Risk management and internal control procedures

Risk management and internal control definition and objectives

Definition of internal control

Webhelp Group has adopted the definition set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control—Integrated Framework (2013): Internal Control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, finance and compliance.

The system has been defined and implemented within Webhelp specifically in order to ensure:

  • Control Environment: standards, processes, and structures that provide the basis for carrying out internal control across the organization.
  • Risk assessment: iterative process for identifying and analyzing risks to achieving the entity’s objectives.
  • Control activities: policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
  • Information and communication: to understand internal control responsibilities and their importance to the achievement of objectives.
  • Monitoring activities: evaluations to ascertain whether each of the five components of internal control is present and functioning.

Like any system of control, it cannot provide an absolute guarantee that all risks have been eliminated.

 

Internal control and risk management

The internal control system relies on the risk management system to identify the main risks that need to be controlled.

 

Risk management and internal control system components

Introduction

Control environment, values, and Code of Conduct.

The control environment is a fundamental component of risk management and internal control systems and forms the common basis of the systems.

 

Webhelp values

The Group’s internal control system is based on five core values: Recognition, Integrity, Unity, Commitment and Way of Working (WOW). These values infuse the Group’s leadership strategy and form the key value charter for our employees and our subsidiaries.

The Group’s values are brought to the attention of all Webhelp personnel. The Group places great emphasis on its managers’ ability to live up to these values daily.

Webhelp’s Code of Conduct is a fundamental reference in terms of ethics, business integrity, and social and environmental responsibility. Management is responsible for ensuring that the Code is strictly and consistently respected across the Group.

 

Organization and responsibilities

The Top Executives’ role consists mainly of validating strategic decisions and policies. Members of the General Management Committee oversee the implementation of decisions taken. For instance, the General Management Committee oversees the development and the monitoring of policies that enable the Group to attain its various objectives in terms of global growth, technological decisions, the implementation of identical operating procedures for the entire network, as well as the development of human resources.

 

Information systems

Group management and the Information Systems Department determine the Group’s strategic directions for production tools and information systems for subsidiaries. They ensure that the development of information systems is consistent with Group objectives.

The Information Systems Department also issues directives on security and business continuity in compliance with data protection. These directives are based on compliance with international standards, ISO 27001, PCI (Payment Card Industry) and the European Data Protection Regulation (GDPR) in coordination with the Legal and Compliance department to satisfy regulatory requirements specific to each business sector or to obtain the certifications requested by clients.

 

Operating Model

The internal control system also depends on subsidiaries implementing the “WOW” (Way of Working) operating model. It defines a homogeneous vision of the way Webhelp does business: a consistent global framework tailored locally to country culture and client needs.

The Group has been developing the use of this methodology, providing training for all its managers, to develop a common language grounded in the notions of measurement, analysis, and control.

Additional Webhelp Unique Standards support the operating model and describe the common processes and tools.

The implementation and application of these procedures and standards enable the Group to make its global network more internally consistent, while providing greater control over our operations.

 

Risk management system

Definition

In the operation of its business, the Group is exposed to a variety of risks that could affect the Company’s personnel, assets, environment, objectives, or reputation.

Risk management is a lever for anticipating the main potential threats to Webhelp, whether internal or external, to preserve its value, assets, and reputation, help it achieve its targets, ensure that actions taken are consistent with Group values and rally employees in support of a shared vision of key risks.

Organizational framework

Group management is particularly vigilant when implementing the measures and procedures necessary to manage our business and prevent risks, according to Webhelp’s objectives and strategy. A Group Risk and Audit Department is in place and reports directly to the CEO.

Process and control

A Group risk mapping is regularly updated to identify and analyse Webhelp’s major risks and the measures that can be used to limit their consequences. Action plans are defined to mitigate risks and, when appropriate, Webhelp Unique Standards are updated accordingly.

In addition to the Group risk mapping, dedicated risk mappings are also conducted. The Compliance Department is responsible for performing and monitoring the regulatory risk mapping related to anti-bribery, duty of care and data privacy. A specific Cyber risk mapping is regularly updated with the IT department. Regional risk mappings support the risk management at regional level.

The Finance Department runs a yearly self-assessment on internal controls. The scope of this campaign covers all the Regions within the Group, and consists of 3 questionnaires at region, process, and IT levels. The results of the self-assessment are shared with the Top Management and with the Internal Audit Department. The Internal Audit Department includes a review of the self-assessment campaign within its annual program and a follow-up of action plans.

 

Control activities

Centralized control procedures

The internal control procedures centralized at headquarters cover areas common to all companies within the Group.

Financial procedures

The Group’s Finance department is headed and managed by a central team based in Paris, with decentralized and autonomous financial teams within each Region. The Group’s central finance team includes Group Financial Control and Accounting Consolidation, Tax, Treasury, and Financial Planning & Analysis.

The Group’s financial information is prepared and monitored using key software applications.

Reporting on the key figures is communicated monthly through a bottom-up approach, followed by a top-down review to confirm the reliability of the financial data. The consolidation tool is common to all of the Group’s subsidiaries.

The profitability per project as well as the costs of the different functions are monitored monthly, and this management reporting is aligned with the consolidation every month.

The Group consolidated financial statements are prepared in accordance with IFRS. Statutory accounts and consolidated accounts are prepared monthly (an accounting handbook written by the Group Financial Department and communicated throughout Webhelp ensures compliance with IFRS and the consistency of the consolidated financial data). Mid-year financial statements are subject to a limited audit review and year-end consolidated financial statements go through a full audit.

The Group prepares quarterly reporting for its financing banks, as required by its financing agreements. Management also issues a more complete and comprehensive report at financial year ends. The reporting pack reports on key financial statement items and aggregates.

The Group Finance team coordinates the management of foreign exchange and interest rate risks, with the aim of limiting these risks, preserving sales margins and controlling interest charges.

Legal and Compliance procedures

As part of its responsibilities, the Group Legal and Compliance Department oversees the Group’s compliance with applicable laws and regulations in the countries where it operates, through its local network of lawyers and compliance officers. It also plays a central role in monitoring changes in laws and regulations and advising the various Group entities.

The Group Legal and Compliance Department is centralized and headed from the Paris headquarters. It initiates Group policies in the areas of Group compliance, business ethics, regulatory requirements, and data protection. The network of Compliance Officers, as well as the network of local in-house lawyers, oversees the deployment of the policies in their relevant regions and monitors additional local requirements.

The Group Legal and Compliance Department has issued the Code of Conduct and related training. The Code of Conduct is regularly updated and is supplemented by several procedures on compliance matters.

IT, Security and Data Privacy procedures

The Group has streamlined its security technology to reflect best market practices and to introduce the technology required contractually by its clients or pursuant to applicable regulations. A Group Cyber security program is in place and aims to prevent and detect intrusions, notably to reduce the risk of introduction of malware, protect personal data and Group assets, and set up a backup strategy and recovery plans.

All personal data is collected and processed in accordance with applicable laws, and the Group’s policies applicable at each Webhelp site are designed to prevent potential acts of fraud or breaches of security standards. In 2022, the Webhelp Binding Corporate Rules were formally approved by the EU data protection authorities.

The third-party certifications requested by clients and audits conducted by clients also serve as a guarantee that the application of strict control procedures will be verified to ensure compliance with security and/or quality standards and processes.

 

Information sharing

Group information, policies and procedures are regularly communicated to the managers of all subsidiaries. These rules are also reiterated at Company Board meetings. Subsidiary executives are expected to communicate instructions from Group management to their employees.

The heads of corporate support departments also inform their teams of specialized personnel at meetings and training sessions.

The Group relies on several internal communication systems (SharePoint, Teams) to share all policies and practices within the relevant teams.

 

Oversight of the internal control system

Group senior management

The Group Executives monitor the internal control system to ensure that the system is relevant and suited to the Group’s objectives.

This includes regular reviews on the part of management and supervisory staff. It falls within the scope of their day-to-day activities and ensures that each organizational process is consistent with the Group’s vision and strategy.

Group Internal Audit

The Group Internal Audit department reports to the Group CEO to ensure its independence, and the internal auditors are members of the French Institute for internal auditing (IFACI).

As part of the monitoring, internal audit missions are regularly performed by the Group internal audit team in various entities of the Group across all the Regions. Internal audits aim at ensuring that internal rules are known and duly applied, and that internal control is consistent within the Group.

Internal audit reports are communicated to operational managers, support functions and the Top Management of the Group. Remediation plans may be designed to improve the internal control environment. A follow-up of action plans issued following the audits is regularly performed by the Group Internal Audit team.