Universal Registration Document - Fiscal 2023

6.2. Risk management and internal control organization

6.2.2 Risk Management Governing Bodies

Sodexo's Leadership Team

The Sodexo Leadership Team has overall responsibility for establishing procedures to manage risk. Its role includes designing and leading the internal control system, with support from senior leaders and from the second line of defense functions, each within its own area of expertise.

Board of Directors and Audit Committee

The role of Sodexo’s Board of Directors is to provide oversight of the risk management and internal control system and to ensure that it is functioning effectively. As a specialized Board committee, the Audit Committee follows up in detail on Sodexo’s principal risks and on the effectiveness of the controls used to mitigate them (see 7.2.1.5) and reports back to the full Board.

Sodexo has put in place a robust procedure for the identification and assessment of major risks, designed to ensure that risks are evaluated and managed at the appropriate level within the organization. Measures to manage risks are implemented either at the site, country, regional or global level, depending on their nature.

The Group’s internal control procedures rely on the fundamental principles defined by the Board of Directors.

6.2.3 Approach to Risk Assessment

Sodexo uses a hybrid risk assessment approach, both “bottom-up” from operators and “top-down” from senior management. At the operational level, the leadership committees of each of Sodexo’s main entities carry out an annual risk assessment, facilitated by risk and internal control managers. The results of these assessments are recorded in a global risk management tool. Risks identified in this way are owned and managed at the local level.

Additionally, a series of interviews with Sodexo’s senior leaders across the world is carried out by Group Internal Audit on an annual basis to identify key risks impacting Sodexo’s business and the achievement of its objectives.

The results of all the risk assessments and the senior leader interviews are evaluated in the development of the Group risk profile which comprises the principal risks that might impact Sodexo’s strategic priorities. The profile is shared with the Sodexo Leadership Team for comment, before being submitted to the Audit Committee and the Board of Directors.

6.2.4 Risk Assessment Methodology

Sodexo assesses its risks in three stages using a standard global methodology:

  • risk identification: the first step is the identification of risks that may impact Sodexo’s ability to achieve its objectives, whether at site, country, regional or global level. Several risk identification methods are used, including surveys and risk registers, but the recommended and most widely used method for both bottom-up and top-down assessments is the individual interview with key stakeholders;
  • risk evaluation: risks identified in the previous step are then evaluated using three risk criteria:
    • impact – the effect or consequence the risk will have,
    • likelihood – the frequency or probability of the risk occurring,
    • level of control – the level of control already in place to reduce the risk;
  • risk prioritization: following evaluation, risks are then prioritized for further actions to treat them.

The main risk factors to which the Group is exposed are described in section 6.3.

6.2.5 Link between internal control and risk assessment

As described above, risk assessment is used to identify, evaluate and prioritize risks. Once they have been assessed, risks are treated to reduce their effect. Ways of treating risks include putting in place action plans and implementing controls. Controls therefore form an important part of the range of measures that can be used to mitigate risks, and Sodexo’s internal control procedures are part of an ongoing process of managing the Group’s risk exposure.

Sodexo’s risk management and internal control system is based on the internal control reference framework recommended by the French securities regulator (Autorité des marchés financiers – AMF). The five components of the reference framework are the control environment (integrity, ethics, competencies, etc.), risk assessment (identification, analysis and management of risks), control activities (methods and procedures), information and communication (collection and sharing of information) and monitoring (follow-up and updating of processes where necessary).