Hermès // 2022 UNIVERSAL REGISTRATION DOCUMENT

RISK FACTORS AND MANAGEMENT RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

Self‑assessment of internal control The self‑assessment of internal control, which began in 2005, is now a mature process within the Group. It is based on questionnaires completed by all controlled subsidiaries. This system contributes to the dissemination of the internal control culture within the Group. It also provides support for assessing the level of internal control and assessing the extent to which operational and functional risks are properly addressed. If the control processes are found to be ineffective, the subsidiaries are required to draw up an action plan to remedy the situation. The subsidiaries self‑assess each year using four questionnaires available on the intranet in the dedicated “CHIC” IT tool (Check your Hermès Internal Control). They are administered by the audit and risk

management department. The self‑assessment is based on a general internal control questionnaire (CHIC Practices), the guidelines for which are drawn up in line with the AMF “Reference Framework”. A questionnaire specific to cash management (CHIC Trésorerie), a questionnaire on operating procedures in the retail network (CHIC Boutique) and a questionnaire on operational procedures governing online sales (CHIC E‑commerce) are also part of the system. These questionnaires are updated on an annual basis, in order to include any new risks and controls identified as key at Group level. The results are reported in a dedicated IT tool where they are centralised and analysed by the audit and risk management department, in order to identify areas for improvement and internal control priorities for the following year. They are shared with the departments concerned in order to define action plans for all the Group’s subsidiaries. Finance, Human resources, Control environment, Information systems, Communication, Ethics and compliance, Sustainable development, etc. 9 Sales, Shipping and deliveries, Returns and refunds, Storage, Customer data, etc. Customer relationship management, Checkout closing, Stock‑taking, Safety/security, etc. Management of bank accounts, Processes and payment means, Regulatory compliance, E‑payments, etc. 7 7 an exchange rate policy approved by the Group’s Supervisory Board (this policy presents all the authorised financial instruments, the horizon and the hedging ratios); s intra‑group agreements signed by each subsidiary concerned, which structure the relationship between the Hermès Group and its subsidiaries and specify the management policy and rules applicable to all financial flows (cash flows, foreign currency transactions, etc.) that may generate liquidity or market risk; s Examples of themes addressed External firms regularly conduct audits on technical issues related to payment security. In 2021, a global audit of the cash management system and, in 2022, a cybersecurity audit of the Group's cash applications complemented the usual audits by the audit and risk management department. Information systems The use of tools adapted to Hermès’ needs facilitates the preparation and control of information. The consistency of information system urbanisation and architecture is managed at Group level. The projects follow a methodology that includes mandatory milestones, in particular that of the Architecture Committee, which ensures the coherence and compliance of projects, including with regard to security (compliance with the Group process of integration of security in projects – ISP). a Group cash management policy, approved by the Hermès International Supervisory Board, which sets out the authorised investment vehicles and all the criteria for managing liquidity and counterparty risk. s

CHIC Questionnaires

Number of themes *

Practices

12

E‑commerce

Boutique

4

Cash and cash equivalents

* The themes are then sub‑divided into several questions addressing all related procedures in an exhaustive manner.

The internal control officers are involved in the self‑assessment, and are in charge of monitoring the action plans. The audit and risk management department checks and compares the responses given by subsidiaries to the questionnaires with its own assessment when performing audits. It ensures that the controls have been correctly undertaken, and that corrective action plans have been implemented. Internal control procedures The internal control processes are described in the Group procedures. They are defined at Group level, then rolled out and adapted by each division to the specific contexts and local regulations. All Group employees have access to them via a secure intranet website. Group procedures cover the Company’s main cycles (purchases, sales, treasury, inventory management, fixed assets, human resources, information systems, safety and security, closing of financial statements, compliance, etc.). The audit and risk management department updates them regularly, in collaboration with the experts in their respective fields and the internal control officers. The strengthening of procedures relating to remote sales and e‑commerce continued in line with the momentum of this activity. More specifically, extremely stringent cash management procedures have been put in place. The treasury security rules manual details the following procedures: a treasury management procedure that defines the roles and responsibilities between Group treasury and the subsidiaries; s rules for opening and operating bank accounts, called “prudential rules”, for each of the Group’s companies, which are constantly updated and include among others the monitoring of authorised signatories; s

2022 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

391