CORPORATE GOVERNANCE AND INTERNAL CONTROL

2.5 Internal control and risk management procedures

2

97

Registration Document 2016 — Capgemini

decision-making. They concern:

These principles is to ensure consistent and efficient

authorization

; the decision-making process applied within the

Group is based on rules governing the delegation of powers

the delegation of decision-making powers and

◗

complying with the principle of subsidiarity and corresponding to

the three levels of Capgemini’s organization:

the Business Unit, for all issues that fall within its remit,

◗

concerning several Business Units under its authority,

provisions to the Strategic Business Unit (SBU) for all issues

◗

divestments, etc.) and/or whose financial impacts exceed

well-defined materiality thresholds.

Strategic Business Unit and for all transactions that must be

decided at Group level due to their nature (acquisitions,

the Group (Committee, Group Management, central functions,

◗

etc.) where a decision concerns a wider scope than the

and drawbacks of each of the possible solutions.

all interested parties as well as an assessment of the advantages

sufficient information to the parties involved. Recommendations

submitted to the final decision-maker must include the views of

This process has been formalized in an authorization matrix

which requires both prior consultation and the provision of

underpinning the Group’s internal control procedures, and sets

out the Group's requirements in each of the following areas:

Blue Book defines the governance and organization of the

Group and the main principles and basic guidelines

the framework of general policies and procedures

; the

◗

Group key principles,

❚

Group organization and governance,

❚

authorization and approval processes,

❚

sales and production rules and guidelines,

❚

client contract pre-sale phase,

risk management, pricing, contracting and legal rules, in the

❚

rules and guidelines,

financial management, merger, acquisition, and insurance

human resources policies,

❚

marketing and communications, knowledge management

❚

and Group IT,

procurement policies, including ethical requirements and

supplier selection,

environmental and community policies.

❚

inventories the tools and methods which help them control risks

identified in the exercise of the Group's businesses.

This set of rules and procedures, which has force of law within the

Group, reminds employees of their obligations in this area and

environment.

This rules and procedures were updated in 2016 to reflect the

development of the Group's business activites and changes in its

Risk management and internal control players

for each of the three lines of defense.

risk committee and involving various parties operating at different

levels of the organization. These key players are presented below

In 2016, the Group a risk management system administered by a

development of the Group’s business activities and changes in its

environment.

These rules and procedures are updated periodically to reflect the

Governance bodies

The Audit & Risk Committee

and actions plans for priority risks.

Management. These reviews encompass the overall consistency

of the system, the priority risks identified, new or emerging risks

internal control systems. The Audit & Risk Committee will therefore

be required to review all systems implemented by Group

The Group Audit & Risk Committee of Cap Gemini S.A. Board is

responsible for monitoring the efficiency of risk management and

Group management and the Risk Committee

relating to the risk management process within the Group. The

and internal control system within the Group. It reports to the

Audit & Risk Committee on all issues concerning these systems.

Risk Committee, chaired by the Group Chief Financial Officer, is

responsible for the effective implementation of a risk management

Group management has delegated to a Risk Committee, created

in 2016, the definition and implementation of the various activities

the Group. At least two meetings are held annually to discuss the

following main issues:

The Risk Committee brings together the main members of Group

Management with key players in the risk management process within

internal control systems within the Group;

monitoring of the implementation of risk management and

◗

the identification and prioritization of risks; the Risk Committee

validates the mapping of the Group’s main risks;

risks;

the monitoring of plans defined and implemented for priority

◗

the various Business Units.

the potential review of new or emerging risks communicated by

◗

The Risk Committee is also responsible for:

proposing to the Board of Directors the acceptable Group’s risk

◗

level ;

monitoring changes in the Group’s main risks;

selecting the priority risks to be covered by short-term action

◗

plans;

Committee;

monitoring these action plans in conjunction with the managers

◗

responsible for the priority risks, as designated by the Risk

Business Units and functional departments.

activities of the Risk Committee, and the managers of the various

the Insurance Director, who is responsible for coordinating the

Group risk management and who supports the risk managment

At an operating level, the Risk Committee builds on the actions of