Saint-Gobain // Universal Registration Document 2021

Risks and control Risk factors

1.1.8

Risks related to information

Risks related to climate change 1.1.9 and energy transition The fight against climate change involves both risk management and the development of the Group's markets (see Chapter 3, Section 2.1.2). The Group has placed the fight against climate change at the heart of its strategy and aims to contribute to a fair and sustainable transition to a low-carbon economy with the adoption of a 2030 roadmap to achieve its goal of carbon neutrality by 2050 and the implementation of the Sustainable Solutions for Growth programme. Achieving carbon neutrality requires, among other things, that the Group has access to sufficient renewable energy sources to meet its needs at satisfactory pricing conditions. The Group's failure to access such energy sources could have an adverse effect on its ability to implement its strategy and meet the expectations of its customers and investors. In addition, the need for decarbonisation of the Group's industrial customers requires an acceleration of innovation in decarbonisation technologies for the construction industry, green mobility and in speciality materials for the decarbonisation of industrial processes. The implementation of new industrial processes and procedures as part of the Group's sustainability roadmap represents a major technical and technological challenge. The Group's failure to deploy these new processes or procedures, or a delay in deploying them, could adversely affect its ability to implement its strategy and meet the expectations of its customers and investors.

systems Daily management of the Group’s activities, specifically the conduct of its commercial, industrial, logistics and accounting processes, particularly in its Distribution activities, requires the proper functioning of all technical infrastructure and computer applications. The risk of system malfunction or interruption, which may be external or internal in origin (computer viruses or hacking, service providers’ defaults, blackouts or network shutdowns, natural disasters, human error, etc.), cannot be underestimated. In particular, a cyber attack could affect not only operations, but also the protection of confidential information or lead to the theft, loss or exposure of personal data. It should be recalled that, in June 2017, the Group, as per numerous other companies and organizations in France and abroad, was affected by the NotPetya cyber-attack, which required IT systems to be disconnected in order to prevent the spread of the virus, as well as the introduction of alternative processes in all of the Saint-Gobain businesses. The impact of the cyber-attack on operating income for the 2017 fiscal year was calculated to be €80 million. All of the information systems were back up and running within ten days, without any data being lost or compromised. With a view to learning from NotPetya and minimizing the impact of this type of malfunction, the Information Systems Department, as part of a cyber-defense plan, introduced strict rules relating to the governance and security of information systems, both in terms of infrastructure and applications, data protection and business continuity plans. This plan is deployed at Group level, controlled by the Audit and Internal Control Department and by external audits (see Chapter 5, Section 1.2.3: work of the Audit and Risk Committee). Furthermore, a new insurance program covering the Group’s cyber risks has been set up end of 2017. The occurrence of such malfunctions may adversely affect the Group’s operations, the protection of its know-how and its financial results.

6

SAINT-GOBAIN UNIVERSAL REGISTRATION DOCUMENT 2021 231