2022 Universal Registration Document

Key Data

An Information Systems Security Committee was created by VINCI at the end of 2018. The committee’s role is to:

  • validate the VINCI information systems security strategy and allocate the resources and funding necessary to implement it;
  • be aware of incidents and manage major information system security crises;
  • examine the key performance indicators of information system security.

The Information Systems Security Committee is composed of VINCI’s Executive Vice-President and Chief Financial Officer, the Group’s Chief Information Officer, as well as VINCI’s Chief Information Security Officer, Chief Audit Officer and Chief Security Officer. The committee has two regularly scheduled meetings per year and exceptional meetings as necessary, such as during a crisis. It reports on its activity to the Audit Committee of the Board of Directors.

The VINCI Risk Committee is one of the key elements of the Group’s risk management system. It reviewed 330 business opportunities in 2022. The operating procedure for this committee and its composition are described in paragraph 3.4.3, page 184.

The Audit Department’s role covers the following areas:

  • Risk management: based on guidelines from the Group’s Executive Management, it heads up the deployment and implementation of a structured system that makes it possible to identify, analyse and handle the principal risks. In this framework, the Audit Department provides methodological support to the subsidiaries’ operational and functional departments. It organises and ensures the follow-up for the meetings of the VINCI Risk Committee, which reviews and authorises tenders exceeding certain thresholds set by the Group’s Executive Management or presenting particular technical or financial risks.
  • Internal control: in addition to drafting and disseminating the general internal control procedures set by the holding company, the Audit Department organises an annual self-assessment survey of internal control, described in paragraph 3.4.7, page 185.
  • Fraud prevention: the Audit Department helps run the fraud prevention system, in collaboration with the Security, Information Systems, and Cash Management and Financing departments.
  • Audit: the department carries out its own assignments in the field, alongside or in support of the work performed by the business lines as well as assignments related to the internal whistleblowing procedure. In 2022, the Audit Department carried out 42 assignments, in line with the initial objective. These assignments did not reveal any problems that might have a significant impact on the business or financial statements of the Group. The work of the holding company mainly consisted of coordinating the rollout of:
      • compliance oversight in the Group,
      • cybersecurity policies,
      • the social and environmental policy,
      • the policy to bring data processing into compliance with the EU’s General Data Protection Regulation (GDPR).

The Audit Department’s activities in 2022 are summarised in the table below:

| Area | Description | Activities in 2022 |
|---|---|---|
| Risk management | Risk mapping of the five business lines (*), VINCI Immobilier and the holding company; Risk Committee meetings | Annual review of the Group’s risk maps; 330 business opportunities reviewed by the Risk Committee; three Group procedures updated |
| Internal control | Self-assessment survey | 580 entities surveyed, representing 85% of the Group’s total revenue |
| Fraud prevention | Register of fraud attempts | 147,227 reports (including 146,999 incidents of phishing); one step-by-step programme for external fraud prevention |
| Audit | Support for business line audits | 42 joint audits between business lines and the holding company |

(*) VINCI Autoroutes, VINCI Concessions, VINCI Energies, Cobra IS, VINCI Construction.

The Insurance Department proposes and implements the Group’s insurance strategy, as validated by Executive Management (see paragraph 3.5, pages 185 to 187).

The business lines carry out their activities based on the principles of action and conduct described in paragraph 3.2.1, page 182. The operational teams in each business line are monitored at several levels: operational management, support functions (management control, quality, safety, information systems) and periodic internal audits.

Various committees bring together the personnel involved in decision-making, in particular the VINCI Risk Committee (see paragraph 3.4.3, page 184, for information on how it functions), the business line risk committees, and the cash management committees (see Note J.26 to the consolidated financial statements, page 348).

3.3 Risk management

The policy set by VINCI’s Executive Committee aims to comply with legal requirements and to ensure that risks are monitored in as uniform a manner as possible. Risk monitoring is integrated into the reporting process (for accounting and financial, health and safety, social and environmental data) and into the schedules set by the existing procedures related to commitments and periodic monitoring of operations as described in paragraph 3.4 below. Through this approach, VINCI’s Executive Management is informed on risks that have materialised, their consequences and related action plans. Risk maps have been created for the Group’s main business lines and divisions as well as for the holding company, thereby encompassing all of VINCI’s activities, in line with the methodology of the white paper under the title “Mise en œuvre du cadre de référence actualisé de l’AMF” (Implementing the AMF reference framework). These maps are reviewed annually. The review involves:

  • listing the main sources of identifiable risk, either internal or external, that represent obstacles to the achievement of the Group’s objectives and which can be financial risks, risks to people or reputation risks;
  • assessing risk severity on a qualitative scale, taking into account the potential impact, likelihood and degree of control of the various events constituting risks;
  • implementing proper handling of these risks.

Risk scorecards are created for each business line, based on the principal entities’ risk maps. They are used to present and assess, in a uniform manner, events that might affect projects examined by the Risk Committee.