Fiscal 2020 Universal Registration Document

5. Corporate governance

5.4.3.2 Risk coverage
5.4.3.2.1 Insurance coverage

Sodexo’s general policy is to transfer non-retained risks, especially intensity risks, to the insurance market. Insurance programs are contracted with reputable insurers.

The main insurance programs are as follows:

  • liability insurance, which covers against personal injury, property damage or consequential loss caused to third parties. This category notably includes operational, product, after-delivery and professional liability insurance. Since June 1, 2016, Sodexo has implemented a worldwide liability insurance program benefiting all countries in which the Group operates, including the USA and Canada;
  • property insurance, which mainly covers the risk of fi re and explosion, water damage, natural disasters, and (in some countries) acts of terrorism. As a general rule, the sum insured is equal to the value of the insured property; however, some insurance contracts cap the amount paid out under the policy;
  • workers’ compensation. In countries with no government-provided coverage (primarily the United States, Canada and Australia), Sodexo has contracted workers’ compensation programs;
  • crime insurance dedicated to Benefits & Rewards Services, to partially transfer to the insurance market the risks of fraud, falsification and theft ;
  • marine cargo insurance for covering loss or theft of goods during their shipment;
  • employment practices liability which provides coverage for wrongful termination, sexual harassment, discrimination and workplace torts. This program was originally implemented in the USA and Canada, but has been expanded globally from June 1, 2017;
  • cyber risk insurance, which responds to cyber events such as intrusion, denial of service attacks, data breach. It covers the forensics, privacy breach and data restoration costs as well as any business interruption arising out of a cyber event.

In addition, Sodexo maintains compulsory insurance as legally required in the countries where it operates.

5.4.3.2.2 Self-Insured Risks

Retained or self-insured risks correspond to the deductibles specified in the insurance programs contracted by Sodexo. They consist for the most part of frequency risks (i.e., risks that recur regularly) but from time to time may also include intensity risks (i.e., risks representing substantial amounts). In some countries, these retained risks correspond to deductibles under employer’s liability, workers compensation, third-party automobile and property insurance. In North America, deductibles range from 5,000 U.S. dollars to 5,000,000 U.S. dollars per occurrence. Outside North America, deductibles generally range from 7,500 euro to 2,000,000 euro per occurrence. Sodexo also self-insures frequency risks and low amplitude risks through two captive insurance companies. The American company, incorporated in the State of Hawaii, manages the deductibles of the Workers’ Compensation, Automobile Liability and General Liability insurance programs. The Irish company, based in Dublin, provides:

  • direct insurance and re-insurance for motor own damage and third party liability risks up to 500,000 euro per claim and 2,500,000 euro in aggregate per year;
  • reinsurance on the property insurance program for up to 3,000,000 euro per claim and in aggregate per year.
5.4.3.2.3 Placing of risk and total cost

On the occasion of its most recent policy renewals, Sodexo maintained the scope and level of its coverage, as regards in particular, general liability insurance and professional liability insurance, especially for risks associated with Facilities Management activities.

The total cost of the main insurance programs and self-insured risks (excluding workers’ compensation) of fully-consolidated Group companies, represents around 0.25% of consolidated revenue.

5.4.3.3 Description of internal control process, including controls relating to the preparation and accounting disclosure

The risk management and internal control approach applied within the Group consists of:

  • the identification and assessment of risks;
  • the description of the control environment, both at Group and subsidiary levels;
  • documentation and self-assessment of these controls, both at local and Group level;
  • independent testing of the effectiveness of these controls, by independent persons.

A very large number of Group entities prepare a detailed report (Company Level Control Report) on their control environment based on the five components of the reference framework and which includes an evaluation of the subsidiary’s principal risks, a description of risk management measures and an assessment of their effectiveness.

The most significant Group entities go beyond this initial phase, and evaluate the effectiveness of additional controls determined by their own risk assessment (Process Level Controls). Some of these controls are also subject to effectiveness tests performed by independent persons (Group Internal Auditors).

An executive summary of the status of internal controls and the progress achieved is submitted to the Audit Committee at the end of the fiscal year.