2021 UNIVERSAL REGISTRATION DOCUMENT

3.1. Definition and objectives of Internal Control

3. Risk factors and control environment

3.1. Definition and objectives of Internal Control

This Chapter presents the internal control environment of L’Oréal, including the system relating to the preparation and processing of accounting and financial information, based on the various work carried out by the Group’s Internal Control and Risk Management departments.

It includes the description of risk factors pursuant to Regulation (EU) 2017/1129 of 14 June 2017 (“Prospectus Directive III”), as well as the associated risk management policy. These risks a represented in four categories: (i) business risks, (ii) industrial and environmental risks, (iii) legal and regulatory risks, (iv) financial and market risks. The main non-financial risks within the meaning of the Non-Financial Performance Statement, as defined by Articles L. 225-102-1 and L. 22-10-36 of the French Commercial Code, are described in Chapter 4 of this document (see section 4.2.).

This Chapter also includes the Vigilance Plan drawn up pursuant to Article L. 225-102-4 of the French Commercial Code.

3.1.1. Reference work

For the preparation and drafting of this Document and the definition of Internal Control, L’Oréal used the Reference Framework and its application guide initially published in January 2007, and updated on 22 July 2010 by the Autorité des Marchés Financiers (AMF).

3.1.2. Internal Control objectives

At L’Oréal, Internal Control is a system that applies to the Company and its consolidated subsidiaries(the “Group”) and aims at ensuring that:

  • economic and financial targets are achieved in compliance with the laws and regulations in force and the Group’s Ethical Principles and standards;
  • the orientations set by General Management are followed;
  • the Group’s assets and reputation are valued and protected; and
  • the Group’s financial and accounting information is reliable and provides true and fair statements.

By contributing to preventing and managing the risks to which the Group is exposed, the purpose of the Internal Control system is to enable the Group’s manufacturing and economic development to take place in a steady and sustainable manner in a control environment appropriate for the Group’s businesses. There are however limits inherent in any system and process. These limits result from a number of factors, in particular the uncertainties of the outside world or malfunctions that may occur due to technical or human failures.

The handling of a risk relies in particular on a reasonable informed choice between the challenges to be controlled, the opportunities to be seized and the cost of the risk management measures, taking into account the effects of these measures on the occurrence and impact of the risk.

3.1.3. Continuous improvement of the Internal Control system

Within a continuous improvement process, the Group continued its efforts to improve the system of Internal Control in 2021 by taking the following actions:

  • review of the Group matrix for segregation of duties and the associated control environment;
  • new operational guides made available to remind the Group’s principles and enable the sharing of best practices(e.g. philanthropy policy);
  • establishment of the “Fundamentals of Internal Control”digital library, with new areas covered (prevention of corruption, vigilance points on competition);
  • regular update of existing reference frameworks to be adapted to new challenges;
  • updated version of the Group’s digital referential (see section “Communication of information inside the Group” in section 3.2.1. “Organisation and environment” of this document); and
  • revamping of the programme to raise awareness of the risks of fraud.

The deployment of online training (prevention of corruption, data security, competition, cyber security, personal data protection) is ongoing. The network of Internal Control managers continued to be built up worldwide through:

  • specific training courses;
  • informative web chats for sharing updates on Group projects and business standards; and
  • a special-purpose communication platform that encourages and facilitates the sharing of best practices.