HERMÈS - 2020 Universal registration document

RISKS AND CONTROL RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

Group Management

internal audits and monitors the implementation of the s recommendations; identification and analysis of risks and ensuring the implementation s of action plans; it ensures the deployment of internal controls suited to Group s ventures. The audit and risk management department joined the prevention and insurance department on 1 January 2020 in order to increase synergies in terms of risk identification and management. Risk mapping now includes an insurance section in order to look at risks alongside the corresponding insurance coverage. The duties of the audit and risk management department also consist of: carry out a continuous improvement initiative as regards the internal s control and risk management systems; work alongside the Group’s various departments in order to promote s the upstream handling of the main risks, as well as emerging risks, and runs the risk mapping approach of the main businesses, distribution subsidiaries, support functions and cross-cutting subjects. The risk mapping methodology is regularly reviewed: in 2017 and in 2020, specialised external firms supported this continuous improvement process. The audit and risk management department thus ensures that it has a relevant, effective and motivating methodology for its contacts. Covid-19 has not had any impact on the risk mapping programme, which was carried out remotely; coordinate a network of around 60 internal control managers, in s France and abroad, within the métiers , distribution subsidiaries and support activities. This coordination includes awareness-raising about internal control best practices. In 2020, given the specific circumstances related to Covid-19, internal control was stepped up, in particular through increased use of digital channels. The face-to-face seminar organised every two years gave way to virtual meetings, three in 2020, with all of the Group’s internal controllers, in which the Group’s Chief Financial Officers and representatives of the Group’s central departments also took part. More than 80 participants joined the conference in this way in July. The audit and risk management department continues to participate regularly in seminars and Group training sessions in order to promote management awareness of risk management and internal control best practices. An audit charter has formalised the duties and responsibilities of the internal auditors and their professional conduct since 2010. It sets out the way in which their audit engagements are conducted. In 2013, a risk charter that sets out the principles and rules implemented with regard to risk management, and an internal control charter that formalises the roles and responsibilities of the people involved in internal control, were added to the system. These charters are reviewed regularly. Lastly, the Director of Audit and Risk Management attends Audit and Risk Committee meetings. She meets with the Audit and Risk Committee six times a year, including once without the presence of third parties. This session is dedicated to discussions on the work carried out by the audit and risk management department and the resources at its disposal. Each year, the Director of Audit and Risk Management presents her

The Group Management designs risk management and internal control procedures commensurate with the Company’s size, business operations, geographical footprint and organisation. In addition to establishing procedures for delegating authority established at different hierarchical levels, Group Management has ultimate responsibility for guaranteeing the quality and effectiveness of the risk management and internal control systems and its adequacy for meeting the Group’s strategy objectives. To this end, it is provided with audit reports and the risk mapping of subsidiaries, métiers and support functions, and regularly meets with the audit and risk management department (A&RMD). It therefore oversees the system as a whole to safeguard its integrity and, where applicable, initiate any corrective measures needed to remedy any failures. The Audit and Risk Committee was established in 2005 within the Supervisory Board pursuant to Article L. 823-19 of the French Commercial Code ( Code de commerce ), and without prejudice to the powers of the Supervisory Board, which it does not supersede. The roles and duties of the Audit and Risk Committee were formally documented in rules of procedure drawn up by the Supervisory Board in 2010 and regularly updated. The latest version is available at https://finance.hermes.com/en/governing-bodies-rules-procedure-articles- association/. In 2017, the rules of procedure were amended, in order to incorporate the procedure for approving services other than the certification of financial statements, and submitted for the approval of Audit and Risk Committee. Each meeting of the Audit and Risk Committee gives rise to written minutes that must be approved. At each meeting of the Supervisory Board, the Chairwoman of the Audit and Risk Committee gives the Board a report of the work of the Audit and Risk Committee. The functioning and work of the Audit and Risk Committee were evaluated in late 2019 as part of the three-year formal self-assessment of the Supervisory Board. This was supplemented in 2020 by a self-assessment conducted by the Chairwoman of the Audit and Risk Committee, exclusively for this Committee (see section 3.6). As part of its oversight of the risk management and internal control system, the Audit and Risk Committee has access to information relating to internal audit, internal control, and risk management, in particular through regular presentations of the risk mappings of the Group’s entities, and the corresponding action plans. A list of the work carried by the Audit and Risk Committee in 2020 is provided in section 3.5.2. The audit and risk management department reports to the Group’s Executive Vice-President of Governance and Organisational Development, which guarantees its independence, and has unlimited authority to review any matter at their discretion. The A&RMD consists of a core team of experienced auditors, and runs a decentralised network of internal controllers. It performs three main roles for the Group: Audit and Risk Committee Audit and risk management department

4

2020 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

345