Saint Gobain - Registration document 2016

7 RISKS AND CONTROL 2. Internal control

2.2.4 Corporate departments

Compagnie de Saint-Gobain’s corporate departments are responsible for setting up an internal control structure and defining internal control strategies and procedures in their area. To this end, they:

- identify and analyze the main risks associated with their internal processes;
- define appropriate controls based on those described in the Internal Control Reference Framework;
- inform and train the employees responsible for internal controls within their area;
- analyze any internal control weaknesses or incidents and the results of internal audits.

The corporate departments are also responsible for the internal control system within the Company entities.

Environment, Health and Safety (EHS) Department and Medical Department

Main responsibilities:
- Promote and coordinate Group EHS policy
- Monitor the application of EHS reference framework principles

Reference standards and/or measures:
- EHS reference framework and standards
- Integrated EHS audits
- Self-diagnostic tool
- OHSAS 18001 and ISO 14001 standards

2016 key figures:
- Industry audits:
  - 43 “12-step” audits
  - 135 “20-step” audits (1)
- Distribution audits:
  - 448 ESPR audits (2)

Information Systems Department

Main responsibilities:
- Define Group policy for information systems and computer network security
- Promote and coordinate an annual self-assessment plan
- Develop rules and best practices

Reference standards and/or measures:
- Minimum security rules
- Technical standards
- Development standard for secure web applications
- Note on the Cloud
- Datacenter security rules
- ITAC reference bases
- SAP users control tool

2016 key figures:
- See chapter 7, section 2.4.4, General security doctrine on information systems

Purchasing Department

Main responsibilities:
- Manage the World-Class Purchasing program, an approach focusing on purchasing performance, department professionalization and supplier innovation
- Execute multi-business and multi-country purchasing
- Coordinate the purchasing function in France and conduct multi-business purchasing activities in France

Reference standards and/or measures:
- ISO 9001 standard with certification in Raw Materials, Precious Metals and Energy for Saint-Gobain Purchasing
- Purchasing process of the Internal Control Reference Framework (14 risks, 38 controls to be applied)

2016 key figures:
- Completion of 12,000 individual purchaser actions in 2016
- 24 internal audit assignments on technical purchases
- 63 Buy/Techs executed in 20 different countries

Risk and Insurance Department

Main responsibilities:
- Define Group policy for property damage at industrial or distribution sites
- Define Group policy for insurance and monitoring its implementation
- Steering centralized insurance programs

Reference standards and/or measures:
- Prevention/protection reference base
- “Risks Grading” self-assessment tool
- Doctrine memos
- Risks and Insurance Intranet

2016 key figures:
- 485 site visits by prevention engineers
- 1,357 sites that have performed their Risk Grading self-assessment
- 911 assessments of Building Distribution Sector sales outlets by, including 289 ESPR audits
- 22 prevention training sessions
- Regular field inspections

Treasury and Financing Department

Main responsibilities:
- Define policy for financing, market risk control and banking relationships for the entire Group

Reference standards and/or measures:
- Procedures reference base
  - for DTF activities
  - for subsidiary activities
- Daily reports (DTF) and monthly reports (subsidiaries and DTF)

2016 key figures:
- 112,813 internal/external foreign exchange transactions per year
- 25,816 internal/external transfers issued per year

Financial Control Department

Main responsibilities:
- Implement continuous control of the Group’s results and operating performance
- Participate in drawing up the budget and quarterly budget reviews
- Oversee monthly results figures at all levels of the organization
- Closely analyze and validate the financial consequences of investment, acquisition, divestment, merger and capital expenditure plans and restructurings

Reference standards and/or measures:
- Dashboards
- Permanent relationship with Delegations and Sectors
- Oversight of the network of Group controllers
- Implementation of common analysis tools
- Group reference base and notices to corporate departments and Sectors

2016 key figures:
- Over 200 meetings per year with Sectors and Delegations
- 15 training sessions with the participation of 150 employees
- 215 DAC (Credit Authorization Requests)
- 58 planned acquisitions, 34 of which have been completed
- 70 divestments and mergers completed

(1) Audits following a 12- and 20-step schedule for the Group’s industrial activities.
(2) ESPR (Environment, Safety, Prevention of Risks) audit: specific to the Building Distribution Sector.
