SAINT_GOBAIN_REGISTRATION_DOCUMENT_2017

7

Risks and control Internal control

secure information systems with access rights granted on „ the basis of allocated roles and responsibilities, to maintain effective segregation of duties. Saint-Gobain subsidiaries have an obligation to comply with the basic security rules issued by the Group Information Systems Department.

developing controls that are proportionate to the risks „ involved in each process; communicating the objectives of internal control to „ employees and implementing controls; permanent oversight of and regular checks on the „ effectiveness of internal control. This process is described in the Internal Control Reference Framework (see paragraph 2.4.2) and applies to all Group subsidiaries. Oversight controls and effectiveness checks may lead to corrective action being taken, and to changes, as needed, to the internal control and risk management system.

Internal control and risk 2.1.2 management process

Within Saint-Gobain, internal control is a continuous and ongoing process that integrates risk management procedures. It involves four key stages: analyzing the main identifiable risks; a Group risk mapping „ is updated each year and is submitted to and analyzed by the Audit and Risks Committee and the Board of Directors;

Organization of internal control and the risk 2.2 management system

Everyone within the organization has some responsibility for internal control and risk management, from general management down to the employees of the individual entities. The Board of Directors of 2.2.1 Compagnie de Saint-Gobain Regular reports on the Group’s internal control and risk management are submitted to the Board of Directors after being reviewed by the Audit and Risks Committee (see Chapter 6, Section 1 – Corporate Governance). The Audit and Risks Committee is specifically tasked with monitoring the process of preparing financial information and the effectiveness of the internal control and risk management system. It also reviews the risks map prepared by the Internal Audit and Business Control Department. It provides regular reports to the Board of Directors on the performance of its mission and informs the Board promptly of any issues encountered (see Chapter 6, Section 1 – Corporate Governance). Group General Management 2.2.2 The Group’s general management oversees implementation of the internal control process and the existence and appropriateness of internal control and risk management monitoring systems within the subsidiaries. Internal Audit and Business 2.2.3 Control Department The Internal Audit and Business Control Department is tasked by the Group’s general management with designing the Group’s internal control and risk management system and with coordinating the roll-out of the system, in conjunction with the Company’s corporate departments, the General Delegations and the Sectors.

The Internal Audit and Business Control Department also seeks to deliver added value to the Group and enhance its performance. Its general remit is to provide systematic, methodical assurance that the internal control systems are relevant and effective, and to make recommendations for reinforcing them. With that in mind, and in connection with its move to digital, in 2017, the Internal Audit and Business Control Department introduced some new tools in audit assignments: a performance-oriented tool for process analysis that can „ be used to analyze and represent an entity’s organizational structure and its processes, to identify bottlenecks and irregularities in process flows; a compliance-oriented tool for data analysis that is useful „ in targeted searches for inconsistencies with business control rules. Compared with the historical approach to auditing by extrapolation from samples of a limited size, these two highly complementary tools enable extensive analysis of the populations in question (transactions, master data, access rights, etc.), meaning that more robust conclusions can be drawn. Together, they illustrate the shift towards higher value-added audit assignments. The Internal Audit and Business Control Department organizes oversight of internal control and risk management systems based on four principal components, which are: the compliance statement, the audit results, the action plan follow-up system and the fraud and incident monitoring system. The results of this oversight are reported to the Audit and Risks Committee. The Internal Audit and Business Control Department plays a key role in the Group Compliance Program.

192 SAINT-GOBAIN - REGISTRATION DOCUMENT 2017