Groupe Renault - 2020 Universal Registration Document

97 GROUPE RENAULT I UNIVERSAL REGISTRATION DOCUMENT 2020 01 INTERNAL CONTROL AND RISK MANAGEMENT GROUPE RENAULT GROUPE RENAULT: A COMPANY THAT ACTS RESPONSIBLY CORPORATE GOVERNANCE FINANCIAL STATEMENTS RENAULT AND ITS SHAREHOLDERS ANNUAL GENERAL MEETING OF RENAULT ON APRIL 23, 2021 ADDITIONAL INFORMATION The Internal Audit department is certified by the French Institute of Audit and Internal Control (IFACI) (1) . This certification, in accordance with the standards for the professional practice of internal auditing ( référentiel professionnel de l’audit interne – RAI), comprises 25 general requirements divided into 100 detailed requirements across five categories: positioning, steering, audit processes, GRC (governance, risks and compliance) assessment program and professionalism. Governance The first two lines of defense report on internal control and risk management issues to dedicated committees: the Risks and Internal Control Committee ( Comité des risques et du contrôle interne , CRCI) and the Ethics and Compliance Committee ( Comité d’éthique et de conformité , CEC) presented in section 2.5.1. They occasionally report to the Executive Committee and the Operations Review Committee as part of thematic presentations. The aim of the Risks and Internal Control Committee is to regularly validate and assess the efficiency of the internal control and risk management systems. The second and third line of defense present the results of their work to the Audit, Risks and Compliance Committee (CARC), whose duties are defined in section 3.1.6. In the course of their duties, the statutory auditors assess the internal control of the preparation and processing of accounting and financial data and, when necessary, issue recommendations. The Group risk management system 1.5.1.2 The Group applies a risk management method based on one hand, on identifying and assessing risks of any kind, which are then mapped, and, on the other hand, on carrying out action plans to deal with these risks, and specifically their net impact and/or probability of occurrence, by means of: elimination, prevention, protection or transfer. This method applies to the Group, entities, vehicle programs and corporate functions. The mapping of major Group risks (descending and ascending) is presented to the Risks and Internal Control Committee, the Group Executive Committee and the Audit, Risks and Ethics Committee, which validate it. The major risk factors to which the Group is exposed are described in section 1.5.2. To carry out its duties, the Risk Management department relies, in particular, on two networks: one comprising managers mainly from the performance and P control function, for the operating entities (countries, commercial and/or industrial subsidiaries) and corporate functions, and from the quality assurance function, for the programs. These managers are known as Operational Risk Managers (RMO). They work with the Risk Management department on the operational implementation of risk management systems within the entities, the programs and corporate functions; Groupe Renault’s segments of activity. These experts are known as Expert Risk Managers (RME) and consult on the standardized risk management plans in their area of expertise. the other made up of experts who manage a specific area of risks. P These may be risks common to all companies or specific to one of To draw up the audit plan for the Company’s major risks, which is validated by Senior Management and approved by the CARC, the Internal Audit department uses risk maps to identify the most pertinent audit themes and assess risk coverage. Through its auditing task, the Internal Audit department provides the Risk Management department with insight on the effective level of control of major risks. The risk management policy is applied at Group level for major risks. It is also rolled out at operating entity level (countries, commercial and/or industrial subsidiaries), for vehicle programs and global functions. In 2020, the Risk Management department focused its activities on: updating the mapping of the Group’s major risks. This process was P carried out in a descending direction in relation to the Group’s medium-term strategic plan, which was developed during 2020, so that it will integrate the treatment plans responding to the identified risks; the strengthening of treatment plans and processes to improve P the control of the major risks identified previously; assistance to operating entities in the implementation of country, P industrial site and commercial subsidiary risk mappings, carried out with the operational risk managers of the relevant entities; assistance to the program or project departments in creating risk P mapping for projects; assistance to the corporate functions. P In addition, awareness-raising actions for Group employees about risk culture and the fundamentals of risk management were continued by the Risk Management department (communication and training, in particular through e-learning modules). In 2021, the Risk Management department’s activities will continue to focus on these priority areas. The Group internal control system 1.5.1.3 Group ethics and Corporate Function guidelines The “Corporate Functions” define and issue the policies and standards to be deployed, which are then rolled out as procedures and operating methods to ensure that processes at operational level function in accordance with the principles outlined in the code of ethics, the Guide for preventing corruption and influence peddling and the dedicated Codes of Ethics. The Internal Control department distributes guidelines (Minimum Control Standards & Control Basic Rules) that list the main themes to be controlled and incorporated into the operational staff’s control activities. French Institute for Audit and Internal Control (Institut français de l’Audit et du Contrôle interne). (1)