2021 Universal Registration Document

2 RISK FACTORS AND INTERNAL CONTROL Risk factors

training), as well as in protection, surveillance and detection systems and to expand the involved teams. The organisation therefore permanently enhances its procedures in terms of cybersecurity monitoring and intelligence, to manage all security events around the clock, as well as vulnerability management, follow-up actions on computer emergency response team (CERT) reports, system obsolescence management, and the siloing and tightening of systems. Security tests on deliveries are permanently reinforced by means of processes, tools and employee training. Sopra Steria ensures the reliability of existing systems by way of preventive testing plans and regularly conducts intrusion tests to assess the resilience of new systems put into service during the year. The entire system is verified on a regular basis, in particular by way

of the annual audit programme and the certification audits for ISO 27001 and ISAE 3402 covering the Group’s strategic and sensitive areas of operations. The Group reviews its policies and procedures, organisation and investments at least once a year, or as required whenever a security incident occurs, to adapt to changes in the context and risks, which despite everything remain significant for the Group in view of the unprecedented escalation in threats. The Group has decided to further step up its investment: for more than a year now, it has been pursuing a reinforcement programme based on best practice and the best security solutions in its category, the two key aims of which are to improve the Group’s security response and shorten the time required to get IT systems up and running again following an attack.

RESILIENCE TO A MAJOR SYSTEMIC EVENT

Risk description

The Group may be faced with extreme events that could trigger a major crisis for it. This could be a systemic event such as a political, economic or social crisis profoundly changing business conditions in one or more countries in which the Group operates, a major health crisis, natural phenomena relating to climate change, whose frequency will surely increase, a global cyberattack or a major incident making the Group’s physical and/or IT and communication infrastructures widely unavailable. Failings in prevention plans and/or crisis management processes, or an inappropriate response to the crisis, could have very major repercussions on an economic and operational level and seriously damage the Group’s reputation.

Risk management measures

All risk prevention systems help to control crisis management. This concerns in particular those relating to human resources, management of projects and services, and protection of IT systems and infrastructures. The Covid-19 pandemic has served as an opportunity to put the Group’s crisis management systems into effect. These are based on swiftly adapting the Group’s operations, with impetus provided at the highest level, in this case the adoption of dedicated governance with the aim of defining, coordinating and permanently monitoring remediation and crisis communication measures. These crisis management systems are also based on permanent interaction with entities’ management teams, who are in the front line in each country in which the Group operates, in order to react and quickly adapt the measures implemented by the Group. Despite this, the impact of an extreme event of the same or a different nature, which is typically rapid and severe, remains a significant risk for the Group on a five-year horizon.

More specifically, as regards the business continuity plan that ensures our ability to meet our commitments to clients and internal operating requirements, the definition of the policy and the choice of location and set-up of the Group’s production sites depend on these risk factors. The decision to increase the number of countries and regions in which the Group operates is an integral part of this policy to maintain security and reduce risk exposure, and allows emergency plans to be managed. A redundancy principle is applied to all critical infrastructures and all system components. In the event of outsourcing or subcontracting, the same level of service is demanded of our suppliers. The Group has strict prevention and security procedures covering areas such as physical security, power cuts at critical sites, and data storage and backups. These procedures and technical measures are re-evaluated on a regular basis in order to adapt corrective measures.


SOPRA STERIA UNIVERSAL REGISTRATION DOCUMENT 2021
