2021 UNIVERSAL REGISTRATION DOCUMENT

3. Risk factors and control environment

Business risks/Information and cybersecurity systems
Risk identification Risk management

In a context of digital transformation and constant development of information technologies and their uses, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation.

As a result, the malfunction or breakdown of these systems or the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks, etc.) internally or at a third-party service provider of the Group could have a material impact on the Group’s business activities.

The Global IT Department has introduced strict security rules for infrastructures, equipment and applications. Furthermore, in order to adapt to the development of new methods of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To address the growing threat of cybercrime, L’Oréal takes continuous steps to strengthen the resources dedicated to information system security.

This plan relies in particular on anti-intrusion equipment, regular intrusion tests, an information system security audit programme, the protection of sensitive equipment and global supervision to identify irregularities. L’Oréal’s security focus is constantly adjusted to deal with new threats of cyberattacks. For example, the Group is increasingly investing in incident detection and reaction systems and carries out regular reviews of the effectiveness of these solutions. In addition, in order to mobilise all teams, the Group conducts a global awareness campaign every year. Online training in the best cybersecurity practices is available for all employees. As at 31 December 2021, 82% of employees had validated this e-learning programme.

Management of risks related to data is described in the “Data” risk section.

Business risks/Geographic presence and economic and political environment
Risk identification Risk management

L’Oréal is a global corporation that has subsidiaries in 73 countries. More specifically, the global development of the cosmetics market has led L’Oréal to develop its Travel Retail business as well as its business in countries of North Asia, which represented 30.5% of sales in 2021, SAPMENA-SSA (South Asia Pacific, Middle East, North Africa, Sub-Saharan Africa) 7.2% of sales, and Latin America 5.5% of sales.

Because of this globalisation, political or economic disturbances (strong economic slowdown due to e.g. geopolitical tensions or a health crisis, international trade tensions, sovereign debt crises) in countries in which the Group generates a significant portion of its sales could have an impact on its business activities. The impact and management of the risk related to Covid-19 are described in the “Sanitary crisis” risk factor.

L’Oréal’s global presence and its portfolio of 35 major international brands help to maintain a balance in sales and offsetting between the geographic zones, product categories and distribution channels (details on sales from the zones are presented in section 1.3. “2021 Financial results and corporate social responsibility commitments” of this document).

Business risks/Crisis management
Risk identification Risk management

Prejudicial events or information mainly related to the use or misuse of a product, or an inappropriate individual behavior, whether proven or not, could affect the reputation of L’Oréal, its 35 major international brands and its products and, as a result, affect sales and, more generally, its financial position. The impact of the risk could be amplified, notably, by:

  • the explosion of digital and social media all around the world;
  • the emergence of social beauty, which is connected and shared;
  • the role of influencers as opinion leaders with a significant community of subscribers; and
  • societal movements and enquiries by the civil society, consumers, etc. to the Group or the brands.

L’Oréal has set up a system of:

  • training sessions in crisis communication and support for the communication teams on key issues for the Group;
  • crisis risk management at corporate and local levels;
  • a permanent online monitoring system in English, French and Chinese. The subsidiaries deploy their own social media and web monitoring systems under the responsibility of their Director of Communication and immediately report a media risk in their country to the Corporate Communications Department; and
  • a crisis management procedure which is tasked with preventing, managing and mitigating the consequences of undesirable events on the Company across the globe. The Group crisis management officer reports directly to General Management.

The deployment of the Code of Ethics throughout the Group aims at reinforcing the dissemination of the rules of conduct which form the basis of L’Oréal’s integrity and ethics. These rules of conduct seek to guide actions and behavior, inspire choices, and make sure that the Group’s values are reflected in the everyday acts of each employee. L’Oréal has also implemented a “Code of Good Practice for the Use of Social Media” for its employees.

On its website, the Group has published the “Influencer Value Charter” which each influencer with whom L’Oréal collaborates agrees to respect. The Group’s principles and operational processes, to be applied for partnerships with influencers, have been disseminated worldwide to the collaborators concerned.