SOPRA_STERIA_REGISTRATION_DOCUMENT_2017

INTRODUCTION TO SOPRA STERIA Risk management and control

9.1.2.2. Risks relating to continuity of service

Risk description It is critical for the Group to be able to meet client demands and deliver consistent quality. Depending on the contractual commitments entered into, any failure to provide the services specified in the contracts, or any provision of sub-standard services, may result in a risk for the Group (penalties, client complaints, claims for damages, additional cost, non-payment, early termination of the contracts, reputational risk). In the current environment, clients’ demands are becoming increasingly complex. Unlike time-and-materials contracts, fixed-price contracts are characterised by commitments regarding price, result and lead times: they may be fixed-price projects such as systems integration and/or software development, or fixed-price services such as maintenance contracts, third-party application maintenance, infrastructure management or Business Process Services (BPS). Fixed- price service contracts are often multiannual agreements with regular management and follow-up. For fixed-price projects and fixed-price services, a poor assessment of the scale of the work to be done, an underestimate of the cost of providing the service or an incorrect estimate of the technical solutions to be implemented can lead to estimated costs being exceeded or contractual deadlines not being met. This delay can, in itself, result in late delivery penalties and/or budget overruns, potentially impacting project margins. Risk control frameworks Carrying out projects is central to what Sopra Steria does. In order to ensure the quality of management and execution of client projects, the Group has developed a series of methods, processes and controls via its quality control system. The choice of Project Directors and Director of Monitoring responds to specific requirements and criteria according to the level of risk and project complexity. Particular attention is paid on making any appointments. Project managers receive specific training. In addition to project and line management, Industrial Managers under the authority of division/subsidiary managers and reporting functionally to the Group Industrial Department are responsible for monitoring the Quality System and all projects. Structural audits are performed so as to verify the application and effectiveness of the Quality System among the Sopra Steria staff members concerned (management, sales, operational quality unit). Projects are reviewed on a regular basis, at key phases in their life cycle. Organised by the Industrial Department, or by the quality structure’s local representatives, these reviews provide an external perspective on the status and organisation of projects. Monthly steering meetings facilitate an overview of quality at all levels, the monitoring of annual quality targets established during management reviews and the determination of the appropriate action plans to continuously improve production performance and the quality of Sopra Steria products and services. The implementation of actions agreed during steering committees, audits and reviews is checked by the Industrial Department. The Group has put in place a certification policy, covering all or a portion of its operations, depending on market expectations. This policy relates to the following standards or frameworks: ISO 9001, TickIT Plus, ISO 27001, ISO 22301, ISO 14001, ISO 20000, CMMI and TMMi. An annual review is performed by Executive Management to ensure that the Quality System remains pertinent, adequate and effective. This review is based in particular upon an analysis of project reviews and internal structural audits performed at all levels of the Group as well as upon annual balance sheets produced by divisions or subsidiaries. During this review, the adequacy of the quality policy is evaluated, the annual quality objectives are defined and possible improvements and changes in the Quality System are considered.

Risk description The reliability of IT and communications infrastructures is an issue of growing importance to production. In view of its business model integrating service centres, national and worldwide shared datacentres in nearshore and offshore countries, the Group is potentially dependent on its remote production centres and telecommunications networks functioning correctly. Any claims, failures or shutdowns at the level of these centres could have an impact on both internal systems and client systems, resulting in a potential risk of non-compliance in the execution of contractual services, and consequently potential demands for damages and interest and/or loss of income. It should be noted that a proportion of the Group’s production activities are located in India. India still shows various characteristics that may constitute risk factors (including political, economic and social unrest, wage inflation, natural disasters and pandemics). The Group has service centres in Tunisia, Poland and India. Risk control frameworks The continuity and security of our clients’ services is one of the key criteria in the policy and decision to set up the Group’s production sites. Once the decision has been made, strict prevention and security procedures covering physical security, IT systems security, power cuts, flooding, regulation of temperature change, data storage and backups apply to IT production sites, service centres, offshore development and datacentres. The Group has a Group business continuity strategy and policy that defines a nominal level of service and a principle of redundancy for all critical elements, relying in particular on multi-site replications. All elements are made redundant on site and remotely. Business continuity and disaster recovery plans are in place and monitored on a general basis or by site. Contracts with our suppliers are reviewed according to their nature by the Information Systems Department or the General Resources Department, taking account of the same security and service level requirements. In the case of outsourcing or subcontracting, the same level of service is demanded of our suppliers. The Group has four production facilities in India. These sites are located far apart and in three different regions, considerably limiting the consequences of incidents or risks that might arise in a specific region. In addition, at the Group level, using a large number of production facilities and having a variety of onshore, nearshore and offshore services makes it possible to have backup solutions. 9.1.2.3. Risks relating to systems security Risk description A cyberattack on the Group’s systems by hackers, a security flaw in the Group’s systems and/or our clients’ systems could result in loss of information, and depending on the matter concerned, the loss of confidential information particularly in sensitive activities, payment activities and/or payroll activities. Situations such as this could result in a risk of damages and interest and/or sanctions. In view of the Group’s activities, a major security breach could potentially result in a risk to the Group’s image and raise doubts about the trust placed in us by our clients.

37

SOPRA STERIA REGISTRATION DOCUMENT 2017