Hermès // 2022 UNIVERSAL REGISTRATION DOCUMENT

RISK FACTORS AND MANAGEMENT RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

A CONTROLLED RISK MANAGEMENT SYSTEM

4.3.3

The consolidated Group risk mapping is prepared every three years and was updated in 2020. The risk mappings of subsidiaries, métiers and cross‑functional areas, as well as individual assessments by Executive Committee members, feed into it. This mapping is the subject of a specific Executive Committee workshop. It is also shared with the Audit and Risk Committee. The Group risk mapping is also used as a starting point for the audit and risk management department’s audit plan. In the areas of fraud and corruption: awareness‑raising campaigns for the functions most exposed to the risk of fraud are conducted on a regular basis. Awareness‑raising, identified as an effective fraud prevention tool, is rolled out and adapted to the types of fraud (risk of system intrusion, “CEO fraud”, etc.). Information on safety is regularly reported to the Group Safety Committee, as well as to the Audit and Risk Committee. An ad hoc security system has also been introduced and is monitored by the Group safety department; s the corruption risk mapping was updated in 2020 with the help of a specialist external firm and with the collaboration of the legal compliance department, which is responsible for its management, as described in chapter 2 “Corporate social responsibility and non‑financial performance”, §2.8.2.2.1. s The audit and risk management department can modify its audit programme and carry out ad hoc assignments in order to deal with new risks, particularly in the event of an alert issued by a Group division. Cross‑functional audits can thus be carried out. In order to better anticipate changes in issues relating to companies, technologies, the environment, the economy and governance, the audit and risk management department actively monitors emerging risks externally and has initiated prospective studies since 2019. In the second half of 2022, the audit and risk management department organised a first forward‑looking day involving nearly 140 participants from diverse métiers and functions. The agenda was punctuated by various sessions including conferences led by experts in looking ahead, as well as working groups. The objective of this approach is to cultivate a mindset resolutely oriented towards the future and to raise awareness among participants of the multiplicity of trends already at work and the issues that could result from these in the short, medium and long term. Finally, an IT platform for the sharing of incidents enables assessment of changes in certain risks and early detection of any signs of potential weakness. This prevention tool contributes to the continuous improvement of the control system, as closely as possible to reality. Several times a year, the audit and risk management department conducts an analysis of the incidents reported by the subsidiaries and métiers . It is communicated to the Group’s internal control officers and internal control departments, including incident statistics for the period and a reminder of the Group’s procedures and related best practices.

Major risk identification

Risk re assessment

Risk ranking

Risk management system at Hermès International

Definition of a risk control strategy

Management of main risks

4

The Group’s risk management process is based upon the preparation of risk mappings as well as a range of complementary tools that facilitate identification of risks and definition of actions to better control them. Set up in 2004, the mapping initiative has been rolled out to the main entities, and also to cross‑functional areas, under the supervision of the audit and risk management department. The methodology applied is regularly updated and enables a precise assessment of the risks specific to the Group. These mappings serve to identify, evaluate and systematically rank the main risks. They are an operational awareness‑raising and management tool and are a lever for improving performance. They contribute to effective management by providing a summary and shared vision of risks and defining operational action plans and the responsibilities of each person. The entities periodically update their risk mapping, under the supervision of the audit and risk management department. Each year, between 5 and 10 risk mappings are carried out at the level of the distribution subsidiaries, métiers or cross‑functional areas in the Group. The internal control officers within the entities are the local relays for the mapping initiative. They participate in the initial risk analysis, while updating and monitoring the action plans.

2022 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

389