Saint-Gobain // Universal Registration Document 2021

Risks and control Internal control

Internal control and risk 2.1.3 management process

Executives leading by example, and control at all levels in implementing the Principles is essential in disseminating these values, which all Group employees must adhere to. The organizational model 2.1.2.2 The implementation of an internal control system requires: appropriate organization which provides a framework ■ for the planning, execution, monitoring and management of operations; clearly defined roles and responsibilities, according to a ■ human resources management policy which recruits people with the knowledge and skills necessary to perform their jobs, providing them with training to develop employees’ knowledge; rotation and succession plans for key positions and ■ replacement solutions during temporary absences; powers of attorney granted to suitable people in line ■ with the principle of task segregation. Dissemination of policies and programs 2.1.2.3 The policies and programs devised by the Group’s Senior Management are disseminated within each corporate department. The Regions, countries and activities formalize guidelines and directives within their scope of responsibility in line with the Group’s own guidelines and directives, ensuring that they are applied when conducting operations. Information systems 2.1.2.4 The Group’s organizations and their operations rely to a large extent on information systems, information-sharing and the digitalization of processes. Information systems must therefore be efficiently protected in terms of both physical and logical security. The Saint-Gobain Group companies thus comply with the safety rules set out by the Group Information Systems Department and Internal Control (automated controls described in detail in the “ITAC” reference base).

Within Saint-Gobain, internal control is a continuous and ongoing process that integrates risk management procedures. Due to the constantly changing environment and the regulatory context, the companies must take steps to identify, evaluate, process and monitor any risks which may affect them. At Group entity level 2.1.3.1 The internal control and risk management process can be summarized in four stages: analysis of the main identifiable risks. The company ■ analyzes its main risks, and thus identifies what could prevent it from meeting its objectives, as well as dangers that could harm its interests or have a major impact on its internal control situation; developing controls that are proportionate to the risks ■ involved in each process; communicating the objectives of internal control to ■ employees and implementing controls; permanent oversight of and regular checks on the ■ effectiveness of internal control: a compliance declaration is signed each year by the Chief Executive Officers according to the perimeter defined for each annual campaign. This process is outlined in the Internal Control Reference Framework (see Chapter 6, Section 2.5.1 – Internal Control Reference Framework) applicable to all Group entities. At the level of Compagnie de Saint-Gobain 2.1.3.2 The Audit and Internal Control Department updates the Group’s risk mapping every year. These updates draw on the contributions of the various management levels, and the results are submitted to the Audit and Risk Committee and the Board of Directors. For the various risks analyzed, the necessary corrective action is taken.

6

SAINT-GOBAIN UNIVERSAL REGISTRATION DOCUMENT 2021 239