3.5 Risk factors and risk management - Page 156 | L'Oréal - 2023 universal registration document

Major risks to which the Group believes it is exposed

Residual importance
Business risks	Information and cybersecurity systemsMost material risks in each category.
	Geographic presence and economic and political environmentMost material risks in each category.
	Sanitary crisis Most material risks in each category.
	Reputational crisis management
	Data
	Market and Innovation
	Business ethics
	Evolution of sales channels
	Human Resources risk
	Product quality and safety
	Safety of people and property
Industrial and environmental risks	Product availabilityMost material risks in each category.
	Climate change
	Environment and safety
Legal and regulatory risks	Non conformityMost material risks in each category.
	Intellectual property: trademarks, designs & models, domain names, patents
	Product claims
Financial and market risks	Inflation and currency riskMost material risks in each category.
	Risk on financial equity interests
	Risk relating to the impairment of intangible assets

Residual importance:

Low: Moderate : Significant:

3.5.3.1. Business risks

Business risks/Information Systems and cybersecurity
Risk identification	Risk management
In a context of digital transformation and constant development of information technologies and their uses, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation. As a result, the malfunction or shutdown of these systems, the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks etc.) internally or at a third-party of the Group could have a material impact on the Group’s business activities.	The IT Department has implemented strict security rules for infrastructures, devices and applications. Furthermore, to adapt to the development of new ways of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To deal with the growing cyber-threats, L’Oréal continuously strengthens the resources dedicated to information system security. A multi-year plan aimed at reducing the level of risk from cyberthreats and strengthening the maturity of risk management was therefore set out. This plan relies in particular on anti-intrusion solutions, regular read teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L’Oréal’s security focus is constantly adjusted to deal with new threats of cyberattacks. For example, the Group is increasingly investing in incidents detection and reactions systems and proceeds to regular reviews of the effectiveness of these solutions. An online learning programme for cybersecurity best practices is available for all eligible employees (48,487 employees have completed the “Join the next Shield!” programme, which equates to 81% of eligible employees). Specific learning programmes are also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual worldwide awareness-raising campaign called Cyberweek. Management of risks related to data is described in the “Data” risk section.

Business risks/Information Systems and cybersecurity

Risk identification

Risk management

In a context of digital transformation and constant development of information technologies and their uses, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation.

As a result, the malfunction or shutdown of these systems, the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks etc.) internally or at a third-party of the Group could have a material impact on the Group’s business activities.

The IT Department has implemented strict security rules for infrastructures, devices and applications. Furthermore, to adapt to the development of new ways of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To deal with the growing cyber-threats, L’Oréal continuously strengthens the resources dedicated to information system security. A multi-year plan aimed at reducing the level of risk from cyberthreats and strengthening the maturity of risk management was therefore set out.

This plan relies in particular on anti-intrusion solutions, regular read teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L’Oréal’s security focus is constantly adjusted to deal with new threats of cyberattacks. For example, the Group is increasingly investing in incidents detection and reactions systems and proceeds to regular reviews of the effectiveness of these solutions.

An online learning programme for cybersecurity best practices is available for all eligible employees (48,487 employees have completed the “Join the next Shield!” programme, which equates to 81% of eligible employees). Specific learning programmes are also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual worldwide awareness-raising campaign called Cyberweek.

Management of risks related to data is described in the “Data” risk section.

450 pages