2024 Universal Registration Document

General and financial elements

2.2.2 Key players in risk management and internal control

VINCI’s Board of Directors is responsible for validating the Group’s strategic choices and ensuring that these choices are properly implemented while taking into account the social and environmental issues relating to its business activities. It also makes sure that the Group’s organisation functions properly. It carries out the controls and verifications that it believes are timely and appropriate. It considers all major matters concerning the Group’s business. In its annual management report, the Board sets out the principal risks and uncertainties the Group faces.

The Board has adopted a set of internal rules that is updated regularly and has four specialised committees: the Audit Committee, the Strategy and Corporate Social Responsibility (CSR) Committee, the Remuneration Committee, and the Appointments and Corporate Governance Committee. The tasks delegated to the Audit Committee and the principal activities carried out in 2024 in this regard are presented in chapter C, “Report on corporate governance”, pages 147 to 148. They take into account the recommendations of the Afep-Medef code. The Executive Committee, composed of 13 members at 31 December 2024, is in charge of implementing the Group’s strategy and also approves and monitors the application of its cross-cutting policies in the areas of risk management, finance, human resources, safety, IT and insurance.

The holding company’s functional departments ensure that the Group’s rules and procedures as well as the decisions of VINCI’s Executive Management are correctly enforced. Furthermore, these departments advise business lines on technical matters without interfering with operational decisions, which are the responsibility of the business lines under the Group’s decentralised structure. The holding company had a staff of 394 at 31 December 2024.

The Ethics and Vigilance Department, which reports to the Group’s Executive Management, develops and disseminates the non-compliance risk prevention measures and assists the business lines with the implementation and continuous improvement of their compliance programmes. It coordinates the Ethics and Vigilance Committee, which has seven members, including five Executive Committee members, and oversees the development and rollout of compliance systems covered by the Code of Ethics and Conduct, notably concerning the fight against corruption, the prevention of risks of infringements of competition rules and reports related to impacts on human rights and fundamental freedoms, on human health and safety and on the environment, as part of the Group’s business activities. It met four times in 2024 and reports annually on its activity to the Strategy and CSR Committee of the Board of Directors. The Group’s duty of vigilance plan is presented in chapter F, pages 279 to 303.

An Information Systems Security Committee was created by VINCI at the end of 2018. The committee’s role is to:

  • validate the VINCI information systems security strategy and allocate the resources and funding necessary to implement it;
  • monitor incidents and manage major information system security crises;
  • examine the key performance indicators of information system security.

The Information Systems Security Committee is composed of VINCI’s Executive Vice-President and Chief Financial Officer, the Group’s Chief Information Officer, as well as VINCI’s Chief Information Security Officer, Chief Audit Officer and Chief Security Officer. The committee has two regularly scheduled meetings per year and exceptional meetings as necessary, such as during a crisis. It reports on its activity to the Audit Committee of the Board of Directors.

The VINCI Risk Committee is one of the key elements of the Group’s risk management system. It reviewed 255 business opportunities in 2024. The operating procedure for this committee and its composition are described in paragraph 2.4.3, page 184.

The Audit Department’s role covers the following areas:

  • Risk management: Based on guidelines from the Group’s Executive Management, it heads up the deployment and implementation of a structured system that makes it possible to identify, analyse and handle the principal risks. In this framework, the Audit Department provides methodological support to the subsidiaries’ operational and functional departments. It organises and ensures the follow-up for the meetings of the VINCI Risk Committee, which reviews and authorises tenders exceeding certain thresholds set by the Group’s Executive Management or presenting particular technical or financial risks.
  • Internal control: In addition to drafting and disseminating the general internal control procedures set by the holding company, the Audit Department organises an annual self-assessment survey of internal control, described in paragraph 2.4.7, page 185.
  • Fraud prevention: The Audit Department helps run the fraud prevention system, in collaboration with the Security, Information Systems, and Cash Management and Financing departments.
  • Audit: The department carries out its own assignments in the field, alongside or in support of the work performed by the business lines, as well as assignments related to the internal whistleblowing procedure. In 2024, the Audit Department carried out 45 assignments. These assignments did not reveal any problems that might have a significant impact on the business or financial statements of the Group.

The work of the holding company mainly consisted of coordinating the rollout of:

  • compliance oversight in the Group,
  • cybersecurity policies,
  • the social and environmental policy,
  • the policy to bring data processing into compliance with the EU’s General Data Protection Regulation (GDPR).

The Audit Department’s activities in 2024 are summarised in the table below:

| Area | Description | Activities in 2024 |
|---|---|---|
| Risk management | Risk mapping of the five business lines (*), VINCI Immobilier and the holding company; Risk committee meetings | Annual review of the Group’s risk maps; 255 business opportunities reviewed by the VINCI Risk Committee; Update of Group procedures |
| Internal control | Self-assessment | 615 entities surveyed, representing 85% of the Group’s total |
| Fraud prevention | Register of fraud attempts | 290,500 reports (including 290,200 incidents of phishing) |
| Audit | Support for business line audits | 45 joint audits between business lines and the holding company, including 16 relating to cybersecurity and 5 on environment, social and governance issues |