
7 RISKS AND CONTROL

2. Internal control

SAINT-GOBAIN - REGISTRATION DOCUMENT 2016 (p. 182)

2.4.2 Doctrine

The Doctrine Department is responsible for preparing all financial, administrative and management procedures applicable to Group companies.

[Figure labels: Doctrine; Management; Group employees; Information “pushed” to employee email; Hotline; Intranet Doctrine]

These procedures, accessible on the Group’s intranet, cover two main themes: Group Organization and Procedures, and Financial and Accounting Standards.

Reports on the Doctrine Department’s activities are prepared twice a year for the Audit and Risk Committee.

2.4.3 Environment, Health and Safety (EHS) Reference Manual

The EHS Reference Manual describes the approach to be followed by all entities to introduce an EHS management system and contributes to meeting the objectives set by the Group in terms of environmental protection and prevention of workplace accidents and occupational illnesses. The approach is structured around the main steps of risk identification, preventive actions implementation, reduction and control of risks.

The EHS Reference Manual (2012 version) is accessible on the Group Intranet and is distributed to all sites. It is consistent with the ISO 14001:2004 and OHSAS 18001 certifications and with the Group’s World Class Manufacturing (WCM) approach (see section 4.2), and is used as the reference document for the audit of the EHS management systems (12- and 20-step audit). The Reference Manual and the audit will be reviewed in 2017 to reflect the latest developments in international standards.

In addition, the purpose of the EHS Handbook, updated in 2014, is to help all Group entities to develop and roll out an integrated EHS management system as required by the EHS Reference Manual. The EHS Handbook is intended as a tool to be available to all, and follows the continuous improvement cycle to describe and illustrate how to implement the chapters of the Reference Manual. Hence, it describes the requirements for each area and provides reference documents, examples of implementation or best practices.

Furthermore, the EHS Department works with its network to develop and update Group EHS standards, which describe the minimum applicable requirements and/or methodologies. These tools help to ensure that risks are assessed and controlled on the same basis in all Group entities, irrespective of the country and the local laws and regulations (see chapter 4, section 1.3). Implementation guides, procedures, training packs, assessment questionnaires, and cross-audits of standards implementation and computer tools have been developed to support the application of the standards at the sites.

2.4.4 General doctrine on information systems security

The Information Systems Department compiles rules and best practices concerning information systems and networks, based on four sets of compulsory minimum security rules in the following areas:

- infrastructure, with 15 minimum security rules (22 control points, 112 entities) and SGTS Security Reporting (34 control points, 17 SGTS covering 440 entities);
- industrial information technology systems, with 14 minimum security rules (20 control points, 301 entities with critical or large industrial IT systems);
- research and development systems, with 7 minimum security rules (13 control points, 14 R&D Centers);
- applications, with 17 minimum security rules (35 control points, 61 competency centers);
- hosting of our resources in partner-operated Datacenters coordinated by the Group ISD or the SGTS (55 control points, 17 Datacenters).

Technical standards are also issued as a supplement to these rules, and are updated periodically to keep pace with technological advances and control infrastructure services.

The Information Systems Department has defined and rolled out:

- a tool (RMT, Rights Management Tool) for controlling SAP user rights and managing conflicting segregations of duties. This tool will be gradually integrated into all the Group’s SAP systems;
- a technical standard to manage technical and business accounts that access applications (ATA/ABA, Application Technical Accounts/Application Business Accounts);
- a Web Application Secured Development (3.0) standard (WASD);