PRESENTATION OF THE GROUP AND ITS ACTIVITIES

1.7 Risk analysis

Registration Document 2016 — Capgemini

Information systems

Risk factors

New technologies (Cloud computing, “Bring your own device”, etc.) and new practices (social networks, mobility, Software-as-a-Service - SaaS, etc.) inevitably expose the Group to new risks. Risks relating to cyber criminality of all kinds could lead to a loss of data, delays in the delivery of our projects, service interruptions at our clients, or additional costs that could impact the reputation or financial health of the Group.

The systems underlying the publication of the Group’s consolidated financial statements also present a specific risk in view of the strict reporting deadlines.

Risk management systems

The Group has implemented business continuity procedures in the event of a disruption to IT services. The main management IT systems are covered by back-up plans in different data centers.

The Group is aware of the importance of internal communication network security, and protects its networks via security rules meeting the highest international standards, proactive controls, a detection center operating 24/7 and specific technical equipment such as firewalls. Rules and procedures are defined in a security policy founded on numerous international standards and procedures (our operating sites are certified ISO 27001). This security policy and the back-up plans are validated and audited periodically.

For some projects or clients, enhanced systems and network protection are provided on a contractually agreed basis.

The Group also has a program that seeks to control the cyber risks for its main systems. This dedicated structure is headed by the Cyber Security and Information Protection Director (CySIP).

This program covering exposure to cyber risks comprises three subgroups dealing with governance related issues (organization, policy and communication and awareness-raising) and five operational projects (data protection, mobility management, access management, information system control and steering and strengthening infrastructures). The CySIP community includes cyber risk specialists in the following areas:

CySIP Officers in the business units, for client project monitoring;

Data Protection Officers responsible for the protection of personal data;

Chief Information Security Officers responsible for the protection of internal information systems.

The aim of this program is to become a benchmark presented to our clients which helps strengthen the credibility of the Group on Digital and cybercrime issues. The Group’s policy and organization for the protection of personal data were drawn up based on rules defined by the European Commission (Binding Corporate Rules - BCR) and validated by the CNIL (French National Commission for Data Protection and Liberties), for the processing and storage of our own data and that of our clients.

Service continuity

Risk factors

Capgemini’s evolving production model, Rightshore®, involves transferring a portion of the Group’s production of part of its services to sites or countries other than those in which the services are used or in which the Group’s clients are located and particularly India, Poland, China and other Asian and Latin American countries. The development of this model has made the Group more reliant on telecommunications networks, which may increase the risk of business interruption at a given production site due to an incident or a natural disaster, in so far as several operational units could be affected simultaneously. The use of a large number of production sites increases the range of contingency options available to the Group.

Risk management systems

Production systems and services provided by the Group to its subsidiaries are duplicated and covered by back-up plans that are tested.

Telecommunications networks used by the Group are duplicated in cases where “Rightshored” production resources are deployed. In the event of a breakdown in the preferred (fastest) communications network between Europe and India, service continuity is ensured by tried and tested alternative routes. The Group’s Indian subsidiary has set up a Business Continuity Management (BCM) structure to ensure service continuity in line with the Good Practice Guidelines of the Business Continuity Institute (BCI). These measures take account of various degrees of hypothetical threats along with the related damages considering the situation and impacts on the site, urban agglomeration and possibly the country. Communication (for example e-mail) and collaborative systems are covered by a redundant architecture at two data centers ensuring service continuity, or are hosted by a supplier with systems with similar redundancy and reliability measures.

Business continuity and resumption plans in the event of a disruption to the specific IT infrastructures of a given center, client or contact, are the responsibility of the Group subsidiaries.

Where required by specific contracts, a business continuity plan is prepared by selecting appropriate measures according to the criticality of the service. Reviews and simulations are performed in the subsidiary entities to test the efficiency of these plans. Certain of these entities have heightened security requirements reflecting certain clients’ imperatives and they are consequently certified ISO 27001 compliant by an independent agency.

Suppliers and sub-contractors

Risk factors

Capgemini is dependent upon certain suppliers, especially in its Technology Services and networks businesses. While alternative solutions exist for most software and networks, the failure of a supplier to deliver specific technology or expertise could have prejudicial consequences for certain projects.