PERNOD RICARD - Universal Registration Document 2019-2020

4. RISK MANAGEMENT Internal control and risk management

Internal control and risk management 4.1 This section covering risk management and internal control follows corporate governance guidelines compliant with the French Financial Markets Authority (AMF) reference framework for risk management and internal control. Definition of internal control 4.1.1 The Group's internal control policies and procedures are designed to ensure:

The affiliate’s Chief Financial Officer is tasked by the Managing — Director of the affiliate with establishing appropriate internal control systems for the prevention and control of risks arising from the affiliate’s operations, in particular, accounting and finance risks, including error or fraud. Identification and management of risks 4.1.2.2 FY20 focused on: updating the Group’s internal control principles, a process that — involved various Group affiliates and functions; strengthening internal control within the Group, using various — approaches, including the continued development of data analytics to strengthen auditing methods; implementing the self-assessment questionnaire on internal control — and risk management. This questionnaire, which was updated during the financial year, complies with the french Financial Market Authority (AMF) reference framework for risk management and internal control, as does its application guide, itself updated in July 2010; and performing audits: 24 internal audits were conducted in FY20. — The purpose of these audits was to ensure that the Group’s internal control principles were properly applied in its affiliates. Furthermore, they made it possible to review the processes in place, best practices and potential areas for improvement in various cross-functional spheres (personal safety, review of strategy consulting purchasing processes, payment security and control of free products). All of the key areas for improvement identified were addressed in specific action plans drawn up at every affiliate and at Group level, which were validated by the Executive Board and the Audit Committee. Their implementation is regularly monitored and assessed by the Group’s Internal Audit Department. The work performed enabled the quality of internal control and risk management to improve within the Group. Key components of internal control 4.1.2.3 procedures The key components of internal control procedures are as follows: A formal delegation of authority procedure sets out the powers of the Chairman & CEO, as well as the powers delegated to members of the Executive Board. The internal control principles outline the common ground of all principles and rules that apply to all of the Group’s affiliates with respect to internal control for each of the 14 main operational cycles identified. The self-assessment questionnaire , which is regularly updated to comply with the AMF reference framework for risk management and internal control. In particular, it covers corporate governance practices, operational activities and IT support. Submitted to the Group’s affiliates, it enables them to assess the adequacy and effectiveness of their internal controls. Responses to the questionnaires are documented and reviewed by the Regions and the Group’s Internal Audit Department. This work is detailed in: a summary by affiliate and an overall Group summary, both of which — are provided to the Executive Board and the Audit Committee; and a letter of representation from every affiliate to the Chairman & CEO — of its parent company and a letter of representation from the various parent companies to the Chairman & CEO of Pernod Ricard. This letter is binding on the affiliates’ management with regard to the adequacy of their control procedures in light of identified risks.

that management, transactions and personal conduct comply with — guidelines relating to Group business conduct, as set out by the Group’s governing bodies and General Management, applicable laws and regulations, and in accordance with Group company values, standards and internal rules; that the accounting, financial and management information provided — to the Group’s governing bodies accurately reflects the performance and the financial position of the companies in the Group; and the proper protection of assets. — One of the objectives of the internal control systems is to prevent and control all risks arising from the Group’s business activities, in particular, accounting and financial risks, including error or fraud, as well as operational, strategic and compliance risks. As with all control systems, they cannot provide an absolute guarantee that such risks have been fully eliminated. Description of the internal 4.1.2 control environment Components of the internal control 4.1.2.1 system The principal bodies responsible for internal control are as follows: At Group level The Executive Board is the permanent coordination body for the — management of the Group. The Executive Committee ensures that the Group’s operations are — carried out and that its main policies are applied. The Internal Audit Department works under the Group Chief Executive — Officer and reports to the Executive Board and the Audit Committee. The internal audit team based at Headquarters is in charge of implementing the audit plan, with the support of the audit teams in the Regions. The audit plan is drawn up once the Group’s main risks have been identified and analysed. It is validated by the Executive Board and the Audit Committee and presents various cross-disciplinary issues that will be reviewed during the year, the list of affiliates that will be audited, and the main topics to be covered during the audits. The conclusions are then submitted to the Audit Committee, Executive Board and Statutory Auditors for examination and analysis. External Auditors . The Board of Directors selects the Statutory — Auditors to be proposed at the Shareholders’ Meeting on the basis of recommendations from the Audit Committee. The Group has selected Statutory Auditors who are able to provide comprehensive worldwide coverage of Group risks. At affiliate level The Management Committee is appointed by Headquarters or the — relevant Region and is composed of the affiliate’s Chairman & CEO and the Directors of its main functions. The Management Committee is responsible for managing the main risks that could affect the affiliate.

128

Pernod Ricard Universal Registration Document 2019-2020