Groupe Renault - 2020 Universal Registration Document

98 GROUPE RENAULT I UNIVERSAL REGISTRATION DOCUMENT 2020 Find out more at group.renault.com 01 INTERNAL CONTROL AND RISK MANAGEMENT GROUPE RENAULT Internal delegations and separation of offices In addition to command-line structures, the Group has set up a staff reporting system so that corporate function managers can provide leadership for their function correspondents throughout the Group. The decision-making process is based on a system of internal delegation that determines in which areas and at which levels operational managers may make decisions. All the rules for delegating decision-making authority are communicated to personnel via the intranet. Decision requests are tracked in a workflow that implements the rules specifying the persons to be involved, in accordance with internal control procedures or documented in the minutes of the committees responsible for making the decision. The principle of separation of offices and tasks is required at all hierarchical and functional levels within the Group, and within the computer systems, to facilitate independent control and to separate tasks and functions corresponding to operations, the protection of property and their booking for accounting purposes. Implementation of objectives Each year, the Internal Control department runs an internal control campaign in which self-assessment questionnaires are sent to the Group’s main entities. The CEOs of the entities validate these self-assessments and commit to defining and implementing action plans to remedy any internal control shortcomings identified. These action plans are subject to annual monitoring by the Internal Control department. The results of these self-assessments are presented to the Risks and Internal Control Committee and Audit, Risks and Compliance Committee once a year. Compliance tests are conducted on the basis of a sample of entities by the internal controllers of the Internal Control department to verify the quality of the self-assessments. This internal control system applies to the parent company and all significant entities, fully consolidated companies in particular. Entities with lower risk levels (entities not fully consolidated or unconsolidated entities) are subject to separate internal control systems. The work of the Internal Control department in 2020 included: continued action to improve the corruption prevention system and P support for the operational staff concerned; work designed to make "métier" prescribers more involved into P internal control self-assessment to better assess operational risks; the roll-out of training courses on internal control, in particular on P the method for analyzing the separation of duties with standard matrices on the main risky processes; more than 455 managers and 43 Management Committees have been trained over the last three years; definition of preventive and detection controls based on a data P analytics unit; review of the rules for delegation of authority, in particular P following changes in the Group’s method of governance. internal control as an essential feature of management and a key performance driver. The Tone at the Top in terms of internal control was reaffirmed by the circulation of an editorial signed by the Group CFO, positioning The priorities in 2021 will be to continue these underlying actions begun in previous years. The RCI Banque group’s specific 1.5.1.4 features in terms of internal control and risk management RCI Banque has a global internal control system which aims to identify, analyze and manage the main risks identified in relation to the Company’s objectives. The RCI Banque group’s Internal Control Committee has validated the general framework for this system, which is described in the Internal Control Charter. This Charter defines the system applicable to the French and foreign companies over which RCI Banque has effective control and specifies in particular: the general arrangements for managing internal control; P the local arrangements for subsidiaries, branches and P joint-ventures; the special arrangements for various functional areas. P Risk control at RCI is overseen on three levels by separate functions: the first line of control is exercised by the operational functions in P charge of day-to-day risk management as part of the activities in their area of expertise. These functions decide and are responsible for taking risks in the conducting of transactions and the objectives assigned to them. They exercise this responsibility in accordance with the management rules and the risk limits defined by the Corporate functional departments. The Corporate functional departments are in charge of risk definition, rules, management methods, measurement and monitoring at the corporate level. Each department, in its area of expertise, manages and oversees the risk management system via guidelines and country objectives. Risk is monitored by periodic dedicated committees in both the subsidiaries and centrally. These departments rely on local representatives for risk measurement and exposure monitoring and ensure that limits are respected at the group level; the second line of defense includes: P the Internal Control department and the internal controllers for P the Group entities, which control the level of compliance of transactions with the management rules defined in the procedures. More specifically, they verify the relevance of the first line of control, the Risk and Banking Regulations department, which oversees P the deployment of the Group’s risk governance policy, verifies the efficiency of risk management by the functional departments and of compliance with the limits and alert thresholds established and ensures that the Risk Committee of the RCI Board of Directors is notified when those thresholds are exceeded; the third line of defense is the internal audit function, which aims P to provide assurance to RCI Banque’s Board of Directors and Senior Management about the degree of control over transactions and the oversight exercised by the first two lines.