Strategic Report
Chapter 3 – How we manage risk at Schneider Electric

3.3.3 Each Risk Overseer is in charge of moving the risk flywheel for his/her respective domain

Risk taxonomy
The Group established a unique risk taxonomy to have a common language with all stakeholders. All risk categories included are mapped to a Risk Overseer who is responsible for all assets and processes around the risk flywheel (see figure below). The risk taxonomy is reviewed once per year, with inputs from the three lines of defense.

Trust Charter
The Trust Charter is the Group code of conduct. Each section is mapped to the risk taxonomy and has the goal, among others, of bringing employees a level of awareness that will contribute to decreasing the Group risk exposure. See more details about the Trust Charter in Chapter 2, section 2.2.1.

Policies
A policy is an official statement and process description, produced and supported by the leadership team, that states where the organization stands on important topics or issues. Policies create the backbone of an organization and are important for all stakeholders to enable and reinforce trust. Each Risk Overseer is responsible for ensuring that the needed policies are written and published, and then that they are implemented and communicated and that their implementation is monitored. See more details about policies in Chapter 2, section 2.1.4.4.

Mandatory PMI (1) tasks
The Enterprise Risk Management framework applies not only to the Group's core and legacy activities, but also to recently acquired companies as part of the post-acquisition integration process. Trust Standards are defined to ensure the integration process is addressing risks and compliance matters, meeting legal obligations, creating a more standardized back-end, and providing clarity regarding integration requirements across the portfolio of companies.

Key Internal Controls
The Group uses a set of internal controls that is reviewed and updated annually, with the feedback of the Risk Overseers (among others). One of the goals of internal controls is to assess the effectiveness of the mitigation put in place to address a risk. For the controls that are risk specific, the outcome of the yearly self-assessment campaign is twofold: provide a high-level view of the situation to the top management and Risk Overseers, and provide action plans to the risk owners to improve their mitigation, if relevant.

Key risk metrics
Risk metrics are defined to measure the Group risk exposure for each risk category. They are defined by the Risk Overseers and reviewed on a regular basis. Defining risk thresholds helps to foster a risk-centric culture and to take business decisions based on risk appetite.

(1) PMI = Post-Merger Integration

Yearly risk reviews
The Group’s entities perform frequent risk reviews. There are three types:
• Zone or country risk reviews, where the leadership team and risk owners review the top risks affecting their territory and legal entities, as well as the mitigation in place.
• Function or risk category reviews, where the leadership team and Risk Overseers review the risks affecting their domain of expertise, as well as the mitigation they put in place.
• Consolidated risk reviews, performed by the Audit & Risks Committee aiming, in particular, to review and assess the internal control framework and risk management system effectiveness.

Risk maturity assessments
In a spirit of continuous improvement, Risk Overseers perform risk maturity self-assessments on a regular basis. This helps drive constant improvements to the ways in which the risk is managed within the Group.
Among other things, it ensures the Group takes the right steps towards an optimized risk maturity level including:
• Governance and organization with dynamic resource allocation;
• Management systems are aligned and optimized across all three lines of defense;
• Processes and controls rely on digital and advanced analytics to optimize effectiveness and efficiency;
• Communication and training are adapted to specific needs, with a measured impact.

Figure 4: Risk flywheel (elements shown: Risk Taxonomy, Trust Charter, Mandatory PMI Tasks, Key Internal Controls, Key Risk Metrics, Yearly Risk Review, Risk Maturity Assessment, Policies)
Universal Registration Document