2022 Universal Registration Document

R i sk and r i sk management Internal control and risk management

GROUPE ADP COORDINATED RISK MANAGEMENT SYSTEM

◆ the deployment of field tests by internal controllers. These campaigns make it possible to analyse the controlled processes and propose recommendations in order to strengthen their robustness, where necessary. As these controls are carried out on the Group’s entities in France and abroad, the latter enter them directly into a GRC (Governance, Risk, Control) tool, which enables the centralisation of responses and the associated documentation. Any discrepancy (self-assessment and field tests) gives rise to remediation plans followed by the Internal Control team at Groupe ADP’s registered office. To date, these systems relate in particular to accounting and financial processes, as well as ethics and data protection. The other processes will be rolled out in 2023 and 2024. Business continuity and crisis management Groupe ADP has implemented a business continuity and crisis management process for greater control of risks that have a major impact on business continuity. For this, it is supported by a Group Policy on Business Continuity (PGCA). The aim is to guarantee services that are essential for the group’s operations. It provides for different types of solutions (redundancy, fallback sites, downgraded mode, etc .). To date, it has been rolled out: ◆ in France, as part of a business continuity plan (PCA) for each of the platforms (Paris-Charles de Gaulle, Paris-Orly and Paris Le Bourget) and for each of the support activities essential to the smooth running of airport operations (IT systems and human resources); ◆ abroad, through the formalisation of business continuity plans (PCA) within the Group’s platforms. With regard to crisis management, Groupe ADP’s system aims to ensure continuity of the Group’s operational control and the speed and quality of its response to major events. It must contribute to optimally keep the activities at satisfying levels of quality while remaining in compliance with regulatory security and safety obligations. The Group’s crisis management system is based in particular on the existence of on-call teams trained in the various situations envisaged. Crisis exercises are also carried out several times per year to test the system’s effectiveness, with feedback enabling improvements to be made. Insurance and risk transfer The financial consequences of certain risks can be covered by insurance policies where their order of magnitude justifies it and providing that cover is available under acceptable terms and conditions (see “Group’s general insurance policy” below). The Legal and Insurance Division oversees the general policy on group insurance (see below), manages the use of insurance within the group and provides coordination and expertise in this area in France and worldwide.

2

Group mapping

Entity/business line mapping

Thematic mapping

From 2022, the Group has included an analysis of emerging risks, the identification of which results from a prospective analysis of the activity and the collection of “weak signals”. The various emerging risks detected are presented to the governance bodies and then discussed with the Stakeholder Council in order to understand and integrate the expectations of Groupe ADP’s partners. These forward-looking elements, as well as the thematic and business line mappings mentioned above, are part of the commitments made in the governance component of Groupe ADP’s Pioneers for Trust strategic roadmap. Internal control “ Internal control is a process implemented by the Board of Directors, management and staff of an organisation, intended to provide reasonable assurance as to the achievement of the following objectives: the achievement and optimisation of operations/reliability of financial and management information/ compliance with applicable laws and regulations ”, according to the COSO II. There are two types of controls: ◆ key controls, which are intended to reduce the risk associated with a critical objective for the Group’s entities; ◆ specific controls, which are specific to a Group legal entity. They are carried out on all Group entities (ADP SA and controlled subsidiaries). For the deployment of the internal control of each process, the organisation follows three main steps: ◆ the development of guidelines in which key controls are identified; ◆ self-assessments by the business lines;

159

AÉROPORTS DE PAR I S / UN I VERSAL REG I STRAT I ON DOCUMENT 2022