Hermès // CSR Extract 2023

4

RISK FACTORS AND MANAGEMENT RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

4.3.3 A CONTROLLED RISK MANAGEMENT SYSTEM

The consolidated Group risk mapping is prepared every three years and was updated in 2023. The risk mappings of subsidiaries, métiers and cross‑functional areas, as well as individual assessments by Executive Committee members, feed into it. This mapping is the subject of a specific Executive Committee workshop. It is also shared with the Audit and Risk Committee. The Group risk mapping is also used as a starting point for the audit and risk management department’s audit plan. In the areas of fraud and corruption: awareness‑raising campaigns for the functions most exposed to the risk of fraud are conducted on a regular basis. Awareness‑raising, identified as an effective fraud prevention tool, is rolled out and adapted to the types of fraud (risk of system intrusion, “CEO fraud”, etc.). Information on safety is regularly reported to the Group Safety Committee, as well as to the Audit and Risk Committee. An ad hoc security system has also been introduced and is monitored by the Group safety department; s the corruption risk mapping was updated in 2020 with the help of a specialist external firm and with the collaboration of the legal compliance department, which is responsible for its management, as described in chapter 2 “Corporate social responsibility and non‑financial performance”, § 2.8.2.2.1. s The audit and risk management department can modify its audit programme and carry out ad hoc assignments in order to deal with new risks, particularly in the event of an alert issued by a Group division. Cross‑functional audits can thus be carried out. In order to better anticipate changes in issues relating to companies, technologies, the environment, the economy and governance, the audit and risk management department actively monitors emerging risks externally and has initiated prospective studies since 2019. As in 2022, a forward‑looking day was organised in 2023. It brought together 120 of the House’s employees around presentations and collective workshops. Enhanced by a forward‑looking operational project conducted for a métier , the objective of the approach is to cultivate a mindset that is resolutely oriented towards the future and to raise awareness among participants of the multiplicity of trends already at work and the issues that could arise in the short, medium and long term. Finally, an IT platform for the sharing of incidents enables assessment of changes in certain risks and early detection of any signs of potential weakness. This prevention tool contributes to the continuous improvement of the control system, as closely as possible to reality. Several times a year, the audit and risk management department conducts an analysis of the incidents reported by the subsidiaries and métiers . It is communicated to the Group’s internal control officers and internal control departments, including incident statistics for the period and a reminder of the Group’s procedures and related best practices.

Major risk identification

Risk re assessment

Risk ranking

Risk management system at Hermès International

Definition of a risk control strategy

Management of main risks

The Group’s risk management process is based upon the preparation of risk mappings as well as a range of complementary tools that facilitate identification of risks and definition of actions to better control them. Set up in 2004, the mapping initiative has been rolled out to the main entities, and also to cross‑functional areas, under the supervision of the audit and risk management department. The methodology applied is regularly updated and enables a precise assessment of the risks specific to the Group. These mappings serve to identify, evaluate and systematically rank the main risks. An insurance section compares the risks with the corresponding insurance coverage. They are an operational awareness‑raising and management tool and are a lever for improving performance. They contribute to effective management by providing a summary and shared vision of risks and defining operational action plans and the responsibilities of each person. The entities periodically update their risk mapping, under the supervision of the audit and risk management department. Each year, between 5 and 10 risk mappings are carried out at the level of the distribution subsidiaries, métiers or cross‑functional areas in the Group. The internal control officers within the entities are the local relays for the mapping initiative. They participate in the initial risk analysis, while updating and monitoring the action plans.

2023 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL EXTRACT FROM 2023 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

408