Universal Registration Document - Fiscal 2023

6. Risk management

6.2 Risk management and internal control organization

6.2.1 Key participants and roles

The key participants in the risk management and internal control system are organized using the Three Lines of Defense model, as shown below:

SODEXO’S RISK MANAGEMENT AND INTERNAL CONTROL MODEL.

This diagram shows Sodexo's risk management and internal control model.

The first line of defense is operational management, which consists of segment directors, district managers, and site managers. Operational management reports directly to the Sodexo leadership team.

The second line of defense consists of support/transversal functions, which include finance, human resources, health and safety, supply management, IT security, risk management and internal control, and legal affairs. The support/transversal functions also report to the Sodexo leadership team.

The third line of defense is the group internal audit, which informs the Sodexo leadership team and reports to the board of directors/audit committee.

External auditors and regulators report directly to the board of directors/audit committee as well.

Operational management

The first line of defense mainly consists of operational directors and managers who identify and manage risks within their activities. They put controls and action plans in place for the risks identified.

Support and transversal functions

The second line of defense consists of global support functions that support operators with their risk management. They define the procedures and standards and provide standardized tools and processes to enable operational staff to put in place the appropriate controls.

Internal audit

The third line of defense is internal audit, which gives an independent evaluation of the risk management and internal control system to the Sodexo Leadership Team and Board of Directors. It makes recommendations to the first and second lines of defense for the improvement of risk management and internal control and monitors action plans (see 6.4.).