Risk description
The Group may be faced with events that could trigger a major crisis for it. This could be a systemic event such as a political, economic or social crisis profoundly changing business conditions in one or more countries in which the Group operates, a major health crisis, natural phenomena relating to climate change, a cyberattack or a major incident making the Group’s physical and/or IT infrastructures widely unavailable. Major external events could also be the cause of a major crisis for the Group, such as those relating to problems with executing sensitive and highly visible projects, a targeted cyberattack, failure to protect personal data and the disclosure of confidential information. Failings in prevention plans and/or crisis management processes, or an inappropriate response to the crisis, could have very major repercussions on an economic and operational level and seriously damage the Group’s reputation.
Risk management measures
All risk prevention systems help to control crisis management. This concerns in particular those relating to human resources, management of projects and services, and protection of IT systems and infrastructures. The health crisis and the cyberattack in October 2020 provided the opportunity to apply the Group’s crisis management systems. These are based on swiftly adapting the Group’s operations, with impetus provided at the highest level, in this case the adoption of dedicated governance with the aim of defining, coordinating and permanently monitoring remediation and crisis communication measures. These crisis management systems are also based on permanent interaction with entities’ management teams, who are in the front line in each country in which the Group operates, in order to react and quickly adapt the measures implemented by the Group. Despite this, the impact of an extreme event of the same or a different nature, which is by nature rapid and severe, remains a significant risk for the Group on a five-year horizon.
More specifically, as regards business continuity to ensure our ability to meet our commitments to clients and internal operating requirements, the definition of the policy and the choice of where the Group’s production sites are located depend on these factors. The decision to increase the number of countries and regions in which the Group operates is an integral part of this policy to maintain security and reduce risk exposure, and allows emergency plans to be managed. A redundancy principle is applied to all critical infrastructures and all system components, through multi-site replication and supplier redundancy. In the event of outsourcing or subcontracting, the same level of service is demanded of our suppliers. The Group has strict prevention and security procedures covering areas such as physical security, power cuts at critical sites, information systems security, and data storage and backups. These procedures and technical measures are re-evaluated on a regular basis in order to adapt corrective measures.
SALE AND DELIVERY OF PROJECTS AND MANAGED/OPERATED SERVICES
Risk description
For fixed-price projects and managed or operated services, poor quality or failure to meet the standards expected of services and defined in contracts may give rise to various risks for Sopra Steria, such as contractual penalties, client complaints, claims for damages, non-payment, additional costs, early contract termination and reputational risk. These types of projects and services account for two-thirds of the Group’s consolidated revenue. In the current environment, clients’ demands are becoming increasingly complex due to the speed of execution, the agility required and the technical nature of solutions, as well as due to strict regulatory requirements, for example in the financial sector. These demands increasingly factor in corporate responsibility, particularly in terms of reducing the environmental impact of the information systems developed or managed. A poor assessment of the scale of the work to be done, an underestimate of the cost of providing the service or an incorrect estimate of the technical solutions to be implemented can lead to estimated costs being exceeded or contractual deadlines not being met. Such a delay can, in itself, result in late delivery penalties and/or budget overruns (additional days), resulting in additional costs and potentially impacting service margins.
Risk management measures
It is critical for the Group to be able to meet client demands and deliver consistent quality. In order to ensure the quality of management and execution of services, the Group has developed a series of methods, processes and controls. In order to further strengthen these aspects, the Group developed and released its Delivery Rule Book at the end of 2019 (a set of 30 mandatory rules covering all phases, from pre-sales to the end of production for services), the rollout of which continued throughout 2020. The selection of Project Directors and Project Managers is subject to specific requirements and criteria according to the level of risk and project complexity. Particular attention is paid before any appointment is made. Project managers receive specific training. These courses are regularly updated to include issues meriting special attention and warnings relating to risks. In addition to project and line management, Industrial Managers, under the authority of division/subsidiary managers and reporting functionally to the Group Industrial Department, are responsible for monitoring all projects as well as the application of the production rules. The review of proposals and contracts by line management, and also by the Industrial Department and the Legal Department, is an integral part of the controls implemented by the Group to fulfil its commitments. In addition, projects are reviewed on a regular basis, at key phases in their production life cycle. These reviews, which are organised by the Industrial Department or by its local representatives, provide an external perspective on the status and organisation of the delivery. Monthly steering meetings facilitate an overview of quality at all levels, the monitoring of annual quality targets established during management reviews and the determination of the appropriate action plans to continuously