HERMÈS - 2018 Registration document

1

Overview of the group

Risk factors

Audit and risk management department (A&RMD)

The department reports to the Group’s Executive Vice-President of Governance and Organisational Development, which guarantees its independence, and has unlimited authority to review any matter at its discretion. The A&RMD consists of a core team of experienced auditors, and runs a decentralised network of internal controllers. It performs three main roles for the Group:

• it performs internal audits and monitors the implementation of the recommendations;
• it identifies and analyses risks;
• it ensures the deployment of internal controls suited to Group ventures.

The auditors work on the basis of an annual audit plan, validated by the Executive Management and the Audit and Risk Committee, which is adapted every six months, if necessary. The audit plan is powered by comprehensive risk analysis, including financial, operational and compliance, by the proposals of the Executive Committee and by the audit trails. It must allow a regular review of all Group entities and processes, with a frequency appropriate to the magnitude of the risks and the relative weight of the various Group entities. The A&RMD also carries out support assignments for the internal control roll-out within newly acquired entities. In order to conduct specialised audits, A&RMD may call upon outside firms or use appropriate analysis tools which are used notably in the context of preventing accounting fraud. The A&RMD regularly conducts integrated audits with Group experts.

The A&RMD carries out a continuous improvement initiative as regards the internal control and risk management systems. It notably monitors the practices of other companies in such matters. It works alongside the Group’s various departments in order to promote the upstream handling of the main risks, as well as emerging risks, and runs the risk mapping approach of the main businesses, retail subsidiaries and support functions.
The methodology for risk mapping is regularly updated in the light of best practice. In 2017, this methodology was entirely revised by a specialist external firm.

The A&RMD coordinates a network of around 60 employees responsible for internal control, in France and abroad, within the métiers, in distribution and in support activities. This coordination includes awareness-raising about best internal control practices. Lastly, it also participates in the Group training sessions in order to promote an awareness of risk management and internal control best practices amongst the management.

An audit charter formalising the duties and responsibilities of the internal auditors and their professional conduct and detailing their audit engagements was released and circulated in 2010. In 2013, the system was completed by a risk charter that formalises the principles and rules implemented with regard to risk management, and by an internal control charter that formalises the roles and responsibilities of the people involved in internal control. These charters are reviewed regularly.

The Head of audit and risk management attends Audit and Risk Committee meetings. He meets with the Audit and Risk Committee six times a year, including once without the presence of third parties. He presents a report on the Audit and Risk Committee’s activity each year.

Internal control managers

Internal control managers oversee the implementation of the internal control system within their scope, businesses, distribution subsidiaries or support functions. They report to the CFO of their entity. They work according to an annual plan, shared with their department and A&RMD, taking into account the Group’s internal control priorities and the risks specific to their company. Within their entity, their main tasks are to:

• review the key risks and the organisation of internal control;
• verify the implementation of Group procedures in accordance with local regulations;
• participate in self-assessment of internal control work;
• spread the culture of internal control to all employees;
• perform monitoring of the action plans of risk mapping;
• follow up on the audit recommendations of the A&RMD.

Specialised committees

Hermès Group has deployed specific processes to monitor certain risks through specialised committees or working groups. These committees meet on a regular basis. For example, committees focusing on real estate risks, safety, IT risks and treasury risks analyse the issues, and study the appropriate corrective measures so that they are deployed in the entities. They also check that existing control systems comply with Group procedures. The main operational contacts involved take part in these committees, as does A&RMD, whose role is to facilitate the identification of risks and of the associated action plans.

Since 2016, the Group Security Committee has been arbitrating on cross-functional topics of security and monitoring the functioning of the specialised committees. In addition, an ad hoc committee on the safety of transport, comprising the Group Safety Department, Transport Department, Insurance Department, Audit and Risk Management Department and the departments of the Métiers concerned is also held on a regular basis to define actions to improve the transportation safety of products at Hermès.

In 2017, Hermès Group introduced the «Compliance and Vigilance Committee», comprising representatives of the Compliance Department, Legal Department, Sustainable Development Department, Industrial Affairs Department, Audit and Risk Management Department, Marketing Department and Human Resources Department, in order to prepare a vigilance plan for all Group subsidiaries. A Director of Legal Compliance and Public Affairs was appointed in 2017. His duties are detailed in paragraph 3.2.2.2.
