A diverse and accountable corporate governance

The Company’s Board of Directors seeks to implement a balanced governance structure tailored to Capgemini and able to adapt to the circumstances and challenges specific to the Group, as well as changes in best practices in this area.

It chooses between two general management approaches: combining or separating the duties of Chairman of the Board and Chief Executive Officer. The Board of Directors meeting following the Shareholders’ Meeting of May 20, 2020, unanimously decided to separate the duties of Chairman and Chief Executive Officer with immediate effect, as it considered that the separation of the duties of Chairman and Chief Executive Officer was the most appropriate governance model for the Company in the context of the management succession initiated in 2017. During this meeting, Mr. Paul Hermelin was confirmed as Chairman of the Board of Directors for the remainder of his term of office as director, and Mr. Aiman Ezzat was appointed Chief Executive Officer for his term of office as director. The Board wanted the Company to continue to benefit from Mr. Paul Hermelin’s expertise and experience and his in-depth knowledge of the Group, thereby ensuring a smooth management hand-over.

In addition, the Board of Directors also decided to retain the position of Lead Independent Director, a role with specific powers and duties since its creation in 2014, for as long as the duties of Chairman of the Board are assumed by a director who is not independent as defined by the AFEP-MEDEF Code to which the Company adheres. Accordingly, the Group’s governance enjoys an active, diligent and independent Board of Directors with a collective approach to its organization and the vigilant authority of a Lead Independent Director

The Board of Directors also considers that a satisfactory balance of power exists though the existence of four specialized board committees with different remits encompassing – (1) Audit & Risk, (2) Compensation, (3) Ethics & Governance and (4) Strategy & CSR – and the restrictions introduced by the Board of Directors’ Charter on the powers of the Chief Executive Officer, who requires the prior approval by the Board of Directors for major strategic decisions, and decisions likely to have a material impact on the Company.

In accordance with its diversity policy, the Board comprises individuals from diverse and complementary professional and cultural backgrounds, true to the Group’s history and values. This enables the Board to perform its duties collectively and in an open manner. The replacement of a large number of directors in recent years has resulted in a change in the composition of the Board of Directors, increasing the number of independent, international and female directors and reducing the average age. The Board has also included a representative of employee shareholders since 2012 and two employee representatives since September 2016, further contributing to the range of experiences and viewpoints.

The Board of Directors monitors annually the implementation by Group Management of its policy of non-discrimination and diversity, notably with regard to the balanced gender representation in the Group’s management bodies. It has set Executive Corporate Officers objectives to increase female representation in the Group in the variable part of their annual compensation. Since 2018, the Board of Directors includes a criterion applicable to performance shares granted to Executive Corporate Officers and Group managers targeting an increase in the number of women becoming Vice-President.

Capgemini ensures that the directors have sufficient understanding of the Group, its ecosystem and its challenges. The Board members therefore meet regularly with the members of the Group Executive Board during Board and Committee meetings. Furthermore, the Board organizes a range of specific training sessions throughout the year to help directors increase their knowledge of the Group and its competitive environment, as well as recent market disruption trends and technological developments. A formal assessment of the activities of the Board of Directors and its specialized committees is conducted every three years by an external service provider under the responsibility of the Lead Independent Director

Reflecting shared interests on Company’s long-term performance

The Board works to ensure that the Group’s Strategy is aligned with sustainability in the long-term.

At the end of 2018, the Board of Directors entrusted the Strategy & Investment Committee, subsequently renamed the Strategy & CSR Committee, with a specific duty relating to the monitoring of the Group’s Corporate Social Responsibility (CSR) strategy, ensuring consistency in the consideration of social and environmental aspects in the Group’s main strategic orientations and decisions. The Board studies the Group’s mid- and long-term strategic focus, considering the social and environmental issues associated with its activities and major technological and competitive trends and developments.

The compensation policies for the Chairman and the Chief Executive Officer are aligned with best practices and the Group’s interests. Compensation components are disclosed in detail as part of the Say on Pay procedure. The Compensation Committee refers, in particular, to comparative studies to ensure the consistency and competitiveness of both the compensation level, and structure and calculation methods with market practice. These principles are regularly reviewed and discussed by the Compensation Committee which submits a report on its work and its resulting proposals to the Board of Directors for approval.

The Chief Executive Officer compensation policy strikes a balance between short-term and long-term performance to ensure the sustainable development of the Company and aims for consistency between changes in overall compensation and Company performance trends. Through its compensation policy, the Group seeks to promote the sustainable and responsible growth of the company and recognize individual and collective performance in line with the Group’s results. Capgemini ensures the roll-out of a competitive and inclusive compensation and benefits policy, in order to attract, motivate and retain talent and, more particularly, Group executive management.

Nurturing our shareholders’ dialogue

As for all its stakeholders, the Group strives to communicate regularly with its shareholders and investors, in order to understand and take account of their expectations. Capgemini shareholders are regularly consulted in the same way as the Group’s other stakeholders, on various occasions: for example, they were involved in Group discussions on its Purpose in 2020 and on the update of its materiality matrix in 2021.

Monitoring and safeguarding our assets

are fundamental to carrying out Capgemini’s strategy and to achieving its long-term goals. The Group’s internal control and risk management systems seek to create and protect the Group’s value, assets and reputation, to identify, assess and monitor the critical risks to which the Group is exposed, anticipate and foresee changes in these risks, and finally implement risk prevention and transfer residual risk measures. Ultimately, the Board of Directors of Capgemini SE has overall responsibility for risk management and for reviewing the effectiveness of internal control, internal audit and risk management approaches. It relies on the work of the Audit & Risk Committee to that effect.

Acting in-line with our Values-based ethical framework

Our Values and Ethics are at the heart of our identity. Unique and human, our seven values – Honesty, Boldness, Trust, Freedom, Fun, Modesty and Team Spirit inspire and guide our team members, who each contribute to our ethical culture. Capgemini’s founder, Serge Kampf, was deeply convinced that sound ethics is an essential foundation for profitable and sustainable business. From the outset, this belief in doing business ethically and our commitment to our core Values has distinguished us from competitors. Our Values unite and inspire our Group’s international workforce, across nearly 50 countries. The natural outcome is our shared ethical culture, which we actively nurture through our ethical framework. We have a longstanding formal Ethics program, supported by 5 main levers, to create and maintain awareness among employees, enabling them to make decisions aligned with our core values:

• Policies: Our Code of Business Ethics provides guidance to all team members on how to behave and act in the right way, so no one is left with doubts or unanswered questions. It is available in multiple languages, and is complemented by more detailed Group policies for our ethics helpline SpeakUp (including non-retaliation) and the prevention of conflicts of interest as well as policies adopted under our Compliance program. We have published our Code of Ethics for Artificial Intelligence (AI) for all employees, to support the ethical development of all AI solutions within the Group. Our vision of AI is determined by our ethical culture and guided by our core Values; we thus envisage our developments in AI as a contribution to building the inclusive and sustainable future. Our Code of Ethics for AI sets out guidelines for the ethical and human-centric design and delivery of AI solutions.
• Training programs: They include Ethics@Capgemini, mandatory e-learning courses on Our Code of Business Ethics comprising a core module and scenario-based micro e-learnings on ethics topics, with short engaging videos on how to handle tricky ethical situations; Think Ethics, a managers’ toolkit shared monthly; and Ethics Café, featuring short thought-provoking awareness videos on a range of workplace-related ethical situations.
• The internal ethics awareness communication program, built globally at Group level and deployed locally in each country, addresses all employees, with targeted communication by grade and role. The program leverages multiple internal channels of communication.
• SpeakUp, is a web and phone-based ethics helpline and reporting, incident management and advisory tool. Our employees, clients, suppliers and business partners are made aware that they can use the Group’s helpline (SpeakUp) to report any alerts and/or ask for advice and guidance about actions or behaviors that (1) are not aligned with our Values or our Code of Business Ethics and related ethics & compliance policies, (2) not in compliance with applicable laws, or (3) may significantly affect vital interests of Capgemini and its affiliates. Anyone who raises or helps to address an alert on SpeakUp in good faith is protected by our non-retaliation policy, and substantiated alerts result in appropriate remediation actions including disciplinary actions, counselling/ training, or process improvements. The system helps us perform root-cause analysis and prevent future similar unethical behavior, misconduct, or violation of policies or applicable laws, by helping us identify areas of improvement in our business processes.
• The Ethical Culture survey, in which all our employees are invited to participate and share their views, measures the pulse of our organizational ethical culture. Aggregated feedback and analysis from the survey, along with guidelines, are shared with team managers, and business and country leaders. All managers have access to their span’s dashboard, with scores measured on a 0 to 10 scale and feedback, while maintaining the anonymity of employees. As an on-going priority, scores and employee feedback are shared with managers and leaders, empowering them to take informed and immediate action, and survey findings are acted on for the continuous improvement of our Ethics Program.

Favoring responsible behaviors in business for mutual growth

The Code of Business Ethics forms the basis for our Compliance program, mainly covering competition and anti-trust laws, the fight against corruption and money laundering, duty of care and human rights, sanctions and embargos, and data privacy.

• Business conduct and compliance – The Group competes vigorously but fairly for its clients’ business. The majority of the countries in which we operate have competition or antitrust laws, and trade regulations designed to protect such competition. The Group is committed to complying with all applicable competition and antitrust laws, and regulations. It is fundamental to our purpose as a business that we deliver positive environmental and social impact as well as business growth. Ethical collaboration is a vital element of maintaining clients’ trust in our business and is directly linked to our license to operate and to our reputation. It contributes to business continuity, helps us attract and retain the best talent, increases productivity, and builds long-term value to all.
• Anti-corruption – As part of its Compliance Program, the Group has adopted its Group Anti-Corruption Policy and an anti-corruption training formalizing our zero tolerance for bribery and corruption. The Ethics & Governance Committee of the Board of Directors and the Management of the company ensure the implementation of a corruption and influence peddling prevention and detection system.
• Duty of care and human rights – The Group has developed and implemented a reasonable plan (plan de vigilance) to identify risks and prevent serious violations with regard to human rights and fundamental freedoms, people’s Health and Safety, and the environment, resulting from its own activities and those of their subsidiaries, subcontractors and suppliers. The Ethics & Governance Committee of the Board of Directors oversees Group compliance with rules and conventions on human rights and fundamental freedoms in the exercise of its activities.
• Responsible Procurement – Our supply chain, both serves our clients and ensures that our internal operations are conducted properly. We strive to guarantee that it is in line with our ethical standards and that it meets the expectations of our clients. For over ten years, the Group has had a mandatory purchase order policy and a Global Purchasing System, which gives a clear picture of all our activities in this respect from sourcing to payment. Since 2015, Capgemini has implemented the Supplier Standards of Conduct, which formalizes the standards that will be applied and enforced within its business relationships with its suppliers. The Standards of Conduct define the prerequisites regarding ethics and compliance, Corporate Social Responsibility and sustainable development. It also defines our policy regarding the terms of our trade relations with our suppliers, such as the mandatory purchase order as a prerequisite to any commercial commitment. It is critical to Capgemini that its Suppliers – including their employees and supply chain, are committed to: maintaining the highest ethical standards, to preserving the environment and adhering to all applicable laws, including, human rights and anti-corruption laws, while avoiding the perception of potential conflict of interests. Our standards can be met only with suppliers’ cooperation and commitment. The importance attached to suppliers’ relationships is reflected in all the guidelines related to selecting and managing them. An assessment process is included in the referencing and sourcing procedure, aiming at identifying and preventing financial and non-financial risks. If necessary, mitigation measures can be defined, and corrective actions may be required. Suppliers presenting a serious risk may be excluded from the business transaction and blocked in Capgemini Global Purchasing System.
• Group Tax policy – Due to the international nature of its activities, the complexity and the absence of clarity of certain specific national or international tax regulations, the Group is exposed to tax risks. We strive to consider all existing factors in this environment in order to make the right tax decisions, even when there is uncertainty. Capgemini does not engage in tax evasion nor in any practice that goes against the Group’s Code of Ethics and publicly advocated core ethical values and implements a coherent, consistent and reasonable approach to its tax responsibilities, suited for its activities. We believe public trust in national tax systems is essential and have published a set of global tax principles.

Protecting data and data privacy

Capgemini is committed to protecting all personal data entrusted to it as part of its activities both on its own behalf (as a Data Controller) and on behalf of its clients (as a Data Processor).

As an international group with entities located in more than 50 countries, it is important to Capgemini that information flows in a compliant and secure manner. Providing an appropriate level of protection to the personal data wherever they are processed within the group, is one of the reasons why Capgemini has chosen to implement Binding Corporate Rules (BCR) which were first approved by the European data protection authorities, in March 2016 and updated to comply with the European General Data Protection Regulation 2016/679 (GDPR). Capgemini’s BCR define indeed not only the principles with which it shall comply with when processing personal data on its behalf and on behalf of its clients, but also specify the procedures designed to address Capgemini’s compliance with applicable data protection laws and in particular with the GDPR.

To support an effective implementation of Capgemini BCR, Capgemini rolls out the Group Data Protection Program (GDPP) and has defined a strong organization lead by the Group Data Protection Officer (GDPO) who relies on Regional Data Protection Officers and Local Data Protection Officers. In addition, Data Protection Champions are appointed to represent each Group function and Global Business Line (GBL) to ensure that functions and GBL specificities are taken into account in the GDPP implementation.

Capgemini Data Protection Program is built to ensure a continuous improvement in all Group functions with a focus on Delivery, Sales, Finance, Human Resources and IT. We deploy different Privacy by Design (PbD) checklists, operational guidelines and maturity assessments. Privacy by design is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures. Additional mechanisms have also been put in place in relation to suppliers.

Capgemini monitors the effective implementation of the above through different procedures and controls such as (1) Data subjects’ rights management; (2) Data transfers; (3) Data processing register; (4) Data breach management procedure; and (5) Data protection training program.

Protecting infrastructure and identity

Capgemini Group Cybersecurity strongly contributes to build an Ecosystem Trust with our employees, clients and partners by securing internal activities and preventing external threats to deliver trusted digital services. We have responded to the surge in cybersecurity challenges with a comprehensive, board-sponsored cybersecurity strategy and governance, composed of four cyber-risk management pillars:

• Internal and external threats (i.e. threat actors and cyber-attack tactics);
• Fortifying assets both internally and externally (i.e. vulnerability focus including external facing assets);
• Compliance with laws and regulations and security standards (i.e. ISO 27001 as a minimum); and
• Ecosystem trust mechanisms within Capgemini and with clients, suppliers, and authorities.

This strategy is deployed consistently across the organization and our cyber-risk management approach is operationalized via the Capgemini Cybersecurity Management System, which is modelled on NIST (National Institute for Standards and Technology) framework and includes aspects of the NIS (Network and Information System Security) European Directive.

Capgemini Group Cybersecurity department is tasked with anticipating cyber threats, mitigating cyber risks, preventing cyber incidents, and responding well in all circumstances. This dedicated structure is headed by the Group Chief Cyber Security Officer (CCSO), reporting to a member of the Group Executive Board. The Cyber Risk mapping is consolidated and reported to the Group Risk and Audit Committee twice a year.

The Group Cybersecurity Community is the foundation of Capgemini operating model and involves the Group CCSO and team, the Chief Information Security Officers in Strategic Business Units (SBUs) and Global Business Lines (GBLs), Cybersecurity Officers in the BUs in each country where the Group operates, who support the BUs and liaise with local authorities. Our Acculturation program based on mandatory awareness courses (since 2016) has been complemented with Phishing tests associated to specific awareness modules. We organize annual Cybersecurity Month in October and a Cyber Culture Challenge to award the most effective / engaged Business Units.

Capgemini Group Cybersecurity Policy framework is a series of documented requirements aimed to define and enforce (1) the Strategy and Governance model, (2) the Baseline Policy (100 minimum and mandatory controls based on ISO 27001, NIS Directive and GDPR) associated to management policy documents used for ISO certification, and (3) Technical policies to secure data, endpoints, networks, systems, applications. We have deployed the new Baseline Policy (revised bi-annually) including annual compliance review which contributes to very consistent practices across the units. New policies have been defined such as: data security policy, PenTest policy, security incident and data breach management policy, 3rd Party security management policy, log management policy.