The key participants in the risk management and internal control system are organized using the Three Lines of Defense model, as shown below:
SODEXO’S RISK MANAGEMENT AND INTERNAL CONTROL MODEL
The first line of defense is the operational management, which is made up of segment directors, district managers, and site managers. Operational management reports to Sodexo's leadership team.
The second line of defense is made up of the support/transversal functions: finance, human resources, health and safety, supply management, tech, data and digital, risk management and internal control, and legal affairs.
The support/transversal functions also report to Sodexo's leadership team.
The third line of defense is Group Internal Audit, which informs and reports to the Board of Directors/Audit Committee.
External auditors and regulators report directly to the Board of Directors/Audit Committee.
The first line of defense mainly consists of operational Directors and managers who identify and manage risks within their activities. They put controls and action plans in place for the risks identified.
The second line of defense consists of global support functions that support operators in their risk management. They define the procedures and standards and provide standardized tools and processes to enable operational staff to put in place the appropriate controls.
The third line of defense is Internal Audit, which gives an independent evaluation of the risk management and internal control system to the Sodexo Leadership Team and Board of Directors. It makes recommendations to the first and second lines of defense for the improvement of risk management and internal control and monitors action plans (see 6.4.).