Cap Gemini - Registration Document 2016

CORPORATE GOVERNANCE AND INTERNAL CONTROL

2.5 Internal control and risk management procedures

Risk management and internal control players for each of the three lines of defense. risk committee and involving various parties operating at different levels of the organization. These key players are presented below In 2016, the Group a risk management system administered by a development of the Group’s business activities and changes in its environment. These rules and procedures are updated periodically to reflect the and actions plans for priority risks. Management. These reviews encompass the overall consistency of the system, the priority risks identified, new or emerging risks internal control systems. The Audit & Risk Committee will therefore be required to review all systems implemented by Group The Group Audit & Risk Committee of Cap Gemini S.A. Board is responsible for monitoring the efficiency of risk management and relating to the risk management process within the Group. The Risk Committee, chaired by the Group Chief Financial Officer, is responsible for the effective implementation of a risk management Group management has delegated to a Risk Committee, created in 2016, the definition and implementation of the various activities and internal control system within the Group. It reports to the Audit & Risk Committee on all issues concerning these systems. The Risk Committee brings together the main members of Group Management with key players in the risk management process within the Group. At least two meetings are held annually to discuss the following main issues: internal control systems within the Group; monitoring of the implementation of risk management and ◗ the identification and prioritization of risks; the Risk Committee validates the mapping of the Group’s main risks; risks; the monitoring of plans defined and implemented for priority ◗ the various Business Units. the potential review of new or emerging risks communicated by ◗ The Risk Committee is also responsible for: proposing to the Board of Directors the acceptable Group’s risk ◗ level ; monitoring changes in the Group’s main risks; selecting the priority risks to be covered by short-term action ◗ plans; Committee; monitoring these action plans in conjunction with the managers ◗ responsible for the priority risks, as designated by the Risk the Insurance Director, who is responsible for coordinating the Group risk management and who supports the risk managment At an operating level, the Risk Committee builds on the actions of Business Units and functional departments. activities of the Risk Committee, and the managers of the various Group management and the Risk Committee Governance bodies The Audit & Risk Committee

decision-making. They concern: These principles is to ensure consistent and efficient authorization ; the decision-making process applied within the Group is based on rules governing the delegation of powers the delegation of decision-making powers and ◗ complying with the principle of subsidiarity and corresponding to the three levels of Capgemini’s organization: the Business Unit, for all issues that fall within its remit, ◗ concerning several Business Units under its authority, provisions to the Strategic Business Unit (SBU) for all issues ◗ the Group (Committee, Group Management, central functions, ◗ etc.) where a decision concerns a wider scope than the divestments, etc.) and/or whose financial impacts exceed well-defined materiality thresholds. Strategic Business Unit and for all transactions that must be decided at Group level due to their nature (acquisitions, This process has been formalized in an authorization matrix which requires both prior consultation and the provision of and drawbacks of each of the possible solutions. all interested parties as well as an assessment of the advantages sufficient information to the parties involved. Recommendations submitted to the final decision-maker must include the views of Blue Book defines the governance and organization of the Group and the main principles and basic guidelines the framework of general policies and procedures ; the ◗ underpinning the Group’s internal control procedures, and sets out the Group's requirements in each of the following areas: client contract pre-sale phase, risk management, pricing, contracting and legal rules, in the ❚ rules and guidelines, financial management, merger, acquisition, and insurance human resources policies, ❚ marketing and communications, knowledge management ❚ and Group IT, procurement policies, including ethical requirements and supplier selection, environmental and community policies. ❚ This set of rules and procedures, which has force of law within the Group, reminds employees of their obligations in this area and inventories the tools and methods which help them control risks identified in the exercise of the Group's businesses. environment. This rules and procedures were updated in 2016 to reflect the development of the Group's business activites and changes in its Group key principles, ❚ Group organization and governance, ❚ authorization and approval processes, ❚ sales and production rules and guidelines, ❚

2

97

Registration Document 2016 — Capgemini