L'Oréal - 2018 Registration Document

2 Corporate Governance

RISK FACTORS AND CONTROL ENVIRONMENT

Within the Department, the Information Systems Security Department is responsible for the Information Systems Security Policy. Based on the international ISO 27001 standard, this policy covers the main topics of Information Systems security, including the protection of personal data, and describes the general principles to be applied for each of them. It enables all the Group’s Information Systems teams, and by extension, all employees, to share clear objectives, best practices and levels of control adapted to the risks incurred, notably, the risk of cyber attack. This policy is accompanied by an information systems security audit programme conducted by an outside firm. It is also supplemented by an Information and Communication Technologies Code of Conduct, and a Code of Good Practice for the use of social media.

The Operations Division

This Division comprises the departments in charge of Packaging and Development, Quality, EHS (Environment, Health and Safety), Production, Purchasing, Supply Chain, Information Systems (production), Digital Transformation and Industrial Strategy, the Group’s Safety Policy and its entire real estate portfolio. It defines the overall Operations strategy worldwide and establishes the standards and methods applicable in the areas of quality, safety, the environment and security for deployment in all of the countries in which the Group operates. It manages the Group’s comprehensive strategy to enable the teams in the Operational Divisions and regions to implement innovation, industrial and logistics policies suited to the markets. In line with the Group’s Code of Ethics, since 2011, the buyers have a practical and ethical guide The Way We Buy which aims at helping all employees in their relationships with the Group’s suppliers. In addition, the buyers have the Group guides, The Way We Compete and The Way We Prevent Corruption for which online training (e-learning) is provided.
The standard for Management of suppliers and tender procedures specifies the conditions for competitive tendering and for the registration of the main suppliers. The general terms of purchase are used as the framework for transactions with suppliers. The Purchase Commitments and Order Management standard is aimed at facilitating and strengthening control of the spending and investments of Group entities. In the area of the supply chain, the main assignments consist of defining and applying the sales planning, customer demand management, development and control of customer service processes, including through the management of physical order fulfilment, application of the general terms of sale, the follow-up of orders, management of customer returns and customer disputes as well as accounts receivable collection procedures. Measures are also recommended for the management of distribution centres and inventories, subcontracting, product traceability, business continuity plans and transportation.

Internal Audit is carried out by a central team that reports directly to the Chairman and Chief Executive Officer. This department carries out regular assignments to audit major processes and check on the application of Group principles and standards. Internal Audit assignments are submitted to the General Management and the Audit Committee for their approval and give rise, with their agreement, to the preparation of an annual audit plan. The size of the entities, their contribution to key economic indicators, pattern of development, historical precedence and the results of previous audits are factors that are taken into account when defining remits. The risk level assessment carried out by the area departments and experts in the different functions is also taken into account when putting together the annual audit plan. The Internal Audit Department carried out 48 assignments in 2018, 29 of which involved commercial entities representing almost 35% of the Group’s sales and 8 were carried out at plants contributing over 18% of the plants’ global production. The 2018 Internal Audit also covered a research centre, a sourcing centre and an International Marketing Department. Finally, 8 other assignments were carried out with regard to specific topics. An Audit report is systematically drafted, setting out the findings and related risks and giving an action plan of all the recommendations to be put in place by the audited entity. These action plans are followed up regularly by the Internal Audit Department which measures, and communicates to the relevant departments, the rate of progress made in actioning the recommendations. The Internal Audit Department uses the Group’s integrated Enterprise Resource Planning (ERP) software and has developed a number of specific transactions that help it better identify potential weaknesses in the most sensitive processes. Each year specific assignments focus on configuring certain key points of the Internal Audit in the ERP. 
The Internal Audit Department has a Governance, Risk, Compliance (GRC) tool, which now enables it to carry out its assignments using an integrated tool and to consolidate in real-time the progress made in the action plans of the audited entities. The actual achievement of the audit plan, assignment results and progress of the action plans are presented to General Management and the Audit Committee each year. The audit results are shared with the Group’s Statutory Auditors. The remarks made by the external auditors as part of their annual audit are also taken into consideration by the Internal Audit Department when defining its assignments.

Global IT Department

The strategic choices in terms of systems are determined by the Group’s Global IT Department, whose main mission is to implement ERP management software which is used by the vast majority of the Group’s commercial subsidiaries, plants and logistics services. It also supports the digital transformation by developing the use of Cloud services (SaaS, IaaS, PaaS) and connected objects.
