

7 RISKS AND CONTROL
2. Internal control
182 SAINT-GOBAIN - REGISTRATION DOCUMENT 2016

2.4.2 Doctrine

The Doctrine Department is responsible for preparing all financial, administrative and management procedures applicable to Group companies.

[Diagram: Doctrine; Management; Group employees; information “pushed” to employee; Hotline; Intranet]

These procedures, accessible on the Group’s intranet, cover two main themes: Group Organization and Procedures, and Financial and Accounting Standards.

Reports on the Doctrine Department’s activities are prepared twice a year for the Audit and Risk Committee.

2.4.3 Environment, Health and Safety (EHS) Reference Manual

The EHS Reference Manual describes the approach to be followed by all entities to introduce an EHS management system and contributes to meeting the objectives set by the Group in terms of environmental protection and prevention of workplace accidents and occupational illnesses. The approach is structured around the main steps of risk identification, preventive actions implementation, reduction and control of risks.

The EHS Reference Manual (2012 version) is accessible on the Group Intranet and is distributed to all sites. It is consistent with the ISO 14001:2004 and OHSAS 18001 certifications and with the Group’s World Class Manufacturing (WCM) approach (see section 4.2), and is used as the reference document for the audit of the EHS management systems (12- and 20-step audit). The Reference Manual and the audit will be reviewed in 2017 to reflect the latest developments in international standards.

In addition, the purpose of the EHS Handbook, updated in 2014, is to help all Group entities to develop and roll out an integrated EHS management system as required by the EHS Reference Manual. The EHS Handbook is intended as a tool to be available to all, and follows the continuous improvement cycle to describe and illustrate how to implement the chapters of the Reference Manual. Hence, it describes the requirements for each area and provides reference documents, examples of implementation or best practices.

Furthermore, the EHS Department works with its network to develop and update Group EHS standards, which describe the minimum applicable requirements and/or methodologies. These tools help to ensure that risks are assessed and controlled on the same basis in all Group entities, irrespective of the country and the local laws and regulations (see chapter 4, section 1.3). Implementation guides, procedures, training packs, assessment questionnaires, and cross-audits of standards implementation and computer tools have been developed to support the application of the standards at the sites.

2.4.4 General doctrine on information systems security

The Information Systems Department compiles rules and best practices concerning information systems and networks, based on four sets of compulsory minimum security rules in the following areas:

- infrastructure, with 15 minimum security rules (22 control points, 112 entities) and SGTS Security Reporting (34 control points, 17 SGTS covering 440 entities);
- industrial information technology systems, with 14 minimum security rules (20 control points, 301 entities with critical or large industrial IT systems);
- research and development systems, with 7 minimum security rules (13 control points, 14 R&D Centers);
- applications, with 17 minimum security rules (35 control points, 61 competency centers);
- hosting of our resources in partner-operated Datacenters coordinated by the Group ISD or the SGTS (55 control points, 17 Datacenters).

Technical standards are also issued as a supplement to these rules, and are updated periodically to keep pace with technological advances and control infrastructure services.

The Information Systems Department has defined and rolled out:

- a tool (RMT, Rights Management Tool) for controlling SAP user rights and managing conflicting segregations of duties. This tool will be gradually integrated into all the Group’s SAP systems;
- a technical standard to manage technical and business accounts that access applications (ATA/ABA, Application Technical Accounts/Application Business Accounts);
- a Web Application Secured Development (3.0) standard (WASD);