SAINT_GOBAIN_REGISTRATION_DOCUMENT_2017

7

Risks and control Internal control

Implementation of the internal control and risk 2.3 management process in the Group’s entities

Compliance statement 2.3.1 The compliance statement is a self-assessment process which is used to periodically assess entities’ compliance with a limited number of Internal Control Reference Framework fundamentals. Directors of the operating entities, the heads of the IT centers and the heads of the shared service centers report annually to the Group’s General Management on the level of internal control within their entity or center, by filling out a questionnaire relating to the Internal Control Reference Framework. They also commit to taking all necessary actions to remedy any cases of non-compliance with the internal control reference framework. The compliance statements and action plans are centralized and tracked by the Internal Audit and Internal Control Department, which also prepares an executive summary of the information. They are reviewed if necessary with the heads of the Company’s Sectors, General Delegations and corporate departments. An annual report on compliance statements is submitted to Saint-Gobain’s Chairman and Chief Executive Officer, to whom the Internal Audit and Business Control Department reports, and to the Audit and Risks Committee of the Board of Directors. Action plans follow-up 2.3.2 An action plan management and monitoring database is used to centralize information about the measures implemented to remedy any non-compliance issues identified during the compliance statement campaign, and about the action plans drawn up following audits performed by the internal audit. This means that each Group company has access to a centralized operational platform it can use to manage its action plans by reporting the corrective measures taken and the progress made compared with the predefined implementation schedule. The corporate departments can also use the system to monitor these action plans. Compliance statements results, internal audit memoranda and changes to the related action plans are also monitored via a dashboard circulated to the heads of the Sectors, Activities and General Delegations.

Each entity is responsible for implementing an internal control system that is appropriate to its needs and aligned with the Group’s internal control system. The head of each entity is responsible for: the relevance and effectiveness of the internal control „ system in place within their entity; its compliance with the Group’s internal control system; „ appropriate management of the risks faced by their entity. „ This responsibility cannot be delegated and is exercised with support from the Company’s corporate and operational Directors and from the site Directors. To build a suitable internal control system for their business, the Directors of the entities have to follow the steps described below: introducing the fundamentals of internal control; „ implementing the controls described in the Internal „ Control Reference Framework; analyzing the main risks and extending the Internal Control „ by incorporating controls for dealing with the identified risks; deploying the internal control in all of the entities’ sites; „ overseeing the internal control and risk management „ system, specifically at the time of the compliance statement.

196 SAINT-GOBAIN - REGISTRATION DOCUMENT 2017