Universal Registration Document - Fiscal 2023

6. Risk management

Information systems policies

The Group Information Systems and Technologies Department has defined three core objectives:

  • provide a first-class experience to our clients and consumers as well as to our own employees by making the best use of available technologies;
  • continuously improve Sodexo’s performance through productivity gains, extensive data analysis, respecting obligations of compliance and strong relationships with our partners (solution and cloud providers, integrators);
  • protect Sodexo’s digital assets in a context where cyber risk is increasingly pervasive and complex.

To meet these three core objectives, the Information Systems and Technologies Department has put in place numerous procedures, notably in the following areas:

  • Group Information Systems Governance;
  • Information and Systems Security;
  • Mobile Terminal Allocation and Security;
  • IS&T Capital Expenditure Programs;
  • Third Party Security.

Data protection policy

Sodexo’s Global Data Protection Policy describes how Sodexo entities collect, use, store, share, delete or otherwise process personal data and how data subjects can exercise their rights. This policy applies to the global organization of Sodexo entities when the European data protection law, namely the General Data Protection Regulation (or “GDPR”), is applicable. This policy applies to the processing of personal data collected by Sodexo, directly or indirectly, from all individuals including, but not limited to, Sodexo’s job applicants, our employees, clients, consumers, suppliers or subcontractors, our shareholders or any third parties (for further details of the compliance program relating to GDPR and other data protection laws, please refer to section 7.3.4).

Internal audit policy

Internal audit activities include reviewing and assessing the adequacy and effectiveness of governance, risk management and internal control systems and processes. This includes assessing:

  • the reliability of financial and non-financial information;
  • compliance with existing policies, procedures, laws and regulations;
  • the methods used to safeguard assets;
  • the effectiveness of governance, operations and the resources used.

The Internal Audit team is also responsible for alerting the Chairwoman of the Board and Chief Executive Officer, the Audit Committee and the Sodexo Leadership Team to any material risks and informing them of the causes of identified weaknesses.

The Internal Audit team has defined several procedures, primarily covering the identification of internal audit priorities for the coming fiscal year, the planning and execution of internal audits, the drafting of internal audit reports and the follow up of action plans to implement the team’s recommendations.

A series of internal audit performance indicators has been developed. These include such issues as the follow-up of internal audit recommendations that have been implemented, the average time required to issue internal audit reports, the annual audit plan completion rate, internal auditor rotation rates, and the satisfaction rate among audited units.

Delegations of authority

Principles and policies in this area are supplemented by job descriptions, annual targets and, for senior executives, clearly defined delegations, which are reviewed annually and formally communicated to each executive by his or her superior. The Chairwoman and CEO delegates certain authority to the members of the Sodexo Leadership Team, who themselves delegate to members of their executive teams in regions and countries.

Delegations of authority cover business areas throughout the Group, and notably client contracts, procurement, investments and finance, strategy, people and organization, communications and brand.

Delegations of authority must comply with the Group’s policies.

Improvement indicators

Sodexo uses a range of financial and non-financial indicators to measure progress in such areas as client retention and business development, profitability of contracts and business, human resources and corporate responsibility. Group Finance coordinates the process and monitors operational improvement metrics for activities and entities using a Group dashboard.

Making progress in these areas is critical for future growth in underlying operating profit, operating cash flow and revenue.

The improvement metrics are presented each year to the Board of Directors and the Sodexo Leadership Team in order to track progress in the areas concerned.

For further details of corporate responsibility metrics in particular, please refer to section 2.5. An independent firm was selected by Sodexo to audit a representative selection of these social, environmental and societal indicators. The conclusions of this audit are presented in section 2.8.4 of this document.