SAINT_GOBAIN_REGISTRATION_DOCUMENT_2017

Risks and control Internal control

Reference standards and procedures 2.4 Compagnie de Saint-Gobain has developed internal control and risk management procedures for its own needs and those of its subsidiaries.

Each process contains a control/risk matrix used to refer specifically to risk types by control and contributing to understanding the control system.

Risk universe 2.4.1 The Group’s risk universe was updated in 2017. It comprises 13 main categories of risk, covering 64 subcategories (compared with 86 in 2016). The changes mainly relate to the amalgamation of digital technology and information systems on the one hand, and the separate treatment of legal and tax risks on the other, The Internal Control Reference Framework and the methodology are based on identifying risks as defined below.

7

Internal Control Reference 2.4.2 Framework There are three parts to the Internal Control Reference Framework: part 1 – Internal control and risk management at „ Saint-Gobain; part 2 – Risk universe; „ part 3 – The 18 internal control processes. „ Part 1 describes the Group’s internal control and risk management system, its implementation in the subsidiaries and the current oversight arrangements. Part 2 introduces the Group’s risk universe. The framework thus provides Directors with a means of identifying the risks for their entities. Part 3 contains all 548 controls, organized by process and sub-process. The controls identified as “Key controls” (around 200) are mandatorily implemented in all Group entities.

The Internal Control Reference Framework is reviewed regularly in response to developments in the Group and in regulatory changes. Furthermore, the Internal Control Reference Framework is available on the IABC (Internal Audit and Business Control) portal and on My SG (My Business Control), as well in iPhone/iPad-compatible interactive iBook format.

197 SAINT-GOBAIN - REGISTRATION DOCUMENT 2017