Fiscal 2020 Universal Registration Document

5. Corporate governance

CLIENT CONTRACT EXECUTION

Risks relating to the execution of a client contract: poor service delivery, non-fulfilment of contractual and performance obligations, over-delivery of additional services not defined in the contract, poor management of food and labor costs.

  • Risk Timeframe: Short/Medium Term
  • Category: Operational Efficiency

Impact

Poor service delivery to clients or non-fulfilment of contract obligations could lead to client dissatisfaction, possible contractual penalties and ultimately the loss of the client.

Over-delivery of additional services not defined in the contracts and without related invoicing could lead to a shortfall in revenues and loss of profitability on the contract.

Poor management of food and labor costs could result in reduced profitability on the contract.

In addition, the outbreak of the Covid-19 pandemic has led to significant variations in the scope and level of services delivered in existing contracts. Poor contract management could lead to costs being incurred, but with reduced revenue, leading to reduced profitability on the contract.

Examples of Mitigating Activities
  • Strict execution of Sodexo key processes defined for contract mobilization.
  • “I Promise”: tools and techniques to help site managers manage their contracts and improve the services they deliver.
  • Definition of operational standards and best practices that are shared to improve performance (e.g. Innovhub).
  • Tools such as the Site Management System to ensure proper training of employees and the execution of quality inspections.
  • DRIVE: integrated food management process.
  • STEP: Sodexo’s performance management framework.
  • Strict monitoring of loss-making contracts.
  • Rigorous follow-up during the pandemic on the execution of services, including active management of fixed costs and renegotiation of some terms and conditions.

TECHNOLOGY & INFORMATION SECURITY

Risks around managing the confidentiality, availability and integrity of Sodexo’s information technology assets; managing cloud systems and third-party suppliers, managing Sodexo and client data; risks from external cyber threats.

  • Risk Timeframe: Short/Medium Term
  • Category: Operational Efficiency

Impact

On a daily basis, Sodexo IT systems across 64 countries process the data of 420,000 Sodexo employees and 100 million consumers, including patients in hospitals and children in childcare.

In addition, the demand for new, innovative and efficient services creates a fast-changing and highly interconnected architecture, while the scale of operations also makes Sodexo a target for cyber criminals who want to exploit its weaknesses and gain access to the data of the thousands of clients and suppliers to whom Sodexo is connected.

Within this challenging environment, information security issues such as poor data integrity, loss of data confidentiality, and lack of availability of key systems or collaboration services could result in high-cost and/or high-volume impacts such as:

  • inaccurate financial reporting;
  • contractual penalties;
  • regulatory fines (e.g. GDPR, Brazilian data protection law LGPD, card payment information standard PCI-DSS);
  • reputational damage with shareholders, clients, consumers, suppliers and employees.

Moreover, the outbreak of the Covid-19 pandemic has resulted in an increase in cyber related criminal activity focused on key infrastructure and core IT services, as well as significant demand for remote working services.

Examples of Mitigating Activities
  • Group Information & Systems Security Policy aligned to ISO 27001 framework, with detailed security directives on key topics (e.g. security by design, cloud services, incident management).
  • Investment in security infrastructure, tools and services such as multi-factor authentication, laptop encryption, security risk assessments, security operations center and email monitoring.
  • Global Data Center consolidation strategy focused on using trusted hosting partners (e.g. Microsoft Azure) to provide secure and efficient services.
  • Company-wide collaboration on security and compliance topics such as data privacy, cyber threats, new technologies and IT internal controls facilitated by formal Governance Committees and cross entity network groups.
  • Globally coordinated cyber security initiatives to specifically address the potential Covid-19 impact and strengthen the resilience of remote working facilities.