| | | Residual importance |
|---|---|---|
| Business risks | Information and cybersecurity systems* | |
| | Geographic presence and economic and political environment* | |
| | Sanitary crisis* | |
| | Reputational crisis management | |
| | Data | |
| | Market and Innovation | |
| | Business ethics | |
| | Evolution of sales channels | |
| | Human Resources risk | |
| | Product quality and safety | |
| | Safety of people and property | |
| Industrial and environmental risks | Product availability* | |
| | Climate change | |
| | Environment and safety | |
| Legal and regulatory risks | Non conformity* | |
| | Intellectual property: trademarks, designs & models, domain names, patents | |
| | Product claims | |
| Financial and market risks | Inflation and currency risk* | |
| | Risk on financial equity interests | |
| | Risk relating to the impairment of intangible assets | |

\* Most material risks in each category.

Residual importance: Low, Moderate, Significant.

| Business risks/Information Systems and cybersecurity | |
|---|---|
| Risk identification | Risk management |
| In a context of digital transformation and constant development of information technologies and their uses, the Group’s business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation. As a result, the malfunction or shutdown of these systems, or the leakage or destruction of data for exogenous or endogenous reasons (including cyberattacks, malicious acts, hacks, etc.), internally or at a third party of the Group, could have a material impact on the Group’s business activities. | The IT Department has implemented strict security rules for infrastructures, devices and applications. Furthermore, to adapt to the development of new ways of communication and collaboration, L’Oréal has introduced an Information and Communication Technologies Code of Practice. To deal with growing cyber threats, L’Oréal continuously strengthens the resources dedicated to information system security. A multi-year plan aimed at reducing the level of risk from cyber threats and strengthening the maturity of risk management was therefore set out. This plan relies in particular on anti-intrusion solutions, regular red teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L’Oréal’s security focus is constantly adjusted to deal with new threats of cyberattacks. For example, the Group is increasingly investing in incident detection and reaction systems and regularly reviews the effectiveness of these solutions. An online learning programme for cybersecurity best practices is available for all eligible employees (48,487 employees have completed the “Join the next Shield!” programme, which equates to 81% of eligible employees). Specific learning programmes are also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual worldwide awareness-raising campaign called Cyberweek. Management of risks related to data is described in the “Data” risk section. |