2021 UNIVERSAL REGISTRATION DOCUMENT

3. Risk factors and control environment

The Administration and Finance Department

This Department’s main role is to assist and control the operational employees in their administrative, financial and legal activities and in the processing of information. In order to do so, it sets the operating rules that apply to all entities, defines and deploys tools, procedures and best practices, particularly in the following areas: management, accounting and consolidation, investments (via the BOLD corporate venture fund) and holdings, financing and cash, taxes, legal issues and data governance (including the protection of personal data), financial communication, strategic planning, and insurance.

An Internal Control Committee has the task of taking all measures to promote the proper understanding and the proper application of the Group’s Internal Control rules and also to monitor progress on important Internal Control projects. It is composed of the Chief Financial Officer, and the Directors of Ethics, Risk and Compliance, Internal Control, Operational Finance, Internal Audit and Information Systems (Global IT).

Ethics, Risk and Compliance Department

The objective of this department is primarily to coordinate, with all those concerned, the processes designed to identify, assess and prioritise risks, and to keep the Group’s risk mapping up to date. Its aim is to promote the optimal use of resources so as to minimise and control the impact of negative events and to make the most of opportunities.

The Chief Ethics, Risk & Compliance Officer reports directly to the Chief Executive Officer.

The Internal Control Department

This Department, which is separate from Internal Audit, is under the responsibility of the Ethics, Risk and Compliance Department.

It works with the experts in each of the Group’s business lines to define and regularly update the internal control framework relating to their area of activity. This internal control framework is summarised in the “Fundamentals of Internal Control” reference document and detailed in standards and procedures that are listed in the Group’s “digital referential”.

It also manages and develops a network of around 150 regional and local internal control managers covering all Group entities, whose mission is to apply the internal control framework and support employees in ensuring compliance with this framework.

Frequent participation in seminars, training cycles, webinars with business lines and the publication of notes of engagement help to strengthen knowledge of the internal control framework within the organisation.

Within a continuous improvement process, the Internal Control Department develops, disseminates and coordinates self-evaluation campaigns focusing on the main risks and issues identified, gradually being rolled out in each of the business lines. The self-evaluation of Internal Control makes it possible for the Group’s entities to ensure the due and proper functioning of the system and to reinforce it with operational actions.

The Internal Control Department steers the Internal Control Committee, which validates the directions and priorities for improving the internal control framework, developing the network of internal control managers and developing the tools used to perform internal control tasks.

In addition, this Department monitors developments in expectations and market practices relating to Internal Control.

The Internal Audit Department

In addition to its role of monitoring the application of the Internal Control system, the Internal Audit Department carries out cross-functional analyses with regard to possible Internal Control weaknesses based on findings noted during its assignments. These analyses make it possible to direct the work of the Internal Control Committee and to identify the priority areas for improvement and strengthening of procedures.

Internal Audit is carried out by a central team that reports directly to the Chief Executive Officer. This department carries out regular assignments to audit major processes and check on the application of Group principles and standards.

Internal Audit assignments are submitted to the General Management and the Audit Committee for their approval and give rise, with their agreement, to the preparation of an annual audit plan. The Group’s risk mapping, the entities’ contribution to the Group’s key economic indicators, their historical precedence and the results of previous audits are factors that are taken into account when defining remits. The risk level assessment carried out by the area departments and experts in the different business lines is also a determining factor in the elaboration of the annual audit plan. Finally, the remarks made by the external auditors as part of their annual audit are also taken into consideration by the Internal Audit Department when defining its assignments.

In 2021, the Internal Audit Department carried out 50 assignments: 19 involved commercial entities, 9 were factory reviews, 3 were carried out on International Marketing Departments and 12 were on targeted processes at Group, Zone or Country level. Of these, 6 were specifically dedicated to digital and e-commerce activities. In addition, 2 specific assignments were devoted to certain objectives of the L’Oréal for the Future programme, 2 were dedicated to project management and 3 were carried out on topics relating to information systems and cyber security.

Audits systematically result in a report that describes the findings and corresponding risks, and provides an action plan covering all recommendations to be implemented by the audited entity. These action plans are followed up regularly by the Internal Audit Department which measures, and communicates to the relevant departments, the rate of progress made in acting on the recommendations.

The Internal Audit Department uses the Group’s integrated Enterprise Resource Planning (ERP) software and has developed a number of specific transactions that help it better identify potential weaknesses in the most sensitive processes. These transactions have been enhanced with data analytics capabilities, which are strengthened every year with new standard analyses developed by Internal Audit and with the dashboards and analysis tools that the businesses continually develop for their own management needs. Finally, the Internal Audit Department has a Governance, Risk and Compliance (GRC) tool, which allows it to carry out its tasks in a single integrated environment and to consolidate in real time the progress made on the action plans of the audited entities. This tool is shared with the Internal Control function and thus serves as an integrated collaborative platform for the implementation of action plans.

The achievement of the audit plan, the results of assignments and the progress of the action plans are presented to General Management on a regular basis and shared with the Audit Committee and the Group’s Statutory Auditors each year.