Hermès // 2021 Universal Registration Document

RISK FACTORS AND MANAGEMENT RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

Group Management

The audit and risk management department consists of a core team of experienced auditors, and runs a decentralised network of internal control officers. It performs a threefold mission for the Group: it identifies and analyses risks and ensures the implementation of s action plans; it conducts internal audits and monitors the implementation of the s recommendations; it ensures the deployment of internal controls adapted to Group’s s concerns. The prevention and insurance department joined the audit and risk management department on 1 January 2020 in order to increase synergies in terms of risk identification and management. Risk mapping now includes an insurance section in order to look at risks alongside the corresponding insurance coverage. The duties of the audit and risk management department also consist of: carrying out a continuous improvement initiative as regards the s internal control and risk management systems; working alongside the Group’s various departments in order to s promote the upstream handling of the main risks, as well as emerging risks, and running the risk mapping approach of the main businesses, distribution subsidiaries, support functions and cross-cutting subjects. The risk mapping methodology is regularly reviewed: in 2017 and in 2020, specialised external firms supported this continuous improvement process. The audit and risk management department thus ensures that it has a relevant, effective and motivating methodology for its contacts. The risk mapping programme for 2021 was conducted in full, for the most part remotely in the current healthcare context. The action plans resulting from the risk mapping are monitored each year by the network of internal control officers; coordinating a network of around 70 internal control officers, in s France and abroad, within the métiers , distribution subsidiaries and support activities. In 2020 and 2021, given the specific circumstances related to Covid-19, internal control was stepped up, in particular through increased use of digital channels. Four virtual meetings were held in 2021, enabling more than 80 participants, bringing together internal control officers, as well as Chief Financial Officers and representatives of the Group’s central departments, to connect. An audit charter has formalised the duties and responsibilities of the internal auditors and their professional conduct. It sets out the way in which their audit engagements are conducted. A risk charter, setting out the principles and rules for risk management, and an internal control charter, formalising the roles and responsibilities of its players, complete the system. These charters are reviewed regularly. Lastly, the Director of Audit and risk management attends Audit and Risk Committee meetings. She meets with this committee six times a year, including once without the presence of third parties. This meeting is dedicated to the presentation of the audit and risk management department’s activity report, and to discussions on its work and the resources at its disposal. In 2021, the audits were mainly carried out in accordance with the audit plan (see § 4.3.5 “Audit plan”), remotely or on site.

The Group Management designs risk management and internal control procedures commensurate with the Company’s size, business operations, geographical footprint and organisation. In addition to establishing procedures for delegating authority established at different hierarchical levels, Group Management has responsibility for guaranteeing the quality and effectiveness of the risk management and internal control systems. It thus ensures their adequacy for meeting the Group’s strategy objectives. To this end, Group Management is provided with audit reports and the risk mapping of subsidiaries, métiers and support functions, and regularly meets with the audit and risk management department. It therefore oversees the system as a whole to safeguard its integrity and, where applicable, initiate any corrective measures needed. The Audit and Risk Committee was established in 2005 within the Supervisory Board pursuant to Article L. 823-19 of the French Commercial Code ( Code de commerce ), and without prejudice to the powers of this Board, which it does not supersede. The roles and duties of the Audit and Risk Committee were formally documented in rules of procedure drawn up by the Supervisory Board in 2010 and regularly updated. The latest version is available at https://finance.hermes.com/en/governing-bodies-rules-procedure-articles- association/. The rules of procedure were amended and submitted for approval to the Audit and Risk Committee in 2021. Each meeting of the Audit and Risk Committee gives rise to written minutes that are approved. At each meeting of the Supervisory Board, the Chairwoman of the Audit and Risk Committee gives the Board a report of the work of the Audit and Risk Committee. The functioning and work of the Audit and Risk Committee were evaluated in late 2019 as part of the three-year formal self-assessment of the Supervisory Board. This was supplemented in 2020 by a self-assessment conducted by the Chairwoman of the Audit and Risk Committee. The self-assessment action plan continued in 2021 (see chapter 3 “Corporate governance”, § 3.7). As part of its oversight of the risk management and internal control system, the Audit and Risk Committee has access to information relating to internal audit, internal control and risk management. The risk mapping of Group entities and the corresponding action plans are regularly presented to it. A list of the work carried by the Audit and Risk Committee is provided in § 3.6.3.4. Audit and Risk Committee

4

Audit and risk management department

The audit and risk management department reports to the Group’s Executive Vice-President of Corporate Development and Social Affairs, which guarantees its independence, and has unlimited authority to review any matter at their discretion.

2021 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

349