Risk management

Risk assessment and internal control
Risk management and internal controls are critical for the stability of the Company. Internal risk management strengthens our ability to achieve our objectives by:

Effectively constraining threats to acceptable levels;
Making informed decisions;
Enhancing our capacity to exploit opportunities while also protecting stakeholders’ interests and shareholders’ investments.

We see internal control as a responsibility shared by all managers within the Company. It is underpinned by processes and procedures intended to provide reasonable assurance that:

Risks are mitigated;
Financial reporting is reliable;
Relevant laws and regulations are complied with;
The Board’s objectives are attainable (for full details, see our 2010 Annual Report ).

To provide assurance to the Board, we have policies and processes to ensure reporting integrity, alongside effective internal control and risk management systems.

Gemalto focuses on three key areas for managing its operational and financial risks:

Risk assessment;
Crisis and business continuity management;$
Budget planning and reporting.

Risk assessment

By identifying and assessing key operational and financial risks, Gemalto can focus on those that matter, and plan accordingly. We carry out risk assessment at all management levels – for example, encompassing contract reviews, sites (e.g. ISO 27001) and new asset acquisitions. At Group level specifically we conduct risk mapping, develop action plans and monitor their effectiveness.

In 2007 we carried out a global Enterprise Risk Assessment (ERA). Its aim was to help us better prioritize and map the risks we face, and to control them. In 2008, we used conclusions from the global ERA to define objectives and agree plans which we have followed into 2010. Their status has been presented regularly to the Audit committee and the Board.
In 2010, we launched a new risk mapping program to identify and manage risks that could impact the objectives and/or reputation of the Group.

Crisis and business continuity management
In today’s climate, no business is immune to crisis. In 2009, Gemalto defined a Crisis Management Framework to reduce the impact of events beyond our control on Gemalto’s operations and the industries with which we engage.

The Framework encompasses basic escalation and communication rules, guidelines for anticipation and action, and clear roles and responsibilities. It is available internally via our intranet.

We started running crisis management training – including simulation exercises – in 2009. These sessions are now currently 87% complete, with 61 crisis management leaders trained worldwide. We also ran several crisis simulation training sessions for managers to enhance team response, thus improving our internal communication and coordination. (More information on crisis management)

We also strengthened Gemalto’s business continuity capabilities in 2010, so as to better respond to events such as natural hazards, fire, flood or supply chain disruptions.

We did this by standardizing production tools and processes, centralizing more data, and creating an appropriate architecture for seamless data back-up. We also put in place additional manufacturing arrangements to cater for unplanned circumstances, including multi-sourcing strategies, IT availability and redundancy infrastructure.

This approach enabled us to respond effectively to unforeseen events in 2010, minimizing their impact both for our customers and our business. For example, we were able to deal effectively with the consequences of the Icelandic volcano eruption. Following our crisis management procedures, we tracked all Gemalto employees traveling at that time, and provided support when needed to get them home safely.

Complementary reporting systems enable Gemalto to obtain the right information to facilitate decision-making. Detailed budget and planning processes are also in place.