Risks

Distrito Telefónica's panoramic

Introduction and reference frameworks

Telefonica has a Risk Management Framework, based on the model established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), that allows both the identification and the assessment of the impact and the likelihood of occurrence of the different risks of the Company. This framework has been implemented homogeneously throughout the Group’s main operations, and those responsible for the Company, in their field of activity, carry out the appropriate identification, evaluation, response and monitoring of the main risks.

This model, which is inspired by best practices, facilitates the prioritization and development of coordinated actions against risks, both from a global Group perspective, and a specific focus on its main operations.

The Telefónica’s Business Principles specifically state that:

“We establish appropriate controls to evaluate and manage all relevant risks to the Company”

Extract from Responsible Business Principles of Telefónica

In this sense, the Company has a Risk Management Policy, approved by the Board of Directors, and a Corporate Risk Management Manual, both based on experience, best practices and Good Corporate Governance recommendations; contributing to the continuous improvement in business performance, according to COSO ERM 2017 framework, “Enterprise Risk Management - Integrating with Strategy and Performance”.

“The main risks are linked to the strategic objectives of the Company Program”

COSO ERM Framework

COSO ERM Framework infographic

Gobernance & culture icon

Gobernance & culture

Strategy & objective-Setting icon

Strategy & objective-Setting

Performance icon

Performance

Review & revision icon

Review & revision

Icono Información, comunicación y reporte

Information, communication & reporting

Source: COSO ERM 2017

Risk management process

The risk management process takes the Company’s strategy and objectives as a reference for the identification of the main risks that could affect its achievement. The process consists of four stages which are described below:

Infographic about the risk management process

Risk identification by managers of future events that may affect the achievement of objectives, including emerging risks.

Priorization of risks

Risks heatmap

Risks heatmap

1. Competition and market consolidation
2. Data privacy
3. Government concessions, licenses and use os spectrum
4. Technological changes
5. Adaptation to changing customer demands and/or new ethical or social standards
6. Dependency on suppliers
7. Cybersecurity risks
8. Unanticipated network interruptions can lead to quality loss or the interruption of the service
9. Economic and political environment
10. Possible asset impairment (goodwill, deferred tax or other assets)
11. Level of finantial indebtedness and Group’s ability to finance
12. Foreign currency exchange rates and interest rates
13. Lawsuits, antitrust, tax claims and other legal proceedings
14. Compliance with anti-corruption laws and regulations and economic sanctions programmes

Assessment of the impact and likelihood of risks, in order to prioritise actions. Impact is assessed from three perspectives:

Assessment

Economic impact icon

Economic impact

Reputational impact icon

Reputational impact

Impact on compliance icon

Impact on compliance

There are 4 types of risk response:

MITIGATE
1

Take measures to reduce the risk likelihood of occurrence, its potencial impact, or both

AVOID
2

Change the way you act or not proceed with the activity that causes the risk

TRANSFER
3

Transfer the risk to a third party through the contracting of insurance or outsourcing of activities

ACCEPT
4

Make the decision to assume some risk according to management criteria

Monitoring and reporting:
Information on risks and monitoring of their evolution (action plans).