Fiscal 2021 Universal Registration Document

6. Corporate governance

6.4.2 Risk management and internal control organization
6.4.2.1 Key participants and roles

The key participants in the risk management and internal control system are organized using the 3 Lines of Defense model, as shown below:

SODEXO’S RISK MANAGEMENT AND INTERNAL CONTROL MODEL

This representation shows us the organisation and policies that aim to identify, assess, prevent and control these risks in order to limit their negative impacts.

At the top of the chain are the Board of Directors and the Audit Committee followed by the Executive Committee and three defense lines.

Operational management is the first line of defense and the support/transversal functions are the second line of defense, their role being to report to the Executive Committee any risks identified.

FIRST LINE OF DEFENSE.

Segment Directors, District Managers, Site Managers…

• Identify and manage risks within their activities. 
• Put controls into place. 

 

SECOND LINE OF DEFENSE.

Service Operations, Finance, Human Resources, Health & Safety, IT Security, Risk Management and Internal Control, Legal Affairs

• Support our operators in risk management
• Provide tools and processes.

 

THIRD LINE OF DEFENSE.

The third line of defense is internal audit, whose role is to inform the Executive Committee and also to report to the Audit Committee.

• Regulators and External auditors are linked to the Audit Committee

Operational management

The first line of defense mainly consists of operational directors and managers who identify and manage risks within their activities. They put controls and action plans in place for the risks identified.

Support and transversal functions

The second line of defense consists of global support functions who are there to support operators in their risk management. They define the procedures and standards and provide standardized tools and processes to enable operational staff to put in place the

Internal audit

The third line of defense is internal audit, which gives an independent evaluation of the risk management and internal control system to the Executive Committee and Board of Directors. It makes recommendations to the first and second lines of defense for the improvement of risk management and internal control and monitors action plans (see 6.4.4).

6.4.2.2 Risk Management Governing Bodies

Executive Committee

Sodexo’s Executive Committee has overall responsibility for establishing procedures to manage risk. Its role includes designing and leading on the internal control system, with support from senior leaders and the second line of defense functions in their own area of expertise.

Board of Directors and Audit Committee

The role of Sodexo’s Board of Directors is to provide oversight of the risk management and internal control system, and ensure that it is functioning effectively. As a specialized Board Committee, the Audit Committee follows up in detail on Sodexo’s principal risks and the efficacy of the controls used to mitigate them (see 6.2.1.6) and reports back to the main Board.

Sodexo has put in place a robust procedure for the identification and assessment of major risks, designed to ensure that risks are evaluated and managed at the appropriate level within the organization. Measures to manage risks are implemented either at the site, country, regional or global level, depending on their nature.

The Group’s internal control procedures rely on the fundamental principles defined by the Board of Directors.