Introduction and reference frameworks
Telefónica has a Risk Management Framework, based on the model established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), that allows both the identification and the assessment of the impact and the likelihood of occurrence of the different risks of the Company. This framework has been implemented homogeneously throughout the Group’s main operations, and those responsible for the Company, in their field of activity, carry out the appropriate identification, evaluation, response and monitoring of the main risks.
This model, which is inspired by best practices, facilitates the prioritization and development of coordinated actions against risks, both from a global Group perspective and with a specific focus on its main operations.
Telefónica’s Business Principles specifically state that:
“We establish appropriate controls to evaluate and manage all relevant risks to the Company”
Extract from Responsible Business Principles of Telefónica
In this sense, the Company has a Risk Management Policy, approved by the Board of Directors, and a Corporate Risk Management Manual, both based on experience, best practices and Good Corporate Governance recommendations, contributing to the continuous improvement in business performance, according to the COSO ERM 2017 framework, “Enterprise Risk Management - Integrating with Strategy and Performance”.
COSO ERM Framework
Governance & culture
Strategy & objective-setting
Review & revision
Information, communication & reporting
Source: COSO ERM 2017
Risk management process
The risk management process takes the Company’s strategy and objectives as a reference for the identification of the main risks that could affect their achievement. The process consists of four stages, which are described below:
Risk identification by managers of future events that may affect the achievement of objectives, including emerging risks.
Prioritization of risks
Assessment of the impact and likelihood of risks, in order to prioritise actions. Impact is assessed from three perspectives:
There are 4 types of risk response:
Take measures to reduce the risk’s likelihood of occurrence, its potential impact, or both
Change the way you act or not proceed with the activity that causes the risk
Transfer the risk to a third party through the contracting of insurance or outsourcing of activities
Make the decision to assume some risk according to management criteria
Monitoring and reporting:
Information on risks and monitoring of their evolution (action plans).