PERNOD RICARD - 2018-2019 Universal registration document

4.

RISK MANAGEMENT Risk factors

Negativemedia/social media campaign 3.

Risk identification and description

Potential impacts on the Group

Media/social media attacks represent a major threat for the Group. Through the increasing number and growing influence of social media networks, the Group faces the risk of being exposed to significant media coverage of inappropriate publications or messages.

A malicious attack intending to damage the reputation of the Group or a genuine incident in relation with Pernod Ricard brands could have a significant impact on the Group’s image and reputation. Further widespread negative media coverage could lead to jeopardizing the consumers’ confidence in Pernod Ricard brands resulting in a potential sales decline.

Risk control andmitigation The Group's risk is managed through a series of internal and external measures. While internal measures primarily focus on raising the awareness on the impacts of social media and sharing good practices in terms of communication, external measures mainly lay the emphasis on the monitoring of social networks and the promotion of the Group's S&R activities.

Cyberattack 4.

Risk identification and description

Potential impacts on the Group

The Group’s digital transformation has brought with it greater exposure to risks stemming from cyberattacks, as well as those related to IT and telecommunications system failures. These systems are of inestimable importance in the Group’s day-to-day processing, transmission and storage of electronic data relating to both operations and financial statements, and communication between Pernod Ricard’s personnel, customers and suppliers. Stronger personal data protection regulations, including the General Data Protection Regulation, increase the risks associated with regulatory non-compliance.

Potential impacts of a cyberattack and its effects depend on the nature of the attack: leakage, loss, theft of personal, strategic or confidential data, — and the resulting chain of potential repercussions; system failure; — incapacity to perform day-to-day operations. — Although the Group invests a significant amount in maintaining and safeguarding its IT systems, particularly in view of growing threats in terms of cybercriminality, any malfunctions, significant disruption, loss or disclosure of sensitive data could disrupt the normal course of business, and have financial, operational or reputational consequences.

Risk control andmitigation The Group has drawn up a cybersecurity-specific roadmap based on the establishment of dedicated governance and resources. It also has cyber insurance providing coverage of €20 million. The Group strives to strengthen the security of its infrastructure, its websites and its networks. Infrastructure monitoring and management is performed constantly. IT and security audits are performed to assess whether the level of security is adequate; they give the Group a good overview of the reliability of its IT systems. In addition, awareness-raising campaigns are conducted. Lastly, tests are carried out on the recovery of the Group’s IT systems following a hypothetical cyberattack, and a plan designed to facilitate the recovery of data as efficiently as possible has been drawn up.

129

2018-2019

PERNOD RICARD UNIVERSAL REGISTRATIONDOCUMENT