Universal Registration Document Fiscal 2025

6 Risk Management

CLIENT CONTRACT EXECUTION, INCLUDING INFLATION MANAGEMENT

Risk level: high

Risks relating to the execution of a client contract: poor service delivery, non-fulfillment of contractual and performance obligations, over-delivery of additional services not defined in the contract, poor management of food and labor costs, inability to pass inflation through to the client.

Category: Operations

Impact

Poor service delivery to clients or non-fulfillment of contract obligations could lead to client dissatisfaction, possible contractual penalties and ultimately the loss of the client.

Over-delivery of additional services not defined in the contracts and without related invoicing could lead to a shortfall in revenues and loss of profitability on the contract.

Poor management of food and labor costs could result in reduced profitability on the contract.

Food inflation continues to be monitored closely. If Sodexo is not able to pass inflation through to the client via indexation clauses, or is able to do so only after a delay, this could result in a loss of profitability on contracts.

Examples of mitigating activities

  • Definition of operational standards and best practices that are shared to improve performance (e.g. Innov’Challenge and the Innovhub).
  • Tools such as the Site Management System to ensure proper training of employees and the execution of quality inspections.
  • Use of workforce management systems to optimize staff planning.
  • Robust price revision process to manage contractual inflation with our clients.
  • Active procurement management to limit cost inflation relative to market indices.
  • Active operational mitigation plans in all countries: enhanced labor scheduling, reengineered menus, food waste reduction.
  • Strict monitoring of underperforming contracts.

TECHNOLOGY & INFORMATION SECURITY

Risk level: medium

Risks relating to managing Sodexo and client/consumer data, maintaining the confidentiality, availability, and integrity of information assets, overseeing cloud systems and third-party suppliers, defending against external cyber threats, and addressing new risks introduced by the adoption of AI technologies.

Category: Operations

Impact

Sodexo Information Technology systems process the data of 426,000 Sodexo employees and 80 million consumers in the Foodservices business. Additionally, with the increasing need for reliable data to be available anytime and anywhere, Sodexo’s technology, digital and data systems are becoming more complex and more interconnected. Sodexo may also be a target of external cyber threats, such as phishing and malware attacks, with the potential to disrupt key systems or underlying infrastructure, potentially impacting its ability to deliver services to clients.

Within this challenging environment, information security issues such as poor data integrity, loss of data confidentiality, and lack of availability of key systems or collaborative services could result in high-cost and/or high-volume impacts such as:

  • operational disruption;
  • contractual penalties;
  • regulatory fines;
  • reputational damage with shareholders, clients, consumers, suppliers and employees.

Examples of mitigating activities

  • Group Information and Cyber Security Policies aligned with the ISO 27001 framework, supported by comprehensive security directives covering critical areas such as cloud services and incident management.
  • Ongoing investment in advanced security infrastructure, tools and services including multi-factor authentication, endpoint detection and response, device encryption, anti-malware solutions, global proxy deployment, and secure email gateways, thus strengthening cyber defenses.
  • Continuous monitoring of security events and incidents through a dedicated Security Operations Center, enabling rapid detection and response.
  • Proactive vulnerability management and remediation, supported by a Vulnerability Operations Center to identify and address security weaknesses.
  • Application security is enforced through regular scanning and remediation activities, including Static Application Security Testing (SAST) and Software Composition Analysis (SCA).
  • Global cyber incident management and response process ensures coordinated and effective handling of security incidents.
  • Global cloud strategy prioritizes secure service delivery through collaboration with trusted partners and robust oversight.
  • Comprehensive security awareness training for all users, leveraging phishing simulations, formal training modules, visual aids, and gamified learning to foster a strong security culture.
  • Organization-wide collaboration on security and compliance, including data privacy, cyber threats, emerging technologies, and IT internal controls, facilitated by formal governance committees and cross-entity networks.