Internal risk management and control systems

Risk management and internal control principles

Risk management and internal controls are critical to the stability of the Company. The aim of our internal risk management is to expand our ability to achieve our objectives by:

  • Effectively constraining threats to acceptable levels,
  • Making informed decisions,
  • Enhancing our capacity to exploit opportunities, while trying to protect the interests of our stakeholders and our shareholders’ investments.

The Company operates in a dynamic environment and there may be circumstances in which risks occur that had not yet been identified, or in which the impact of identified risks is greater than expected. Management has put in place a number of key policies, processes and independent controls to provide assurance to the Board as to the integrity of Gemalto’s reporting and the effectiveness of its systems of internal risk management and control. These systems cannot, however, be expected to prevent or detect all misstatements, inaccuracies, errors, fraud or non-compliance with laws and regulations, nor can they provide certainty as to the achievement of the Company’s objectives.

The Board is responsible for reviewing the Company’s system of internal risk management and controls and for assessing their effectiveness. The Audit committee regularly reviews with management and internal audit the Company’s system of internal risk management and controls focusing on financial reporting matters, on main operational risks and on the results of improvement actions. The Board subsequently considers the outcome of the Audit committee’s review.

The Company’s risk profile is reported in ‘Principal risks’.

Risk management organization

The diagram below gives an overview of the Gemalto risk management organization, as explained hereafter.


Foundations: Risk management at Gemalto is built on solid foundations, as described in ‘Our Strategy’, ‘Our approach to sustainability’ and ‘Corporate governance’.

Gemalto has developed three levers to manage its operational and financial risks consistently across the whole organization:

Risk assessment: Identifying and assessing our major operational and financial risks enables Gemalto to focus on those that matter and to align its action plans and resources accordingly. Risk assessment is carried out at all management levels, covering for example bid-to-contract reviews, sites (e.g. ISO 27001 information security management certification), new asset acquisitions, etc. At Group level specifically, a risk mapping is performed, and action plans are identified and followed up.

Crisis and business continuity management: Having a flexible and tested crisis management organization and business continuity responses helps to reduce the impact of events inherent to Gemalto’s operations and the type of industries in which Gemalto is engaged. Through the standardization of production tools and processes, multi-sourcing strategies, IT availability and redundancy infrastructure, Gemalto has developed systems that help to respond to unforeseen circumstances with minimal disruptions to our customers and our business.

Budget, planning and reporting: Various complementary reporting systems enable Gemalto to obtain the right information when required, facilitating decision-making. Gemalto also has detailed budget and planning processes.

For more information, please refer to the sections below and to ‘Internal Control over Financial Information’.

Oversight structure

The oversight structure ensures that the organization is geared towards effective risk management.

Business units and Operations & Innovation

Operations and business managers identify and manage risks in their respective sites or scope of responsibilities in line with Group strategy, policies and standards.

Support functions

Support functions (Finance, Purchasing, Security, IT, Quality, Health, Safety and Environment, HR, and Legal) analyze risks and define prevention and protection standards, as well as policies and procedures. They monitor implementation of the respective risk policies in their own field of expertise.

Assurance bodies

The assurance bodies provide assurance on the design and effectiveness of the risk management processes and compliance with the relevant standards, policies and norms.

The Group Risk Manager, reporting to the General Counsel and Company Secretary and to the CFO, is in charge of driving the enterprise risk assessment (in close cooperation with the Internal Audit Director) and promoting transversal risk management projects. The Group Risk Manager is also responsible for managing the insurance programs.

Strategy of risk transfer to insurers

The Group policy on insurance cover focuses on optimizing and securing the policies contracted by Gemalto. The aim is to protect the Company against exceptionally large or numerous claims, at a cost that does not impair the Group’s competitiveness. The Group does not own or operate any insurance captive.

Gemalto has set up global insurance programs, placed only with reputable and financially sound insurers, which combine master policies with local insurance policies in the countries that require them. The negotiation and coordination of these programs is carried out centrally, with assistance from leading insurance brokers having an integrated international network.

Such an organization facilitates broad and consistent cover of all Gemalto activities and locations worldwide, cost optimization, and global reporting and control, while ensuring compliance with local regulatory requirements. Insurance coverage strategies are periodically reviewed, taking into account changes in Gemalto’s risk profile (acquisitions, claims and loss events, activities, etc.) and insurance market trends.

Gemalto maintains insurance programs with policies encompassing property damage, business interruption, public, product and professional liability and Directors’ and Officers’ exposures.

In 2010, the Group continued its improvement actions by subscribing to multi-year contracts in a hardening insurance market.

Internal control environment
Gemalto’s management regards internal control as a responsibility shared by all managers, met by implementing a set of processes and procedures intended to provide reasonable assurance that the Board’s objectives will be attained under the corporate governance rules and in compliance with local laws and regulations.

Management has also defined internal control principles and procedures applicable to its main transaction cycles and to its central functions. Internal control is based on granting extended responsibilities and powers to the managers of subsidiaries, to management bodies and to their functional teams (Legal, HR, Purchasing, etc.).

The Company’s internal control system cannot provide absolute assurance. However, while keeping a reasonable balance between cost and assurance, it aims to ensure that realization of objectives is monitored, financial reporting is reliable and applicable laws and regulations are complied with.

Anti-fraud commission

The 2007 anti-fraud assessment project included an inventory of the Company’s tools and processes covering fraud prevention and detection. From 2008, a senior-management-level operational structure called the ‘Anti-fraud commission’ was put in place. Its first objective was to coordinate the various programs already in place inside the Company. Subsequent objectives encompass continuous fraud risk assessment, anti-fraud policy and procedures, and response actions in case of fraud.

This structure comprises the Group General Counsel, the EVP Human Resources, the Chief Information Officer, the Quality, HSE, Security and WCE Director and the Internal Audit Director. Its charter was approved by management on August 18, 2008. The commission meets formally on a quarterly basis and on an ad hoc basis in between when required. It has developed an anti-fraud action plan which, among other things, included the issuance of the Gemalto anti-fraud policy in 2009 and the implementation in 2010 of a framework agreement with two specialized forensic firms.

Internal Audit

In order to assess and test the internal risk management and control systems, the Company has a dedicated internal audit team that operates in conformity with a charter approved by the Audit committee (updated in 2010) and in line with the international professional standards of the Institute of Internal Auditors. The team is composed of eight auditors (as in the previous two years). It has direct and unlimited access to Group operations, documents and employees. The Internal Audit Director reports directly to the CFO and has an open, independent line of communication with the Audit committee Chairman, as well as regular private sessions with the Audit committee.

Internal Audit conducts its missions according to an audit plan, based on a risk assessment, that is approved once a year by the Audit committee. At the request of the Group’s management or the Audit committee, Internal Audit also performs ad hoc audits on certain aspects of the business. Its work is coordinated with the external auditors.

The implementation of recommended and accepted corrective actions is systematically followed up.

The Internal Audit Director prepares a monthly report which includes a summary of the department’s activity and the key internal control issues and their status, and submits it to the Chairman of the Audit committee and to the CFO.

On November 2, 2010, Gemalto received professional certification of its internal audit activities from the Institut Français de l’Audit et du Contrôle Internes (IFACI), the French affiliate of the Institute of Internal Auditors (IIA).

Internal control over financial information (ICFR)

The production and control of financial information is organized so as to be consistent with Gemalto’s operational organization. To ensure the quality and completeness of the financial data produced and reported, Gemalto has set up a process for the production and review of operating results by management, has identified the main risks with a significant impact on the elements of the financial statements, and has implemented preventive and corrective controls to mitigate those risks.

As part of ICFR, the following elements are worth highlighting:

Gemalto 2010-2013 Development Plan

This plan was prepared in 2009, encompasses the whole Group and is in line with the Group’s objectives and strategy.

Budget and forecast updating process and business reviews

The budget process covers all operational entities and corporate departments, including treasury. The process begins in October and the result is an annual budget for the Group presented to the Board in December for the following year.

Whenever changes in activity justify it, current-quarter and current-year forecasts are reviewed and consolidated into an updated forecast for the Group, on the basis of the actions undertaken to meet Group objectives. These forecasts form a key part of the system used to coordinate and monitor the Group’s activity.

Monthly operating and financial results review and reporting processes

Monthly and quarterly operating results are reviewed in detail in the first days of the following month between Gemalto’s Corporate Controller and the President and/or Controller of each business segment and geographic area, on a date fixed in advance in the monthly or quarterly reporting calendar. The Chief Accounting Officer and the Internal Audit Director attend, as does the CFO from time to time.

Once validated by each area and segment Controller, operating results are consolidated by the corporate accounting department, reviewed by the Corporate Controller, the Chief Accounting Officer and the Finance Director (in charge of treasury and tax), then presented and discussed with the CFO. They are then presented jointly by the Corporate Controller and the CFO to the CEO.

The Corporate Treasurer prepares a monthly report which includes a review of the financial result of the period, of the effectiveness of the balance sheet and cash flow hedges, of the client receivables position and of the Group’s cash and debt positions.

On the basis of the operating results review and of the treasury report, the monthly operating dashboard and accompanying CEO and CFO letter are prepared by the Corporate Controller and CFO, and reviewed by the CEO before they are sent to the Board and circulated to the first line of management. The dashboard and accompanying letter cover the activity of the month by business segment, the updated operating income statement forecast for the current quarter, as well as a review of the cash and debt positions and of the working capital.

A review of the activity is presented by the CEO and the CFO at each meeting of the Board.

Quarterly pre-close reviews with each business segment and geographic area are organized by the Chief Accounting Officer in the last days of the quarter. They allow prompt identification and communication of any transaction or event which could potentially result in significant impacts on the results or the financial condition of the Group.

Internal Control over Financial Reporting

In 2007, a corporate project was launched with the objective of improving both internal control over financial reporting and the quality of financial reporting itself. A self-assessment campaign is now performed each year, through a financial-risk-based scoping exercise following the COSO 2 model. The self-evaluations of the controls are tested for certain critical processes and entities by the internal auditors, as well as by the Company’s external auditors. This campaign is also aimed at defining remediation plans for the deficiencies identified and at following up the progress of those plans year on year.

An annual report on financial internal control and on internal audit activity is prepared by the Internal Audit Director, reviewed and agreed by the CFO, approved by the CEO and presented to the Audit committee.

Actions taken in 2010

Enterprise risk assessment: In 2010, the action plans launched on the risks identified in the 2008 Enterprise Risk Assessment (ERA) continued, and their status was regularly presented to the Audit committee and to the Board. In 2010 a new risk mapping exercise was launched on the risks that could impact the objectives and/or reputation of the Group.

Policies and procedures: Gemalto maintains operational and financial policies and procedures, which are published on Gemalto’s intranet and updated when required. For example, during 2010 the following main policies and procedures were issued for the first time or updated: the agent management policy, the R&D financial policy and the hedging policy.

Crisis management: In 2009, Gemalto defined a Crisis Management Framework which encompasses basic escalation and communication rules and guidelines for anticipation and action, and which clarifies roles and responsibilities. Training sessions (including simulation exercises) started in 2009 and are currently 87% completed; for example, 61 crisis management leaders have been trained worldwide.

This proactive approach to crisis management enabled us to respond to unforeseen events, minimizing the impact for our customers and our business during the year.

Business continuity: Gemalto’s capability to provide a business continuity response has been strengthened by further standardization of production tools and processes, with improved centralization of the pertinent data and of the architecture needed to distribute those data seamlessly to back-up sites. Additional manufacturing capacity has been put in place to cater for unplanned circumstances.

Training: In addition to the training on internal control, ethics, anti-fraud, authority limits, contract management and competition rules that is given regularly throughout the organization, in 2010 a special focus was put on newcomers (whether newly hired employees or newly acquired entities), on delegation of powers and on agent management.