RISK FACTORS AND INTERNAL CONTROL The risk identification and evaluation processes Committee for review. The Risk Committee then make it possible to update the risk mapping. These follows up on the progress of action plans with each processes first begin with updating the risk universe, risk owner. which classifies and prioritizes all the potential risks identified for the Rexel Group by type and impact. Certain risks do not directly fit in the Risk Committee’s This risk analysis covers the three following areas: scope. Thus, risks related to the Group’s governance and certain group-wide risks are monitored by the •Strategic risks related to the environment in which Rexel Group’s Executive Committee. The Executive the Group operates as wel l as underway within Committee receives assistance from appropriate the Group, such as external growth projects or working groups, which provide it with a detailed innovations; analysis of each risk and identify measures to be Operational risks, resulting from the inadequate or taken to manage these risks. Financial market risks • and compliance risks are monitored mainly by the inefficient processes, organization and systems, functional departments of the Rexel Group. They 2 or from external events impacting the operations; define action plans to be implemented by Entities and based on procedures which they establish. • Legaland compl iance risks, related to the organization’s obl igations with regards to Operational risks are managed via the internal appl icable local or international laws and control system and the action plans defined by regulations, as wel l as internal guidel ines and the entities. Internal control teams are in charge of procedures (including the compliance program), following up on the progress of these action plans. the Ethics Guide, contracts or industry standards and best practices. Therefore, the Rexel Group’s risk management policy ensures an acceptable level of risk considering its This mapping is used to identify and monitor risks, activity and structure. making it possible to share the risk profile throughout the Rexel Group and to update risk factors disclosed Although the risk identification, assessment in section 2.1 “Risk Factors” of this Registration and management procedures are deemed document. The Risk Committee annual ly reviews acceptable by the Rexel Group, assessments are the consistency between the risk mapping and the regularly conducted to identify the areas in which risk factors. improvements are necessary or desirable. Once these areas are identified, corrective actions are 2.3.2.2 Risk management taken. The updating of the risk mapping within the Rexel Group, carried out in 2017 under the supervision of the Risk Committee, al lowed the Executive 2.3.3 Control activities Committee to update the l ist of top-priority The Rexel Group and its branch network form risks and to identify risks of lesser priority, for a decentral ized structure based on bui lding a which a specific fol low-up has nevertheless been sense of accountabil ity throughout the chain of suggested. command. With respect to the top-priority risks, the Rexel Group’s approach, managed by the Risk Committee, In reference to the risk management system consists in proposing a risk owner for each top- described in paragraph 2.3.2 “Risk management priority risks appointed by the Executive Committee. system” of this Registration document, the Rexel This risk owner is in charge of the risk assessment, Group reviewed in 2017 the existing Internal Control presents the potential impacts, the indicators and Framework Manual in order to ensure consistency the actions implemented to limit such risk, as well as with the risk mapping and focus on critical risks. As action plans to reduce the risk to an acceptable level, applicable, the controls have been linked to the risks as appropriate. The risk owner may set up a working identified through the risk mapping. For each of the group with relevant experienced contributors in main processes, the Manual presents the risks, the order to support the risk assessment and build the control objectives, and the related controls. Its 2017 action plans. The chairman of the Risk Committee version has been significantly circulated especially presents these action plans to the Executive to the management of each entity. REXEL 2017 – REGISTRATION DOCUMENT 49