LOREAL_Registration_Document_2017

Corporate governance * RISK FACTORS AND CONTROL ENVIRONMENT

BUSINESS RISKS \ INFORMATION SYSTEMS AND DATA

Risk identification

The day-to-day management of activities such as purchasing, production and distribution, invoicing, reporting and consolidation, as well as internal data exchange and access, relies on the proper functioning of all technical infrastructure and IT applications. As part of the digital transformation and the ongoing development of information technologies and their applications, the Group's business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment depend on being able to operate in an increasingly virtual and digital environment. The European General Data Protection Regulation (GDPR), applicable as of May 2018, provides for significant sanctions and for controls by the national authorities in every country. The malfunction or breakdown of these systems, or the misappropriation of confidential or personal data processed by L'Oréal or its partners, whether for exogenous or endogenous reasons (including intrusions, malicious acts, etc.), could have a significant impact (reputation, consumer confidence, etc.).

Risk management

To minimise the impact that this type of occurrence could have, the Information Systems Department has introduced strict rules with regard to data back-up, protection of and access to confidential data, and data security for both computer hardware and software applications. Furthermore, in order to adapt to the development of new methods of communication and to the digital transformation of its activities, L'Oréal has introduced an Information and Communication Technologies Code of Practice. The Group's principles with regard to personal data management have been disseminated all over the world to raise the awareness of all employees about respect for ethical principles and for the legal and regulatory requirements in this area. L'Oréal has initiated a Group-level project to comply with the GDPR, which is based on a Strategic Committee, a Steering Committee and business line task forces, as well as a Data Privacy Committee and a Project Manager in each country. To address the growing threat of cybercrime, L'Oréal takes continuous steps to strengthen the resources dedicated to information system security. This plan relies in particular on anti-intrusion equipment, an information system security audit programme, protection of sensitive equipment and global supervision for identifying irregularities. L'Oréal's security focus is constantly adjusted to deal with new cyberattack threats. For example, the Group is increasingly investing in systems for detecting and reacting to alerts and security incidents, and in periodic supervision of the effectiveness of such solutions. Furthermore, in 2016 the Group deployed worldwide an on-line training programme on best practices with regard to safety and security, intended for all employees.

BUSINESS RISKS \ RISK OF AN INTERNAL CONTROL FAILURE

Risk identification

L'Oréal has set up an Internal Control system (see paragraph 2.8.1.2. Internal Control Objectives) which, however effective it may be, can only provide reasonable and not absolute assurance that the Company's objectives will be achieved, due to the inherent limitations of any control system. Accordingly, the Group cannot rule out the risk of an Internal Control failure, which may in particular expose it to an act of fraud.

Risk management

The components of the Internal Control and risk management system implemented are detailed in paragraph 2.8. In the areas of fraud and corruption, a programme designed to raise awareness of fraud risk has been rolled out to all the Management Committees of the Group's subsidiaries (setting out the main operational scenarios that could occur, the whistle-blowing systems, and the existing procedures and controls) and helps to reduce the Group's exposure to this risk. In addition, the Group has published a guide, created from country-specific corruption risk mapping, and is deploying an e-learning module on corruption prevention which will round out the commitments and principles set out in L'Oréal's Code of Ethics and described in the Social, Environmental and Societal Information below (see paragraph 3.5.1).

REGISTRATION DOCUMENT / L'ORÉAL 2017
