www.se.com Schneider Electric Universal Registration Document 2021 252 Chapter 3 – How we manage risk at Schneider Electric 3.3.4 Risk identification and management General risks at the Group level The Internal Audit and Group Risk Management departments conduct interviews to update the list of general risks at Group level each year. In 2021, around 40 of the Group’s top managers were interviewed in addition to external financial analysts and Board members. Since 2016, individualized risk matrices by Operating Division or by Business Unit have been created. The risks identified through these interviews are ranked by a risk score (comprising impact and likelihood of occurrence) and level of mitigation. Risk factors related to the Group’s business, as well as procedures for managing and reducing those risks, are described in “Key risks”, section 3.4 on page 254. These procedures are an integral part of the internal control system. The risk matrix and the analysis of changes from one year to the next contribute to the development of an internal audit plan for the following year. Around two-thirds of the risk categories identified in the Group’s risk matrix are audited by the Internal Audit department over a period of five to six years to assess action plans for managing and reducing these risks. Local risks related to the Company’s business at the Business Unit level Local risks related to the Company’s business are managed first and foremost by the Business Units in liaison with the Operating Divisions, based on Group guidelines (particularly via the Key Internal Controls). Each subsidiary is responsible for implementing procedures that provide an adequate level of internal control. The Operating Divisions implement cross-functional action plans for key risks related to the Company’s business identified as being recurrent in the Business Units or as having a material impact at the Group level, as appropriate. The internal control system is adjusted to account for these risks. Risks related to the Solutions business The Solutions Risk Management department defines and implements principles and tools designed to manage the contractual (such as limitation of liabilities), technical (such as technical discrepancy versus customer specifications), and financial risks (such as factors that may impact margin at solution execution phase). The network of Solution Risk Managers assess the risks and mitigations related to major projects in conjunction with the subject matter experts and Tender Managers during the preparation of offers. Solution Risk Managers then provides a comprehensive, 360-degree view on project risk and mitigations to support the opportunity approval process. Risk management by the Legal department The Legal department oversees the legal affairs and manages the risks relating to legal matters. The Financial Risk Insurance team contributes to the internal control system by defining and deploying a Group-wide insurance strategy, as defined in “Insurance”, section 3.5 on page 265. The insurance strategy includes the identification and quantification of the main insurable risks, the determination of levels of retention, and the cost benefit analysis of the transfer options. The Risk and Insurance department also defines, proposes, and implements action plans to prevent these risks and protect assets. Risk management by the Global Security department The Group’s Global Security department defines corporate governance regarding loss prevention in the area of willful acts against property and people. The Global Security Group Committee was created in 2017, uniting the Zone Security Leaders. Some of these leaders report directly to the Global Security department and some to local management with functional reporting to Global Security. In close co-operation with the Compliance department and the Risk and Insurance department, Global Security is involved in assessing the nature of risk to our people, as well as defining adequate prevention and protection measures. 3.3 Risk management mechanisms