Risk Management

Sanofi’s risk management framework ensures clear accountability and strong capabilities for managing risks across the entire organization. It supports informed decision-making aligned with risk exposure and enables effective information exchange with stakeholders.

The framework is structured around three lines of defense: 

• First line - Operational management and business units, who own and manage risks day-to-day 
• Second line - The Risk Management function, providing oversight, guidance, and framework 
• Third line - Sanofi Internal Audit, providing independent assurance 

Key governance bodies include the Sanofi Risk Committee (SRC), the Risk Management team and network, the Executive Committee, the Board of Directors and the Audit Committee.

Sanofi employs a comprehensive approach to monitor and manage potential threats and opportunities through its risk profile and emerging risk radar. This system captures and evaluates all categories of risks based on their potential impact on the company.

Sanofi categorizes risks into two main types: active risks and emerging risks.

• Active risks are those that may affect the company within a 3-year timeframe. These risks require immediate attention and management to mitigate their potential impact. 
• Emerging risks, on the other hand, encompass trends that could present threats or opportunities over a 7-year horizon and beyond. These risks are monitored and addressed proactively to prepare for potential future impacts. 

Sanofi applies a structured risk management process, including active risks and emerging risks identification, evaluation and prioritization, risks treatment and for a selection of emerging risks, development of scenarios to understand their potential impact on the company. This methodology allows us to capture all categories of opportunities and threats closely tied to our strategy and inherent to our business. 

Sanofi uses outside-in, top-down and bottom-up approaches to identify both active and emerging risks, drawing on insights from senior leaders, the risk management network, and reliable external sources.

Risks and emerging risks are assessed based on severity and likelihood. For active risks this evaluation is complemented by assessing the level of control. For emerging risks, the evaluation includes assessing the velocity.

Active risks are then classified into four categories: vigilance, surveillance, watch list, and control adapted. Emerging risks are prioritized by the Executive Committee based on Risk Committee recommendations.

Risk leaders design and monitor mitigation plans. The Risk Committee reviews the mitigation plans and recommends priorities to the Executive Committee which approves the overall approach. Progress of mitigation for risks under vigilance is overseen by both committees and communicated to the Audit Committee of the Board of Directors.

Scenarios are developed for prioritized emerging risks, identifying signals that they might become active and proposing early response actions.