HERMÈS - 2019 Universal Registration Document

OVERVIEW OF THE GROUP RISK FACTORS

They work according to an annual plan, shared with their department and the audit and risk management department, taking into account the Group’s internal control priorities and the risks specific to their company. Within their entity, their main tasks are to: review the main risks and the organisation of internal control; s verify the implementation of Group procedures in accordance with s local regulations; participate in self-assessment of internal control work; s spread the culture of internal control to all employees; s perform monitoring of the action plans of risk mapping; s follow up on the audit recommendations of the audit and risk s management department. Specialised committees Hermès Group has deployed specific processes to monitor certain risks through specialised committees or working groups. These committees meet on a regular basis. For example, committees focusing on real estate risks, safety, IT risks and treasury risks analyse the issues, and study the appropriate corrective measures so that they are deployed in the entities. They also check that existing control systems comply with Group procedures. The main operational contacts involved take part in these committees, as does the audit and risk management department, whose role is to facilitate the identification of risks and of the associated action plans. Since 2016, the Group Security Committee has been arbitrating on cross-functional topics of security and monitoring the functioning of the specialised committees. In addition, an ad hoc committee on the safety of transport, comprising the Group safety department, transport department, insurance department, audit and risk management department and the departments of the métiers concerned is also held on a regular basis to define actions to improve the transportation safety of products at Hermès. In 2017, Hermès Group introduced the “Compliance and Vigilance Committee”, comprising representatives of the compliance department, legal department, sustainable development department, industrial affairs department, audit and risk management department, commercial department and human resources department, in order to prepare a vigilance plan for all Group subsidiaries. A Director of Legal Compliance was appointed in 2017. His duties are detailed in section 2.8.2.2 on page 177 of this report. The Group’s operational staff The Senior Executives, the major functional and operating departments, and members of the Management Committees of the Group’s various entities serve as the main conduits for applying internal control and risk management; they are the main beneficiaries of the system and also key contributors to its proper operation.

The auditors work on the basis of an annual audit plan, validated by the Executive Management and the Audit and Risk Committee, which is adapted every six months, if necessary. The audit plan is powered by comprehensive risk analysis, including financial, operational and compliance, by the proposals of the Executive Committee and by the audit trails. It must allow a regular review of all Group entities and processes, with a frequency appropriate to the magnitude of the risks and the relative weight of the various Group entities. The audit and risk management department also carries out support assignments for the internal control roll-out within newly acquired entities. In order to conduct specialised audits, the audit and risk management department may call upon outside firms or use appropriate analysis tools notably in the context of preventing accounting fraud. The audit and risk management department regularly conducts integrated audits with Group experts. The audit and risk management department comprises a core team of experienced auditors and runs a decentralised network of internal controllers. It performs three main roles for the Group: carry out a continuous improvement initiative as regards the internal s control and risk management systems. It notably monitors the practices of other companies in such matters; works alongside the Group’s various departments in order to promote s the upstream handling of the main risks, as well as emerging risks, and runs the risk mapping approach of the main businesses, retail subsidiaries and support functions. The methodology for risk mapping is regularly updated. In 2017, this methodology was entirely revised by a specialist external firm; coordinate a network of around 60 internal control managers, in s France and abroad, within the métiers , in distribution and in support activities. This coordination includes awareness-raising about best internal control practices. Lastly, it also participates in the Group training sessions in order to promote an awareness of risk management and internal control best practices amongst the management. An audit charter has formalised the duties and responsibilities of the internal auditors and their professional conduct since 2010. It sets out the way in which their audit engagements are conducted. In 2013, the system was completed by a risk charter that formalises the principles and rules implemented with regard to risk management, and by an internal control charter that formalises the roles and responsibilities of the people involved in internal control. These charters are reviewed regularly. The Head of audit and risk management attends Audit and Risk Committee meetings. He meets with the Audit and Risk Committee six times a year, including once without the presence of third parties. He presents a report on the Audit and Risk Committee’s activity each year. Internal control managers Internal control managers oversee the implementation of the internal control system within their scope, métiers , distribution subsidiaries or support functions. They report to the CFO of their entity.

1

2019 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

61