Universal Registration Document Fiscal 2025

6.2 Risk management and internal control organization

6.2.1 Key participants and roles

The key participants in Sodexo's risk management and internal control system are organized according to the Three Lines of Defense model, which defines the roles and responsibilities for managing and overseeing risk. The diagram below illustrates how these three lines work together.

SODEXO’S RISK MANAGEMENT AND INTERNAL CONTROL MODEL

Structure of Sodexo’s risk management and internal control system

Board of Directors / Audit Committee

Role: Oversee the risk-management and internal-control process.

Sodexo Executive Committee

  • Role: Implement actions and manage internal risks.
  • Reporting: Provides regular updates on risk management and internal control.

Lines of defense

  1. First line – Operational management
    • Segment Directors.
    • Regional Managers.
    • Site Managers.
    • Other operational functions.
  2. Second line – Support / transverse functions
    • Human Resources.
    • Health & Safety.
    • Tech, Data, Digital & Innovation.
    • Risk Management & Internal Control.
  3. Third line – Internal Audit
    • Role: Conducts internal audits of Sodexo operations, ensuring compliance with internal and external standards.

External auditors / Regulatory bodies

Participate in assessing and validating internal control and provide an external view of the company’s risk-management practices.

Operational management

The first line of defense is primarily composed of operational directors and managers, who are responsible for identifying and managing risks within their activities. They put controls and action plans in place for the risks identified.

Support and transversal functions

The second line of defense consists of global support functions, which support operators in their risk management. They define procedures and standards and provide standardized tools and processes that enable operational staff to put the appropriate controls in place.

Internal Audit

The third line of defense is Internal Audit, which provides an independent assessment of the risk management and internal control system to the Sodexo Leadership Team and Board of Directors. It issues recommendations to the first and second lines of defense to strengthen risk management and internal control, and monitors the related action plans (see 6.6).