SAINT_GOBAIN_REGISTRATION_DOCUMENT_2017

7 Risks and control

Internal control

2.4.3 Doctrine

The Doctrine Department is responsible for preparing all financial, administrative and management procedures applicable to Group companies. These procedures, accessible on the Group’s intranet, cover two main themes: Group Organization and Procedures, and Financial and Accounting Standards. Reports on the Doctrine Department’s activities are prepared twice a year for the Audit and Risk Committee.

[Figure: Doctrine management. Labels: Doctrine Management; information “pushed” to employee email; Intranet Doctrine; Hotline; Group employees.]

2.4.4 Environment, Health and Safety (EHS) Reference Manual

The EHS Reference Manual describes the approach to be followed by all entities to introduce an EHS management system and contributes to meeting the objectives set by the Group in terms of environmental protection and prevention of workplace accidents and occupational illnesses. The approach is structured around the main steps of risk identification, preventive actions implementation, reduction and control of risks.

The EHS Reference Manual (2012 version) is accessible on the Group Intranet and is distributed to all sites. It is consistent with the ISO 14001:2004 and OHSAS 18001 certifications and with the Group’s World Class Manufacturing (WCM) approach (see Chapter 4, Section 2), and is used as the reference document for the audit of the EHS management systems (12- and 20-step audit). The new versions of the Reference Manual and the audit were released at the beginning of 2018 to reflect the latest developments in international standards.

In addition, the purpose of the EHS Handbook, updated in 2014, is to help all Group entities to develop and roll out an integrated EHS management system as required by the EHS Reference Manual. The EHS Handbook is intended as a tool to be available to all, and follows the continuous improvement cycle to describe and illustrate how to implement the chapters of the Reference Manual. Hence, it describes the requirements for each area and provides reference documents, examples of implementation or best practices.

Furthermore, the EHS Department works with its network to develop and update Group EHS standards, which describe the minimum applicable requirements and/or methodologies. These tools help to ensure that risks are assessed and controlled on the same basis in all Group entities, irrespective of the country and the local laws and regulations (see Chapter 4, Section 1.3). Implementation guides, procedures, training packs, assessment questionnaires, and cross-audits of standards implementation and computer tools have been developed to support the application of the standards at the sites.

2.4.5 General doctrine on information systems security

The Information Systems Department compiles rules and best practices concerning information systems and networks, based on four sets of compulsory minimum security rules in the following areas:

• infrastructure, with 15 minimum security rules (22 control points, 94 entities) and SGTS Security Reporting (34 control points, 20 SGTS covering 428 entities);
• industrial information technology systems, with 14 minimum security rules (20 control points, 303 entities with critical or large industrial IT systems);
• research and development systems, with 7 minimum security rules (13 control points, 14 R&D Centers);
• applications, with 22 minimum security rules (50 control points, 63 competency centers);
• hosting of our resources in partner-operated Datacenters coordinated by the Group DSI or the SGTS (99 control points, 17 Datacenters).

These rules are the operational application by area of another two key high-level documents in the IT security document reference system:

• the General IT Security policy letter, ensuring the importance of this issue and its sponsorship by top management;
• the Group IT Security Doctrine, the essential standards that form the Information Systems Security policy;
• the reference framework for short- and medium-term actions to strengthen Saint-Gobain’s cyber defenses against new cyber-attacks. This framework is divided into four specific operational action plans covering global infrastructure, local infrastructure, application continuity plans and user-focused actions.

Lower-level technical standards are also issued as a supplement to these rules, and are updated periodically to keep pace with technological advances and control infrastructure services.
