SAINT_GOBAIN_REGISTRATION_DOCUMENT_2017

7 Risks and control: Internal control

2.2.4 Corporate departments

Compagnie de Saint-Gobain’s corporate departments are responsible for setting up an internal control structure and defining internal control strategies and procedures in their area. To this end, they:

- identify and analyze the main risks associated with their internal processes;
- define appropriate controls based on those described in the Internal Control Reference Framework;
- inform and train the employees responsible for internal controls within their area;
- analyze any internal control weaknesses or incidents and the results of internal audits.

The corporate departments are also responsible for the internal control system within the Company entities.

Corporate departments

Environment, Health and Safety (EHS) Department and Medical Department

Main responsibilities

Reference standards and/or measures

- EHS reference framework and standards
- Integrated EHS audits
- Self-diagnostic tool
- OHSAS 18001, ISO 14001 and ISO 50001 standards
- Minimum security rules
- Technical standards
- Development standard for secure web applications
- Note on the Cloud
- Datacenter security rules
- ISO 9001 standard with certification in Raw Materials, Precious Metals and Energy for Saint-Gobain Purchasing
- Purchasing process of the Internal Control Reference Framework (14 risks, 38 controls to be applied)
- ITAC reference bases
- SAP users control tool

2017 key figures

- Industry audits:
  - 52 “12-step” audits
  - 121 “20-step” audits (1)
- Distribution audits:
  - 323 ESPR audits (2)

- Promote and coordinate Group EHS policy
- Monitor the application of EHS reference framework principles

Information Systems Department

- Define Group policy for information systems and computer network security
- Promote and coordinate an annual self-assessment plan
- Develop rules and best practices
- Manage the World-Class Purchasing program, an approach focusing on purchasing performance, department professionalization and supplier innovation
- Execute multi-business and multi-country purchasing
- Coordinate the purchasing function in France and conduct multi-business purchasing activities in France
- Define Group policy for property damage at industrial or distribution sites
- Define Group policy for insurance and monitoring its implementation
- Steering centralized insurance programs
- Define policy for financing, market risk control and banking relationships for the entire Group

- See Chapter 7, Section 2.4.5, General doctrine on information systems security

Purchasing Department

- Completion of more than 12,000 individual purchaser actions in 2017
- 15 internal audit assignments on local and technical purchases
- 53 Buy/Techs executed in 16 different countries

Risk and Insurance Department

- 429 site visits by prevention engineers

- Prevention/protection reference base
- “Risks Grading” self-assessment tool
- Doctrine memos
- Risks and Insurance Intranet

- 1,372 sites that have performed their Risk Grading self-assessment
- 933 assessments of Building Distribution Sector sales outlets by, including 115 ESPR audits
- 20 prevention training sessions
- Regular field inspections
- 118,662 internal/external foreign exchange transactions in 2017
- 22,785 internal/external transfers issued in 2017

Treasury and Financing Department

- Procedures reference base
  - for DTF activities
  - for subsidiary activities
- Daily reports (DTF) and monthly reports (subsidiaries and DTF)

(1) Audits following a 12- and 20-step schedule for the Group’s industrial activities.
(2) ESPR (Environment, Safety, Prevention of Risks) audit: specific to the Building Distribution Sector.
