Universal Registration Document 2021

3 RISKS, LITIGATION, AND CONTROLS RISK FACTORS

BUSINESS CONTINUITY

[102-34] Risk identification

Risk monitoring and management

A common framework with strong governance, supported by a defined matrix organization and leadership team by division exists across Technicolor, supported by the Technicolor Security Office. Crisis Management and Employee Safety (CMES) programs are established along with significant business incident (SBI) tools and an underpinning process with HR and TSO. Tools, process and resources are in place to anticipate the unforeseen risks ( i.e ., pandemic). A centralized Business Continuity Management System (BCMS) was launched in 2021 across the Group with increased visibility into governance and BCPs across the Group. These improvements also include BCP with pandemic and return to office framework as well as checklist per site and RTO readiness added to the existing BCP site which will significantly reinforce Company’s response in managing the unforeseen risks.

There are risks that critical processes, production/activities are impacted or forced to cease operations by natural disasters ( e.g. : earthquake, floods or pandemics), by government mandates or man-made incidents. Immature and inefficient Business Continuity Plan (BCP) may significantly handicap the Group to return to operations quickly and ultimately have significant impact on its financial situation. For instance, Technicolor Creative Studios relies heavily on the Bangalore studio headcount and any significant business disruption there would have a material impact. As of now, individual Business units have Business Continuity Plans. However, additional work remains to develop a Group-level plan that facilitates sharing of infrastructure across divisions in the event of a major business disruption. Lack of tabletop exercises may also leave potential opportunities for improvement should risks materialize. Business continuity program performance must be tested to ensure they are operational if needed, however limited resources lead to reduced recovery testing by the businesses. Also, producing security assessment reports require tools which licenses may be expensive and leverage infrastructure items that need maintenance. In addition, unavailability from key tools used for BCP and business operations along with lack of data backup could cause business disruption. Risk of poor coordination between IT Disaster Recovery (DR) and BCP operations may compromise the efficiency of continuity solutions. Not updating BCPs with lessons learnt from the pandemic could put the Group in the same situation in the future. Knowledge transfer of business continuity is at risk because of manual project excel based tracking. Insufficient awareness and ownership of incident management, escalation, response procedures and processes may also increase vulnerability.

58

TECHNICOLOR UNIVERSAL REGISTRATION DOCUMENT 2021