2021 Universal Registration Document

2 RISK FACTORS AND INTERNAL CONTROL Risk factors

Risk factors 1. Risk identification and assessment 1.1. Risks are identified and the implementation of associated mitigation plans assessed and monitored on an ongoing basis by the various operational and functional units via the risk management system. This system is based on regular weekly, monthly and annual cycles that are followed at every level of the organisation, corresponding to monthly, annual and multi-year planning horizons (see description in Section 3.3.2 of this chapter, page 46). These cycles help the Group maintain an overall view that takes into account opportunities and risks at every level (strategy, operations, human resources, compliance, etc.). They are synchronised so as to facilitate higher-level consolidation. All engineering methodologies used by the Group’s business lines are predicated on the risk-based approach, helping disseminate this culture at every level of the organisation. Every year, when the annual cycles take place, information gathered at Group level is used to update the general mapping of risks. This exercise, coordinated by the Internal Control Department, consists of identifying the risks that could limit Sopra Steria’s ability to achieve its objectives and complete its corporate plan, as well as assessing their likelihood of occurrence and their impact should they occur, on a financial, strategic, operating and reputational level. This assessment is based on contributors’ perceptions, analysis of historical and forecast data and monitoring of changes in the external environment. The main operational and functional

managers are involved through interviews and validation workshops. The risk mapping covers all internal and external risks and includes both financial and non-financial issues. Risks are assessed on a scale of four levels: very low, low, possible, almost certain in terms of likelihood; and low, moderate, significant, critical in terms of impact. The time frame used is five years. Specific mapping for corruption and influence-peddling risks and risks relating to duty of vigilance are taken into account in this general risk mapping. The results are reviewed and approved by Executive Management and presented to the Audit Committee of the Board of Directors. The most significant risks specific to Sopra Steria are set out below by category and in decreasing order of criticality (based on the crossover between likelihood of occurrence and the estimated extent of their impact), taking account of mitigation measures implemented. As such, this presentation of residual risks is not intended to show all Sopra Steria’s risks. The assessment of this order of materiality may be changed at any time, in particular due to the appearance of new external factors, changes in operations or a change in the effects of risk management measures. For each risk, a description is provided explaining in what ways it could affect Sopra Steria as well as the risk management measures put in place, such as governance, policies, procedures and checks.

Summary overview of risk factors 1.2. The table below shows the results of this assessment in terms of residual materiality on a scale of three levels, from least material ( l ) to most material ( lll ).

Category/Risk

Residual materiality

Page

Risks related to strategy and external factors Strategic positioning and marketing Loss of business from a major client or vertical

Page 39 Page 39 Page 40 Page 40

lll

ll ll ll

Acquisitions

Attacks on reputation

Risks related to operational activities Cyberattacks, systems security, data protection

Page 40 Page 41 Page 42

lll lll

Resilience to a major systemic event

Sale and delivery of projects and managed/operated services

ll

Risks related to human resources Ability to attract and retain employees SNFP (1)

Page 43 Page 43

lll

Development of skills and managerial practices SNFP (1)

ll

Risks related to regulatory requirements Compliance SNFP (1)

Page 44

l

SNFP Statement of Non-Financial Performance : This risk also relates to the provisions of Articles L. 225-102-1 III and R. 225-105 of the French Commercial Code, which cover the Company’s (1) Statement of Non-Financial Performance.

It should be noted that the Group is not directly exposed to Ukraine, Belarus or Russia, with the exception of a small non-trading entity in the latter country, which is currently being closed.

38

SOPRA STERIA UNIVERSAL REGISTRATION DOCUMENT 2021