GROUP OVERVIEW 1 Internal control and risk management

The expert appraisers conducting replacement cost assessments may have underestimated the value insured, causing claim settlements to fall short of the losses incurred or, conversely, may have overstated the value insured, causing the Group to pay unduly high insurance premiums.

In connection with its investments, Klépierre may encounter situations where third parties have arranged insurance insufficient to cover losses or even have no insurance in certain cases; it being specified that, as far as possible, Klépierre takes steps to establish additional policies to prevent the risk of insufficient insurance coverage.

1.8.7 Risks related to information systems

The Klépierre Group’s core business activities are managed by an ERP system that is implemented in most countries. This centralized structure strengthens the information system control framework but exposes Klépierre to the risk of a wide-scale system outage, which could generate significant costs associated with the potential loss of business and the recovery of data.

The data managed in Klépierre’s information systems may also be the subject of internal or external attacks, with financial (misappropriation of funds, fines, etc.), reputational (disclosure of confidential and/or strategic information about Klépierre, a partner or customer) and legal consequences (disclosure of insider information). Risks associated with “internal malicious acts” are managed by the system via authorization profiles (permitted transactions are automatically linked to a user profile). Risks associated with external malicious acts are monitored by auditing and threat prevention systems.

Awareness is raised amongst all Group employees, in the Code of Professional Conduct and the Chart of Group IT Resources, regarding the importance of complying with the key mechanisms for securing data (confidentiality and changing of passwords, recording sensitive data in databases that are automatically backed up, etc.).

1.9 Internal control and risk management

The Klépierre Group’s internal control framework is predicated on the general risk management and internal control principles laid down in the reference framework published by the Financial Markets Authority (AMF) in July 2010.

1.9.1 Objectives and principles

Internal control is the organization of processes, procedures and controls implemented by management for the ultimate purpose of ensuring overall control of risks and providing reasonable assurance that strategic goals will be achieved. In particular, this organization is predicated on:
> applying instructions and guidelines laid down by the Executive Board;
> making operations as efficient as possible and ensuring the Group’s internal processes work smoothly;
> the reliability of internal and external information;
> complying with the laws and regulations.

The internal control framework applies to all the (operational and corporate) entities in the Klépierre Group.

The internal control framework designed to meet the various objectives outlined above does not, however, provide any certainty that the objectives set will be achieved, owing to the inherent limitations of all procedures. Even so, it aims to make a major contribution towards attaining them.

1.9.2 Organization of risk management and internal control

1.9.2.1 Management of the framework

The Group’s risk management and internal control framework is overseen by the Internal Audit & Control Department. It reports to the Executive Board and encompasses the risk management, periodic control and ethics & compliance functions.

The role of the Internal Audit & Control Department is to coordinate a framework in which operational staff play the leading role. To this end:
> it raises their awareness and trains them in the principles of internal control;
> it coordinates the measures they take;
> it ensures that first and second-level control plans exist and are integrated within formally defined procedures.

The Internal Audit & Control Department is ultimately responsible for ensuring the consistency and efficiency of internal control. Within the business lines and foreign subsidiaries, it has direct access to the risk and internal control liaison officers, who form a functional network reporting to it. It is responsible for implementing risk monitoring and mitigation tools and systems, such as risk mapping and an incident database. Lastly, it handles reporting to the Executive Board and the Audit Committee.

Every manager is required to implement effective controls over the activities for which such manager is responsible.

Every Klépierre Group employee contributes to the internal control framework in an environment in which:
> the description of the Group’s governance and organization of its business lines and functions provides the general framework for achieving its objectives;
> there is a repository of guidelines laying down and circulating the internal rules and procedures to be followed, while systematically incorporating instructions about the controls to be carried out;
> the principle of delegation represents the cornerstone of the system. It is reflected in the use of correspondents who are responsible for consistent implementation of the Group’s policies;
> duties are segregated by keeping the operational roles separate from supervisory roles;
> compliance with the laws and regulations is assured by the introduction of professional conduct rules for employees, especially in relation to data confidentiality, a Good Practice Code for relationships with third parties and the use of information system resources.
32 KLÉPIERRE 2017 REGISTRATION DOCUMENT
