AFD_REGISTRATION_DOCUMENT_2017

RISK MANAGEMENT


The information system security policy (ISSP), which is compliant with ISO 27002, defines the 90 security rules needed to protect AFD’s information systems. The application of each rule is stipulated by a set of internal security standards and procedures, in compliance with good practices in the field. This ISSP is accompanied by an IT user charter which has been enforceable for all users since it was included in AFD’s rules and regulations in September 2015. ISS awareness-raising for all Group users ensures that they are familiar with the main terms of use.

The management of security incidents is outlined in a specific directive that sets the management rules to be applied in such a situation in connection with the IT production teams and user support. The RSSI may request the activation of a crisis unit if the nature of the incident so requires. In 2017, AFD did not suffer any cyberattack crises.

• Emergency and business continuation plan

The AFD Group has a Business Continuity Plan (BCP) intended to cover all of the AFD Group’s business lines and activities, including its Proparco and Sogefom subsidiaries. The system aims to ensure the continuation of the Group’s activities following a disaster that is unlikely to occur but would have a critical impact. The plan is formalised in three framework documents applicable to the entire group: the business continuity policy, the crisis management plan and the business continuity plan. These documents are supplemented by procedures for each essential activity.

In 2017, the business continuity policy was changed. It now includes a new class of activity recovery (level 5 availability) for activities that do not support service interruptions. Continuity procedures are grouped into “BCP kits” provided for each structure operating one of the vital functions. These procedures describe the actions required for implementing the plan, as well as the manual operating modes to be used in case of any long-term unavailability of business premises or information tools.

The 16 structures of the AFD Group, including Sogefom and Proparco, are asked at least annually to revise their business impact assessments (BIAs) and update their degraded procedures. Each person in charge of entities registered in the BCP is responsible for applying the procedures of his or her BCP Kit once the plan has been triggered.

AFD also has a “pandemic” plan which describes the principles and ways of maintaining business activity in the event of a global or local pandemic.

The Information and Telecommunications Recovery Plan (PRIT), which covers the risk of an extended IT system outage, has an IT infrastructure that reactivates the AFD Group’s applications and essential systems. The PRIT system covers all of the business lines’ IT continuity requirements by duplicating 70% of the Group’s Information System and 100% of production data. This includes all systems essential to users’ “core business” activity for the first month of loss. The remaining 30%, corresponding to non-essential systems, are re-established within three months.

4.3.6.5 Tax risk

AFD did not undergo any tax audits in 2017.

In a letter dated 7 October 2016, the tax authority conducted a comprehensive assessment of all of Proparco’s tax returns for the period from 1 January 2014 to 31 December 2015. An audit began on 20 October 2016 and was completed at the end of 2017. The General Directorate of Public Finance issued a proposed non-material correction. At the closing date, the notice of assessment had not been received.

4.3.6.6 Other operational risks

In addition to the risks described above, the permanent control system covers all of the operational risks to which the Group is exposed in relation to Basel categories 1 to 7 (as described in section 4.2.4.3). This system for monitoring and mitigating all operational risks is based on:

• operational risk mapping, which is the main tool used to measure and monitor these risks;
• a system for reporting operational incidents, key controls, and action plans developed across the most significant risk zones. Specifically, incidents are recorded to ensure corrective action is implemented to avoid repeat incidents, and to further develop risk mapping and deploy new controls, where applicable.

Permanent control provides regular reports to the Group’s Risk committee and Internal Control Committee (COCINT).
