2025 Universal Registration Document

General and financial elements

2. Risk management principles and participants
2.1 Reference framework, definitions and scope of risk management and internal control

In July 2010, the Autorité des Marchés Financiers (AMF, the French securities regulator) published a reference framework concerning risk management and internal control systems (“Cadre de référence sur les dispositifs de gestion des risques et de contrôle interne”). The VINCI Group uses this document as the basis for its own framework.

The risk management and internal control systems play complementary roles in the conduct of VINCI’s activities. They aim to identify and analyse the principal risks to which the Group’s subsidiaries are exposed and help to:

  • preserve the value, assets and reputation of the Group;
  • secure decision-making procedures and other internal processes;
  • ensure that initiatives are in line with the Group’s values;
  • foster a shared view of the principal risks among employees.

These systems, however well conceived and implemented, cannot provide an absolute guarantee that the Group will achieve its objectives.

In addition to setting up a specific system for the VINCI holding company, the Group also ensures that its business lines put in place risk management and internal control systems that are appropriate for their subsidiaries. The scope of risk management and internal control includes fully consolidated subsidiaries.

2.2 Environment and organisation
2.2.1 Principles of action and conduct

The businesses in which VINCI operates require the personnel involved to be geographically close to customers in order to ensure the prompt delivery of solutions suited to their needs. To enable the manager of each business unit—of which there are more than 4,300 in total in the Group – to take the required operational decisions rapidly, each business line has put in place an organisational structure suited to its activities.

In this context, the Group has delegated authority to operational and functional staff at all levels of the organisation. Delegation of authority and responsibility to these staff is carried out in compliance with the general guidelines (see paragraph 2.4.2, page 183) and the following VINCI principles of action and conduct:

  • Compliance with the rules common to the whole Group in respect of commitments, risk-taking (see paragraph 2.4.3, page 183), the acceptance of contracts (see same paragraph), and the reporting of financial, accounting, and management information (see paragraph 2.4.6, page 183).
  • Transparency and loyalty of managers towards their superiors and towards the central functional departments of the business lines and the holding company. An integral part of operational managers’ duties is to take decisions on matters falling within their area of responsibility, within the framework of the general guidelines they have received and accepted. Nevertheless, any significant difficulties encountered must be handled with the assistance, as necessary, of their superiors and/or the functional departments of the business lines or the VINCI holding company.
  • Compliance with the laws and regulations in force in the countries where the Group operates.
  •  A culture of all-round performance (financial and non-financial).
2.2.2 Key players in risk management and internal control

VINCI’s Board of Directors (whose role is presented in section 2, “Organization of VINCI’s corporate governance”, of chapter C, “Report on corporate governance”, of the Report of the Board of Directors, beginning on page 127) has the duties and responsibilities laid down in law. It draws on the work of four specialised committees: the Audit Committee, the Strategy and CSR Committee, the Remuneration Committee, and the Appointments and Corporate Governance Committee. The tasks delegated to these committees and the principal activities carried out in 2025 in this regard are presented in paragraph 3.4.2, “Board committees”, of chapter C, “Report on corporate governance”, beginning on page 145. They take into account the recommendations of the Afep-Medef code.

The Executive Committee, composed of 14 members at 31 December 2025, supervises the overall implementation of the Group’s strategy, which cascades through its various business lines, and also approves and monitors the application of its cross-cutting policies in the areas of risk management, finance, human resources, safety, IT and insurance.

The functional departments of the parent company, VINCI SA, are responsible for drawing up the Group’s rules and procedures. They also ensure that these rules and procedures as well as the decisions of VINCI’s Executive Management are correctly enforced. Furthermore, these departments advise business lines on technical matters without interfering with operational decisions, which are the responsibility of the business lines under the Group’s decentralised structure. VINCI SA had a staff of 409 at 31 December 2025.

The Ethics and Vigilance Department, which reports to the Group’s Executive Management, develops and disseminates non-compliance risk prevention measures and assists the business lines with the implementation and continuous improvement of their compliance programs. It coordinates the Ethics and Vigilance Committee, which has seven members, including five Executive Committee members, and is responsible for overseeing the development and rollout of compliance systems covered by the Code of Ethics and Conduct, notably concerning the fight against corruption and the prevention of risks of competition law infringement. The committee also receives information about the number and nature of reports made via the Group’s whistleblowing platform. It met four times in 2025 and reports annually on its activities to the Strategy and CSR Committee of the Board of Directors. The Group’s duty of vigilance plan is presented in chapter F, pages 295 to 324.

An Information Systems Security Committee was created by VINCI at the end of 2018. Its role is to:

  • validate the VINCI information systems security strategy and allocate the resources and funding necessary to implement it;
  • monitor incidents and manage major information system security crises;
  • examine the key performance indicators of information system security.

The Information Systems Security Committee is composed of VINCI’s Executive Vice-President and Chief Financial Officer, the Group’s Chief Information Officer, as well as VINCI’s Chief Information Security Officer, Chief Audit Officer and Chief Security Officer. The committee has two regularly scheduled meetings per year. Additional meetings may be convened on an exceptional basis as necessary, such as during a crisis. It reports on its activities to the Audit Committee of the Board of Directors.