How to manage a Risk department and its importance

I had the opportunity to talk to Hugo Castaño, who has been with the company for around seven years, always immersed in the world of Internal Auditing and Risk Management.

Hugo Castaño (Head of Risk Management).

Luisa Dorel Peña Guzmán

Hugo has a degree in Economics and another in Finance and Actuarial Science. He is also certified by the Institute of Internal Auditors in COSO ERM and COSO CI, as well as by the European Federation of Financial Analysts Societies in CESGA.

He tells us a little about what his day-to-day activities are like and what he advises for those who want to train in this role, among other things. Stay tuned to find out more about the Risk area in the Group and its importance.

Who are you and what is your role at Telefónica?

My name is Hugo Castaño, with an academic background focused on finance, actuarial science and business. I currently hold the position of head of the Risk Management area at Telefónica S.A. which, as you know, reports to the Chief Internal Audit Officer. Well, the role of this area can be summarised as being responsible for supporting the Audit and Control Committee of Telefónica S.A. in its supervision of the risk management system.

Our activity is regulated by internal regulations, by the Risk Management Policy and we also have a Risk Management Procedure that is updated annually and provides a common methodology for identifying, evaluating and reporting risks in a consistent and effective manner within the Group. Within the Policy we find the basis for the methodology and the procedure sets the operational guidelines for the process.

Within this same Policy we find the tasks carried out by the risk management functions:

  • Ensuring the proper functioning of risk control and management systems and, in particular, that all significant risks affecting the Company are adequately identified, managed and quantified.
  • Participating in the development of risk strategy and in important decisions regarding its management.
  • Ensuring that risk control and management systems adequately mitigate risks within the framework of the policy defined by the Board of Directors.

From a more governance and organisational point of view, the Risk Management Area has local areas that are responsible for providing supervision in the Group’s main operations and a corporate area, which is where I am, whose function, apart from also carrying out supervision at a global level and in corporate subsidiaries, is to coordinate and ensure the homogeneity of the Risk Management Model in the Group.

How did you come to work for Telefónica? What was your first position?

I joined Telefónica in 2017, thanks to a Telefónica Talentum scholarship that covered a position in the Internal Audit area. I stayed there until 2018, when I was able to move internally to the same area, where I stayed until 2022, when I joined the Risk Management team.

My relationship with Internal Audit and Risk Management was, at first, accidental, since until I became part of the Area I was not very clear about its objectives, responsibilities or functions. Later, when I began to learn about and develop different functions, I was particularly attracted by the global and cross-disciplinary vision it offers, allowing you to participate in projects of various kinds. In this sense, it was the day-to-day nature of the role and also having met top-level teams and colleagues that made me want to develop my career within the framework of these two activities.

The cross-cutting nature I mentioned before gives you the opportunity to see the Company from start to finish and to be present in all areas. You don’t limit your vision to a single area, but it allows you to get to know the business in a comprehensive way. You have a presence and also the opportunity to add value to the company in various areas and that’s interesting.

From your perspective, tell me what is the most interesting activity you do.

If you ask me about the most interesting activity, from the outside, it would be the ‘intelligence’ activities we carry out to keep us constantly up to date on trends in new risks, emerging risks, potential risks in the Company. What we do is continuously monitor the context to identify any developments in the economic, political, regulatory and commercial spheres in the different geographical areas in which the Group operates. This is done through external references, news, risk publications, which allows us to identify in advance those trends and risks that have an impact on the Company, as well as to present them to the areas so that they can evaluate them, design mitigation plans and seek to reduce their impact.

What is the biggest challenge in risk management?

I think the biggest challenge has to do with being able to convey the importance of maintaining an effective risk management system that identifies, assesses and responds to the main risks to the company, because in the end all risk managers have to be aware of this. It is important to convey and raise awareness that we, as a risk function, are not the owners of these risks, but rather that the management areas are the owners of the risks and it is their job to identify and respond to them.

We are a support, which we provide with a Group-wide methodology; the managers are the ones who are responsible and who are dealing with the risks on a day-to-day basis.

What characteristic makes a risk management supervisor strong?

In the case of Telefónica, the integration of the Risk area into Internal Audit is a differential factor and one that, in some way, adds value to our function because it integrates Internal Control with Risk Management, taking us a long way towards adequate risk management. This becomes evident with the adaptation of the COSO ERM 2017 Methodological Framework for the implementation of the Risk Management Model in Telefónica, where, apart from this link between Internal Control and Risks, the connection between risks and the Company’s strategy becomes evident. In fact, the definition of risk is the possibility of events occurring that affect the achievement of the business objectives strategy.

Therefore, one of the most important characteristics, in my opinion, is having the ability to integrate risk management into the rest of the Company’s processes and functions. Having a holistic vision that allows for better decision-making to minimise the impact of risks and ensure the fulfilment of objectives.

What advice would you give to someone interested in Internal Auditing or Risk Management?

To think it over carefully… just kidding. Seriously, what I would say to someone who wants to get into Risk Management or Internal Auditing (I’m thinking of a person who is deciding right now which path or which training to take): the first thing I would recommend is to obtain an academic education in Economics, Finance or related fields and to consider, in the future, professional certifications such as the CIA or the CRMA. Then, in addition to more technical training, it is true that soft skills play a fairly or very important role in these two areas. Why? Internal Audit and Risk Management are very much based on building relationships of trust and credibility with the rest of the Company’s areas.

Finally, I would say that it is important to always keep up to date, as these are professions that are constantly changing. You have to be up to date with regulations and risk trends; in the case of Internal Auditing, we know that our standards have recently changed with the entry into force of the International Standards for the Professional Practice of Internal Auditing on 9 January this year. I would summarise it as that.

From the perspective of risk management, could you give me three tips for those areas that are interested in identifying risks in their areas or operations?

I would ask myself three questions:

  • What are the main risks to achieving my objectives that are within my scope of action?
  • What are the main risks to achieving my objectives that are outside my scope of action?
  • What are the risks that we call black swans (risks that have a low probability of materialising but which, if they do, would have a high impact)?

By asking these three questions when identifying risks, we would be covering the whole spectrum. It is also important that, when analysing and evaluating the answers, we consider the root cause of the risks and their impact on the objectives, as this helps to define the action plans appropriately. When in doubt, it is always important to rely on the local Risk Management areas.

One last point: nowadays we have many tools at our disposal, for example, artificial intelligence, which can help us in these identification phases to present us with risks that, perhaps, we had not considered, although we must also be careful with the information that is provided to these tools.

To finish, I would like to express my gratitude for this space and comment that, if Risk Management works so well, I think it is because we have local teams that are made up of incredible people. Congratulations to you, who are the ones who drive the function.
