1. Risk factors

1.1. Risk identification and assessment

The identification and assessment of risks and monitoring of the implementation of associated mitigation plans are conducted on a continuous basis by the various operational and functional departments using the Group’s management system, as described in Section 3.3.2 of this chapter. These help with the preparation and yearly updating of the Group’s risk mapping. This risk mapping covers all internal and external risks and includes both financial and non-financial issues. It is coordinated by the Internal Control Department. The main operational and functional managers are involved through interviews and validation workshops. The results were reviewed and approved by Executive Management and presented to the Audit Committee of the Board of Directors.

This exercise consists of identifying the risks that could limit Sopra Steria’s ability to achieve its objectives, as well as assessing their likelihood of occurrence and their impact should they occur, on a financial, strategic, operating and reputational level. Risks are assessed on a scale of four levels: very low, low, possible, almost certain in terms of likelihood; and low, moderate, significant, critical in terms of impact. The time frame used is five years. Specific mappings for corruption and influence-peddling risks and for risks relating to duty of vigilance are taken into account in this general risk mapping.

The most significant risks specific to Sopra Steria are set out below by category and in decreasing order of criticality (based on the crossover between likelihood of occurrence and the estimated extent of their impact), taking account of mitigation measures implemented. This presentation of net risks is not intended to show all Sopra Steria’s risks. The assessment of this order of importance may be changed at any time, in particular due to new external factors, changes in operations or a change in the effects of mitigation measures.

For each risk, a description is provided explaining in what ways it could affect Sopra Steria as well as the risk management measures put in place, i.e. governance, policies, procedures and controls.
1.2. Summary overview of risk factors

The table below shows the results of this assessment in terms of net importance on a scale of three levels, from least important (+) to most important (+++).
Risks related to strategy and external factors
Adaptation of services to digital transformation, innovation
Significant reduction in client/vertical activity
++ ++ ++
Major acquisitions
Attacks on reputation

Risks related to operational activities
Cyberattacks, systems security, data protection
Extreme events and response to major crises
Sale and delivery of projects and managed/operated services

Risks related to human resources
Development of skills and managerial practices SNFP (1)
Attracting and retaining employees SNFP

Risks related to regulatory requirements
Compliance with regulations SNFP
+

(1) SNFP: Statement of Non-Financial Performance. This risk also relates to concerns addressed by the regulatory changes set out in Articles L. 225-102-1 III and R. 225-105 of the French Commercial Code, which cover the Company’s Statement of Non-Financial Performance.