QUADIENT // 2021 Universal Registration Document

4 RISK FACTORS AND INTERNAL CONTROL Risk factors

Risk factors 4.1

Quadient carries out its business activities in a constantly worldwide changing environment. The COVID-19 pandemic which marked 2020 and continued into 2021, and now the crisis between Ukraine and Russia, potentially generates exogenous risks increasing the uncertainty and the criticality of certain risks which could affect the Group’s operating and financial performance. Quadient identifies the risk factors to which it is exposed using a formal risk management approach based on the reference framework of the internal control and risk management system, developed under the supervision of the French financial markets authority (AMF).

The risks factors presented below are the risks, that Quadient has identified at the date of this Universal Registration Document and considers may have a significant negative impact on its business, results, outlook, or reputation, should they occur. The list of these risks is, however, not exhaustive, and other risks, unknown at the date of this document, could occur and would have a negative effect on the Company’s business.

4.1.1

RISK MANAGEMENT FRAMEWORK

Risk assessment methodology

used to assess the level of maturity of the risk management for each risk using a scale from 1 (Optimal) to 4 (Low). Combined with the criticality level of each risk, the third criterion enables us to create a prioritization matrix of the remedial action plans to implement and monitor. The resulting global risk mapping is presented to Quadient's Risk Committee, shared with the Executive Committee members and appropriate improvement plans for the main residual risks will be designed and implemented at local and corporate level. Ultimately the results of the risk assesment were also presented to the Audit Commitee of the Board of Directors. COMPLIANCE CENTER OF EXCELLENCE Within the Transformation Department, the CSR and Compliance team leads and coordinates the risk management system through its Compliance Center of Excellence composed of subject-matter experts in the fields of information security, data privacy, legal, ethics, quality, environment, health and safety, and CSR. In 2021, the Compliance Center of Excellence has developed a common process and a methodology founded on a Governance Risk and Control (GRC) digital tool enabling: the consolidation of major risks from all our sites, ● regions, and business lines the disclosure of Quadient's policies, procedures and ● standards to all employees the management of compliance audits and corrective ● actions The Compliance Center of Excellence works with all Quadient's departments and more particularly with the Internal Control and Audit team in order to: link up the identified risks and Quadient’s policies, ● processes, standards, compliance programs and propose changes where appropriate contribute to defining the annual internal audit program ● Organization

Quadient has implemented a risk management policy to refresh revise regularly the global risk mapping addressing the Compagny's most material risks from a strategic perspective. In this respect, a risk management framework, under the oversight of the head of compliance has been set to ensure: the identification and assessment of the different risks ● encountered by the Company in the course of its business activities the assessment of the level of maturity of the ● management of each risk based on the existence and implementation of policies and means of control (organizational structures, processes, procedures) the definition and the follow-up of the main remedial ● action plans undertaken to mitigate these risks. The company's global risks mapping has been updated between December 2021 and March 2022. This exercise was the opportunity this year to revise the methodology to combine the vision of the top Management (executive committee, senior leaders), subject-matter experts (e.g., information security, data privacy, compliance, environment. This list is not exhaustive) and site managers performing risk assessments for their respective sites on various topics such as quality, environment, health & safety, Corporate Social Responsibility (CSR), information security and data privacy. More than 120 managers representing all of our regions, functions and business lines were involved into interviews and workshops for updating the global risk mapping for the company. About 20 individuals interviews and 12 workshops have been conducted to identify and compile the list of the main risks for the company. Once the list of risks compiled and all the persons interviewed, the participants of the workshops were invited to assess the risks according to the criteria established within the methodology. The first criterion relates to the level of impact of the risk rated from 1 (Low) to 4 (Very high) and the second one is tied to the probability of occurrence rated from 1 (Very rare) to 4 (Very likely). These two criteria are used to position the risks based on their criticality into our global risk mapping. A third criteria is

86

UNIVERSAL REGISTRATION DOCUMENT 2021