Fiscal 2020 Universal Registration Document

5. Corporate governance

The first line of defense mainly consists of our operational managers who identify and manage risks within their activities. They put controls and action plans in place for the risks identified.

The second line of defense is our support functions who are there to support operators in their risk management. They define the procedures and standards and provide standardized tools and processes to enable operational staff to put in place the appropriate controls.

The third line of defense is internal audit, which gives an independent evaluation of the risk management and internal control process to the Executive Committee and Board of Directors. It makes recommendations to the first and second lines of defense for the improvement of risk management and internal control and carries out monitoring in relation to action plans.

Sodexo has put in place a robust procedure for the identification and assessment of major risks, designed to ensure that risks are evaluated and managed at the appropriate level within the organization. Measures to manage risks are implemented either at the site, country, regional or global level, depending on their nature.

The Group’s internal control procedures rely on the fundamental principles defined by the Board of Directors.

Approach to Risk Assessment

Sodexo uses a hybrid risk assessment approach, both “bottom-up” from operators and “top-down” from senior management.

On an operational level, the leadership Committees of each of Sodexo’s main entities carry out an annual risk assessment, facilitated by risk and internal control managers. The results of these assessments are recorded in a global risk management tool. Risks thus identified are owned and managed at the local level.

Additionally, a series of interviews with Sodexo’s senior leaders across the world is carried out by Group internal audit on an annual basis to identify key risks impacting Sodexo’s business and the achievement of its objectives.

The results of all the risk assessments and the senior leader interviews are evaluated in the development of the Group risk profile, which comprises the principal risks that might impact Sodexo’s Strategic Agenda. The profile is shared with Sodexo’s Executive Committee for comment, before being submitted to the Audit Committee and the Board of Directors.

Risk Assessment Methodology

Sodexo assesses its risks in 3 stages using a standard global methodology:

  • risk identification: the first step is the identification of risks that may impact Sodexo’s ability to achieve its objectives, whether at site, country, regional or global level. Several risk identification methods are used, including surveys and risk registers, but the recommended and most widely used method for both bottom-up and top-down assessments is the individual interview with key stakeholders;
  • risk evaluation: risks identified in the previous step are then evaluated using three risk criteria:
    • impact – the effect or consequence the risk will have,
    • likelihood – the frequency or probability of the risk occurring,
    • level of control – the level of control already in place to reduce the risk;
  • risk prioritization: following evaluation, risks are then prioritized for further actions to treat them.

The main risk factors to which the Group is exposed are described in section 5.4.3 of this Universal Registration Document.

Link between internal control and risk assessment

As described above, risk assessment is used to identify, evaluate and prioritize risks. Once they have been assessed, risks are treated to reduce their effect. Ways of treating risks include putting in place action plans and implementing controls. Controls therefore form an important part of the range of measures that can be used to mitigate risks, and Sodexo’s internal control procedures are part of an ongoing process of managing the Group’s risk exposure.

Sodexo’s risk management and internal control system is based on the internal control reference framework recommended by the French securities regulator (Autorité des marchés financiers – AMF). The five components of the reference framework are the control environment (integrity, ethics, competencies, etc.), evaluation of risks (identification, analysis and management of risks), control activities (methods and procedures), information and communication (collection and sharing of information) and monitoring (follow-up and eventual updating of processes).