2022 Universal Registration Document

Chapter 3: Risk factors and risk management

Audit and self-assessment system
(i) Audits

Audits of Applicable Rules: Audits of Applicable Rules are used to check that the Plan is correctly implemented by the Subsidiaries and Suppliers included in the Risk Matrix. Audits are done by specialist external companies. When a Subsidiary or Supplier is audited, the process is carried out in accordance with the Risk Matrix set out above. A written audit report is prepared. With respect to the Subsidiaries, the reports are stored in a secure database available to Group Human Resources Directors and, in some cases, to the Country Operations Directors. The reports on Suppliers are intended for Group buyers.

EHS audits specific to Subsidiaries: In order to ensure compliance with the Group’s EHS policy, a system of worldwide audits has been in place since 1996, and was reinforced in 2001 with the presence of external auditors. These are experts in the local environment and regulations. These audits take place regularly on each L’Oréal site: every three years for production sites and every four years for distribution centres, administrative sites and research centres. If the result of the audit does not meet the standard required by the L’Oréal guidelines, a specific interim audit is scheduled for the following year. Every year, the teams responsible for EHS risks review the audit results and identify general improvement plans. The improvement plans specific to the audited Sites are established immediately after the end of the audit. Any emergency measure intended to prevent an imminent risk for the health of persons at the Site is implemented by the Site EHS teams without waiting for the completion of an audit, even if it is not part of any existing improvement plan. There are various audit grids called “risk”, “culture”, or “combined risk and culture”, used depending on the maturity and type of activity at the Sites. They assess in particular:

  • compliance of practices and facilities with the Group’s rules and procedures;
  • progress in terms of EHS performance;
  • any risks that the sites may present from an EHS standpoint; and
  • the level of management and deployment of EHS culture on the Sites.

Each risk finding is classified in one of three categories A, B and C according to a matrix of level of impact/probability of occurrence. “A” findings are monitored monthly and consolidated annually by risk type.

The monthly reporting of safety and environmental data also enables consolidation and analysis of any anomalies and incidents leading to regulatory non-conformity, complaints and/or fines.

Three types of audit specific to Suppliers:
  • initial audits: first audits conducted, which are a prerequisite to the start of the relationship with a new Supplier;
  • follow-up audits: audits done 12 to 24 months maximum after the immediate improvement request (Needs Immediate Action or NIA), depending on the severity of the non-conformities found; and
  • confirmation audits, three years after the initial audit.

The possible outcomes of the audits are as follows:

  • Satisfactory: all criteria conform to the Applicable Rules and the best practices are highlighted;
  • Needs Continuous Improvement (NCI): minor non‑conformities were found, but they do not have an impact on employee safety or health;
  • Needs Immediate Action (NIA): non-conformities are reported either because they are serious, because they are recurring or have a potential impact on the health and safety of employees;
  • Zero Tolerance (ZT): reported, for example, in the event of a critical non-conformity because of child labour, forced labour, physical abuse, restricted freedom of movement, an immediate risk of accident for employees or attempted bribery of the auditors(1); and
  • Access Denied: reported when the audit is refused (for example in the event of refusal to provide partial or full site access to the auditors).

In the event of a non-conformity (Needs Continuous Improvement, Needs Immediate Action, Zero Tolerance), corrective action plans must be implemented which are then audited at the level of the Subsidiary or Supplier. Failure to implement a corrective action plan can, in the case of a Subsidiary, result in an alert being sent to the Country Manager. Subsidiaries can decide to link part or all of the remuneration of their managers and/or of their performance evaluation to the implementation of the Applicable Rules.

In the case of Suppliers, serious non-conformities (Needs Immediate Action, Zero Tolerance and Access Denied) or the failure to implement corrective action can result in the non‑listing of a new Supplier or the suspension or termination of commercial relations with a listed Supplier.

In the event that the existence of a serious non-conformity with the Applicable Rules is reported, a specific audit can be initiated. Visit reports are issued as part of the process of routine visits made to Suppliers. They can result, if necessary, in additional audits.

Specific EHS audits of subcontractors’ sites

Additional specific EHS audits are conducted by independent third parties for subcontractor sites handling aerosol production or storage, bleaching powders and flammable products, under criteria defined by L’Oréal that are similar to those used for the Group’s sites. These audits are triggered at the time of referencing/qualification and are followed up via audits conducted between 12 months and 36 months maximum after the immediate improvement request (NIA), depending on the severity of the non-conformities found, and again at the time of confirmation, five years after the initial audit.

The results of these audits are the same type as those previously described: satisfactory, NCI, NIA and ZT.

Serious non-conformities (Needs Immediate Action, Zero Tolerance and Access Denied) or the failure to implement corrective actions can result in the non-listing of a new Supplier or the suspension or termination of commercial relations with a listed Supplier.

All the main non-conformities found are monitored and consolidated annually by risk type.

(1) It should be noted that the concept of attempted bribery mentioned in the audit report refers to an attempt to bribe the auditor and not to the fact that the supplier may have been involved in a bribery case.