technicolor - 2019 Universal registration document

RISKS, LITIGATION, AND CONTROLS RISK FACTORS

CUSTOMER PROJECT MANAGEMENT



Risk identification

Risk monitoring and management

Projects in the Production Services Division vary greatly in size, with several large projects that can last 12-18 months and numerous small ones that require much quicker turnarounds. The difficulty resides in the proper allocation of resources to deliver a production on time and on budget, mitigating gaps between projects, and managing changes by clients in production scope, production schedules and release dates. The projects can also be executed across multiple geographies and time zones, which may create challenges for the management of such projects. If a project consumes more resources than initially planned, it may lead to cost overruns that may be difficult to recover from our customers, especially as much of Production Services’ business operates under fixed-price contracts. Dependencies may also exist with the customer and/or other service providers of the customer that can negatively impact the time available to Production Services to complete a project. For example, Production Services’ VFX businesses are dependent upon the client’s turnover of shots; any delay in turnover by the client reduces the amount of time Production Services has to complete them, which may then require additional resources and costs in order to maintain the production schedule.

In Production Services, there are dedicated processes in place for risk assessment that are regularly updated throughout the execution of the projects to address any mitigating actions needed. As part of the bidding process, the allocation and planning of resources is reviewed by production management to ensure that the assessment is adequate to deliver the project plus the allocation of a contingency. During production, robust monitoring of projects, including regular cost-to-complete financial reviews, is established to ensure that work-in-progress is in line with budgets initially approved, as well as anticipate any deviations in terms of resources, quality and delivery timing. Progress reports and management indicators are built to support this monitoring process. To ensure that quality of services is in line with customers’ expectations, initial tests and intermediary deliveries are scheduled with customers. The division also uses workflow management tools which help to coordinate reviews and deliveries with third parties and limit the dependencies risks. Further mitigating client dependencies, with fixed bid awards, contracts have well-structured change order provisions to allow for the negotiation of award increases or decreases if a client materially changes the project scope or scale or for creative retakes. With a network of production studios across the globe, Production Services also has the scale and technology to optimize resource allocation and utilization if a specific project requires additional resources that were not previously anticipated or if a client changes its production schedule and/or release date for the project. The security actions related to content production networks are led by internal security teams and focus on the mitigation of these risks. These security actions and protocols are continuously implemented, enforced, evaluated and updated as new production facilities are built, moved or acquired, and as new technologies or threats emerge. The security policies and the use of qualified suppliers, equipment and software, combined with regular security trainings, security assessments and penetration testing, aim to mitigate the risk to an acceptable level. For physical security risks, a dedicated team conducts risk assessments on all critical sites and suggests a remediation plan for local security coordinators when needed. Technicolor security standards are continuously reviewed and updated to stay current with the industry and with established security policies. Technicolor hosts audits from various customers (including studios) and industry associations such as the Motion Picture Association of America. Overall in 2019, Technicolor supported over 153 security audits, which included a combination of internal and external audits. Audit findings are tracked and managed by internal teams. Risk monitoring and management

3

CYBER AND PHYSICAL CONTENT SECURITY



GRI [103-1 Customer privacy] [103-2 Customer privacy] Risk identification

The secure maintenance and transmission of customer information is an essential component of the Production Services Division’s operations, as the Group is entrusted with the creation and distribution of highly sensitive content on behalf of its customers and business partners. Production Services relies on internal and external information systems and technologies (managed both by the Group and by third parties) that compute, maintain and transmit multimedia content, for example to render Visual Effects or ensure post-production digital services. The security of this information may be compromised as a result of system or control failures, inadequate or failed processes, human error, willful breaches (internal and external), cyberattacks and/or business interruptions. These events could lead to a breach in the division’s global security protocols and sensitive assets belonging to its customers (such as major studios), may be lost, disclosed, misappropriated, altered or accessed without consent. The failure to have sufficient content security systems and protocols may cause key customers to pull work from Production Services’ facilities and more globally is likely to expose the Group to significant financial burden, legal liability, loss of reputation and loss of revenue.

51

TECHNICOLOR UNIVERSAL REGISTRATION DOCUMENT 2019