BIC_REGISTRATION_DOCUMENT_2017

GROUP PRESENTATION Risk management and internal control procedures implemented by the Company

Dissemination of relevant and 1.7.2.2. reliable information The Company has implemented efficient information dissemination processes and systems that allow accurate communication to the relevant level of responsibility and authority. The formats of these tools are diverse. They range from IT (Information Technology) solutions (including the Group intranet, the financial consolidation software, the integrated system implemented per continent, etc.) to existing procedures that include information management. These information tools aim to support the whole internal control system of the Company and to help the decision processes and follow-up for the achievement of Management’s objectives. Risk management process 1.7.2.3. Risk management, among its objectives, aims to address the existing risks that could potentially significantly impact the Company. All risks cannot be addressed. However, when addressed, the means used include internal mitigation processes and/or external insurance protection. This specific process leads to a three-step approach based on the following activities: risk identification and analysis; ● risk management; ● risk monitoring. ● a) Risk identification and analysis Risk identification and analysis is performed by the Risk Management Department. The identification process highlights the main risks arising from both external and internal sources. The driver for identification is the potential significant impact on the Company’s objectives, personnel, assets, environment or reputation. The risk identification and analysis process consists of two components: a bottom-up free approach and a top-down structured approach. Bottom-up approach Since 2015, within a framework defined by Group Risk Management, a self-assessment of significant risks is made at the subsidiary level on a voluntary reporting basis. Questionnaires are addressed to the representatives of the targeted level (local General Manager/local Chief Financial Officer). They are requested to complete and return the questionnaire to Group Risk Management whenever a risk must be notified. Top-down approach Following a recommendation of the Audit Committee and a request of the Leadership Team, in 2010 the Company initiated a project to improve formalization of risk management. This project enables to obtain a synthetic overview of major risks that the Group is or could be exposed to.

The approach that consisted in a risk mapping of the Group can be summarized as follows: risk identification through a questionnaire completed by each ● member of the Leadership Team and an individual interview led by the project team; synthesis of main risk areas; ● ranking of risks according to criteria in terms of potential impact ● and management effectiveness. The year following the Risk Mapping, an update reviews the status of prior risks identified. Every other year, the Risk Mapping is reviewed and reassessed with any potential new risk. In 2017, the Top-down approach also included questionnaires sent to contributors outside of the Leadership Team. Risks listed by this approach have been considered in the “Group Presentation” – section 1.6. “Risk factors” and are considered for the internal audit schedule. The Risk Management Department, as the process coordinator, challenges when required the answers received and the action plans mentioned in response to the identified risks. It also consolidates the documents and weighs the impacts to deliver a Group Risk Matrix. This matrix provides for all risk categories the impact for the Group and a summary is shared with the Audit Committee and the Statutory Auditors. It is also shared with the Chairman of the Board. The analysis and measurement of the identified risks are conducted for internal use. A similar methodology has been applied to the process of preparing financial statements and consolidation. b) Risk management The major risks identified in the Group risk mapping are managed by the Leadership Team. These risks were followed and monitored during the year. Progress and status of action plans related to certain key risks have also been reviewed and discussed at Board Meetings. The other risks continue to be monitored closely. In addition, different procedures exist (see section 1.7.2.4. “Internal Control procedures”). The Leadership Team, Categories, Continents and centralized departments such as Legal, sustainable development or Treasury, monitor risks on an ongoing basis. They are involved in the management of risks disclosed in the “Group Presentation” – section 1.6. “Risk factors”: the Group Treasury manages and monitors interest rate exposure ● and foreign exchange exposure daily; the Legal Department regularly monitors changes in ● laws/regulations and litigation in progress; the main industrial and environmental risks are considered by the ● category or country Management and the Sustainable Development Department; the significant strategic and operational risks are managed by the ● Leadership Team.

32

BIC GROUP - 2017 REGISTRATION DOCUMENT