3.6.3.1 Business risks
Business risks/Geographic presence and economic and political environment 
|
|
|---|---|
| Risk identification | Risk management |
|
L’Oréal is a worldwide corporation that has subsidiaries in 72 countries. More specifically, the global development of the cosmetics market has led L’Oréal to develop its Travel Retail business and its business in countries of North Asia, which represented 24% of sales in 2024, SAPMENA-SSA (South Asia Pacific, Middle East, North Africa, Sub-Saharan Africa), 9% of sales, and Latin America, 8% of sales. As a result of this globalisation, any unsettled political and economic environment in the countries in which the Group generates a significant proportion of its sales (with a strong economic downturn due to, for example, growing geopolitical tensions, lasting inflation, international trade tensions, including changes in tariffs, or sovereign debt crises) could have an impact on its business. The impact and management of inflation risks and currency risks and risks associated with economic sanctions policies are described in the risk factors entitled "Inflation and currency risk" and "Risk of non-compliance", respectively. |
L’Oréal’s global presence and its portfolio of 37 major international brands help to maintain a balance in sales and offsetting between the geographic zones, product categories and distribution channels (details on sales from the Zones are presented in sections 1.1.4. and 1.1.6.). An internal Risk Committee meets regularly to monitor geopolitical and geoeconomic risks and draw up action plans where necessary. |
Business risks/Information systems and cybersecurity 
|
|
|---|---|
| Risk identification | Risk management |
|
In a context of digital transformation and constant development of information technologies and their uses, and given L’Oréal's ambition to lead on Beauty Tech, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation. As a result, the malfunction or shutdown of these systems, the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks, etc.) internally or at a third party of the Group could have a material impact on the Group’s business activities. |
The IT Department has implemented strict security rules for infrastructures, devices and applications. Furthermore, to adapt to the development of new ways of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. In order to tackle the issue of an increasing number of cyber threats, L’Oréal continuously reinforces its level of cybersecurity using a risk-based management approach. To this end, a multi-year plan aimed at reducing the level of risk from cyber threats and strengthening the maturity of risk management was drawn up. This plan includes, in particular, anti-intrusion solutions, regular read teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L'Oréal constantly adapts its cybersecurity risk management to changes in the cyber threat landscape, increasing its investments, where necessary, in prevention, protection, detection and response capabilities, while regularly monitoring the effectiveness of the measures in place. The Group is increasingly investing in incidents detection and reactions systems and regularly reviews the effectiveness of these solutions. An online training programme for cybersecurity best practices is available for all eligible employees (54,436 employees have completed the "Join the next Shield!" programme, i.e., 91% of eligible employees). Specific training programmes are also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual worldwide awareness-raising campaign, Cyberweek. Management of risks related to data is described in the "Data" risk section. |