairman and CEO, and by the Legal and Insurance Department. This programme is described in the “Governance and ethics” paragraph of the “Social, environmental and societal responsibility information” 2018 Management report chapter.
◆ Two charters manage the global system within the group. These concern:
    ◆ risk management and internal control: the charter indicates that the group applies the provisions of the AMF reference framework published in 2007 and updated in July 2010;
    ◆ internal audit: the charter is based on international standards and the internal audit code of ethics distributed in France by the French Institute for Audit and Internal Control (IFACI) and which constitutes the international reference framework for internal audit.
◆ Risk management guidelines describing the methodology for the Group make up the final element of the system.

Risk Management

This system aims to provide all stakeholders with an overall, fair vision of the Group’s major risks and their level of control. Risk mapping is updated every year. It enables the Group to identify the major risks, prioritise and deal with them, and monitor the actions identified. Risks are assessed according to their impacts and frequency, given the existing control measures. They are then prioritised according to their critical level. Major risks and risks deemed unacceptable¹ are the subject of priority handling. After a review in the Risks and Internal Control Operational Committee (CORCI), the Group mapping is submitted to the Comex, then presented to the Audit and Risk Committee and the Board of Directors.

Group risk management takes account of the CSR challenges identified by the materiality study carried out in 2018, which is described in the “Social, environmental and societal responsibility information” 2018 Management report chapter.

Business continuity and crisis management

Groupe ADP has put in place a business continuity and crisis management system in order to improve the management of external risks. For this, it is supported by a Group Policy on Business Continuity (PGCA). Its aim is to guarantee services that are essential for the Company’s operations. For each of these, the PGCA indicates the objectives, principles, responsibilities and main procedures. It is reflected in a business continuity plan (PCA) for each of the platforms (Paris-Charles de Gaulle, Paris-Orly and Paris-Le Bourget) and for each of the essential support activities for airport operations (IT systems and human resources). A pandemic plan completes the approach.

1 The Group defines the risks that, whatever their level of criticality, are unacceptable. These are subject to specific monitoring and the different entities are required to be extremely vigilant with regard to them.
