For the following description of internal control procedures, Rubis referred to the French Financial Markets Authority (Autorité des Marchés Financiers - AMF) guide dated 22  July 2010, which sets out a reference framework for risk management and internal control.

However, Rubis adapted the AMF framework’s general principles to fit its business and own characteristics.

Rubis has put in place a certain number of procedures designed to ensure that:

• •its activities comply with laws and regulations;
• •the instructions and strategic goals defined by the corporate bodies of Rubis SCA and its subsidiaries are applied;
• •the Company’s internal processes run smoothly, particularly processes that contribute to safeguarding its assets;
• •financial information is reliable;
• •a process exists for identifying the principal risks tied to the Company’s business;
• •there are tools to prevent fraud and corruption.

Like any internal control system, the system put in place by Rubis cannot provide an absolute guarantee that the Company will be able to achieve its objectives and eliminate all risks.

The procedures described below apply to Rubis Énergie, which is wholly owned by Rubis SCA, and to Rubis Énergie’s sub-subsidiaries.

The Rubis Terminal JV is managed jointly with the partner. The joint venture’s General Management is responsible for setting up and ensuring internal controls (in accounting, financial and risk matters) in accordance with applicable standards and regulations and its shareholders’ expectations. Details about this joint venture are provided in section 3.2.4 of this chapter.

Although it has acquired an international scale, Rubis wishes to remain a decentralised organisation that is close to the field so that it can provide its customers with solutions that are adapted to their needs by having the ability to take the necessary operational decisions quickly. Regular exchanges, conducted whenever necessary, between the Management Board, on the one hand, and the General Management and functional departments of Rubis Énergie and its foreign subsidiaries on the other hand, are the cornerstone of this organisation.

This managerial model gives the Manager of each industrial site or subsidiary a large degree of autonomy for managing his/her activity. However, such a delegation of responsibility is closely tied to complying with established procedures regarding accounting and financial information and risk monitoring, as well as regular controls by Rubis SCA’s relevant departments and by Rubis Énergie’s functional departments (see sections 3.2.2.3 and 3.2.3.2).

Lastly, the Management Board informs Rubis SCA’s Supervisory Board (through its Accounts and Risk Monitoring Committee) of the essential characteristics of the Group’s internal control and risk management procedures. The Supervisory Board ensures that the main identified risks have been taken into account in the Company’s management and that systems designed to ensure the reliability of accounting and financial information are in fact in place (see chapter 5, section 5.3.2).

Rubis SCA controls its head of division subsidiary Rubis Énergie (Retail & Marketing and Support & Services businesses) in collaboration with Rubis Énergie’s General Management. It defines the Group’s strategy, promotes and finances its development, makes the related key management decisions, and ensures they are implemented by both its direct and indirect subsidiaries. Rubis SCA has established accounting and financial structures and procedures that contribute to reliable internal controls being implemented.

Rubis SCA’s and Rubis Énergie’s Consolidation and Accounting Departments consolidate the Group’s accounts on a quarterly, half-yearly and annual basis. Their work involves:

• •checking that the consolidated financial statements are consistent with the provisional consolidated results prepared by the subsidiaries;
• •verifying that IFRS has been correctly applied;
• •analysing the consolidated financial statements through an analytical review, explaining changes in each item between two reporting dates.

They also monitor standards with a view to identifying any impact of proposed accounting reforms on the Group’s financial statements.

These departments are assisted by a specialist audit and accounting firm, and work under the oversight of the Managing Partners, the Chief Financial Officer and the Director of Accounting and Consolidation.

Accounting and financial information prepared by the subsidiaries is reported to Rubis SCA, via the Consolidation and Finance Departments and, ultimately, to the Management Board.

The main assignments of the Accounts and Risk Monitoring Committee (whose members and functioning are described in chapter 5, section 5.3.2) are as follows:

• •examining the financial statements, ensuring consistency of methods, quality of data and completeness, and ensuring that the financial statements give a true and fair view;
• •monitoring internal control procedures with respect to accounting and financial matters and risk exposure.

To carry out its work, the Accounts and Risk Monitoring Committee hears all the key individuals in the information chain: the Management Board, Managing Director, Chief Financial Officer, Director of Accounting and Consolidation, Rubis SCA’s Corporate Secretary, the CSR Director & Chief Compliance Officer, and the Statutory Auditors.

The members of the Accounts and Risk Monitoring Committee have access to the same documents as the Statutory Auditors and examine the summary of the Statutory Auditors’ work.

The internal control system relies on several channels for reporting information designed to comprehensively identify sensitive issues.

Two manuals have been issued to harmonise the internal control and accounting treatment of the various transactions carried out:

• •the internal control manual;
• •the accounting policies manual.

There are also formalised memoranda and procedures covering areas such as:

• •delegations and limitations of powers in terms of incurring expenses (including investments), approving invoices, and bank payment authorisations;
• •sales management, to define the special terms and conditions granted to customers, limit the total outstanding amounts authorised, obtain bank guarantees, etc.

Rubis Énergie has a centralised information system that makes it possible to consolidate all financial information: management reports for each company, standardised by type of business line/activity; quarterly accounts, monthly margin analyses, monitoring of capital expenditures, budgetary and management forecast monitoring in three phases (initial budget approved in year Y-1 including a three-year plan, budget forecast updated in the second quarter and then in the fourth quarter of year Y). All financial data is archived and backed up daily.

Automatic consistency checks are also carried out directly by the IT system in order to limit any input errors. Documents stored in the central system also serve as a reference and a basis for reconciliation for the internal audit teams during their missions.

Rubis Énergie also operates a document management system that allows its various subsidiaries to share technical, HSE and legal information. Major investment and construction projects are thus closely monitored by Rubis Énergie’s Technical Department.

Budgets are drawn up at the end of the year by Rubis Énergie’s subsidiaries and sub-subsidiaries successively, as part of a rolling three-year budget plan based on management elements and budget indicators defined and standardised by business line. The indicators are defined by General Management and operational management in accordance with Rubis strategy.

Budget indicators include gross margin, EBITDA, EBIT, net income, capital expenditure, internal financing capacity, cash flow and free cash flow, debt, volumes, carbon footprint reduction.

At Rubis Énergie, budgets are drawn up by each subsidiary by country. They are reviewed by the division’s Management Control, Audit and Consolidation Department before being presented to Rubis Énergie’s General Management. After discussion and/or revision of the budgets presented to Rubis Énergie’s General Management, the Management Control, Audit and Consolidation Department prepares a consolidated budget that is then reviewed by Rubis Énergie’s General Management and forwarded to Rubis SCA for review at Management Committee meetings.

Rubis Énergie’s Finance and Management Control Department prepares monthly reports and analyses differences between actual data, budget forecasts, and data from prior financial years.

The reports are issued within 10 calendar days after the end of the month and are then examined and compared with initial forecasts at the Management Committee meeting, with the Management Board in attendance.

Rubis SCA’s and Rubis Énergie’s Finance Departments are responsible for negotiating with banks to raise acquisition financing. They also analyse bank covenants. Cash investments are made in cash instruments, excluding any speculative or risky investments.

The companies falling with Rubis Énergies’ scope prepare quarterly, half-yearly and annual consolidation packages. The half-year and annual financial statements are reviewed and audited by the Statutory Auditors. Rubis SCA’s Finance and Consolidation Departments prepare the Group’s consolidated financial statements in accordance with the standards issued by the International Accounting Standards Board (IASB) and adopted by the European Union. Consolidation procedures include a set of controls to guarantee the quality and reliability of financial information.

The internal control system relies on technical and operational procedures designed to identify sensitive issues, and on a lean and streamlined organisation built around Rubis SCA’s Management Board and General Management and Rubis Énergie’s functional and operational departments in order to ensure the effectiveness of the internal control systems via the Management Committees. An internal control manual was drafted in 2020 in collaboration with the French Institute of Audit and Internal Control (IFACI), making it possible to list all the control points to be complied with in each area in which Rubis Énergie’s subsidiaries operate. The new manual should enable the Group’s various companies to conduct self-assessments on a regular basis and to continue to ensure that the risks of fraud and failures are properly controlled.

Rubis Énergie’s functional departments carry out regular and necessary checks on the procedures in place in their respective fields. Reporting procedures and indicators make it possible to have high-quality monitoring.

Internal audit is an independent and objective activity that makes it possible to ensure that operations are properly controlled and that the procedures in place are constantly improved. Internal audits allow Rubis Énergie’s General Management to reach its targets by assessing its risk management, control and corporate governance processes via a systematic and methodological approach, and to make recommendations to improve their efficiency.

At Rubis Énergie, this function is part of the Management Control, Audit and Consolidation Department. The Director of the department and his/her colleagues carry out internal audits on the entire scope of the Retail & Marketing and Support & Services businesses. These audits are planned with Rubis Énergie’s General Management at the beginning of the year. There are numerous fields of inquiry, which mainly cover verifying that local and Group processes are correctly applied, notably as regards preventing corruption, improving internal control and accounts closing procedures, inventory, cash and fixed asset controls, and controls of all other off-balance sheet commitments and liabilities recorded in the audited company’s accounts. The audit may also cover capital expenditures and analyse differences between expected returns and actual profitability.

The auditor has complete freedom to conduct his/her work as he/she deems appropriate and is independent from the local management when performing this task. The audit brief and report template follow a standard model so that the conclusions can be efficiently understood by all recipients, namely the General Manager of the audited company, the Finance Department and Rubis Énergie’s General Management. The risk factors identified during internal audits are also used to update the relevant company’s risk mapping.

The audit recommendations include a timetable for the implementation of corrective actions, which must be followed by the company at issue. The proper implementation of these corrective actions is also automatically verified during the next audit of the relevant company. In addition, each subsidiary sends Rubis Énergie’s General Management a monitoring report on the implementation of audit recommendations every two months until all the measures recommended by the internal audit have been definitively implemented.

The consolidators are also responsible for analysing the monthly results and the consistency of the data supplied each month by all consolidated companies. This work makes it possible to anticipate accounting errors and improves the reliability of the Group’s financial statements.

Each Rubis Énergie subsidiary is audited once every two years, on average. In 2021, due to the restrictions on movement resulting from the Covid-19 pandemic, the audit programme was significantly disrupted. It was able to resume in the second half of the year when quarantine measures in certain countries were eased. In the first half of the year, the internal audit teams essentially worked remotely to help subsidiaries use the internal control manual properly and to strengthen local anticorruption procedures. Internal audit also looked at the development of IT tools making it possible for Rubis Énergie to better manage risks and associated action plans. After validating expressions of need made by Rubis Énergie’s various operating departments, these new tools should contribute to enhancing risk management and reinforcing control and due diligence procedures by the end of 2022.

Control procedures are structured around Rubis Énergie’s Management Committee.

A Management Committee has been established for each country or region. This Committee meets twice a year and includes: the country’s CEO, General Management, Finance Department, Management Control, Audit and Consolidation Department, Technical Department, the division’s Resources and Risks Department, and Rubis SCA’s Managing Partners, Managing Director and Chief Financial Officer.

During these meetings, budget reporting and dashboards are analysed, along with the performance and results of each business line, development projects and project monitoring, and events considered to be significant for the Company and Group, as much in terms of strategy and operations as in terms of personnel. Questions and issues raised at previous meetings may also be reviewed if necessary. Non-financial issues, such as the roll out and implementation of the CSR strategy (and in particular the CSR Roadmap, Think Tomorrow 2022-2025) and decarbonation projects are also carefully reviewed during these Management Committee meetings.

Therefore, it is ultimately the Management Committees that analyse the financial and non-financial information collected through the reporting process set up by Rubis Énergie’s operational departments and those of its sub-subsidiaries. The entire reporting cycle is based on standardised principles and a single database that is shared by all teams within the finance and operational departments involved in reporting.

Rubis SCA’s Consolidation and Accounting Department runs numerous checks aimed at ensuring that financial information is reliable, particularly during account closing reviews.

Rubis SCA’s Managing Partners, Managing Director and Finance Department regularly analyse the subsidiaries’ financial statements and periodically meet with Rubis Énergie’s General Management in order to conduct an assessment, evaluate risks and the corrective actions that may be necessary to achieve the Group’s objectives (both financial and CSR). Lastly, the Group’s Director of CSR & Compliance maintains ongoing dialogue with the subsidiaries on various topics, including litigation, trademarks, insurance, risk identification and monitoring (mapping), compliance (anticorruption, embargoes, etc.).

All major risks, the monitoring of these risks and the corresponding policies for covering these risks are described in detail in section 3.1 of this chapter and in chapter 4.

In terms of risk, the Group operates in business sectors that are tightly controlled and regulated. The Group’s structure is designed to reflect this circumstance. All French sites covered by the Seveso directive have safety management systems whose main purpose is to define the organising Partnersation, staff functions, procedures and resources that allow the Group to establish and implement a prevention policy for major accidents.

In addition, Group entities often operate their activities in the framework of ISO 9001 and ISO 14001 quality certifications, particularly with respect to the adoption and application of procedures and instructions relating to safety and the environment (see chapter 4, section 4.2.1.2). Accordingly, they follow processes that are extremely formalised.

Internal control procedures for risk management and monitoring seek to cover all of the Group’s businesses and assets. They are based on a process for identifying and analysing the main risks which is reinforced by the appropriate organisation, allowing General Managers to address these risks and maintain them at an acceptable level.

In the same way as for accounting and financial internal control, internal risk management is subject to monitoring by the subsidiaries’ operational departments, which keep Rubis SCA regularly informed.

At Rubis Énergie, the headquarters’ Technical Departments (QHSE) establish information reporting procedures and preventive measures for anticipating and managing risks, as described in chapter 4, section 4.2.1.

Rubis Énergie’s Technical Department reports information on the main risks to its General Management. Certain events may also be discussed by the Management Committee. Lastly, Rubis Énergie lays out these main risks to the relevant departments of Rubis SCA (Managing Partners, Accounting and Consolidation Department, Finance Department and Corporate Secretary in charge of the Legal Department, CSR & Compliance Department) through different transmission channels, such as risk mapping (see section 3.2.3.2 below).

The Accounts and Risk Monitoring Committee reviews how internal control and risk management procedures are organised, as described in this section 3.2.2.1 of this chapter and in section 5.3.2 of chapter 5.

The internal control system relies on several channels for reporting information on the main risks, which are designed to exhaustively identify sensitive areas.

Rubis has developed and conducted mappings of risks to which the Group’s various activities may be exposed. The analysis of these risks also takes into account their occurrence and their financial and reputational impact (on a scale of one to five). The mapping was conducted in close cooperation with Rubis SCA’s Legal, Consolidation, and Finance Departments, together with the operational Managers and Rubis Énergie’s Financial and Technical Departments. A self-assessment is carried out at regular intervals to identify new risks.

The risks analysed have been divided into different families: market risk, accounting miscalculation, insurance, and commercial, environmental, industrial, climate, supply chain, social, legal, and IT risks. The legal risk category also includes issues related to fraud, contractual breaches and, until 2017, corruption risks. In 2018, the Group carried out a specific process to assess the corruption risks to which entities may be exposed, in accordance with the Sapin II law (see chapter 4, section 4.4.1.1).

The maps are completed annually by the operational Managers of the industrial sites and by the Directors of the French and international subsidiaries, assisted by Rubis Énergie’s functional Managers. They are updated during the year at Management Committee meetings. The maps aim to provide on a yearly basis the monitoring status of the significant risks that have been identified and to describe any measures that have been taken or need to be taken to mitigate them if they cannot be completely eliminated.

All these maps are consolidated by Rubis Énergie. This consolidation, together with a review of the major events and non-financial issues of the past year, are sent by Rubis SCA’s Management Board to the Accounts and Risk Monitoring Committee at special meetings dedicated to risks (see chapter 5, section 5.3.2). In turn, the Accounts and Risk Monitoring Committee and the Management Board report to the Supervisory Board at its meetings in March and September.

Rubis Énergie’s functional departments have established reporting, analysis and information-sharing systems covering health, safety and environment (HSE) issues. These systems are described in greater detail in chapter 4, section 4.2.1.2.

Rubis SCA’s CSR & Compliance Department has also implemented an IT tool for reporting and analysing CSR data (environmental, safety, social, compliance and societal) as described in chapter 4, section 4.5.2 (methodological note in the Non-Financial Information Statement).

The control system is based on management accountability and risk monitoring entrusted by the Managing Partners to each subsidiary’s CEO and on a system of internal and external audits.

Rubis Énergie’s General Management is ultimately responsible for the risk management policy, within the framework defined by Rubis SCA’s Managing Partners.

The operational Managers of each site are assisted by Rubis Énergie’s functional departments: Technical/HSE Department, Finance Department, Management Control Department, Audit and Consolidation Department (including Compliance), Resources and Risks Department.

At larger sites, these Managers are supported by a Quality and/or HSE Engineer.

Entity Directors have overall responsibility for risk management and control at their facilities. In addition, Rubis Énergie has a Technical Department that regularly provides operational advice and conducts inspections of facilities with the aim of guaranteeing compliance with uniform operational, safety and environmental standards.

As part of its decentralised structure, the Group encourages quality and independence among its employees, who are responsible for all aspects of their role, including risk management.

At meetings of subsidiaries’ Management Committees (see section 3.2.2.3), an item bearing on the review and monitoring of risks is regularly included on the agenda and is the subject of discussions between the Directors of the subsidiaries and the Managing Partners.

Certain non-financial risks are included in the internal audit programmes. Accordingly, verifying the reliability of ethics and anticorruption policies is one of the issues addressed during inspections performed locally by Rubis Énergie’s Management Control, Audit and Consolidation Department. The Covid-19 pandemic disrupted and limited on-site work at subsidiaries in the first half of 2021, but the activity progressively resumed during the second half of the year. Rubis Énergie’s internal audit teams did, however, continue to monitor the rollout of anticorruption measures in its subsidiaries and helped the various Group entities with the roll out of internal control tools. In a decentralised organisation such as Rubis, continual strengthening of internal controls remains a priority. This is all the more the case in a context in which international travel is restricted.

These are:

• •French Regional Environment, Development and Housing Departments (DREALs), which are responsible in France for regular inspections of industrial facilities and for the application of the “Safety Management System” in view of ensuring that the subsidiary has its business risks under control. Similar systems exist for the sites of certain foreign subsidiaries;
• •ISO certification bodies, such as AFAQ (Association Française de l’Assurance Qualité) or LRQA (Lloyds Register Quality Assurance), which regularly audit certain ISO 9001-certified Rubis Énergie subsidiaries. During these audits, facilities are regularly checked for compliance with procedures, processes and operating practices put in place as part of the Quality plan to ensure they keep their certification and identify areas for improvement.

The General Management of Rubis Terminal Infra is responsible for implementing and ensuring internal control (in accounting, financial and risk matters) in all of the joint venture’s subsidiaries, in accordance with applicable standards and regulations. Rubis SCA exercises its control through monthly reports sent by Rubis Terminal Infra’s General Management to the designated members of the Board of Directors, on which Rubis SCA has representatives.

Rubis Terminal Infra’s budget is drawn up by its General Management in conjunction with the Finance Department and is approved by RT Invest’s Board of Directors.

Rubis Terminal Infra’s General Management provides RT Invest’s shareholders with an annual update of the consolidated risk maps of all its subsidiaries (technological risk map; financial, legal and commercial risk map; corruption risk map) as well as a review of the major events and non-financial challenges of the past year.