2025 Universal Registration Document

General and financial elements

The VINCI Risk Committee is one of the key elements of the Group’s risk management system. It reviewed 283 business opportunities in 2025. The operating procedure for this committee and its composition are described in paragraph 2.4.3, page 183.

The Audit Department’s role covers the following areas:

  • Risk management: Based on guidelines from the Group’s Executive Management, it heads up the deployment and implementation of a structured system that makes it possible to identify, analyse and handle the principal risks. In this framework, the Audit Department provides methodological support to the subsidiaries’ operational and functional departments. It organises and ensures the follow-up for the meetings of the VINCI Risk Committee, which reviews and authorises tenders exceeding certain thresholds set by the Group’s Executive Management or presenting particular technical or financial risks.
  • Internal control: In addition to drafting and disseminating the general internal control procedures set by the holding company, the Audit Department organises an annual self-assessment survey of internal control, described in paragraph 2.4.7, page 184.
  • Fraud prevention: The Audit Department helps run the fraud prevention system, in collaboration with the Security, Information Systems, and Cash Management and Financing departments.

  • Audit: The department carries out its own assignments in the field, alongside or in support of the work performed by the business lines as well as assignments related to the internal whistleblowing procedure. In 2025, the Audit Department carried out 41 assignments. These assignments did not reveal any problems that might have a significant impact on the business or financial statements of the Group. The work mainly consisted of coordinating the rollout of:

    • compliance oversight in the Group,
    • cybersecurity policies,
    • the social and environmental policy,
    • the policy to bring data processing into compliance with the EU’s General Data Protection Regulation (GDPR).

The Audit Department’s activities in 2025 are summarised in the table below:

Area Description Activities in 2025
Risk management

Risk management

Description

Mapping of risks relating to the activities of the Group (*) and the holding company

Risk committee meetings

Risk management

Activities in 2025

Annual review of the Group’s risk maps

283 business opportunities reviewed by the VINCI Risk Committee

Update of Group procedures
Internal control

Internal control

Description

Self-assessment

Internal control

Activities in 2025

629 entities surveyed, representing 86% of the Group’s total revenue
Fraud prevention

Fraud prevention

Description

Register of fraud attempts

Fraud prevention

Activities in 2025

292,545 reports (including 292,209 incidents of phishing)
Audit

Audit

Description

Support for business line audits

Audit

Activities in 2025

41 joint audits between business lines and the holding company, including 18 on cybersecurity and one relating to environmental, social and governance issues

The Insurance Department proposes and implements the Group’s insurance strategy, as validated by Executive Management (see paragraph 2.5, pages 184 to 186).

The business lines carry out their activities based on the principles of action and conduct described in paragraph 2.2.1, page 181. The operational teams in each business line are monitored at several levels: operational management, support functions (management control, quality, safety, information systems) and periodic internal audits.

Various committees bring together the personnel involved in decision-making, in particular the VINCI Risk Committee (see paragraph 2.4.3, page 183, for information on how it functions), the business line risk committees, and the cash management committees (see Note J.26 to the consolidated financial statements, page 389).

2.3 Risk management

The policy set by VINCI’s Executive Committee aims to comply with legal requirements and to ensure that risks are monitored in as uniform a manner as possible. Risk monitoring is integrated into the reporting process (for accounting and financial, health and safety, social and environmental data) and into the schedules set by the existing procedures related to commitments and the periodic monitoring of operations as described in paragraph 2.4 below. Through this approach, VINCI’s Executive Management is informed of risks that have materialised, their consequences and related action plans. Risk maps have been created for the Group’s main business lines and divisions as well as for the holding company, thereby encompassing all of VINCI’s activities, in line with the methodology of the white paper under the title “Mise en œuvre du cadre de référence actualisé de l’AMF” (Implementing the AMF reference framework). These maps are reviewed annually. The review involves:

  • listing the main sources of identifiable risk, either internal or external, that represent obstacles to the achievement of the Group’s objectives, which can include financial risks, risks to people or reputational risks;
  • assessing risk severity on a qualitative scale, taking into account the potential impact, probability of occurrence and degree of control of the various events constituting risks;
  • implementing proper handling of these risks. Risk scorecards are created for each business line, based on the principal entities’ risk maps. They are used to present and assess, in a uniform manner, events that might affect business opportunities examined by the VINCI Risk Committee.
2.4 Internal control

The main procedures described below are common to all companies in the Group. They are complemented by specific procedures within each business line, in particular for the monitoring of projects and the preparation of financial and accounting information.

2.4.1 Compliance with laws and regulations

The Legal Department of the holding company is responsible for:

  • maintaining a legislative watch related to the various applicable rules,
  • legal compliance of transactions carried out by the holding company,
  • monitoring major acquisition projects and disputes,
  • informing affected employees about rules pertaining to securities transactions.

The main measures relating to legal and regulatory controls are presented in section 4, “Business conduct”, of chapter E, “Sustainability report”, pages 283 to 288.