2024 universal registration document

3. Risk factors and management

Audit and self-assessment system

(i) Audits

Audits of Applicable Rules: Audits of Applicable Rules are used to check that the Plan is correctly implemented by the Subsidiaries and Suppliers included in the Risk Matrix. Audits are done by specialist external companies. When a Subsidiary or Supplier is audited, the process is carried out in accordance with the Risk Matrix set out above. A written audit report is prepared. With respect to the Subsidiaries, the reports are stored in a secure database available to the Group's Heads of Human Relations and to the Country Operations Directors, in some cases. The reports on Suppliers are intended for Group buyers.

EHS audits specific to Subsidiaries: to ensure compliance with the Group’s EHS policy, a system of worldwide audits has been in place since 1996, and was reinforced in 2001 with the presence of external auditors who are experts in the local environment and regulations. These audits take place regularly on each L’Oréal site: every three years for production sites and every four years for distribution centres, administrative sites and research centres. If the result of the audit does not meet the standard required by the L’Oréal guidelines, a specific interim audit is scheduled for the following year. Every year, the teams responsible for EHS risks review the audit results and identify general improvement plans. Improvement plans specific to the audited Sites are set up immediately after the end of the audit. Any emergency measure intended to prevent an imminent risk for the health of persons at the Site is implemented by the Site EHS teams without waiting for the completion of an audit even if it is not part of the improvement plan in place, if any. Various audit grids – "risk", "culture" and "combined risk and culture" – are used depending on the maturity and type of activity at the Sites. They assess in particular:

  • compliance of practices and facilities with the Group’s rules and procedures;
  • progress in terms of EHS performance;
  • any risks that the sites may present from an EHS standpoint; and
  • the level of management and dissemination of an EHS culture on the Sites.

Each risk finding is classified in one of three categories A, B and C according to a matrix of level of impact/probability of occurrence. "A" findings are monitored monthly and consolidated annually by risk type.

The monthly reporting of safety and environmental data also feeds into consolidation and analysis of any anomalies and incidents leading to non-compliance with regulations, complaints and/or fines.

Three types of audit specific to Suppliers:

  • initial audits: first audits conducted, which are a prerequisite to the start of the relationship with a new Supplier;
  • follow-up audits: audits done a maximum of 12 to 24 months after the Needs Immediate Action (NIA) request, depending on the severity of the case of non-compliance found; and
  • confirmation audits, three years after the initial audit.

The possible outcomes of the audits are as follows:

  • Satisfactory: all criteria conform to the Applicable Rules and the best practices are highlighted;
  • Needs Continuous Improvement (NCI): minor cases of non-compliance were found, but they do not have an impact on employee safety or health;
  • Needs Immediate Action (NIA): cases of non-compliance were reported either because they are serious, because they are recurring or because they have a potential impact on the health and safety of employees;
  • Zero Tolerance (ZT): reported, for example, in the event of a critical case of non-compliance related to child labour, forced labour, physical abuse, restricted freedom of movement, an immediate risk of accident for employees or attempted bribery of the auditors(1); and
  • Access Denied: reported when the audit is refused (for example in the event of refusal to provide partial or full site access to the auditors).

In case of non-compliance (Needs Continuous Improvement, Needs Immediate Action or Zero Tolerance), corrective action plans must be implemented which are then audited at the level of the Subsidiary or Supplier. Failure to implement a corrective action plan can, in the case of a Subsidiary, result in an alert being sent to the Country Manager. Subsidiaries can decide to link part or all of the remuneration of their managers and/or of their performance evaluation to the implementation of the Applicable Rules.

In the case of Suppliers, serious cases of non-compliance (Needs Immediate Action, Zero Tolerance and Access Denied) or the failure to implement corrective action can result in the refusal to list a new Supplier or the suspension or termination of business relationships with a listed Supplier.

In the event that the existence of cases of non-compliance with the Applicable Rules is reported, a specific audit may be launched. Visit reports are issued as part of the process of routine visits made to Suppliers. They can result, if necessary, in additional audits.

Specific EHS audits of subcontractors’ sites

Additional specific EHS audits are conducted by independent third parties for subcontractor sites for aerosol production or storage, bleaching powders and flammable products under the criteria defined by L’Oréal, which are similar to those used for the Group’s sites. These audits are triggered when Suppliers are first listed or approved and are followed up via audits conducted between 12 months and 36 months maximum after the immediate improvement request (NIA), depending on the severity of the case of non-compliance found, and again at the time of confirmation, five years after the initial audit.

The results of these audits are of the same type as those previously described: satisfactory, NCI, NIA and ZT.

Serious cases of non-compliance (Needs Immediate Action, Zero Tolerance and Access Denied) or the failure to implement corrective actions can result in the refusal to list a new Supplier or the suspension or termination of business relationships with a listed Supplier.

All the main cases of non-compliance found are monitored and consolidated annually by risk type.

In the event that the existence of cases of non-compliance with the Applicable Rules is reported, a specific audit may be launched. Visit reports are issued as part of the process of routine visits made to Suppliers. They can result, if necessary, in additional audits.