Universal Registration Document - Fiscal 2023

6. Risk management

COMPETITION
Sodexo faces both established competitors and new digital entrants at the local, national and international levels: risk of market share loss and loss of growth momentum.
Category: Clients/Consumers
Impact: Sodexo operates in a highly competitive environment. If it cannot meet client needs, then it may lose contracts to competitors, resulting in a lack of growth of revenues and lower profitability.
Examples of Mitigating Activities:
  • Creation of further multichannel offers to better respond to consumer
    expectations.
  • Investment in digital technology, including digital applications,
    innovative food solutions such as restaurant delivery and digital retail
    services, robotics to enhance cleaning and the use of artificial
    intelligence to improve services, to help Sodexo enhance the consumer
    experience and take advantage of the opportunities created.
  • Strategic acquisitions to expand Sodexo’s offers.
  • Strengthening of commercial teams on the ground.
  • Competitor benchmarking.
  • Sector studies.
CLIENT CONTRACT EXECUTION, INCLUDING INFLATION MANAGEMENT
Risks relating to the execution of a client contract: poor service delivery, non-fulfilment of contractual and performance obligations, over-delivery of additional services not defined in the contract, poor management of food and labor costs, inability to pass through inflation.
Category: Operations
Impact: Poor service delivery to clients or non-fulfilment of contract obligations could lead to client dissatisfaction, possible contractual penalties and ultimately the loss of the client. Over-delivery of additional services not defined in the contracts and without related invoicing could lead to a shortfall in revenues and loss of profitability on the contract. Poor management of food and labor costs could result in reduced profitability on the contract. In Fiscal 2023, there has been a progressive slowdown in food inflation, but it remains a constant focus. As such, if Sodexo is not able to pass inflation through to the client via indexation clauses, or is able to do so but not quickly enough, then it could result in loss of profitability on contracts.
Examples of Mitigating Activities:
  • Definition of operational standards and best practices that are shared to
    improve performance (e.g. Innov'Challenge and the Innovhub).
  • Tools such as the Site Management System to ensure proper training of
    employees and the execution of quality inspections.
  • DRIVE: integrated food management process.
  • Robust price revision process to manage contractual inflation with our
    clients.
  • Active procurement management to limit cost inflation relative to
    market indices.
  • Active operational mitigation plans in all countries: enhanced labor
    scheduling, reengineered menus, food waste reduction.
  • Dynamic retail price reviews.
  • Strict monitoring of underperforming contracts.
TECHNOLOGY & INFORMATION SECURITY
Risks around managing the confidentiality, availability and integrity of Sodexo’s information technology assets; managing cloud systems and third-party suppliers; managing Sodexo and client data; risks from external cyber threats.
Category: Operations
Impact: On a daily basis, Sodexo IT systems process the data of 430,000 Sodexo employees and 80 million consumers in the Foodservices business. In addition, Pluxee's employee benefit and engagement platforms process the data of 500,000 clients and 1.7 million merchants. The demand for new innovative and efficient services in both On-site Services and the benefits and engagement business creates a fast-changing and highly interconnected architecture. Sodexo is also a target for cyber criminals who want to exploit any weaknesses and gain access to the data of the thousands of clients, consumers, suppliers and merchants to whom Sodexo is connected. Within this challenging environment, information security issues such as poor data integrity, loss of data confidentiality and lack of availability of key systems, or collaboration services, could result in high cost and/or high-volume impacts such as:
  • inaccurate financial reporting;
  • contractual penalties;
  • regulatory fines;
  • reputational damage with shareholders, clients, consumers, suppliers
    and employees.
Examples of Mitigating Activities:
  • Group Information and Systems Security Policy aligned to ISO 27001
    framework, with detailed security directives on key topics (e.g. security
    by design, cloud services, incident management).
  • Investment in security infrastructure, tools and services such as multifactor
    authentication, laptop encryption, anti-malware, global proxy
    deployment, email monitoring and endpoint detection and response.
  • Events and incidents monitored through a Security Operations Centre.
  • Vulnerability scanning deployed.
  • Global cyber incident management and response process.
  • Global cloud strategy focused on using trusted partners to provide
    secure and efficient services.
  • Security awareness training for users using phishing simulation
    campaigns.
  • Company-wide collaboration on security and compliance topics such as
    data privacy, cyber threats, new technologies and IT internal controls
    facilitated by formal governance Committees and cross entity network