Fiscal 2021 Universal Registration Document

6. Corporate governance

CLIENT CONTRACT EXECUTION

Risks relating to the execution of a client contract: poor service delivery, non-fulfilment of contractual and performance obligations, over-delivery of additional services not defined in the contract, poor management of food and labor costs, inability to pass through inflation.


Risk Timeframe: Short/Medium-term

Category: Operational Efficiency

Impact

Poor service delivery to clients or non-fulfilment of contract obligations could lead to client dissatisfaction, possible contractual penalties and ultimately the loss of the client.

Over-delivery of additional services not defined in the contracts and without related invoicing could lead to a shortfall in revenues and loss of profitability on the contract.

Poor management of food and labor costs could result in reduced profitability on the contract.

Increases in food inflation driven by rising commodity, transport and packaging costs, and labor inflation driven by a labor shortage in the food services sector, could mean increased costs for Sodexo. If Sodexo is not able to pass the inflation through to the client via indexation clauses, or is able to do so but not quickly enough, this could result in a loss of profitability on the contract.

Examples of Mitigating Activities
  • Strict execution of Sodexo key processes defined for contract mobilization.
  • “I Promise”: tools and techniques to help site managers manage their contracts and improve the services they deliver.
  • Definition of operational standards and best practices that are shared to improve performance (e.g. Innovhub).
  • Tools such as the Site Management System to ensure proper training of employees and the execution of quality inspections.
  • DRIVE: integrated food management process.
  • STEP: Sodexo’s performance management framework.
  • Robust price revision process to manage contractual inflation with our clients.
  • Strict monitoring of loss-making contracts.

TECHNOLOGY & INFORMATION SECURITY

Risks around managing the confidentiality, availability and integrity of Sodexo’s information technology assets; managing cloud systems and third-party suppliers, managing Sodexo and client data; risks from external cyber threats.


Risk Timeframe: Short/Medium-term

Category: Operational Efficiency

Impact

On a daily basis, Sodexo IT systems across 56 countries process the data of 412,000 Sodexo employees and 100 million consumers, including patients in hospitals and children in childcare.

In addition, the demand for new, innovative and efficient services creates a fast-changing and highly interconnected architecture, while the scale of operations also makes Sodexo a target for cyber criminals who want to exploit its weaknesses and gain access to the data of the thousands of clients and suppliers to whom Sodexo is connected. In the last year, there has been a surge in the number of international companies targeted by sophisticated phishing and ransomware attacks.

Within this challenging environment, information security issues such as poor data integrity, loss of data confidentiality and lack of availability of key systems or collaboration services could result in high-cost and/or high-volume impacts such as:

  • inaccurate financial reporting;
  • contractual penalties;
  • regulatory fines (e.g. GDPR, Brazilian data protection law LGPD, card payment information standard PCI-DSS);
  • reputational damage with shareholders, clients, consumers, suppliers and employees.

Examples of Mitigating Activities
  • Group Information & Systems Security Policy aligned to the ISO 27001 framework, with detailed security directives on key topics (e.g. security by design, cloud services, incident management).
  • Investment in security infrastructure, tools and services such as multi-factor authentication, laptop encryption, security risk assessments, a security operations center and email monitoring.
  • Global Data Center consolidation strategy focused on using trusted hosting partners (e.g. Microsoft Azure) to provide secure and efficient services.
  • Company-wide collaboration on security and compliance topics such as data privacy, cyber threats, new technologies and IT internal controls, facilitated by formal Governance Committees and cross-entity network groups.
  • Globally coordinated cyber security initiatives to specifically address and strengthen the resilience of remote working facilities.