GROUP OVERVIEW Internal control and risk management 1 The Klépierre Group aims to anticipate and manage the major risks 1.9.3 Risk assessment methodology likely to affect attainment of its objectives and compromise the compliance with the laws and regulations. Risks are cataloged as part 1.9.3.1 Identification and evaluation of a risk mapping process conducted by means of business processes of the risks at corporate level and support functions and updated periodically. During each update, the Internal Audit & Control Department ensures that the following Klépierre’s risks are identified and evaluated on the basis of risk objectives are achieved: mapping, done jointly with the various Group functions and business lines. > identify and assess the risks from strategic to operational level to protect the value, assets and reputation of the Group covering This mapping is updated on a regular basis. Each update involves the both the inherent risks and the “controllable risks”; following steps: > guarantee the existence of an owner for each risk identified, a risk > identification of the activities of the operational departments and treatment policy, and a treatment plan to achieve the target; support functions; > evaluate the oversight in place: risk indicators, risk reassessments > identification of the risks associated with each activity; at an appropriate frequency, advancement of treatment actions; > evaluation of the gross risk (prior to controls and measures) on the > learn lessons from incidents and risks that have arisen and basis of three impact criteria (image, financial and legal) and the continuously improve the internal control framework. frequency of occurrence of the risk; The periodic control function is handled by the Internal Audit & > identification of controls and containment measures for the risks Control Department, which is responsible for assessing the operation described by the operational teams and evaluation of these of the risk management and internal control frameworks, regularly controls and measures in terms of effectiveness and completeness; monitoring and making recommendations to enhance them. It plays > evaluation of residual risks after taking account of controls and a part in raising awareness and training managers in internal control, measures; but is not involved in introducing the framework or implementing it on a daily basis. Its analyses and observations help to guide the work of > preparation of action plans to be implemented, including the first the permanent control function and to identify areas for improvement and second level controls as well as the procedures. and strengthen procedures. A total of 125 individual risks, of which 37 are considered as main The periodic control function’s scope of action encompasses all the risks, have been mapped. They are categorized into 10 families of risks Group’s activities and risks across all of its units, including the activities which are the following: of subsidiaries and those outsourced contractually. In addition, > security and safety of individuals and assets; the identification of a risk automatically justifies the use of the periodic control function’s power to launch any investigation it deems > financing policy; necessary. In 2017, the Internal Audit & Control Department carried > investments and valuation; out or oversaw 32 shopping center audits and one corporate function audits. > regulatory, tax, insurance; The Ethics & Compliance function ensures that the Group complies > marketing and rental management; with ethical and professional standards, prevents insider trading and controls the anti-money-laundering and corruption measures taken. > management, process and tools; The Group introduced the Business Whistleblowing framework under > asset development and real estate management; which all employees can raise questions about the risk of compliance breaches that may be encountered by them. The Internal Audit & > communication and reputation; Control Department also ensured that the Group complies with both > procurement; the French “Sapin 2” Act and the Fourth Anti-Money Laundering European Directive. > human resources management. 1.9.2.2 Oversight and monitoring of the framework 1.9.3.2 Identification and evaluation of the risks Under the supervision of the Supervisory Board, the Executive Board in the shopping centers is responsible for the Group’s overall internal control framework. Our teams in the centers prioritize both risk identification and The Executive Board’s role is to lay down the general principles analysis. They are identified using the risk matrix, which comprises for the internal control framework, design and implement the the following risks, among other things: appropriate internal control system and the corresponding roles and responsibilities and make sure that it works smoothly, improving it > risks threatening the safety of visitors and buildings, structural where necessary. risks in particular; At least once every year, it reports to the Audit Committee on the > natural risks: extreme climate patterns (drought, snowfall, heat Group’s internal control framework, any changes in it and the findings waves and cold spells, storms), earthquakes, sea flooding, river of the work performed by the various framework participants. flooding, fire prevention, etc.; A presentation was given to the Audit Committee on the 2017 > technological risks: proximity to specific installations; business activities and the 2018 roadmap. Supervision also makes use of the comments and recommendations > risks related to materials and chemical products: asbestos, lead, made by the Statutory Auditors and by the regulatory/supervisory paints, cleaning products, etc.; bodies. Implementation of remedial action plans is monitored centrally > soil and water pollution: waste water quality, drainage systems, oil by the Internal Audit & Control Department and the Accounting separators, etc.; Department. > health risks: legionella, bacterial and virus infections, etc.; > noise and odor pollution. KLÉPIERRE 2017 REGISTRATION DOCUMENT 33