2024 universal registration document

3. Risk factors and management

This chapter is based on the work carried out by the Group’s Internal Control and Risk Management departments. It presents L’Oréal’s internal control environment, including the system for the preparation and processing of financial, accounting and sustainability information. It describes the risk factors pursuant to Regulation (EU) 2017/1129 of 14 June 2017 ("Prospectus Regulation III"), as well as the associated risk management policy. These risks are presented in four categories: (i) business risks, (ii) industrial and environmental risks, (iii) legal and regulatory risks, (iv) financial and market risks. The Vigilance Plan is also included in this chapter.

3.1 Definition and objectives of Internal Control

3.1.1 Reference framework

For the purposes of preparing this Document and defining Internal Control, L’Oréal has used the Reference Framework and its application guide published by the French financial markets authority (Autorité des marchés financiers, AMF) in January 2007 and updated on 22 July 2010.

3.1.2 Internal Control to prevent and manage risks

At L’Oréal, Internal Control is a system that applies to the Company and its consolidated subsidiaries (the "Group"), which aims at ensuring that:

  • economic and financial targets are achieved in compliance with the laws and regulations in force and the Group’s ethical principles and standards;
  • the guidelines set by General Management are followed;
  • the Group’s assets and reputation are valued and protected; and
  • the Group’s financial and accounting information is reliable and provides a true and fair view.

By contributing to preventing and managing risks, the Internal Control system promotes steady and sustainable industrial and economic development groupwide within a control environment that is appropriate for the Group’s businesses. However, any system or process has its limitations. These result from a number of factors, including external uncertainties and malfunctions due to human or technical error.

Risk management should be based in particular on a reasonable, informed choice between the challenges to be controlled, the opportunities to be seized, the cost of risk management measures, and their effects on the occurrence and impact of the risk.

3.1.3 Continuous improvement process for the Internal Control system

In 2024, the Group maintained its efforts to improve the Internal Control system by:

  • continuing to adjust the Group matrix for the separation of tasks and the associated control environment;
  • providing new operational guides to remind employees of the Group’s principles and encourage the sharing of best practices (e.g., update to the liquidation standard and the standard on retirement plans and sustainable finance);
  • updating the Fundamentals of Internal Control digital library (e.g., on safety, hygiene and environment, and on information systems);
  • regularly adapting the reference frameworks to address new challenges;
  • updating the Group’s digital reference framework; and
  • redeveloping the fraud risk awareness programme.

Online training courses (anti-corruption, data security, competition, cybersecurity, personal data protection) continue to be rolled out.

The network of Internal Control managers was further strengthened worldwide through:

  • compulsory training for onboarding Internal Control managers;
  • specific training courses for each business segment, to present the risks and associated control framework;
  • webchats for sharing updates on Group projects and business standards; and
  • a network of Zone Internal Control managers and officers in each function and business segment.