Universal Registration Document 2024

RISK FACTORS AND INTERNAL CONTROL 2 INTERNAL CONTROL AND RISK MANAGEMENT

2.2

INTERNAL CONTROL AND RISK MANAGEMENT

2.2.1 GENERAL PRESENTATION A global approach The Group’s command of its activities and the objectives it has set itself is based on a combination of several systems such as risk management, internal control (including management systems) and internal audit. While these systems are necessarily independent, they are interrelated and form a comprehensive approach aimed at reducing the occurrence of risks. Governance and scope The risk management and internal control system, including the analysis for current and prospective risks, are managed by the Audit, Internal Control and Risk Management Department which reports to the Audit, Security and Risk Management Department of Groupe ADP. The Audit, Security and Risk Management Department is organised into three units to ensure the smooth operation of the internal audit, internal control and risk management and prospective analysis systems. The governance of these systems is based on: u the Board of Directors, which determines the directions taken by Aéroports de Paris SA’s activity and ensures they are followed (Article 16 of the Articles of Association); u the Audit and Risk Committee, an extension of the Board of Directors, whose mandate is specified in the rules of procedure of the Board of Directors; u the Executive Committee (Comex), chaired by the Chairman and CEO, which defines the strategic direction of Groupe ADP and debates any subject relating to its smooth running; u the Risk and Internal Control Operational Committee which brings together the directors of the entities; u the Group’s business lines;

u the network of “Internal Control, Audit, Risks and Ethics” coordinators appointed in each ADP SA entity, as well as the network of contacts within the Group’s subsidiaries (France and international). It is based on the model of “three lines of activity control”, invented by the French Institute for Audit and Internal Control ( Institut Français de l’Audit et du Contrôle Interne – IFACI) and the AMRAE (the French Association for the Management of Corporate Risks and Insurance ( Association pour le Management des Risques et des Assurances de l’Entreprise – AMRAE). Governance of risk management functions within the Group Groupe ADP’s internal control and risk management systems also contribute to securing the Group’s activities: u firstly, the management system for current and prospective risks aims to identify, assess and prioritise the Company’s main risks. Prospective analysis missions are used to anticipate new types of risks and opportunities in 10, 15 or even 20 years. As part of this work, controls may be put in place to remedy an identified weakness; u secondly, the internal control system applies in all the entities controlled by ADP SA, and in particular to administrative, accounting and financial processes, in addition to controls of processes corresponding to unacceptable risks on the Company's risk map (ethics and compliance, GDPR, workplace health and safety, etc.). Controls can also be performed on an ad hoc basis in response to weaknesses/risks identified by the internal audit team. At the same time, these systems can be supplemented by “quality” procedures (ISO), elements of internal control. Lastly, internal audit ensures the robustness of internal control.

Source: the French Institute for Audit and Internal Control.

123

UNIVERSAL REGISTRATION DOCUMENT 2024 w AÉROPORTS DE PARIS