SAINT_GOBAIN_REGISTRATION_DOCUMENT_2017

Risks and control Internal control

At the end of 2017, the Internal Audit and Business Control Department had 104 staff, working in the areas of audit, internal control and anti-fraud. Internal Audit and Business Control Department Main responsibilities Reference standards and/or measures 2017 key figures Internal control Develop and maintain the Internal „ Control Reference Framework Communicate and provide training „ on internal control and risk management Lead the annual compliance „ statement process Analyze incidents, „ Internal Control Reference „ Framework and associated practical data sheets or Group memos Internal Control briefs „ Webinars and training sessions „ 2017 Compliance Statement update „ (659 questionnaires sent)

Approximately 5,000 action plans „ open within ACTT2 database at the end of 2017 1,202ɸcorporate leaders and „ managers trained during 17 Business Control Forums in 16 different countries 18ɸwebinars delivered and 15 „ newsletters published Approximately 673ɸmembers of the „ Internal Control community

(Business Control Forumsɸ (1) ) Intranet and Internal Control „ Community (My SG) ACTT2 databaseɸ (2) „ Dashboard/QlikViewɸ (3) „ Risks universe „ Risks cartography „ Methodological tool for Group „ companies Risk database „ Audit plan „ Audit methodology „ 6 Essentialsɸ (4) „ Best practices library „ Process and data analysis toolsɸ (5) „ Auditor training Program „

self-assessments and audit results Monitor implementation of action „ plans Define and maintain the Group’s „ risk universe Perform risks map „ Update, maintain and take „ responsibility for the risk management methodology Ensure the relevance and „ effectiveness of internal control and computer security systems Check the accuracy of compliance „ statements Identify and share best practices „ Perform organizational advisory „ tasks at general management’s request Cross-functional audits according „ to the department’s main objectives

Risk management

68 existing maps, of which 24 „ were updated in 2017

Internal Audit

154 audits performed, including 69 „ with the process and data analysis tools 19 new best practice briefs published „ Entities covered every 5ɸyears „

Anti-fraud

Develop anti-fraud policies „ Ensure fraud prevention „ Investigate fraud incidents „

Training and awareness „ Fraud incident reports „

51 Directors and managers trained „

7

The Business Control Forums are training sessions delivered over one or two days by the Delegations, for executives and managers. The topics such as the fundamentals of internal control (1) and the fight against fraud, audit results and compliance statements, as well as case studies on various processes. Central database for monitoring compliance statements and action plans. (2) Online dashboard containing information on internal control (compliance statements results, implementation rate for action plans), audit assignments, computer security, risks and insurance, (3) fraud reporting, and financial data. Fraud detection audit methodology. (4) See paragraph 2.2.3 for further details on the tools for process and data analysis. (5)

193 SAINT-GOBAIN - REGISTRATION DOCUMENT 2017