2022 Universal Registration Document

Chapter 3: Risk factors and risk management

Business risks/Information Systems and cybersecurity Significant
Risk identification Risk management

In a context of digital transformation and constant development of information technologies and their uses, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment depend on an increasingly virtual and digital operation.

As a result, the malfunction or shutdown of these systems, or the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks, etc.), internally or at a third party of the Group, could have a material impact on the Group’s business activities.

The IT Department has implemented strict security rules for infrastructures, devices and applications. Furthermore, to adapt to the development of new ways of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To deal with growing cyberthreats, L’Oréal continuously strengthens the resources dedicated to information system security. A multi-year plan aimed at reducing the level of risk from cyberthreats and strengthening the maturity of risk management was therefore set out.

This plan relies in particular on anti-intrusion solutions, regular red teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L’Oréal’s security focus is constantly adjusted to deal with new threats of cyberattacks. For example, the Group is increasingly investing in incident detection and reaction systems and conducts regular reviews of the effectiveness of these solutions.

Online training in cybersecurity best practices is available for all eligible employees (more than 42,000 employees, i.e. 73% of eligible employees, have received training via a new e-learning module published at the end of 2021). Specific training is also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual global awareness campaign called Cyberweek. Management of risks related to data is described in the “Data” risk section.

Business risks/Geographic presence and economic and political environment Significant
Risk identification Risk management

L’Oréal is a global corporation that has subsidiaries in 76 countries. More specifically, the global development of the cosmetics market has led L’Oréal to develop its Travel Retail business and its business in countries of North Asia, which represented 29.6% of sales in 2022, SAPMENA-SSA (South Asia Pacific, Middle East, North Africa, Sub-Saharan Africa), 7.7% of sales, and Latin America (6.2% of sales). Because of this globalisation, political or economic disruption (strong economic slowdown due, for example, to geopolitical tensions, sustained high inflation, international trade tensions or sovereign debt crises) in countries in which the Group generates a significant portion of its sales could have an impact on its business activities.

As regards Russia’s invasion of Ukraine at the beginning of 2022, depending on its duration and extent, the conflict could impact economic growth worldwide and, consequently, affect the markets in which the Group operates.

The impact and management of inflation and currency risks, and those associated with economic sanctions policies, are described in the risk factors entitled “Inflation and currency risk” and “Risk of non‑conformity” respectively.

The impact and management of the risk related to Covid-19 are described in the “Sanitary crisis” risk factor.

L’Oréal’s global presence and its portfolio of 36 major international brands help to maintain a balance in sales and offsetting between the geographic zones, product categories and distribution channels (details on sales from the zones are presented in section 1.3.). With regard to the crisis in Ukraine and Russia, L’Oréal is closely monitoring the situation and its potential for adversely impacting the global economy and, in particular, its business activity (see section 1.3.1.).

Business risks/Crisis management Moderate
Risk identification Risk management

Prejudicial events or information mainly related to the use or misuse of a product, or to inappropriate individual behaviour, whether proven or not, could affect the reputation of L’Oréal, its 36 major international brands and its products and, as a result, affect sales and, more generally, its financial position.

The impact of the risk could be amplified, notably, by:

  • the explosion of digital and social media all around the world; and
  • societal movements and enquiries by civil society, consumers, etc. to the Group or the brands.

The impact and management of risk associated with social selling, particularly via influencers, are described in the risk factor entitled “Evolution of sales channels”.

L’Oréal has set up a system of:

  • training sessions in crisis communication and support for the communication teams on key issues for the Group;
  • crisis risk management at corporate and local levels;
  • ongoing online monitoring. The subsidiaries deploy their own social media and web monitoring systems under the responsibility of their Director of Communication and immediately report a media risk in their country to the Corporate Communications Department; and
  • a crisis management procedure tasked with preventing, managing and mitigating the consequences of undesirable events on the company across the globe. The Group crisis management officer reports directly to General Management.

The deployment of the Code of Ethics throughout the Group aims at reinforcing the dissemination of the rules of conduct which form the basis of L’Oréal’s integrity and ethics. These rules of conduct seek to guide actions and behaviour, inspire choices and make sure that the Group’s values are reflected in the everyday acts of each employee. L’Oréal has implemented a “Code of Good Practice for the Use of Social Media” for its employees.