2023 UNIVERSAL REGISTRATION DOCUMENT

General and financial elements

2.2.2 Organisational structures involved in risk management and internal control

VINCI’s Board of Directors is responsible for validating the Group’s strategic choices and ensuring that these choices are properly implemented while taking into account the workforce-related, social and environmental issues relating to its business activities. It also makes sure that the Group’s organisation functions properly. It carries out the controls and verifications that it believes are timely and appropriate. It considers all major matters concerning the Group’s business. In its annual management report, the Board sets out the principal risks and uncertainties the Group faces.

The Board has adopted a set of internal rules that is updated as often as necessary and has four specialised committees: the Audit Committee, the Strategy and Corporate Social Responsibility (CSR) Committee, the Remuneration Committee, and the Appointments and Corporate Governance Committee. The tasks delegated to the Audit Committee and the principal activities carried out in 2023 in this regard are presented in chapter C, “Report on corporate governance”, pages 151 to 152. They take into account the recommendations of the Afep-Medef code.

The Executive Committee, composed of 12 members at 31 December 2023, is in charge of implementing the Group’s strategy and also approves and monitors the application of its cross-cutting policies in the areas of risk management, finance, human resources, safety, IT and insurance.

The holding company’s functional departments ensure that the Group’s rules and procedures as well as the decisions of VINCI’s Executive Management are correctly enforced. Furthermore, these departments advise business lines on technical matters without interfering with operational decisions, which are the responsibility of the business lines under the Group’s decentralised structure. The holding company had a staff of 353 at 31 December 2023.

To support the implementation and rollout of compliance programmes in the business lines and to ensure fair business practices, an Ethics and Vigilance Department, reporting to the Group’s Executive Management, was created in January 2018, and an Ethics and Vigilance Committee was created in March 2018. This seven-member committee includes five Executive Committee members and ensures that the compliance procedures covered by the Code of Ethics and Conduct are deployed and updated as necessary, in particular with regard to:

  • combating corruption;
  • preventing serious violations of human rights and fundamental freedoms, harm to human health and safety, or damage to the environment in the context of the Group’s activities.

The committee met five times in 2023 and reports annually on its activity to the Board of Directors’ Strategy and CSR Committee. The Group’s duty of vigilance plan is presented in section 4 of chapter E, “Workforce-related, social and environmental information”, pages 260 to 291.

An Information Systems Security Committee was created by VINCI at the end of 2018. The committee’s role is to:

  • validate the VINCI information systems security strategy and allocate the resources and funding necessary to implement it;
  • be aware of incidents and manage major information system security crises;
  • examine the key performance indicators of information system security.

The Information Systems Security Committee is composed of VINCI’s Executive Vice-President and Chief Financial Officer, the Group’s Chief Information Officer, as well as VINCI’s Chief Information Security Officer, Chief Audit Officer and Chief Security Officer. The committee has two regularly scheduled meetings per year and exceptional meetings as necessary, such as during a crisis. It reports on its activity to the Audit Committee of the Board of Directors.

The VINCI Risk Committee is one of the key elements of the Group’s risk management system. It reviewed 298 business opportunities in 2023. The operating procedure for this committee and its composition are described in paragraph 2.4.3, page 186.

The Audit Department’s role covers the following areas:

  • Risk management: based on guidelines from the Group’s Executive Management, it heads up the deployment and implementation of a structured system that makes it possible to identify, analyse and handle the principal risks. In this framework, the Audit Department provides methodological support to the subsidiaries’ operational and functional departments. It organises and ensures the follow-up for the meetings of the VINCI Risk Committee, which reviews and authorises tenders exceeding certain thresholds set by the Group’s Executive Management or presenting particular technical or financial risks.
  • Internal control: in addition to drafting and disseminating the general internal control procedures set by the holding company, the Audit Department organises an annual self-assessment survey of internal control, described in paragraph 2.4.7, page 187.
  • Fraud prevention: the Audit Department helps run the fraud prevention system, in collaboration with the Security, Information Systems, and Cash Management and Financing departments.
  • Audit: the department carries out its own assignments in the field, alongside or in support of the work performed by the business lines as well as assignments related to the internal whistleblowing procedure. In 2023, the Audit Department carried out 40 assignments, in line with the initial objective. These assignments did not reveal any problems that might have a significant impact on the business or financial statements of the Group. The work of the holding company mainly consisted of coordinating the rollout of:
    • compliance oversight in the Group,
    • cybersecurity policies,
    • the social and environmental policy,
    • the policy to bring data processing into compliance with the EU’s General Data Protection Regulation (GDPR).

The Audit Department’s activities in 2023 are summarised in the table below:

| Area | Description | Activities in 2023 |
|---|---|---|
| Risk management | Risk mapping of the five business lines(*), VINCI Immobilier and the holding company; Risk committee meetings | Annual review of the Group’s risk maps; 298 business opportunities reviewed by the VINCI Risk Committee; Update of Group procedures |
| Internal control | Self-assessment survey | 606 entities surveyed, representing 85% of the Group’s total revenue |
| Fraud prevention | Register of fraud attempts | 200,521 reports (including 200,318 incidents of phishing) |
| Audit | Support for business line audits | 40 joint audits between business lines and the holding company |

(*) VINCI Autoroutes, VINCI Concessions, VINCI Energies, Cobra IS, VINCI Construction.