Compagnies des Alpes // 2019 Universal Registration Document

2 RISK FACTORS Operational risks

2.3 Operational risks

2.3.1 RISKS OF CYBER ATTACKS In view of the growth of digital activities within companies, where each facet of a company’s operations depends on the security of its IT systems, the Group – like any other business – must be prepared to deal with any cyber attacks, cyber threats or cyber spying incidents. For a number of years now, the Group has taken measures to control its systems and protect them from risks such as data loss, the stoppage of certain operations, and damage to its reputation. In order to maintain the required performance levels and business continuity, a large number of projects have been implemented. They include: l the mapping of the sites; 2.3.2 RISKS OF IT SYSTEM FAILURE The Group is dependent on IT systems, particularly for its fi nancial activities, administration, ticketing and internal sales. The Group also uses e-commerce sites and sells electronic tickets and ski passes. It therefore closely monitors the integrity of its commercial and internal websites. For this reason, the Group has put in place an IT risk management policy which is coordinated by the IT Systems Department and its Head of Information System Security, with the support of the Risk, Insurance and Crisis Management Department. Visitor safety is a major concern for all managers and employees of the Group. The Group ensures that: l the equipment used is designed, manufactured, installed, operated and maintained in strict application of current standards, so that under normal conditions, or conditions reasonably predictable by a professional, normal safety conditions are respected and no person’s safety is put in jeopardy; l products (consumables and other products) comply with current regulations and standards; l all regulatory checks have been carried out and each facility is veri fi ed regularly before and during the sites’ operating season. The Group pays particular attention to the compliance and safety levels of themed items sold in Leisure parks stores. The toys in particular are subjected to a stringent control procedure to guarantee optimal safety during use. Audits are conducted on the quality assurance procedures at the main toy-maker and crockery factories (control of raw materials, manufacturing process, compliance with EC regulations, etc.). The Group relies on a network of partners in the areas of quality and safety who are responsible for monitoring and improving control processes. At the Group’s sites and at its headquarters, emergency 2.3.3 RISKS OF BODILY INJURY

l making the Group’s sales websites more secure; l Group-wide standards for suppliers,

l the tracking of spam and alerts; l raising the awareness of all users; l protecting the Group’s e-mail system; l the upgrade of all equipment that had become obsolete, and therefore sensitive.

Since marketing is becoming increasingly digital, the security of the IT systems used is primordial. To cope with any stoppage of a key system and optimise its resilience, the Group has put in place a range of protective measures, processes and regular analyses. They include the following: l data and network redundancy; l tracking of incidents; l backup and restoration of all application environments; l business recovery plans; l preventive maintenance plan. plans have been devised in case of a serious accident in order to limit the consequences as much as possible. A crisis management system is also in place. With its insurance broker’s prevention engineers, the Group regularly conducts civil liability prevention visits covering all its business- speci fi c risks, thus continuously improving the management of risks of bodily injury. At Leisure parks, numerous checks are conducted by the technical teams to ensure a totally safe visitor experience: l checks and certi fi cation by an independent body before the start of the season, and subsequently for the preparation of winter maintenance: in each country, a government-approved body veri fi es all of the attractions, recreational areas and water slides twice a year. The control body produces a report and delivers a certi fi cation for each of the attractions. The check includes the proper operation of the attraction in its environment, and related external risks ( e.g. height criteria, embarking areas, internal procedures, etc.); l regular internal checks before opening to the public: daily, weekly, monthly, quarterly and annual internal checks are conducted. They cover all the points to be veri fi ed and are supervised by a superior before the facility is commissioned;

35

Compagnie des Alpes I 2019 Universal registration document