Risks and control
4
Internal control and risk management procedures
With regard to risks related to climate issues, TOTAL is committed to managing its energy consumption and develops processes to improve its energy performance and that of its customers, in accordance with Article 9 of its Safety Health Environment Quality Charter. In its decision-making process, the risks and associated climate issues (flaring, GHG emissions, CO₂ price sensitivity) are assessed prior to the presentation of the projects to the Executive Committee.

Climate hazards are taken into consideration and addressed either through environmental and safety assessments to ensure that the consequences, and, in particular, possible changes to surface water levels, do not affect the integrity of the facilities, or through procedures that take into account local hazards in order to arrange for the protection of people and facilities.

Risks related to information systems

TOTAL’s IT Department has developed and distributed governance and security rules that describe the recommended infrastructure, organization and procedures in order to maintain information systems that are appropriate to the organization’s needs and to limit information security risks. These rules are implemented across the Group under the responsibility of the various business segments.

The Group has also developed control activities at various levels of the organization in areas where information systems cover all or part of the processes. A set of Information Technology General Controls (ITGC) aim to guarantee that information systems function and are available as required, and that data integrity is guaranteed and changes controlled.

Information Technology Automated Controls (ITAC) aim to ensure the integrity of data generated or supported by business applications, particularly those that impact financial flows.

The outsourcing of some components of the Group’s IT infrastructure to service providers poses specific risks and requires the selection and development of additional controls of the completeness, accuracy and validity of the information supplied and received from such service providers. Accordingly, to ensure continuous improvement, the Group assesses whether suitable controls are implemented by the service providers concerned and what controls are necessary within its own organization to maintain these risks at an acceptable level.

In addition, in light of growing risks in legal (document retention, personal data protection, copyrights, etc.) and security (loss of information, external and internal threats, fraud, etc.) areas, the Group has stepped up its deployment, including within subsidiaries, of information protection, document retention and personal data protection policies (and, for the latter, in anticipation of complying with the future European regulation scheduled to be adopted in 2016).

Ethical misconduct and non-compliance risks

Fraud prevention

The Group deploys an anti-fraud and fraud prevention program and has implemented a range of procedures and programs that help to prevent, detect and limit different types of fraud. This effort is supported by the business principles and values of individual behavior described in the Group’s Code of Conduct and in the codes, charters and other standards applied by the business segments.

The Group has also issued a directive for handling incidents of fraud that has been widely distributed to employees, and has created an alert system that employees can use to report acts that may constitute fraud. In addition, a specific process is in place for reporting accounting, internal control and auditing irregularities. This alert process, implemented at the request of the Audit Committee, is monitored by the Audit Committee and may be used by shareholders, employees and third parties.

In 2015, a large campaign on fraud risks was launched to raise awareness among all Group employees. A guide “Prevention and fraud prevention the risks of fraud”, which highlights the different actions conducted through the anti-fraud program, was distributed.

A mapping of fraud risks in the Group was finalized in December 2015, allowing priority actions to be defined for 2016.

The deployment of the anti-fraud and fraud prevention program relies on the network of fraud risks coordinators within the business segments and operational entities.

Prevention of corruption risks

General Management constantly reiterates the principle of zero tolerance with regard to corruption. Internal rules have been published since 2011 in this area. They cover various areas where particular risks of exposure to corruption may exist (business partnerships, representatives, procurement and sales, donations, acquisitions, joint ventures, human resources, gifts and invitations, etc.) in an effort to detect, assess and address risks at a very early stage through an appropriate due diligence process.

To support this program, in December 2015 TOTAL launched a second e-learning module in 11 languages open to all employees and mandatory for more than 30,000 of them.

In addition, 370 compliance officers were appointed and trained within the business segments and operational entities. Their role is to ensure that the program is implemented at the local level.

Lastly, under the settlements reached in 2013 between TOTAL, the Securities and Exchange Commission (SEC) and the Department of Justice (DoJ), an independent monitor was appointed. His role is to conduct a 3-year assessment of the anti-corruption compliance and related internal control procedures implemented by the Group and to recommend improvements, where necessary. The monitor took up the position at the end of 2013 and issued an initial report to the authorities in July 2014. As the monitor was forced by health reasons to abandon this role, a new monitor was appointed in early 2015 to continue the review. A second report was issued in October 2015 in which the monitor stated that “TOTAL has improved its corruption prevention program considerably by implementing the recommendations made in the first report.”

Prevention of competition law infringement

A Group policy aimed at ensuring compliance with, and preventing infringement of, competition law has been in place since 2014 and is a follow-up to the various measures previously implemented by the business segments. Its deployment is based, in particular, on management and staff involvement, training courses that include an e-learning module and an organization responsible for implementing the program.

Prevention of insider trading and conflict of interests

The Group’s Ethics Committee implements a policy to prevent insider trading on the financial markets which is based, in particular, on the Group’s internal ethics rules. These rules are updated on a regular basis and widely distributed to employees who are permanently or occasionally in possession of insider information. These ethical rules require, in particular, that permanent insiders refrain from carrying out any transactions, including hedging transactions, in TOTAL shares or ADRs and in shares in collective investment plans (FCPE) invested primarily in TOTAL shares (as well as derivatives related to such shares) on the day on which the Company discloses its periodic results publications (quarterly, interim and annual) as well as during the 30 calendar days preceding such date.
TOTAL. Registration Document 2015