2021 UNIVERSAL REGISTRATION DOCUMENT

General and financial elements

A VINCI Information Systems Security Committee was created at the end of 2018. The committee’s role is to:

  • validate the VINCI information systems security strategy and allocate the resources and funding necessary to implement it;
  • be aware of incidents and manage major information system security crises;
  • examine the key performance indicators of information system security.

The Information Systems Security Committee is composed of VINCI’s Executive Vice-President and CFO, the Group’s Chief Information Officer, the Chief Information Security Officer, the Chief Audit Officer, and VINCI’s Chief Security Officer. The committee has two regularly scheduled meetings per year and exceptional meetings as necessary, such as during a crisis. It reports on its activity to the Audit Committee of the Board of Directors.

The Audit Department’s role covers the following areas:

  • Risk management: based on guidelines from the Group’s Executive Management, it heads up the deployment and implementation of a structured system that makes it possible to identify, analyse and handle the principal risks. In this framework, the Audit Department provides methodological support to the subsidiaries’ operational and functional departments. It organises and ensures the follow-up for the meetings of the VINCI Risk Committee, which reviews and authorises tenders exceeding certain thresholds set by the Group’s Executive Management or presenting particular technical or financial risks.
  • Internal control: in addition to drafting and disseminating the general internal control procedures set by the holding company, the Audit Department organises an annual self-assessment survey of internal control, described in paragraph 3.4.7, page 170.
  • Fraud prevention: participation in running the system set up for this purpose, in collaboration with the Security, Information Systems and Cash Management and Financing departments.
  • Audit: the department carries out its own assignments in the field, alongside or in support of the work performed by the business lines as well as assignments related to the internal whistleblowing procedure. In 2021, because of travel restrictions, 26 audit assignments were completed out of the 46 initially scheduled. These audits did not reveal any problems that might have a significant impact on the business or financial statements of the Group. The work of the holding company mainly consisted of coordinating the rollout of:
    • – compliance oversight in the Group,
    • – cybersecurity policies,

    • the social and environmental policy,
    • – the policy to bring data processing into compliance with the EU’s General Data Protection Regulation (GDPR).

The Audit Department’s activities in 2021 are summarised in the table below:

Area
Description Activities in 2021
Risk management

Risk management

Description

Risk mapping of the five business lines (*) and of the holding company

Risk committees

Risk management

Activities in 2021

Annual review of the Group’s risk maps 279 risk committee meetings
Internal control

Internal control

Description

Self-assessment survey

Internal control

Activities in 2021

579 entities surveyed, representing 85% of Group revenue
Fraud prevention

Fraud prevention

Description

Register of fraud attempts

Fraud prevention

Activities in 2021

38,229 reports (including incidents of phishing)


4 recommendations


1 Group procedure
Audit

Audit

Description

Support for business line audits

Audit

Activities in 2021

26 joint audits between business lines and the holding company

(*) VINCI Autoroutes, VINCI Concessions, VINCI Energies, VINCI Construction, VINCI Immobilier.

The Insurance Department proposes and implements the Group’s insurance strategy, as validated by Executive Management (see paragraph 3.5, pages 170 to 171).

The business lines carry out their activities based on the principles of action and conduct described in paragraph 3.2.1, page 167. The operational teams in each business line are monitored at several levels: operational management, support functions (management control, quality, safety, information systems) and periodic internal audits.
Various committees bring together the personnel involved in decision-making, in particular the VINCI Risk Committee (see paragraph 3.4.3, page 169, for information on how it functions), the business line risk committees, and the cash management committees (see Note J.26 to the consolidated financial statements, page 324).

3.3 Risk management

The policy set by VINCI’s Executive Committee aims to comply with legal requirements and to ensure that risks are monitored in as uniform a manner as possible. Risk monitoring is integrated into the reporting process (for accounting and financial, health and safety, social and environmental data) and into the schedules set by the existing procedures related to commitments and periodic monitoring of operations as described in paragraph 3.4 below. Through this approach, VINCI’s Executive Management is informed on risks that have materialised, their consequences and related action plans. Risk maps have been created for the Group’s main business lines and divisions as well as for the holding company, thereby encompassing all of VINCI’s activities, in line with the methodology of the white paper under the title “Mise en œuvre du cadre de référence actualisé de l’AMF” (Implementing the AMF reference framework). These maps are reviewed annually. The review involves:

  • listing the main sources of identifiable risk, either internal or external, that represent obstacles to the achievement of the Group’s objectives and which can be financial risks, risks to people or reputation risks;
  • assessing risk severity on a qualitative scale, taking into account the potential impact, likelihood and degree of control of the various events constituting risks;
  • implementing proper handling of these risks.

Risk scorecards are created for each business line, based on the principal entities’ risk maps. They are used to present and assess, in a uniform manner, events that might affect projects examined by the Risk Committee.