Internal risk management and control systems

Risk management principles

The principal aim of the Group’s internal risk management structure and control systems is to manage business risks, with a view to enhancing the value of shareholders’ investments and safeguarding assets.

Management has put in place a number of key policies, processes and independent controls to provide assurance to the Board as to the integrity of Gemalto’s reporting and the effectiveness of its systems of internal risk management and control.

Risk management organization

The diagram gives a synthetic view of the Gemalto risk management organization, as explained hereafter.

Chart outlining the risk management organization structure

Foundations: Risk management at Gemalto is built on solid foundations, as described in ‘Our Strategy’, ‘Sustainability’ and ‘Corporate Governance’.

Gemalto has developed three levers to manage its operational and financial risks in a transversal manner throughout the organization:

Risk assessment: Identifying and assessing our major operational and financial risks enables Gemalto to focus on those that matter and align its action plans and resources accordingly.

Crisis and business continuity management: Having a flexible and tested crisis management organization and business continuity responses helps to reduce the impact of events inherent to Gemalto’s operations (international scope, emerging markets and changing risk arena) and the type of industries in which Gemalto is engaged.

Budget, planning and reporting: Various complementary reporting systems enable Gemalto to obtain the right information at the right time, facilitating the decision-making processes and the monitoring of the efficiency of the actions with regard to its business objectives. Gemalto also has a detailed budget and planning process. For more information, please refer to ‘Internal Control over Financial Information’, below.

Oversight structure

The oversight structure ensures that the organization is geared towards effective risk management.

Business units and Operations & Innovation

Operations and business managers identify and manage risks in their respective sites or scope of responsibilities in line with Group strategy and standards.

Support functions

Support functions (Finance, Security, IT, Quality, Health Safety and Environment, HR, and Legal) analyze risks, define prevention and protection standards, as well as policies and procedures. They monitor implementation of the respective risk policies in their own field of expertise.

Assurance bodies

The assurance bodies provide assurance on the design and effectiveness of the risk management processes and compliance with the relevant standards and norms.

The Group Risk Manager, reporting to the General Counsel and Company Secretary, is in charge of driving the enterprise risk assessment (in close cooperation with the Internal Audit Director) and promoting transversal risk management projects. The Group Risk Manager is also responsible for managing the insurance programs for Gemalto.

Strategy of risk transfer to insurers

The Group policy on insurance cover focuses on optimizing and securing the policies contracted by Gemalto. The aim is to protect the Company against exceptionally large or numerous claims at a cost that does not impair the Group’s competitiveness.

The Group does not own or operate any insurance captive.

Gemalto has set up global insurance programs which combine master policies and local insurance policies in countries requiring it. The negotiation and coordination of these programs are carried out centrally for Gemalto with assistance from leading insurance brokers having an integrated international network.

Such an organization facilitates a broad and consistent cover of all Gemalto activities and locations worldwide, cost optimization, global reporting and control, while ensuring compliance with local regulatory requirements. Insurance coverage strategies are periodically reviewed taking into account changes in Gemalto’s risk profile (acquisitions, claims and loss events, activities, etc.) and insurance market trends.

Gemalto maintains insurance programs with policies encompassing property damage, business interruption, public, product and professional liability and Directors’ and Officers’ exposures.

In 2009, the Group continued improvement actions through subscription to multiyear contracts with quality and financially sound insurers.

Internal control environment

Principles

Gemalto’s management regards internal control as a responsibility that is shared by all managers and that is met by implementing a set of processes and procedures intended to provide reasonable assurance that the Board’s objectives will be attained under the corporate governance rules and respecting local laws and regulations.

It has also defined internal control principles and procedures applicable to its main transaction cycles and to its central functions. Internal control is based on granting extended responsibilities and powers to the managers of subsidiaries, to management bodies and to their functional teams (Legal, HR, Purchasing, etc.).

The Company’s internal control system cannot provide absolute assurance. However, while keeping a reasonable balance between cost and assurance, it aims to ensure that realization of objectives is monitored, financial reporting is reliable and, where relevant, applicable laws and regulations are complied with.

Anti-fraud commission

The 2007 anti-fraud assessment project included an inventory of the Company tools and processes covering fraud prevention and detection. Following this, a senior management level operational structure called the ‘Anti-fraud commission’ was defined and put in place in 2008. Its objective was to coordinate the various programs already in place inside the Company, and the response actions in case of fraud.

This structure comprised the Group General Counsel, the EVP Human Resources, the Chief Information Officer, the Quality Health Safety and Security Director and the Internal Audit Director. Its charter was approved by management on August 18, 2008. The commission now meets on a regular basis and has developed an anti-fraud action plan which, among other things, included the issuance of the Gemalto anti-fraud policy in 2009.

Internal Audit

In order to assess and test the internal risk management and control systems, the Company has a dedicated internal audit team that operates in conformity with a charter approved by the Audit committee and in line with international professional standards (Institute of Internal Auditors). The team is composed of eight auditors (as in the previous two years). It has direct and unlimited access to Group operations, documents and employees. The Internal Audit Director reports directly to the CFO and has an open line of communication with the Audit committee Chairman, as well as regular private sessions with the Audit committee.

Internal Audit conducts its missions according to an audit plan approved once a year by the Audit committee based on a risk assessment. Upon request of the Group’s management, Internal Audit also performs several ad-hoc audits on certain aspects of the business. This work is coordinated with the work carried out by the external auditors.

The implementation of recommended and accepted corrective actions is followed up, as and when deemed relevant.

The Internal Audit Director prepares a monthly report which includes a summary of the activity of his department and of the key internal control issues and their status, and submits it to the Chairman of the Audit committee and the CFO.

Internal control over financial information

The production and control of financial information is organized so as to be consistent with Gemalto’s operational organization. To ensure the quality and completeness of the financial data produced and reported, Gemalto has set up a process for the production and review of the operating results by management, identified the main risks which have significant impact on the financial statements elements, and implemented preventive and corrective controls so as to mitigate those risks.

Gemalto 2010-2013 Development Plan

A new plan was prepared in 2009 covering the whole Group and in line with the Group objectives and strategy.

Budget and forecast updating process and business reviews

The budget process covers all operational entities and corporate departments, including treasury. The process begins in October and the result is an annual plan for the Group presented to the Board in December for the following year.

Whenever changes in activity justify it, current-quarter and current-year forecasts are reviewed, and consolidated into an updated forecast for the Group on the basis of actions undertaken to meet Group objectives. They form a key part of the system to co-ordinate and monitor the Group activity. These reviews are carried out every quarter by regional, segment and product line managers.

Monthly operating and financial results review and reporting processes

Monthly and quarterly operating results are reviewed in detail during meetings or conference calls held in the first days of the following month between Gemalto’s Corporate Controller and the President and Controller of each business segment and geographic area, on a date fixed in advance in the monthly or quarterly reporting calendar. These meetings or conference calls are also attended by the Chief Accounting Officer and the Internal Audit Director, and in certain instances by the CFO.

Once validated by each area and segment Controller, operating results are consolidated by the corporate accounting department, reviewed by the Corporate Controller, the Chief Accounting Officer and the Finance Director (in charge of treasury and tax), then presented and discussed with the CFO. They are then presented jointly by the Corporate Controller and the CFO to the CEO.

The Corporate Treasurer prepares a monthly report which includes a review of the financial result of the period, of the efficiency of the balance sheet and cash flow hedges, of the client receivables position and of the Group’s cash and debt positions.

On the basis of the operating results review and of the treasury report, the monthly operating dashboard and accompanying CEO and CFO letter are prepared by the Corporate Controller and CFO, and reviewed by the CEO before they are sent to the Board and circulated to the first line of management. The dashboard and accompanying letter cover the activity of the month by business segment, the updated operating income statement forecast for the current quarter, as well as a review of the cash and debt positions and of the working capital.

A review of the activity of the previous few months and of the expected evolution is presented by the CEO and the CFO at each meeting of the Board.

Pre-close reviews

Quarterly pre-close reviews with each business segment and geographic area are organized by the Corporate Controller and the Chief Accounting Officer in the last days of the quarter. The Internal Audit Director participates in these reviews. They allow prompt identification and communication of any transaction or event which could potentially result in significant impacts on the results or the financial condition of the Group.

Internal Control over Financial Reporting

In 2007, a corporate project was launched with the objective of improving internal control over and above the quality of financial reporting. A self-assessment campaign is now performed each year through a financial risks based scoping exercise following the COSO2 model. The self-evaluations of the controls are tested for some critical processes and entities by internal auditors, as well as by external auditors. This campaign is also aimed at defining remediation plans based on identified deficiencies and to follow up the progress of those plans year-on-year.

An annual report on financial internal control is prepared by the CFO and the Internal Audit Director, approved by the CEO and presented to the Audit committee.

Actions taken in 2009

Enterprise risk assessment: In 2007 Gemalto started conducting an enterprise risk assessment process, mapping its main risks and mitigation processes, including self-evaluation of the key Company risks by a significant group of employees and advice from third parties. Conclusions were reached in 2008, defining a set of objectives and actions for each identified key risk. In 2009 action plans continued and their status was presented to the Audit committee and twice to the Board.

Policies and procedures: Gemalto maintains operational and financial policies and procedures, which are published on Gemalto’s intranet and regularly updated when required. For example, during 2009, the following main policies and procedures were updated or issued for the first time: the code of ethics, the anti-fraud policy, the corporate authority limits, the business acquisitions and divestiture policy and the guidelines for evaluating Gemalto project bids and proposals.

Crisis management: The foundations of a crisis management organization and communication system, defining key processes and responsibilities, were set up and tested. They will be fully deployed Company-wide in 2010.

Business continuity: Beyond improving its business continuity responses (through the standardization of production tools and processes, multi-sourcing strategies and IT availability), Gemalto leveraged the H1N1 pandemic flu to strengthen its pandemic preparedness plans.

It was also the opportunity to foster collaboration and knowledge sharing between corporate and local teams, and link business continuity actions. This initiative will be enhanced and widened in 2010. A Business Continuity Management Director was recently appointed to organize and coordinate the numerous existing local plans, under a Company-wide project of demonstrated capabilities through strongly tested business continuity plans.