A VINCI Information Systems Security Committee was created at the end of 2018. The committee’s role is to:
The Information Systems Security Committee is composed of VINCI’s Executive Vice-President and CFO, the Group’s Chief Information Officer, the Chief Information Security Officer, the Chief Audit Officer, and VINCI’s Chief Security Officer. The committee has two regularly scheduled meetings per year and exceptional meetings as necessary, such as during a crisis. It reports on its activity to the Audit Committee of the Board of Directors.
The Audit Department’s role covers the following areas:
– the social and environmental policy,

The Audit Department’s activities in 2021 are summarised in the table below:
Area | Description | Activities in 2021 |
---|---|---|
Risk management | Risk mapping of the five business lines (*) and of the holding company; risk committees | Annual review of the Group’s risk maps; 279 risk committee meetings |
Internal control | Self-assessment survey | 579 entities surveyed, representing 85% of Group revenue |
Fraud prevention | Register of fraud attempts | 38,229 reports (including incidents of phishing); 4 recommendations; 1 Group procedure |
Audit | Support for business line audits | 26 joint audits between business lines and the holding company |
(*) VINCI Autoroutes, VINCI Concessions, VINCI Energies, VINCI Construction, VINCI Immobilier.
The Insurance Department proposes and implements the Group’s insurance strategy, as validated by Executive Management (see paragraph 3.5, pages 170 to 171).
The business lines carry out their activities based on the principles of action and conduct described in paragraph 3.2.1, page 167. The operational teams in each business line are monitored at several levels: operational management, support functions (management control, quality, safety, information systems) and periodic internal audits.
Various committees bring together the personnel involved in decision-making, in particular the VINCI Risk Committee (see paragraph 3.4.3, page 169, for information on how it functions), the business line risk committees, and the cash management committees (see Note J.26 to the consolidated financial statements, page 324).
The policy set by VINCI’s Executive Committee aims to comply with legal requirements and to ensure that risks are monitored in as uniform a manner as possible. Risk monitoring is integrated into the reporting process (for accounting and financial, health and safety, social and environmental data) and into the schedules set by the existing procedures related to commitments and periodic monitoring of operations as described in paragraph 3.4 below. Through this approach, VINCI’s Executive Management is informed of risks that have materialised, their consequences and related action plans. Risk maps have been created for the Group’s main business lines and divisions as well as for the holding company, thereby encompassing all of VINCI’s activities, in line with the methodology of the white paper entitled “Mise en œuvre du cadre de référence actualisé de l’AMF” (Implementing the AMF reference framework). These maps are reviewed annually. The review involves:
Risk scorecards are created for each business line, based on the principal entities’ risk maps. They are used to present and assess, in a uniform manner, events that might affect projects examined by the Risk Committee.