to Capgemini’s first
This year, for the first time, we release, digitally and in print, an Integrated Report aligned with the IR Framework as published by the International Integrated Reporting Council.
It is a key communication intended for all our stakeholders to explain who we are at Capgemini: a technology-enabled business transformation company serving global clients and a leading responsible company, using our expertise for positive impact.
Confident about the future, we believe that financial and non-financial performance are both critical to creating sustainable value for all. We would be delighted to gather your comments at firstname.lastname@example.org
Chairman and CEO
People Management and Transformation
Corporate Social Responsibility
In this digital version of our 2017 Integrated Report, we present our internal control and risk management systems and we focus on the risks and opportunities related to the key topics selected during our Integrated Reporting process.
Readers wanting to find a holistic description of our risks and opportunities will find it in our 2017 Registration Document / section 2.5.
1. Internal control and risk management systems
The Group’s internal control and risk management systems seek to create and protect the Group’s value, assets and reputation, and identify and measure the major risks to which the Group is exposed, anticipate and foresee changes in these risks and finally implement risk prevention and transfer measures.
Capgemini Group has defined and implemented a control system that seeks to ensure:
- compliance of all management acts with relevant laws and regulations;
- compliance with the Group’s seven core values and guidelines set by the Board of Directors and/or Group Management;
- application by the subsidiaries of instructions communicated;
- the smooth functioning of the Group’s internal processes safeguarding assets; and
- the reliability of accounting and financial information.
While contributing to the improved efficiency of its operational support functions, the optimal use of resources and good risk control, this system does not however offer an absolute guarantee of the control of all possible risks imaginable, no more than it can – irrespective of the skills of the employees performing the controls – guarantee alone the attainment by the Group of all objectives set.
Group Management has distributed a set of rules and procedures known as the Blue Book. Compliance with the Blue Book is mandatory for all Group employees. It sets out and comments on Capgemini’s seven core values, sketches out the overall security framework within which the Group’s activities must be conducted, and, finally, describes the desired behaviors and specifies the prohibitions applicable in each of the Group’s main functions. This set of rules and procedures, which has force of law within the Group, reminds employees of their obligations in this area and inventories the tools and methods which help them control risks identified in the exercise of the Group’s businesses.
From 2016, the Group developed a risk management framework administered by a Risk Committee and involving various parties operating at different levels of the organization. These key players are presented below for each of the three lines of defense.
- The Audit & Risk Committee
The Capgemini SE Board’s Audit & Risk Committee is responsible for monitoring the efficiency of risk management and internal control systems.
- Group Management and the Risk Committee
Group Management has delegated to a Risk Committee, created in 2016, the definition and implementation of the various activities relating to the risk management process within the Group. The Risk Committee, chaired by the Group Chief Financial Officer, is responsible for the effective implementation of a risk management and internal control system within the Group. It reports to the Audit & Risk Committee on all issues concerning these systems.
At an operating level, the Risk Committee builds on the actions of the Insurance Director, who is responsible for coordinating Group risk management and who supports the risk management activities of the Risk Committee, and the managers of the various Business Units and functional departments.
The 3 lines of defense
- 1st line of defense: from management to employees
Operations and Business Unit management supplement and adapt the Blue Book drafted by Group Management, by drawing up detailed internal control procedures which comply with the relevant laws, regulations and customary practices in the country where they operate, in order to exercise control more effectively over risks specific to their local market and culture.
Operations and Business Unit management duties include the identification and control of risks relating to their own environment, in compliance with the rules and procedures implemented and communicated by the Group functional departments.
- 2nd line of defense: functional departments with risk expertise
The various Group functional departments assist the Risk Committee with the identification and prioritization of risks. Each department defines and rolls out risk control systems in its activity sector and ensures, in particular, the consistency of actions undertaken in the Business Units with these guidelines. It assists all Group entities by facilitating the sharing of risk management and internal control best practice.
- 3rd line of defense: internal audit
For over 30 years, the Capgemini Group has had a central Internal Audit function. Its Director reports directly to the Chairman and Chief Executive Officer, guaranteeing the internal audit function is independent of the functions and Business Units audited. The internal audit team comprises 33 auditors, representing 10 different nationalities and covering 90% of the languages spoken locally in the Group. This significant internationalization of the internal audit team reflects the desire to accompany the expansion of the Group into new regions of the world; the Internal Audit Department also has a Bombay desk with 18 auditors including 4 technical experts specializing in the review of IT projects.
2. Major risks and opportunities
Capgemini Group completed updating the mapping of its major risks in 2017, during which it assessed the risks likely to have a significant negative impact on its activity, financial position or results. You will find below a selection of the risks and opportunities related to the key topics that result from the internal materiality analysis performed in 2017 and which are considered to have a potential significant effect on Capgemini’s business, financial results and future prospects. This list is not intended to be exhaustive.
2.1. Clients & innovation
The main risks and opportunities our industry is facing related to clients and innovation include in particular our ability to adapt our services portfolio, remain cost competitive, and to avoid major service delivery failure, data protection and cybersecurity issues and significant contract liabilities.
Capgemini seeks to develop its market share and serves a large client base, in a wide variety of sectors and countries.
The Group’s biggest clients are multinationals and public bodies. The detailed list of the Group’s biggest clients is strategic information and is not communicated.
The contribution of the Group’s main clients to Group revenues (as a percentage of total revenues) is as follows:
Top three clients:
Top five clients:
Top ten clients:
For existing clients, Capgemini is potentially exposed to standard risks:
- excessive dependence on a single client or group of clients or a single business sector;
- client insolvency;
- client dissatisfaction.
Despite the formal review and approval procedure for all contractual commitments given by the Group to its clients, suppliers and sub-contractors, difficulties with respect to project performance and/or project costs may be underestimated at the outset. This may result in cost overruns not covered by additional revenues, especially in the case of fixed-price contracts, or reduced revenues without any corresponding reduction in expense in the case of certain outsourcing contracts where there is a commitment to provide a certain level of service.
More generally, the Group could be unable to control changes in its cost base, materially impacting the overall profitability of its operations.
The Group monitors the international development of its business, focusing on countries offering satisfactory guarantees in terms of individual security and business ethics and a robust legal framework for the conduct of business, thereby limiting this risk.
In addition, standard client-related risks are closely monitored.
With regard to dependency, the Group has several thousand clients, which to a certain extent enables it to resist market turbulence and reduce its exposure to volatility in certain sectors. The client portfolio consists of both a large number of entities from the public sector and a large number of entities from the private sector, from a wide spread of diversified markets. Exposure to risks of commercial dependency is therefore limited.
Client solvency controls during the sales process help minimize client credit risk. In addition, the solvency of major clients, combined with the wide diversity of other smaller clients, helps reduce credit risk. Furthermore, Capgemini has introduced rigorous monitoring of accounts receivable by age and a dynamic follow-up process.
Capgemini pays particular attention to assessing client satisfaction and has implemented a rigorous client relationship management process that it carries out throughout the projects. This is a key pillar of the Group’s client loyalty policy, particularly for major client accounts.
The Group-wide deployment of the Commercial and Contract Management function ensures operational, financial, contractual and reputation risks are monitored and mitigated throughout the contract life cycle. It focuses particularly on major, complex and high-risk contracts. This program is led by the Commercial and Contract Management Department, created in 2016, which has implemented tools, methodologies, procedures and training sessions, notably to help Production/Methods and Support Department teams manage risks.
The Group has developed a range of methods, organized and documented in its DELIVER methodology, in order to ensure the high quality performance of client projects. Project managers receive specific training to develop their expertise and obtain certification levels consistent with the complexity of projects entrusted to them. The Group continues its active policy of external certification of its Business Units (CMM, ISO, etc.).
Project performance monitoring satisfies the management and control procedures defined by the Group, with projects classified as “complex” subject to more specific controls. Internal Audit also verifies the application of project management and control procedures. At the initiative of the Production/Methods and Support Department, specialist teams of experts audit projects considered high-risk or facing performance difficulties.
The Group has devised a formal process to identify and control risks associated with the delivery of projects ordered by clients, from pre-sale to acceptance and payment by the client of the last invoice for the project. More details are given in the Registration Document, section 2.5.3.c.
The main talent related risks and opportunities our industry is facing relate to attracting and retaining talent, including key executives, and managing succession planning.
The vast majority of the Group’s value is founded on its human capital and its ability to attract, train and retain employees with the technical expertise necessary to the performance of client projects to which it has committed. In particular, this requires a strong reputation in the employment market and ensuring fair appraisal and promotion procedures as well as the professional development of our employees.
The loss of talent or a team could also follow an acquisition or a change in Group or entity management.
In the event of an industrial dispute or non-compliance with local regulations and/or ethical standards, the Group’s reputation and results could be adversely affected.
Figures concerning, in particular, the attrition rate, the utilization rate, changes in headcount, career management, the development of expertise, building employee loyalty and the level of employee commitment are presented in Chapter 3 of the Registration Document.
The Group pays close attention to internal communication, diversity, equal opportunity and good working conditions and to the quality of its human resource management and employee commitment. Accordingly, an internal survey is conducted very regularly aimed at measuring commitment and expectations among the Group’s employees. This survey is an appraisal tool and action plans are established based on identified results.
Furthermore, a human resources management information system is being rolled out globally by the Group Human Resources Department to ensure the comprehensive management of all processes concerning the management of high-performing individuals and enabling a uniform approach to monitoring performance, the career plans of our employees, the management of international mobility and succession plans, in a manner consistent with the strategic objectives of the Group and the interests of our clients.
Group Management has published a Code of Business Ethics and oversees its application, to reduce as far as possible the potential impact on the Group’s reputation.
The Capgemini Group International Works Council covers not only European countries but also includes representatives of the main countries outside Europe (India, United States and Brazil).
The Group’s key managers regularly attend meetings to present changes in the Group and the main challenges facing it, and discuss them with employee representatives in an open manner and an environment of mutual understanding.
Finally, as part of our “People Matter, Results Count” policy, we take account of:
- the motivation and career path of our employees;
- the implementation of varied and attractive career plans;
- the development of our employees through development and training programs;
- the respect and promotion of a good work-life balance.
2.3. Data protection and cybersecurity
The main risks and opportunities our industry is facing relate to data protection failure or cyber risk incidents, which could result in reputational issues.
New technologies (Cloud computing, “Bring your own device”, etc.) and new practices (social networks, mobility, Software-as-a-Service – SaaS, DevOps, artificial intelligence, etc.) inevitably expose the Group to new risks.
Risks relating to all kinds of cyber criminality could lead to a loss of data, delays in the delivery of our projects, service interruptions at our clients, or additional costs that could impact the reputation or financial health of the Group.
The Group has implemented business continuity procedures in the event of a disruption to IT services. The main management IT systems are covered by back-up plans in different data centers.
The Group is aware of the importance of internal communication network security, and protects its networks via security rules meeting the highest international standards, proactive controls, a counter attack detection center operating 24/7 and specific technical equipment such as firewalls. We have defined a security policy founded on numerous international standards and procedures (our operating sites are certified ISO 27001). This security policy and the back-up plans are validated, updated and audited periodically.
For some projects or clients, enhanced systems and network protection are provided on a contractually agreed basis.
In addition, a large number of our clients have been identified as operators of vital importance by their national authorities. Certain clients will also be identified as Operators of Essential Services (OES) under Directive 2016/1148 of July 6, 2016, also known as the NIS (Network Information Security) Directive, or by Europe. The security of their information systems will therefore have to be approved by these national or European authorities and our Group, as a major sub-contractor, will also have to comply with these regulations.
The Group continuously ensures the security of its systems and their compliance with contractual commitments and any applicable legislative and regulatory provisions. It works to implement, with stakeholders, any necessary corrective or protection measures.
To this end, the Group also has a program that seeks to anticipate, prevent and mitigate cybercrime risks for its main systems. This dedicated structure is headed by the Cybersecurity and Information Protection Director (CySIP). He reports, since January 1, 2018, to the Chief Technology Officer.
This program covering exposure to cyber risks comprises three subgroups dealing with governance related issues (organization, policy and communication and awareness-raising) and five operational projects (data protection, mobility management, access management, information system control and steering and strengthening infrastructures).
The CySIP community works closely with the Data Protection Officers responsible for the protection of personal data and compliance.
The aim of this program is to become a benchmark for our clients, thereby strengthening the Group’s credibility on Digital and cybercrime issues. The Group’s personal data protection policy and organization were drawn up based on the Binding Corporate Rules defined by the European Commission (BCR) and validated by the CNIL (French National Commission for Data Protection and Liberties), for the processing and storage of our own data and that of our clients.
2.4. Ethics and values
The main risks and opportunities our industry is facing related to ethics and values are compliance with applicable laws, crisis management or reputational issues.
The Group is a multinational company operating in several countries and providing services to clients who, in turn, operate around the world and are subject to numerous and constantly changing laws and regulations. These mainly include, for example, anti-corruption laws, import and export controls, anti-trust laws, sanctions, immigration rules, safety obligations and employment legislation.
The sheer diversity of local laws and regulations applicable and the constant changes therein, exposes the Group to a risk of infringement of such laws and regulations by under-informed employees especially those working in countries that have a different culture to their own – and to the risk of indiscretion or fraud committed by employees. As stringent as they may be, the legal precautions taken by the Group both at a contractual and an operational level to protect its activities or to ensure adherence by employees to internal rules can only provide reasonable assurance and never an absolute guarantee against such risks.
The Group has a Legal Department with an established presence in the main geographic areas. Its role is to monitor changes in legislation relevant to the Group’s activities and provide training in the main legal issues.
The Group has also adopted a Code of Business Ethics and an anti-trust policy and calls on a network of Legal Counsels who double-up as Ethics & Compliance Officers and participate in identifying risks and train and monitor employees in order to guarantee compliance.
In addition, drawing on employee commitment to the Group’s values, first among which are honesty and trust, on a global risk management and mapping system at Group level and on the countries that have developed specific systems in response to local legislative requirements, Capgemini continues to implement measures and procedures to prevent and detect, in France and elsewhere, acts of corruption or influence peddling. In particular, it has introduced an awareness-raising and training program, a code of conduct, an internal whistle-blowing system and third-party assessment procedures in order to satisfy the requirements of French Law no. 2016-1691, known as the “Sapin 2” Law. Measures to ensure compliance with obligations introduced by French Law no. 2017-399 of March 27, 2017 on the duty of care of parent and sub-contracting companies fall within the same framework.
2.5. Corporate social responsibility
The main risks and opportunities our industry is facing related to sustainable development are political risks and natural disasters.
Service continuity risks are analyzed in detail in the Registration Document, section 2.5.3.C.
Climate change impacts and global temperature increases are not only a future inevitability, they are already being experienced. As well as minimizing our own contribution to climate change and working with clients to enable carbon reductions, we need to ensure we have the capability to adapt to climate change. This means, for example, ensuring business continuity and supporting the wellbeing of our people in the face of extreme weather events.
Service continuity risk management systems are described in detail in the Registration Document, section 2.5.3.C.
For environmental risks, the Group has a Group Environmental Management System (ISO 14001:2015) in place that identifies and manages environmental risks in accordance with international and local regulations and in accordance with our Group environmental objectives and targets. This includes managing risks within our supply chain. We have expanded our risk management procedures in 2017 with a climate change risk assessment that will be rolled out to all Capgemini countries as part of the regular management system approach.
Over the last 18 months, we have been developing and deploying a Group-wide Climate Change Risk Assessment (CCRA) approach to further integrate climate change risk into our corporate risk management. This will ensure the risks of climate change are planned for and we remain resilient in a changing global climate.
The CCRA assesses the vulnerability to climate change of our assets, workplace locations, employees and the national infrastructures we rely upon. We have undertaken significant analysis of scientific, peer reviewed research and models to identify the top climate hazards posed to each of our operating countries.
The model analyzes six main hazards: extreme weather, extreme temperatures, changing weather patterns, water stress, rising sea levels and loss of natural capital. This information is then used to create a model which maps likely impacts and assesses the outcomes of these impacts for our business.
We believe our business will experience the outcomes of these impacts in six areas:
- project delivery;
- health and wellbeing;
- legislative compliance;
- insurance; and
- Digital connectivity.
(see DDR – section 3.4 Environmental sustainability).