L'Oréal - 2018 Registration Document

2 Corporate Governance

RISK FACTORS AND CONTROL ENVIRONMENT

BUSINESS RISKS \ INFORMATION SYSTEMS

Risk identification

The day-to-day management of activities such as purchasing, production and distribution, invoicing, reporting and consolidation, as well as internal data exchange and access, relies on the proper functioning of all technical infrastructure and IT applications. As part of the digital transformation and the ongoing development of information technologies and their applications, which are also factors of acceleration and mobility, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment depend on being able to function in an increasingly virtual and digital environment. The malfunction or breakdown of these systems, or the loss of data for exogenous or endogenous reasons (including intrusions, malicious acts, etc.), could have a significant impact on the Group’s business activities.

Risk management

To minimise the impact that this type of occurrence could have, the Global IT Department has introduced strict security rules for infrastructure, equipment and applications. Furthermore, in order to adapt to the development of new methods of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To address the growing threat of cybercrime, L’Oréal takes continuous steps to strengthen the resources dedicated to information system security. This plan relies in particular on anti-intrusion equipment, regular intrusion tests, an information system security audit programme, the protection of sensitive equipment and global supervision for identifying irregularities. L’Oréal’s security focus is constantly adjusted to deal with new cyberattack threats. For example, the Group is increasingly investing in systems for detecting and reacting to warnings and security incidents, and in the periodic supervision of the effectiveness of such solutions. Furthermore, to mobilise its teams, in 2018 the Group carried out a worldwide awareness-raising campaign and deployed an online training programme on security best practices intended for all employees. 66% of employees had validated this e-learning programme as at 31 December 2018.

BUSINESS RISKS \ DATA

Risk identification

The data collected and processed by L’Oréal and its partners, the volume of which increases along with the development of digital activities, may be used fraudulently, or be lost or degraded. Furthermore, personal data protection regulations are being reinforced throughout the world. Specifically, the European General Data Protection Regulation (GDPR), which entered into force in May 2018, provides for significant sanctions. Any breach of data integrity or confidentiality, notably of personal data processed by L’Oréal or its partners, for exogenous or endogenous reasons (including intrusions, malicious acts, etc.) could have a significant impact on reputation and consumer confidence and, ultimately, on the Group’s business activities.

Risk management

The Group constantly and progressively deploys policies, training and data management tools, as well as the associated organisational and technical measures. The Global IT Department has introduced strict rules with regard to data security (back-up, protection of, and access to confidential data). The Group’s principles governing the processing of personal data have been disseminated all over the world to raise the awareness of all employees about respect for ethical principles and for the legal and regulatory requirements in this area. An organisation based on a Group Governance Committee, a world Steering Committee and a network of Business Line, Zone and Country contacts responsible for personal data protection has been set up to coordinate the operational players involved. Specifically, the Group has appointed a Group Data Protection Officer (DPO) and set up a network of DPOs for all countries in the European Zone. This governance notably aims to monitor the Group’s compliance with the applicable legislation, such as the GDPR in Europe, by ensuring the mobilisation of all stakeholders and by adapting customer, supplier and business line processes to the Group’s rules and to applicable laws.

BUSINESS RISKS \ RISK OF AN INTERNAL CONTROL FAILURE

Risk identification

L’Oréal has set up an Internal Control system (see section 2.8.1.2. “Internal Control Objectives”) which, however effective it may be, can only provide reasonable and not absolute assurance that the Company’s objectives can be achieved, due to the inherent limitations of any control system. Thus, the Group cannot exclude the risk of an Internal Control failure likely to expose it notably to acts of fraud or corruption, which may have an impact on its activities, reputation and results.

Risk management

The components of the Internal Control and Risk Management system implemented are detailed in this chapter. In the areas of fraud and corruption, a programme designed to raise awareness of fraud risk has been rolled out to all the Management Committees of the Group’s subsidiaries (setting out the main operational scenarios that could occur, the whistle-blowing systems and the existing procedures and controls) and helps to reduce the Group’s exposure to this risk. In addition, the Group has deployed a comprehensive anti-corruption programme, notably including a specific guide, country-specific corruption risk mapping and an online e-learning training module, which rounds out the commitments and principles set out in L’Oréal’s Code of Ethics and described in the “Corruption prevention policy” (see section 3.3.4).
