2021 Universal Registration Document

INTEGRATED PRESENTATION OF SOPRA STERIA Risk Management

Risk Management

Participants in internal control and risk management

Board of Directors Audit Committee

Executive Management

3rd line of control

External Audit

Internal Audit Department

1st line of control

2nd line of control

Functional management

Operational management All entities All geographies All activities

Internal Control Department

Identification of the Group’s main risks

The most significant risks specific to Sopra Steria are set out below by category and in decreasing order of criticality (based on the crossover between probability of occurrence and the estimated extent of their impact), taking account of mitigation measures implemented. This presentation of residual risks is not intended to show all Sopra Steria’s risks. The table below shows the results of this assessment in terms of residual materiality on a scale of three levels, from least material ( • ) to most material ( ••• ).

Category/Risk

Residual materiality

Risks related to strategy and external factors

•••

• Adaptation of services to digital transformation, innovation • Significant reduction in client/vertical activity • Acquisitions • Attacks on reputation

The internal control system and risk management policies implemented by the Group aim to lower the probability of occurrence of these main risk factors and their potential impact on the Group. Each of these risk management policies is laid down in detail in the “Risk factors and internal control chapter” of this document.

•• •• ••

Risks related to operational activities

•• ••• •••

• Cyberattacks, systems security, data protection • Extreme events and response to major crises • Marketing and execution of managed/operated projects and services

Risks related to human resources

•••

• Attracting and retaining employees – SNFP * • Development of skills and managerial practices – SNFP *

••

Risks related to regulatory requirements

•

• Compliance with regulations – SNFP *

It should be noted that the Group is not directly exposed to Ukraine, Belarus or Russia, with the exception of a small non-trading entity in the latter country, which is currently being closed.

* SNFP (Statement of Non-Financial Performance) This risk also relates to concerns addressed by the regulatory changes set out in Articles L. 225-102-1 III and R. 225-105 of the French Commercial Code, which cover the Company’s Statement of Non-Financial Performance

See Chapter 2 for more information

14

SOPRA STERIA UNIVERSAL REGISTRATION DOCUMENT 2021