2022 Universal Registration Document

Risk and risk management 2 Internal control and risk management

The scope of this Group risk management system covers the Aéroports de Paris company and its controlled entities.

Within ADP SA, the first line of defence is embodied by the first level of responsibility, namely local management, which:
◆ applies the Group’s directives, policies or instructions;
◆ carries out key controls defined by the process pilots.

The second line of defence is carried out by the entities in charge of cross-cutting processes (human resources, information systems, finance, accounting, legal, ethics, insurance, risk management, etc.).

For the third line of control, the Group Audit Department carries out periodic monitoring of:
◆ Group risk management and internal control systems;
◆ internal process control.

It assesses them and issues recommendations in the event of any deviation from regulations and any weaknesses observed. Lastly, internal audit provides General Management and the Audit and Risk Committee with overall assurance on the effectiveness of the Group’s first two lines of control and governance.

2.2.2 DESCRIPTION OF THE SYSTEM

The basics

This group system is based on:
◆ two charters relating to:
    ◆ management of risks and internal control: the charter indicates that the group applies the provisions of the AMF French Authority’s reference framework. It was supplemented in 2019 by a note describing Groupe ADP’s new guidelines relating to internal control to apply the best standards in these areas,
    ◆ internal audit: the charter is based on international standards and the Internal Audit Code of Ethics distributed in France by the French Institute for Audit and Internal Control (IFACI) and which constitutes the international reference framework for internal audit;
◆ three methodological guidelines relating to risk management, internal control and internal audit.

It is also based on the group’s ethical rules which are created by the governing bodies and communicated to all employees.

Risk Management

The aim of this system is to provide all of the stakeholders with a global overview of the group’s major risks and their level of control (section “Risk factors” of this document). As such, risk mapping is carried out annually, involving all Group entities and functions. It allows us to identify the major risks, prioritise them, deal with them and follow up on the actions identified. Risks are assessed according to their impacts and frequency, given the existing control measures. They are then prioritised according to their critical level.

In addition, in its internal rules and procedures, the Group is uncompromising with regard to the application of internal rules and standards in terms of risks related to security, ethics and compliance. These risks are qualified as “unacceptable”. The related risk factors are indicated in bold below. The Group is strengthening its long-term control system, through a prevention approach, in order to reduce as much as possible the probability of this type of risk occurring.

After a review in the Risks and Internal Control Operational Committee (CORCI), the group mapping is submitted to the Comex, then presented to the Audit and Risk Committee and the Board of Directors. In 2022, the risk assessment methodology evolved to strengthen communication on changes in risk management and thus facilitate the prioritisation of action plans. For each risk identified, the level of control is assessed in coordination with the internal control structuring process. The monitoring of the action plans and the securing of priority risks is managed by the risk management teams and the progress reports on these action plans are communicated to the governance.

Within Groupe ADP, various risk mappings coexist: operational mappings, risk mappings by entity, “thematic” risk mappings and the annual Group risk mapping. Each risk mapping meets a specific need (management, regulatory or certification requirements, etc.) and is developed according to a defined objective. Risk mapping can therefore be developed on the basis of variable scopes in terms of:
◆ types of risks analysed, from the most specific to the most cross-functional (strategic, operational, external and non compliance);
◆ number of entities/activities taken into account in the analysis, from the most “local” to the broadest at Group level.

The Group’s annual risk mapping is based on a consolidated analysis of operational mappings (risks by entity or business line and “thematic” risks: corruption, human rights, climate, etc.). In its analysis, it takes into account all types of risks to be analysed and the entire organisational scope and activities.

AÉROPORTS DE PARIS / UNIVERSAL REGISTRATION DOCUMENT 2022