SFIL Annual financial report 2018

activities. To this end, they regularly receive activity reports and the results of the controls carried out in terms of permanent control, compliance and periodic control. Furthermore, these reports are presented and discussed at meetings of SFIL’s Operational Risks and Permanent Control Committee and Executive Committee. The issues raised are the subject of proposed actions and decisions in order to ensure continuous improvement of the internal control system.

1.3 – FIRST LEVEL OF CONTROL: OPERATING UNIT CONTROLS

As the first level of the internal control system, the employees and managers of SFIL’s operating divisions are in charge of analyzing the risks involved in all the transactions they have initiated, organizing and conducting first-level controls for such transactions, verifying that internal control procedures in their division are adapted to such risks and contributing to their development. To this end, they rely on policies, procedures, limits and indicators with a clear separation of duties between the initiation of transactions and their validation, control or settlement. These policies, procedures, limits and indicators are defined by a number of internal committees, composed of employees from the operating, support and control functions and chaired by a member of SFIL’s Executive Committee.

1.4 – SECOND LEVEL OF CONTROL: PERMANENT CONTROL EXCLUDING COMPLIANCE

1.4.1. Organization and governance of the permanent control system, excluding compliance

SFIL’s permanent control system (excluding compliance) aims to ensure the effectiveness and reliability of the risk control system, the effectiveness of the transaction control system and internal procedures, and the quality of accounting and financial information and IT systems.

Permanent control measures apply to all group divisions and activities (SFIL and CAFFIL). They are managed by the Operational Risks and Permanent Control division in such a way as to maintain synergies with the operational risk management, IT systems security and business continuity systems. This system relies on a network of correspondents within the operating divisions, who are responsible for the execution and monitoring of certain controls, on process owners, who are responsible for ensuring the internal control system’s effectiveness and robustness at all times for their scope, and on the Operational Risks and Permanent Control division, which steers the system and carries out a number of second-level controls.

The Operational Risks and Permanent Control Committee, chaired by the Deputy Chief Executive Officer, is composed of all members of the Executive Committee. It meets quarterly to review the monitoring, completion and adaptation of the permanent control plan: control of evaluation results, monitoring of action plans, additions, deletions or changes in controls and review of the frequency of these controls. It also considers the main issues linked to permanent control and broad areas of anticipated improvements in the internal control process.

Via the presentation of the quarterly risk review to the Risks and Internal Control Committee, the Board of Directors is also informed of the permanent control results and the follow-up of the action plans.
In addition, a detailed presentation of the permanent control plan, areas to monitor closely and corrective actions implemented or to be implemented within the framework of the permanent control system is also given annually at a specific internal control committee meeting. This presentation was made to the Risks and Internal Control Committee on January 24, 2019.

1.4.2. Permanent control system excluding compliance

The management principles governing permanent control, excluding compliance, are described in the management policy for operational risks and permanent control. Permanent control is based on a control plan covering SFIL and CAFFIL’s various business activities. These controls are determined in liaison with the operating divisions and are reviewed every year in order to adapt them to the SFIL Group’s situation, by integrating:

•  the results of controls carried out during the year (their adequacy in terms of the risks to be covered, their effectiveness, formalization and the relevance of the associated metrics);
•  the review of incidents noted;
•  the results of the operational risk mapping by process;
•  the recommendations of the Internal Audit division, external auditors and the regulator;
•  new activities and new processes at SFIL.

Thus, this ongoing improvement effort makes it possible to develop the control plan by adapting it to the existing controls and if necessary adding new controls and/or removing redundant ones.

The Operational Risks and Permanent Control division and its correspondents carry out or evaluate controls within their scope as often as required based on the criticality of the underlying risks. This evaluation takes the form of a commentary and supporting documentation. The results of the controls conducted or evaluated by the correspondents are reviewed by the Operational Risks and Permanent Control division, which has the option of validating the control or not, on a case-by-case basis, particularly if the documentation is deemed insufficient. In the event the control results are unsatisfactory, action plans are systematically put in place to improve the result for subsequent periods.

As of December 31, 2018, 132 permanent controls were in place. The frequency of these permanent controls is determined with reference to the criticality of the underlying risks.

1.5 – SECOND LEVEL OF CONTROL: COMPLIANCE CONTROL

1.5.1. Organization and governance of the compliance control system

SFIL’s Compliance division is in charge of managing compliance risk, as defined by article 10 of the arrêté of November 3, 2014, for all SFIL and Caisse Française de Financement Local activities. Compliance risk management aims to
