2022 Universal Registration Document

R i sk and r i sk management Internal control and risk management

2 . 2 I NTERNAL CONTROL AND R I SK MANAGEMENT

2.2.1 GENERAL PRESENTATION A global approach The risk management and internal control systems to which the management systems contribute, as well as the internal audit system constitute a global approach to control the group’s activities and objectives. Governance and scope The risk management and internal control systems are managed by the Audit, Internal Control and Risk Management Department (ASMR) which reports to the Audit, Security and Risk Management Department (ASM) of Groupe ADP. The governance of these systems is based on: ◆ the Board of Directors, which determines the directions taken by Aéroports de Paris SA’s activity and ensures they are followed (article 16 of the Articles of Association); ◆ the Audit and Risk Committee, an extension of the Board of Directors, whose mandate is specified in the rules of procedure of the Board of Directors; ◆ the Executive Committee (Comex), chaired by the Chairman and CEO, which takes part in directing Groupe ADP, both operationally and strategically, and debates any subject relating to its smooth running; ◆ the Risk and Internal Control Operational Committee (CORCI) which brings together the directors of the entities 1;

2

◆ the Group’s business lines; ◆ the network of “Audit Risk Management Internal Control” (ARC) coordinators appointed in each ADP SA entity, as well as the network of contacts within the Group’s subsidiaries (France and international). It is based on the model of “three lines of activity control”, invented by the IFACI (the French Institute for Audit and Internal Control) and the AMRAE (the French Association for the Management of Corporate Risks and Insurance). Governance of risk management functions within the Group Groupe ADP’s internal control and risk management systems also contribute to securing the Group’s activities: ◆ on the one hand, the risk management system aims to identify, assess and prioritise the Company’s main risks. As part of this work, controls may be put in place to remedy an identified weakness; ◆ on the other hand, internal control is based on the main risks identified. At the same time, these systems can be supplemented by “quality” procedures (ISO), elements of internal control. Lastly, internal audit ensures the robustness of internal control.

BOARD OF DIRECTORS AUDIT AND RISK COMMITTEE

EXECUTIVE COMMITTEE (COMEX) RISK AND INTERNAL CONTROL OPERATIONAL COMMITTEE (CORCI)

1 st LINE OF CONTROL

2 nd LINE OF CONTROL

3 rd LINE OF CONTROL

HR

INTERNAL AUDIT

LOCAL MANAGEMENT

Purchases

Legal

Actors involved in the business activity

EXTERNAL AUDITS REGULATION

Finance

RISK MANAGEMENT AND INTERNAL CONTROL RISK HEDGING BY INSURANCE

Management

ETHICS AND COMPLIANCE

IS …

Network of ARCcoordinators andmanagement systems

Source: Institut Français de l’Audit et du Contrôle Internes (IFACI)

157

AÉROPORTS DE PAR I S / UN I VERSAL REG I STRAT I ON DOCUMENT 2022