6.3.3 Risk coverage
Group Insurance works closely with the relevant executives in the entities to:
- implement global insurance programs, negotiated at the Group level, available for all entities and supported by insurance companies recognized within the Insurance Industry for their financial solidity;
- put in place insurance coverage to protect the interests of employees, clients, shareholders and the Group;
- identify and evaluate the key insurable risks faced by Sodexo, with particular attention to the emergence of new risk factors associated with changes in our activities;
- reduce contractual risk, in particular by means of limitation of liability clauses or hold-harmless agreements;
- achieve the appropriate balance between risk retention (self- insurance) and the insurance market in covering the potential financial consequences of Sodexo’s risk exposure; and
- achieve optimization by financing some of the Group’s risks through the use of captive insurance companies.
6.3.3.1 Insurance coverage
Sodexo’s general policy is to transfer non-retained risks, especially volatile risks to the insurance market (as opposed to risks, where the frequency is more predictable). Insurance programs are contracted with highly rated global insurers.
The main insurance programs are as follows:
- liability insurance, which covers personal injury, property damage or consequential loss caused to third parties. This category notably includes operational, product, after-delivery and professional liability insurance. Sodexo has implemented a worldwide liability insurance program benefiting all countries in which the Group operates;
- property insurance, which mainly covers the risk of fire and explosion, water damage, natural disasters, business interruption or increased cost of work, and (in some countries) acts of terrorism. As a general rule, the sum insured is equal to the value of the amounts at risk; however, some insurance contracts cap the amount paid out under the policy;
- workers’ compensation. In countries with no government-provided coverage (primarily the United States, Canada and Australia), Sodexo has contracted workers’ compensation programs;
- marine cargo insurance for covering loss or theft of goods during shipment;
- employment practices liability which provides coverage for wrongful termination, sexual harassment, discrimination and workplace torts;
- cyber risk insurance, which responds to cyber events such as intrusion, denial of service attacks and data breach. Insurance coverage includes forensics, privacy breach and data restoration costs as well as any business interruption losses arising out of a cyber event.
In addition, Sodexo maintains compulsory insurance as legally required in the countries where it operates.
6.3.3.2 Self-Insured Risks
Retained or self-insured risks correspond to the deductibles specified in the insurance programs contracted by Sodexo. Sodexo mainly targets retention of frequency risks (i.e., risks that occur regularly) but from time to time may also include severity risks (i.e., risks representing substantial amounts). In some countries, these retained risks correspond to deductibles under employer’s liability, workers compensation, third-party automobile and property insurance. Sodexo also self-insures frequency risks and low severity risks through two captive insurance companies.
The American Company, incorporated in the State of Hawaii, manages the deductibles of the Workers’ Compensation, Automobile Liability and General Liability insurance program as well as reinsurance on the General Liability.
The Irish Company, based in Dublin, provides:
- direct insurance for motor own damage and motor third party liability risks, marine hull and cyber risks;
- reinsurance on property, marine cargo, general liability and automobile liability.
The maximum exposure of our captives on a single insurance program amounts to 14 million U.S. dollars per year.
6.3.3.3 Placing of risk and total cost
Following the most recent policy renewals, Sodexo maintained the scope and level of its coverage, securing superior coverage across all of Sodexo’s service offering.
The total cost of the main insurance programs and self-insured risks (excluding workers’ compensation) of fully-consolidated Group companies, represents around 0.25% of consolidated revenue.
6.3.4 Internal control process
The risk management and internal control approach applied within the Group consists of:
- identifying and assessing risks;
- describing the control environment;
- documenting and making a self-assessment of these controls;
- testing of the effectiveness of these controls by Internal Control managers.
In addition, Group Internal audit will independently test controls based on an annual audit plan (see 6.4).
The internal control process is supported by a network of local Internal Control managers embedded in the business, supported by a small central internal control team. Their role is to:
- facilitate entity risk assessments by carrying out risk interviews;
- assist in the documentation of controls with control owners;
- support the implementation of new controls;
- carry out local testing of controls relating to the control environment and process controls;
- support Group Internal Audit in the follow-up of the implementation of its recommendations.
