Major risks to which the Group believes it is exposed

| Category | Risk | Residual importance |
| --- | --- | --- |
| Business risks | Information and cybersecurity systems * | |
| | Geographic presence and economic and political environment * | |
| | Sanitary crisis * | |
| | Reputational crisis management | |
| | Data | |
| | Market and Innovation | |
| | Business ethics | |
| | Evolution of sales channels | |
| | Human Resources risk | Low |
| | Product quality and safety | Low |
| | Safety of people and property | |
| Industrial and environmental risks | Product availability * | |
| | Climate change | |
| | Environment and safety | Low |
| Legal and regulatory risks | Non-conformity * | |
| | Intellectual property: trademarks, designs & models, domain names, patents | Low |
| | Product claims | Low |
| Financial and market risks | Inflation and currency risk * | |
| | Risk on financial equity interests | Low |
| | Risk relating to the impairment of intangible assets | Low |

\* Most material risks in each category.

Residual importance scale: Low, Moderate, Significant.

3.5.3.1. Business risks
Business risks/Information Systems and cybersecurity
Risk identification

In a context of digital transformation and constant development of information technologies and their uses, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation.

As a result, the malfunction or shutdown of these systems, or the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks, etc.), whether internally or at a third party of the Group, could have a material impact on the Group’s business activities.

Risk management

The IT Department has implemented strict security rules for infrastructures, devices and applications. Furthermore, to adapt to the development of new ways of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To deal with growing cyberthreats, L’Oréal continuously strengthens the resources dedicated to information system security. A multi-year plan aimed at reducing the level of risk from cyberthreats and strengthening the maturity of risk management was therefore set out.

This plan relies in particular on anti-intrusion solutions, regular red teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L’Oréal’s security focus is constantly adjusted to deal with new threats of cyberattacks. For example, the Group is increasingly investing in incident detection and response systems and regularly reviews the effectiveness of these solutions.

An online learning programme for cybersecurity best practices is available for all eligible employees (48,487 employees have completed the “Join the next Shield!” programme, which equates to 81% of eligible employees). Specific learning programmes are also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual worldwide awareness-raising campaign called Cyberweek.

Management of risks related to data is described in the “Data” risk section.
