Fiscal 2021 Universal Registration Document

6. Corporate governance

  • crime insurance specifically for Benefits & Rewards Services, to partially transfer the risks of fraud, falsification and theft to the insurance market;
  • marine cargo insurance for covering loss or theft of goods during shipment;
  • employment practices liability which provides coverage for wrongful termination, sexual harassment, discrimination and workplace torts. This program was originally implemented in the USA and Canada, but has been expanded globally from June 1, 2017;
  • cyber risk insurance, which responds to cyber events such as intrusion, denial of service attacks and data breach. It covers the forensics, privacy breach and data restoration costs as well as any business interruption arising out of a cyber event. In a very tough market, the cyber risk insurance is reviewed regularly and implemented according to the best possible conditions.

In addition, Sodexo maintains compulsory insurance as legally required in the countries where it operates.

6.4.3.3.2 Self-Insured Risks

Retained or self-insured risks correspond to the deductibles specified in the insurance programs contracted by Sodexo. They consist for the most part of frequency risks (i.e., risks that recur regularly) but from time to time may also include intensity risks (i.e., risks representing substantial amounts). In some countries, these retained risks correspond to deductibles under employer’s liability, workers compensation, third-party automobile and property insurance. Deductibles range from 5,000 U.S. dollars to 5 million U.S. dollars per occurrence. Sodexo also self-insures frequency risks and low amplitude risks through two captive insurance companies. The American company, incorporated in the State of Hawaii, manages the deductibles of the Workers’ Compensation, Automobile Liability and General Liability insurance program as well as reinsurance on the General Liability. The Irish company, based in Dublin, provides:

  • direct insurance and re-insurance for motor own damage and third party liability risks;
  • reinsurance on the property, marine, general liability and cyber insurance program.

The maximum exposure of our captives on a single risk amounts to 7.5 million U.S. dollars per claim and in aggregate per year.

6.4.3.3.3 Placing of risk and total cost

On the occasion of its most recent policy renewals, Sodexo maintained the scope and level of its coverage, in particular as regards general liability insurance and professional liability insurance, especially for risks associated with Facilities Management activities.

The total cost of the main insurance programs and self-insured risks (excluding workers’ compensation) of fully-consolidated Group companies represents around 0.25% of consolidated revenue.

6.4.3.4 Description of internal control process, including controls relating to the preparation and accounting disclosure

The risk management and internal control approach applied within the Group consists of:

  • the identification and assessment of risks;
  • the description of the control environment, both at Group and subsidiary levels;
  • documentation and self-assessment of these controls, both at local and Group level;
  • independent testing of the effectiveness of these controls, by independent persons.

The internal control process is facilitated by a network of local internal control managers and coordinators embedded in the business, supported by a small central internal control team. Their role is to:

  • facilitate entity risk assessments by carrying out risk interviews;
  • assist in the documentation of controls with control owners;
  • support the implementation of new controls;
  • carry out entity testing of strategic controls relating to the control environment and process controls;
  • support Group internal audit in the follow-up of the implementation of its recommendations.

A very large number of Group entities prepare a detailed report (Company Level Control Report) on their control environment. The report is based on the five components of the reference framework and includes an evaluation of the subsidiary’s principal risks, a description of risk management measures and an assessment of their effectiveness.

The most significant Group entities go beyond this initial phase, and evaluate the effectiveness of additional controls determined by their own risk assessment (Process Level Controls). Some of these controls are also subject to effectiveness tests performed by independent persons (Group Internal Auditors).

An executive summary of the status of internal controls and the progress achieved is submitted to the Audit Committee at the end of the fiscal year.

6.4.3.5 Description of internal controls relating to the preparation of accounting and financial disclosure

Group Finance is responsible for ensuring the reliability of financial and accounting information.

A process is in place to produce and analyze financial information at both operational sites and in the Group and local Finance teams.

Local Finance teams produce a monthly cumulative income statement starting at the beginning of the fiscal year, a balance sheet, and a statement of cash flows. They also regularly produce projections for the full year. Financial statements are consolidated on a monthly basis by Group Finance.