Life Is On | Schneider Electric www.se.com
Strategic Report – Chapter 3 – How we manage risk at Schneider Electric

3.2.2 General internal control and risk management principles: our three lines of defense

The three lines model

Figure 1: The three lines model (diagram). Governing body (Board of Directors and Audit & Risks Committee): accountable to stakeholders for organizational oversight; roles of integrity, leadership and transparency; sets the corporate culture. Management: actions (including managing risk) to achieve organizational objectives. 1st line roles: business and risk owners (Divisions, Business Units; Zones, Clusters, Countries) provide products/services to customers and manage risk. 2nd line roles: Global Functions Leaders and Experts (Cyber Security, Compliance, Quality, ...) oversee risks, set guardrails (policies, process, control), and advise and monitor the 1st line. 3rd line roles: Internal Audit (Global Internal Audit) provides independent assurance and advice on the adequacy and effectiveness of governance and risk management. Relationships shown: delegation, direction, resources and oversight flow from the governing body to management; accountability and reporting flow back; the lines work through alignment, communication, coordination and collaboration.

1st line of defense: Business and risk owners

Among other responsibilities, Operating Divisions and Business Units have a duty to preserve good faith and trust. As business and risk owners, they must:
• Embed risk management into first line processes;
• Execute risk strategy in line with risk appetite and standards;
• Complete risk assessments and provide supporting data;
• Identify and control risks relating to their own environment, in compliance with the rules and procedures implemented and communicated by the Group functional department;
• Design and implement remediation actions.
More specifically, Operating Division and Business Unit management supplement and adapt the Enterprise Risk Management framework drafted by Group management by drawing up detailed policies and internal control procedures that comply with the relevant laws, regulations and customer practices in the countries in which they operate, so as to exercise control more effectively over risks specific to their local market and culture.

2nd line of defense: Risk Overseers

Risk Overseers and expert Functions

The various Group functional departments and Risk Overseers assist the Enterprise Risk Management body with the identification and ranking of risks. Each department defines and rolls out risk management systems in its activity sector and ensures the consistency of actions undertaken in the Business Units and Operating Divisions. It assists all Group entities by facilitating the sharing of risk management and internal control best practice. Depending on the risk category, Risk Overseers must:
• Identify and manage adoption of regulatory and legal standards;
• Initiate first risk identification as a base for the design of risk-specific programs;
• Own risk-specific policies;
• Define risk-specific processes and controls.

Enterprise Risk Management body

In the current context of an acceleration towards a more complex and fragmented world, the Group has engaged in a restructuring of its Enterprise Risk Management body, with the help of experts. This started in 2021, with most of the deployment scheduled for 2022. The objective is to strengthen overall risk management at Schneider Electric, with a more robust Enterprise Risk Management body to implement and deploy advanced mechanisms, support the first and second lines of defense, and consolidate and report to the Executives and the Board of Directors. It will ensure that the maturity level and effectiveness of the governance and organization, management systems, processes and controls, and communication and training all increase.
By pursuing this journey until 2024, the Group expects to reach an optimized maturity level in the way we develop and maintain a Group risk appetite framework.
Universal Registration Document