CAPGEMINI_REGISTRATION_DOCUMENT_2017

2

CORPORATE GOVERNANCE - RISKS AND INTERNAL CONTROL

2.5 Risks and internal control

the Group (Office of the CEO, Group Executive Board, Group Executive Committee, central functions, etc.) where a decision concerns a wider scope than the Strategic Business Unit and for all transactions that must be decided at Group level due to their nature (acquisitions, divestments, etc.) and/or transactions with financial impacts in excess of well-defined materiality thresholds. This process has been formalized in an authorization matrix which requires both prior consultation and the provision of sufficient information to the parties involved. Recommendations submitted to the final decision-maker must include the views of all interested parties as well as an assessment of the advantages and drawbacks of each of the possible solutions;

the framework of general policies and procedures; the Blue Book defines the governance and organization of the Group and the main principles and basic guidelines underpinning the Group's internal control procedures, and sets out the Group's requirements in each of the following areas:

- Group key principles,
- Group organization and governance,
- authorization and approval processes,
- sales and production rules and guidelines,
- risk management, pricing, contracting and legal rules, in the client contract pre-sale phase,
- financial management, merger, acquisition, and insurance rules and guidelines,
- human resources policies,
- marketing and communications, knowledge management and Group IT,
- procurement policies, including ethical requirements and supplier selection, environmental and community policies.

This set of rules and procedures, which has force of law within the Group, reminds employees of their obligations in this area and inventories the tools and methods which help them control risks identified in the exercise of the Group's businesses. The rules and procedures were updated in 2016 to reflect the development of the Group's business activities and changes in its environment.

Risk management and internal control players

From 2016, the Group developed a risk management framework administered by a Risk Committee and involving various parties operating at different levels of the organization. These key players are presented below for each of the three lines of defense.

These rules and procedures are updated periodically to reflect the development of the Group's business activities and changes in its environment.

The Audit & Risk Committee is therefore required to review all systems implemented by Group Management. These reviews cover:

- the overall consistency of the system;
- verification that the major risks faced by the Group are identified and monitored;
- presentation of new or emerging risks.

Group Management and the Risk Committee

Group Management has delegated to a Risk Committee, created in 2016, the definition and implementation of the various activities relating to the risk management process within the Group. The Risk Committee, chaired by the Group Chief Financial Officer, is responsible for the effective implementation of a risk management and internal control system within the Group. It reports to the Audit & Risk Committee on all issues concerning these systems. The Risk Committee brings together the main members of Group Management with key players in the risk management process within the Group. At least two meetings are held annually to discuss the following main issues:

- monitoring of the implementation of risk management and internal control systems within the Group;
- identification and prioritization of risks; the Risk Committee validates the mapping of the Group's main risks;
- monitoring of plans defined and implemented for priority risks;
- the potential review of new or emerging risks communicated by the various Business Units.

The Risk Committee is also responsible for:

- proposing to the Board of Directors the Group's acceptable risk level;
- monitoring changes in the Group's main risks;
- selecting the priority risks to be covered by short-term action plans;
- monitoring these action plans in conjunction with the priority risk managers, as designated by the Risk Committee;
- approving and implementing the risk management and internal control policy.

At an operating level, the Risk Committee builds on the actions of the Insurance Director, who is responsible for coordinating Group risk management and who supports the risk management activities of the Risk Committee, and the managers of the various Business Units and functional departments. In this respect, the risk management coordinator:

- makes methodology tools and approaches available to the various management bodies;
- coordinates all risk management activities within the Group;
- centralizes and consolidates all work and particularly work performed by the various priority risk managers;
- encourages the sharing of good practice within the Group.

Governance bodies

The Audit & Risk Committee

The Capgemini SE Board’s Audit & Risk Committee is responsible for monitoring the efficiency of risk management and internal control systems.
