Corporate
Governance

5.4. Management Governance

G - Leading by example

5.4.1. Having the customer at the center of what is done

Movistar works to achieve the best customer experience and satisfaction. In the process of recertification of the Quality Management System (QMS), structured under the ISO 9001 standard, it was noted that the Company has been recognized as a reference in business agility, being above the average in the region, as well as the meticulous work done in the monitoring of risks, which allows better results in each of the processes.

Agility

In 2022, the Agile operating model continued to be promoted in order to accelerate the achievement of organizational objectives and increasing the speed to market, improve productivity and placing the customer at the center, not only from the ongoing agile units, which are 15 Trains and 9 Centers of Excellence (COEs), but also from the Business As Usual (BAU) areas, where a management model was designed that adopts the best practices and premises of Agility and in turn management through Objectives and Key Results (OKRs).

Employees have been a key part of the transformation process. In 2022, a training plan was implemented to strengthen Digital Capabilities in those employees with non-digital roles, reaching more than 2,500 people.

It is important to continuous measurement of adoption and maturity over the transformation process, in that sense, the Company was assessed by a diagnostic based on McKinsey&Co’s business agility framework, and a team of McKinsey Experts.

The Agility model has become a reference not only in Colombia, but also in the industry, having been invited as speakers at the Enterprise Agility Forum in Panama, and in Medellin with the Telefonica experience as a good practice in Latam, as well as being invited by companies from various sectors to share their experience and learnings.

Digital Transformation

In 2022, the Digital Transformation plan was consolidated, targeting the strategy towards the automation of processes and operational tasks, with continuous and tangible value delivery for the business and focused on maximizing customer experience. Digital mindset and culture initiatives were promoted with the Digital Minds program, fostering the Business Process Management methodology for the development of digital solutions. All this is reflected in the positive impact and growth of the Digital Maturity Index, which in 2022 grew from 5.52 to 6.08 points on a scale of 10.

Customer experience

The year 2022 proved to be remarkably successful in customer experience, as it strengthened the trend of continuous improvement in recommendation levels, with year-on-year improvements in all sub-segments, reaching and, in most cases, surpassing the targets set.

Mejora continua NPS

Telefónica’s customer satisfaction and reference measurement model is based on the ACSI model (American Customer Satisfaction Index). This metric assesses the principal processes or customer dimensions in the service value chain, overall satisfaction and the NPS (Net Promoter Score), which is an indicator of loyalty and enables us to discover the degree that an individual is likely to recommend a brand, service or company.

At Experience level, we contributed to the improvement of both the NPS and the Customer Satisfaction Index (CSI) with the integral management of the root cause of invoice complaints, management of errors in the registration and post-sales of Fiber Optic (FO) customers, managing to deal with 98% of the errors in less than 24 hours, improving the FO customer experience from engagement to delivery, design of desired experiences in key offerings and products through inter-area sessions, among others.

Processes to reduce negative impacts

(GRI Content 2-25)

Although the Company has regulated service channels to address all complaints, grievances and requests (PQR, for the Spanish original), actions were developed to improve customer experience through digital and self-management channels focused on solving the most recurring issues for users.

Customer service

 The outstanding technological resources, fast response Accessibility for people with disabilities time in the design and implementation of strategies, and the support of our partners have enabled us to provide everything required to strengthen the call and digital service channels; as well as to provide self-management solutions for customers to be able to carry out their queries and frequent transactions at a click of a button.

To achieve this continuity and in view of the imminent shift from face-to-face to virtual or telephone customer service, the following strategic axes are ensured:
strengthening of social network customer service, self-management and multi-channel Interactive Voice Response (IVR) and self-management of digital channels.

Accessibility for people with disabilities

At this particular point in the Experience Centers channel, the following strategies were developed that allowed for a better performance in the light of commercial results and improvements in customer service processes.

The Company has implemented different tools and updated internal processes and procedures to provide the Colombian hearing impaired population with the opportunity to access the prioritized channels of attention. Through SERVIR, a platform of the Colombian Federation of the Deaf FENASCOL.

So far, 35 Experience Centers nationwide have been equipped with terminals for exclusive use in communication with virtual interpreters. In addition, it was created the Special Attention Protocols for People with Visual and Hearing Disabilities and carried out sensitizations and training for the Experience Center channel through virtual training, strengthening the attention guidelines and protocols established for the visually and hearing impaired population.

Additionally, in 2022 the Company announced that prepaid and postpaid mobile customers will be able to enjoy the ICT Ministry Centro de Relevo application, which allows people with hearing disabilities to communicate in the country, free of charge without data from their mobile plans.

5.4.2. Corporate Governance

In order to preserve the integrity of the administrators and safeguard the interests of the organization, the Company has a Code of Good Governance (hereinafter “the Code”) which aims to “ensure its proper administration, public knowledge of its management and the mechanisms for evaluation and control of such evaluation”5. This Code governs the ethical behavior of the Company and compiles the rules of administration, conduct, information and control to which the Company is subject. Its general principles include, among others, the sustainable investment model, fair competitiveness and sustainability.

Governance Structure

(GRI Content 2-9, 2-10, 405-1)

Board of Directors

(Contents GRI 2-12, 2-13, 2-14, 2-17, 2-18)

 The General Shareholders’ Meeting appoints the members of the Board of Directors subject to the provisions of the Company’s Bylaws and, while the Company is listed on the stock exchange, to the provisions of Law 964 of 2005 and the regulations that may amend it.

The Board of Directors is formed of 10 principal members, with their respective personal substitutes. As long as the Company is listed on the Colombian Stock Exchange, the members of the Board of Directors shall not have alternates.

The Company’s Bylaws, the Code of Good Corporate Governance and its Annex No. 3- Regulations of the Board of Directors establish that the members of the Board of Directors are professionals of high moral and ethical qualities, with management and leadership skills that enable them to contribute to the Company thanks to their special knowledge of the information and communications technologies industry, of financial and risk aspects, of legal matters. Likewise, it is establish the obligation that 25% of the members must be independent, in accordance with the criteria of independence and the requirements established in Law 964 of 2005.

The profiles of the members of the Board of Directors are published on the website
www.telefonica.co/ junta-directiva.

Composition of the Board of Directors
Participation by gender
Participation by age

In accordance with the Company’s Bylaws, the Board of Directors is responsible for supervising good corporate governance practices and reviewing the level of compliance with the ethical and conduct standards adopted by the Company, including the Code of Good Corporate Governance, the Responsible Business Plan and the Principles of Responsible Business. Therefore, it periodically receives and approves information related to compliance with such policies and information on the advances and status of the business plan and management of the Company.

The Board of Directors actively participates in the integration of sustainability in the organization, since its activities include the definition of guidelines and directives of the sustainability strategy, regular monitoring of the management, risk and performance indicators reported to it. Likewise, the Board of Directors is responsible for supervising the Responsible Business Plan and good corporate governance practices, as well as verifying the level of compliance with the ethical and conduct standards adopted by the Company.

Annually, the Board of Directors reviews the Responsible Management Report – BIC Management Report, prior to submitting it for review and approval by the General Shareholders’ Meeting.

In accordance with Sustainable Development Target 16, over the year 2022 the Company was certified ISO 37001:2016 (Anti-Bribery Management Systems), in which the Board of Directors is responsible for ensuring compliance with the Anti-Corruption Policy. Aware of the adverse effects generated by Money Laundering (ML), Financing of Terrorism (FT) and the Proliferation of Weapons of Mass Destruction (WMD) for the economy and society, the Company has a Comprehensive Risk Self-Management System for Money Laundering and Financing of Terrorism (SAGRILAFT), through which it seeks to prevent the Company from incurring or being affected, directly or indirectly, by ML/FT/AMLP behaviors.

The results of SAGRILAFT’s performance, including the due diligence of the Company’s counterparties, are reported every six months in the reports submitted by the Management of Compliance to the Board of Directors, enabling the Board to have a reasonable supervision over them and state its opinion on any improvement opportunities it may deem appropriate.

In this regard, it is pertinent to point out that during the period, the General Shareholders’ Meeting approved the modification of the Anti-Corruption Policy, in order to ensure its harmonization with the requirements of the ISO 37001:2016 standard.

Likewise, as part of its responsibilities, the Board of Directors regularly receives reports from the Management of Compliance regarding the fulfillment of the Company’s Compliance Program, including what refers to the management of complaints about possible infractions of the Telefónica Group’s ethics and integrity regulations.

These reports are also submitted to the Audit Committee and the Company’s Management Committee, which are responsible for leading and exercising reasonable oversight regarding the planning, implementation, establishment and continuous improvement of the Compliance Program and its components.

Chairman

The Chairman of the Board of Directors is not a senior executive of Colombia Telecomunicaciones. The Company’s Bylaws establish that the Board of Directors shall have a Chairman elected by its members for a term equal to the term of this corporate body. The Chairman of the Board of Directors shall be the Chief Executive Officer of the Company. However, as long as the Company is listed on the Colombian Stock Exchange, whoever is the legal representative of the Company may not act as Chairman of the Board of Directors. (GRI Content 2-11)

Assessments

Although it does not conduct specific performance assessments of the Board of Directors related to oversight of the management of the organization’s impacts on the economy, the environment and people, in accordance with the provisions of the Code of Good Corporate Governance and its Annex No. 3 – Regulations of the Board of Directors, this performs an annual evaluation of its management, through the mechanism defined by the Board itself. The self-evaluation involves the active participation and attendance of its members to the meetings, the knowledge they have of the main issues of the Company and the follow-up on the decisions made by this corporate body and its contribution to the definition of the Company’s strategies and projection.

The results of the self-evaluation of the members of the Company’s Board of Directors and the management performed during the year will be included in the Good Corporate Governance Practices Compliance Report 2022, which is published on the Company’s website.

Remuneration
(Content GRI 2-19, 2-20)

 In accordance with the provisions of the Company’s Bylaws, the Code of Good Corporate Governance and its Annex No. 3 – Regulations of the Board of Directors, the members of the Board of Directors are entitled to remuneration or compensation. The fees are set by the General Shareholders’ Meeting, in consideration of the responsibility of the position, the size of the Company and market guidelines. The Company does not have variable remuneration systems, hiring bonuses, hiring incentives, retirement pensions or remuneration systems that incorporate stock options for the members of the Board of Directors.

On the other hand, it is reported that no fees are recognized or paid to the members appointed by the Telefónica Group who are employed by it.

Finally, it is specified that the remuneration policy for members of the Board of Directors and Senior Executives is not linked to their performance in the management of the organization’s impact on the economy, the environment, and people.

In the Annual Report on Compliance of Good Corporate Governance Practices will be reported annually the remuneration received by the members of the Board of Directors in each fiscal year. This information may be accessed through the website https://www.telefonica. co/informe-de-gobierno.

Audit Committee

(Content GRI 2-14)

 Los Estatutos Sociales y el Código de Buen Gobierno Corporativo establecen que el Comité de Auditoría está The Company’s Bylaws and the Corporate Governance Code set the Audit Committee is formed by five members of the Board of Directors, as well as its composition considers the quality of independent members and establishes that all of them must have knowledge of accounting, financial and other subjects.

The profiles of the members of the Audit Committee are published on the website https://www.telefonica. co/comite-auditoria.

The Audit Committee analyzes the Company’s business plan reports and management, and within its duties is, in general, to supervise compliance with the internal audit program, which must consider the business risks and comprehensively evaluate all areas of the Company. 

Conflict of interest

(Contenido GRI 2-15)

Under other provisions, paragraph 3.7 of the Code states that “in accordance with the law, directors must refrain from participating, by themselves or through a third party, in personal or third party interests, in acts in respect of which there is a conflict of interest”.

Concerning the Board of Directors, its members shall declare their conflicts of interest to other members of the governing body, who must rule on the ability of the member to participate in the issue in respect of which such conflict of interest is presumed to exist.

However, those directors who have the status of collaborators of the Company must comply with the provisions of the Corporate Conflicts of Interest Regulations.

In this case, directors must declare their conflicts of interest on two (2) moments: (i) During the selection process, by filling out the form of acceptance of the Rules on Conflicts of Interest, and (ii) At any other time at which a possible conflict may arise, through the declaration of conflicts of interest tool of Grupo Telefónica.

In both events, the Management of Compliance is responsible for conducting the corresponding analysis, issuing the conclusion regarding the existence of the conflict and, if applicable, issuing recommendations to mitigate the risk derived from the existence of the conflict.

The Company has complied with the provisions of the law in matters relating to the declaration of conflicts of interest of its members of the Board of Directors. In this order of ideas, its members must disclose any activity that implies competition with the Company and, in general terms, any act with respect to which there is a conflict of interest, including those related to their participation in other boards or their cross-shareholding with suppliers or other interest groups.

In this regard, with respect to the Company’s senior management, the Telefónica Group has a Corporate Policy on the participation of Executives and Managers in Boards/Boards of Directors of External Companies, according to which, Executives and Managers are allowed to participate in such entities, as long as it guarantees the non-existence of conflicts of interest and is authorized by the pertinent bodies.

On the other hand, directors who have the status of collaborators must declare any situation in which a personal interest, direct or indirect, influences, may influence or appear to influence their professional decisions.

In accordance with the Conflict of Interest Regulations, conflict of interest includes those situations derived “from kinship, participation in companies either in their capital or management and/or administrative bodies, other cause that the Affected Subject considers that limits or restricts its ability to take objective decisions in the performance of its duties”.

Notwithstanding the foregoing, in the declaration of conflicts of interest made by employees during the selection process, they are expressly required to provide information regarding kinship relationships and contractual and/or legal ties with contractors, suppliers or competitors of Telefónica, among others. 

Communication of critical concerns

(GRI Content 2-16)

Since the governing body must evidence its commitment and leadership with ethical and responsible management within the Company, as well as exercise reasonable supervision over it, the Board of Directors receives regular information on the management of the reports received through the complaint channels by the Management of Inspection which may include critical issues or items of significant importance to the Company.

In addition, the Management of Compliance submits regular reports to the Board of Directors on the performance of the Company’s Compliance Program. In this channel is also available to report any critical concerns or issues related to the Telefónica Group’s Ethics and Integrity Regulations.

In the year 2022, there were no critical concerns regarding the ethical and responsible management of the Company that, due to their nature and scope, merited being reported to the Board of Directors.

Amendments to the Company’s Bylaws and Corporate Governance Code

On March 16, 2022, the General Shareholders’ Meeting approved the amendment to the Company’s Bylaws, Code of Good Corporate Governance and its Annexes in order to incorporate some recommendations of the Code of Country and Decree 1510 of 2021 that may improve the Company’s good corporate governance practices.

In this regard, it should be noted that the Code of Country is a compilation of recommendations of best practices of Corporate Governance for issuers of the real and financial sector provided by the Financial Superintendence of Colombia, which are of voluntary adoption by issuers. With the approved reforms, the Company adopted 4 additional recommendations of the Code of Country. Decree 1510 issued on November 19, 2021, by the Ministry of Finance and Public Credit seeks, that state-owned entities must adopt particular corporate governance practices in the companies in which they have a stake.

5.4.3. Culture based on ethics and responsible principles

(GRI Contents 2-23 y 2-24)

In order to ensure ethical and responsible management, the Company has a robust regulatory framework through which the main commitments assumed by the organization are established, developed and regulated for this purpose.

In order to ensure that these are incorporated into organizational strategies and, in particular, into operating policies and procedures, the Telefónica Group has adopted a Policy for the Preparation and Organization of the Regulatory Framework, also known as “Regulation Zero”, which establishes the foundations, instruments and mechanisms necessary for an adequate and efficient coordination between Telefónica S.A., the Parent Company, and the other 

companies of the Group regard to the preparation of their internal regulations. -Head Office- and the other companies of the Group regarding the elaboration of their internal regulations. This regulation recognizes the Principles of Responsible Business (PRB) as ethical code of the Telefónica Group, which inspire and set the manner of acting of the Group and of all employees in the development of their professional activity, are the fundamental standard under which all other Group Internal Standards are defined.

The foregoing implies that, as the highest standard within the organization, in the framework of the design and set of its policies and regulations, the Company must respect the content and scope of the PNR and its guiding elements from the moment of its inception until its eventual repeal.

For this purpose, locally, the Management of Compliance is responsible for supervising the local policies and procedures within the organization. This review is carried out prior to their publication, in order to safeguard compliance with the PRBs and the company’s applicable obligations in accordance with the Preventive Model of Regulatory Compliance (MPCN in spanish); and prior to their repeal, to ensure their removal from the regulatory framework does not affect compliance with the PRBs and the obligations of the MPCN.

This framework is based on a series of policies and corporate and domestic regulations that develop the Principles of Responsible Business, the most relevant of which include the following: 

In order to ensure that the personnel and other counterparties with whom the organization has relationships effectively adhere to these regulations or, otherwise, to the commitments to which they refer, the Company implemented contractual clauses that are incorporated into the agreements or contractual arrangements and which, in most cases, impose an obligation on the counterparties to comply with them and set consequences for their eventual infringement.

In addition, in accordance with the provisions of the Regulations on Anti-Corruption Certifications for Executives, the organization’s executives must annually reaffirm their commitment to compliance with the Principles of Responsible Business by signin the Anti-Corruption Certificate. This document, according to the scope of the relationship, is also subscribed by suppliers, sponsors, business partners and collaborators who have positions sensitive to the risk of corruption within the Company.

As it reflects the commitments undertaken by the organization to achieve ethical and responsible management, compliance with the PRBs is a duty for the Company’s employees and other counterparties, whose compliance must be evidenced in each of their actions and decisions before, during and after their relationship with the Company.

However, in order to make these commitments tangible, the organization has established a series of implementation mechanisms that could be summarized as follows: (i) due diligence on counterparties, in order to identify possible corruption risks with the potential to affect the ethical and responsible management of the organization; (ii) adherence of counterparties to compliance with the PRBs through the subscription of the Anti-Corruption Certificate and the contractual clauses established by the Company; (iii) implementation of technological platforms for reporting conflicts of interest and the receipt or delivery of invitations and gifts; (iv) setting up consultation and/or complaint channels for consultation; and (v) contractual or disciplinary mechanisms that enable the application of consequences in the event of any breach of commitments.

Communication and training

(GRI Content 2-17)

Over the year 2022, we launched a new version of virtual courses on Responsible Business Principles, Competition Law and FCPA (Foreign Corrupt Practices Act) in the Company, by the end of December 31, 2022, the personnel had attended 96%, 94% and 97% of the courses, respectively.

In addition, the Management of Compliance provided 37 internal and external courses on Telefónica’s Compliance Program, which covered the Principles of Responsible Business. Most of the external training sessions were given to Optecom S.A.S., a company in which Colombia Telecomunicaciones S.A. ESP BIC is the sole shareholder.

On the other hand, the Company has a Code of Good Corporate Governance (as mentioned in chapter 5.4.2. Corporate Governance) that governs the Company’s ethical behavior and compiles the rules of management, conduct and information to ensure its proper administration.

In addition, the Company’s Responsible Business Principles include within its guidelines the respect and promotion of Human Rights and Digital Rights. The Company recognizes, among others, the rights contained in the United Nations Declaration of Human Rights, as well as the principles related to the rights recognized by the International Labor Organization (ILO) and the eight fundamental agreements that develop them. Additionally, in accordance with the United Nations Guiding Principles on Business and Human Rights, the Company conducts ongoing due diligence (with the support of third-party and in close consultation with our stakeholders) to identify, prevent, mitigate and remedy potential human rights impacts of our activities and those of our suppliers, partners and customers (see chapter 5.3.3. Human Rights).

One of the main features of the Company’s compliance program is Top at the Tone, understood as the commitment of senior management to conducting business in an ethical, transparent and responsible environment.

The Telefónica Group is aware that procedures must be established to sensitize and raise awareness among managers and directors regarding the importance of having ethical and transparent behavior in accordance with the Company’s regulations, as well as to update their knowledge of the primary internal and external regulatory obligations regarding ethics and integrity applicable to the Telefónica Group.

Considering the foregoing, during the year 2022, 100% of the members of the Board of Directors and Directors of Levels I and II signed the Telefónica Group’s AntiCorruption Certificate, through which they reaffirmed their commitment to comply with the policies, practices and standards established in the Principles of Responsible Business and the Anti-Corruption Policy. During the second half of the year, the steering committee received training in anti-corruption matters.

In addition, over the year 2022, a total of 22 internal training sessions were held, attended by more than 1,000 personnel. The main topics that were addressed in these training sessions refer mainly to the main ethics and integrity regulations of the Telefónica Group, including the Principles of Responsible Business, the Conflict of Interest Regulations, and the Regulations on Relationships with Public Entities/Officials.

Likewise, we provided training focused on areas of the Company that, given the nature of their functions and the risks to which they are exposed, require training in specific Regulations or Policies, such as the General Secretary’s Office, the Internal Audit Department and the Public and Wholesale Affairs Department.

Within the framework of the relationship with the different business partners, the Company is committed to establishing mechanisms that allow them to effectively manage their own integrity risks. To this end, in 2022, we provided training 4 external training sessions within the framework of the collective anti-corruption initiatives to which the Company belongs, 2 training sessions were held for specific suppliers and 3 training sessions on private corruption were held for citizens. These workshops sought to make visible and share the good practices adopted by the Company in terms of due diligence, private corruption and gender equity based on an anti-corruption approach that fulfills, on the one hand, the commitments made by the Company in this area and, on the other hand, the recognition of the importance of combating this phenomenon and its impact on society, the economy and social development. 

Mechanisms for counseling and concerns

(GRI Content 2-26)

The Company recognizes and accepts that ethical behavior is the foundation for the trust of its stakeholders and that such trust can only be generated through open and permanent communication with each of them. With this in mind, the Company has established mechanisms through which any person, internal or external to the Company, can safely communicate any doubt or concern related to the Telefónica Group’s ethics and integrity regulations.

Complaints channel

The Company has a whistle-blowing mechanism managed by the Internal Audit area that provides the option of denouncing, anonymously or personally, any alleged unethical or corrupt conduct committed, on behalf of or in representation of the Company, which constitutes a violation of any of the regulations, including those related to ethics and integrity.

The Company has an internal channel for queries and complaints, which is also available to external stakeholders, as well as a telephone line for the reception of them.

Employees:

All employees have at their disposal a whistle-blowing channel through which they can communicate any information about the existence of a possible irregularity, or an act contrary to the law or internal rules. This also includes any irregularities relating to accounting matters, audit-related issues and/ or issues related to internal control over financial reporting in compliance with section 301 of the Unites States Sarbanes-Oxley Act and other requirements in this regard. The complaints channel is based on the principles of confidentiality, respect, and integrity, and has been designed for anonymous communication by any complainant who wishes to do so.

The channels available to employees to access the complaints channel are as follows:

A total of 51 complaints were received through the complaints channel in the year 2022, of which:

As a results of the investigations during the year, 26 complaints were substantiated. Of the investigations closed, there were 5 for inappropriate/misconduct, 8 for external fraud, 3 for internal fraud, 7 for conflict of interest, 2 for non-compliance with commitments to clients and one case of harassment.

It is important to point out that, for founded complaints, the Company took the respective disciplinary and corrective measures in each process. Within the measures taken as a result of the founded complaints, there were 9 terminations of employment contracts and 2 employees who resigned prior to the notice of termination of contract with just cause.

In accordance with our policy of zero tolerance to corruption, bribery and discrimination, Telefónica has specific controls in place to detect and remedy possible cases. This materializes in the adoption of disciplinary measures and/or contract terminations. 

Third parties:

The company has provide access to the complaints channel available to third parties through the following links:

Operation:

The Company has implemented a communications plan using #Movistaresintegridad and through the workplace, text messages, daily communication, pop-up windows on employees’ computers; and to our partners, through newsletters and training sessions.

Compliance Mailbox
Currently, the Company also has a permanent inquiry mailbox available through the e-mail ofc.cumplimiento. co@telefonica.com. This consultation channel is governed by the principles of confidentiality, availability and accessibility and can be used by any person inside or outside the Company, including senior management, to request information or advice from Compliance Management regarding (i) ethical dilemmas or (ii) the content and application of the Telefónica Group’s ethics and integrity regulations. In this regard, it is pertinent to specify that an ethical dilemma is understood as those cases in which an executive or personnel of the Company has doubts about how to behave or act in a specific event, because it is unsure whether their performance (i) is ethical, (ii) complies with the ethics and integrity regulations of the Telefónica Group or (ii) could generate adverse consequences for them or for the organization. On the other hand, the consultations regarding the content and application of compliance and integrity regulations seek to resolve doubts associated with the scope of these policies, how to comply with them and the consequences of non-compliance.
Responsible Business Channel

In addition, the company has a Responsible Business Channel, a specialized channel for dealing with any inquiry and/or complaint related to the Responsible Business Principles. This channel is managed by the Sustainability area who, according to the nature of the issue, is responsible for transferring the communication to the competent area. In 2022, the company had 9 cases through this channel: 5 from business partners/suppliers, 2 from customers and 2 from employees.

 

During the year 2022, the information related to the Telefónica Group’s consultation channel and complaints channel was updated on the website www.telefonica.co and on the Company’s new intranet, in order to make them known to employees and to any person outside the Company.

Corruption-related risks

(GRI Content 205-1)

In the exercise of its functions and with the objective of actively contributing to the management of the risks to which the Company is exposed, the Management of Compliance intervenes directly in the identification and evaluation of corruption and ML/FT/AML risks associated with the operations carried out by the Company.

 The following table shows the total number of operations evaluated by the Management of Compliance, according to the type of operation:

Through the promotion of a culture of ethics and integrity, the Company not only seeks to generate trust in its different stakeholders, but also aims to generate a distinctive seal that allows it to distinguish itself from its competitors.

In pursuit of this purpose, during the year 2022, the Company obtained the ISO 37001:2016 Standard certification (Anti-Bribery Management System), for which were carried out the corresponding internal and external audit processes.

As a result of these processes and in accordance with the commitment to continuous improvement of the Telefónica Group’s Compliance Program, it was identified opportunities for improvement in the identification and evaluation of risks, by virtue of which the Company’s Integrity Risk Matrix was updated.

As a result, the company added new risk events associated with the areas involved in the processes under the scope of the ESMS, as follows: (a) search for business opportunities and contracting with public sector clients at the national level, (b) procurement of goods and services with suppliers in Colombia, (c) contracting of sponsorships at the national level, and (d) selection, hiring and remuneration of personnel.

Additionally, by virtue of the commitment to promote ethics and integrity, during the year 2022, the Company carried out activities aimed at ensuring that the companies in which it has major stake implement their own anti-corruption controls and Implement the Telefónica Group’s ethics and integrity standards effectively. In this sense, the Company guided Operaciones Tecnológicas y Comerciales S.A.S. -Optecom- S.A.S. in the process of identifying its integrity and ML/FT/ADM risks, in order to contribute both to the management of the risks to which Optecom S.A.S. is exposed and those that may impact directly or indirectly on the Company. 

Confirmed corruption cases and measures taken

(GRI Content 205-3)

The Telefónica Group has mechanisms that allow it to identify, investigate and apply consequences in the event of irregularities or infractions associated with acts of corruption or breaches of ethics and integrity.

Within the framework of the activation of these mechanisms, during the year 2022 there were no confirmed cases of corruption within the Company that have resulted in the termination of contracts with business partners or in the reputational impact of the Company.

In 2022, it was imposed 108 disciplinary sanctions for disciplinary offenses subcategorized into conflicts of interest and acts contrary to integrity in the private sphere.

 Good practices

In the year 2022, the Company continued to position itself as a benchmark for best practices in ethics, integrity and anti-corruption in the business sector.

As proof of this, within the framework of the 2nd Edition of Good Anti-Corruption Practices in Colombia, the Global Compact organization selected and made public the practice entitled “Validation of Temporary Unions (TUs) as a tool for promoting integrity in business with customers in the government sector in which Telefónica Movistar participates”. Through this practice, the Company seeks to (i) identify, evaluate and manage in a timely manner the corruption risks to which it is exposed as a result of its participation in Temporary Joint Ventures, (ii) indirectly contribute to the prevention of corruption in public procurement and (iii) support the achievement of the purposes of the Government.

In addition to this recognition, in the month of November, Transparencia por Colombia granted an award to the Company for its good practice called

“Gender equity and anti-corruption perspective from design”. This initiative seeks to promote the gender equity principle enshrined in the Responsible Business Principles and protect it from any practice that could be classified as fraudulent by including it in the different organizational policies and procedures.

In this regard, it is worth mentioning that the award was given during the socialization of the results of the initiative “Measuring Corporate Transparency 2022”, led by Transparencia por Colombia, in which the Company had a satisfactory level of performance. It is remarkable its optimal performance in the components of clear rules and openness, which evaluated good practices in areas such as corporate governance and business ethics, the Transparency and Business Ethics Program (PTEE in spanish), management systems, whistleblower protection and disclosure of socially useful information.

Certifications

During 2022, the Company became the first Colombian company belonging to the IT sector to obtain ISO 37001:2016 certification (Anti-Bribery Management System). By adopting this standard, the Company seeks to contribute to the effective prevention, detection and sanctioning of bribery and other corrupt practices; contribute to its reputational positioning; increase the trust of its different stakeholders; increase its competitiveness; and promote the generation of a culture of ethics and integrity.

5.4.4. Building digital trust, safeguarding data security and privacy

The Company, as a service provider, strongly believes that the appropriate access and processing of this significant amount of data represents a major opportunity to enrich the lives of citizens and contribute to the development of societies. Telefónica Movistar respects the fundamental rights and freedoms of individuals, including the fundamental right to the protection of personal data. The Responsible Business Principles contemplate the need to preserve this fundamental right and, in this area, establish common behavioral guidelines for all the companies that are part of it. Aware of the importance of deserving the trust of its customers and/or users and, in general, by the guarantee of control and value of the personal data processed by Telefónica.

For this reason, the Company develops the general principles and guidelines of the Global Security Policy, in its integral security concept, based on the applicable control frameworks extracted from international reference standards, establishing policies through an organizational security structure that are defined in a global security regulatory framework that covers four levels:

The scope of comprehensive global security includes not only physical and operational security (people and goods) but also digital security, business continuity, fraud prevention, supply chain security, as well as any other relevant area or function whose objective is to protect the company against potential damage, whatever it may be, or possible losses. In turn, the concept of digital security includes issues related to information security and cybersecurity. These factors apply to the hardware, the systems and the technologies and elements that integrate the network, and the associated services, based on the following principles: legality, efficiency, co-responsibility, cooperation and coordination.

In 2022 the Company was recertified of the Information Security Management System (ISMS) structured under the ISO 27001 standard, which it has had since 2016, which seeks to act according to regulatory requirements and privacy and security expectations of our customers; guarantee the confidentiality, integrity and availability of information, and preserve the security of information assets.

Information security and cybersecurity actions in 2022 in the Company, achieving that 45.9% of Partners/third parties (10,000 people) took the digital security course.

We worked together with the training area and channel leaders to promote the completion of the information security course by Partners and third parties. The following activities were carried out through communications and by providing activities for people to strengthen their knowledge of information security:

Within the framework of the Information Security System, it provided availability, confidentiality and integrity of data at all times, supporting the business in capturing value and avoiding the materialization of information security and cybersecurity risks.

CETI was also implemented, a tool that allows the company’s information to be classified, labeled and treated. Among the main benefits with the implementation of CETI are the following:

De igual manera, se inició el despliegue del componente Similarly, it began the deployment of the Azure Information Protection (AIP) component of Office 365, which allows protecting the company’s information sent via email and documents (Word, Excel, power point, etc.), through the application of labels. To achieve this, it issues a guide for all collaborators to use the functionalities of this add-on and label documents and emails properly.

Regarding the protection of the Company’s information stored on mobile devices (cell phone or Tablet), we implemented INTUNE, an Office 365 add-on that allows us to ensure that all Telefónica Movistar data is protected by application policies and avoid some actions that may materialize security risks, such as copying content to other non-corporate apps.

We work on updating and improving the functionalities of the Data Loss Prevention (DLP) tool. DLP identifies user activities that compromise the transfer of information, detects policy violations, identifies incidents and manages security cases. In this way, the risk of information leakage is mitigated and it is ensured that the machines or equipment of the employees are active with the DLP tool.

 

Likewise, the cybersecurity level were performed for vulnerability analysis and intrusion tests on 100% of the infrastructure and applications exposed, and in the same way, we achieved the integration of 82% of the internal technological and network infrastructure to the continuous monitoring of vulnerabilities.

Treatment of 100% of cybersecurity incidents, supporting the investigation, mitigation, implementation of controls and recovery of the affected asset. The foregoing without any impact on the service or personal data of customers, suppliers, or employees. Additionally, we integrated new intelligence sources to anticipate threats that may trigger potential security incidents.

Regarding Personal Data Protection, the Company recognizes the importance of assuming a commitment within the Company that guarantees the due compliance and development of the Proactive Responsibility Principle or Demonstrated Responsibility as it is called in the Colombian legislation. To this effect, the Company has implemented concrete actions that allow increasing its standards in terms of Personal Data Protection and Information Security, with the purpose of guaranteeing its users a suitable treatment of their personal information and the efficient compliance with the current regulations on personal data protection. Therefore, we have developed policies and plans that set the internal guidelines for the proper compliance and implementation of those provisions contained in the Personal Data Protection Law, its regulatory decrees and/or other provisions of the Data Protection Authority and international standards.
 

Viguías - Center for Safe Internet

As a founding partner of Te Protejo, the Company participates in Viguías, the first Safe Internet Center (CIS in spanish), an initiative aimed at helping, protecting, and guiding children and adolescents on the Internet, as well as preventing digital risks. Viguías has four components for the prevention and management of dangerous situations in online environments. These components are: Te Protejo (reporting line), Tú Lideras (youth initiatives), Te Guío (helpline) and Centro de conocimiento (Knowledge Center).
(https://viguias.org/)

5.4.5. Commitment to suppliers

(Content GRI 204-1)

The Company is aware of the significant importance of its supply chain, both for its international operations and for the impact and size it represents in the Company’s turnover. For this reason, it encourages, sets, and preserves high levels of responsibility with respect to its suppliers, promoting among them compliance, not only with product and/or service quality standards, but also with legislation and ethical, social, environmental and privacy standards in everything related to Telefónica’s supply chain. 

The Responsible Business Principles include responsible supply chain management as a principle:

Sustainability in the supply chain is a key issue in the telecommunications sector, in which we share with our suppliers and contractors a growing number of services and activities in the value chain.

We promote sustainability to extend the positive impact on society and the planet of the products and services we offer our customers, as they are the result of a mutually beneficial relationship with our business partners and suppliers. Our relationships are balanced and trusting, and generate a joint commitment to quality, innovation and endcustomer satisfaction.

We are committed to act with rigor, objectivity, transparency and professionalism in the relationship with our business partners and suppliers.

For this reason, we use a global purchasing model that promotes competition and guarantees transparency and equal opportunities for all our partners and current or potential suppliers.

In order to fulfill our commitment to responsibility throughout our value chain, we require our business partners and suppliers to comply with the Telefónica Group’s minimum criteria for responsible business.

It is important that those employees who make purchases or acquisitions for our company assume their individual responsibility to work with responsible suppliers and partners, and that they carry out the established controls to ensure, beyond the quality of the service provided or product delivered, that they act at all times in a responsible manner towards their stakeholders. 

La Compañía cuenta con una Normativa y una Política de Sostenibilidad en la Cadena The Company has a Supply Chain Sustainability Policy and Regulations that have their origin in the Responsible Business Principles, which constitute the reference framework in the Company’s relationship with its different stakeholders, and more specifically in the commitment assumed by Telefónica with the Sustainable Management of the Supply Chain. These have been developed in accordance with international standards such as, for example, the Business Guiding Principles and United Nations Universal Declaration of Human Rights, the conventions of the International Labor Organization, the United Nations Convention on the Rights of the Child, the OECD (Organization for Economic Cooperation and Development) guidelines and ISO (International Standards Organization) criteria. The Policy also demonstrates Telefónica’s commitment to the Global Compact in terms of corporate social responsibility, the Sustainable Development Goals and the defense of Human Rights promulgated by the United Nations. 


 Of 506 suppliers (awardees) that the Company had in 2022, 79% (401) are companies incorporated in Colombia (local suppliers), who were awarded 88% of the total values awarded, into the following product lines:

In 2022, the Company had the support of 41 Partners and 35 Agents who contributed to the following indirect jobs:

Partner Company: a company that provides a service to Telefónica and, in the development of the service, directly or indirectly impacts the end customer and/or the internal customer. In addition, this type of company assigns resources (human, physical, financial, among others) for the provision of the exclusive service to Telefónica.

Commercial Agents: an organization that commits to act independently and permanently to promote the business of selling Telefónica’s products and services.

On the other hand, in 2022 the Company entered into

 413 new contracts

outside the scope of the Telefónica Purchasing Model (MCT), 342 new contracts and 97 of them were amendments.

Evaluation of Sustainability Performance for Suppliers

(Content GRI 308-1)

In accordance with the guidelines of the Supply Chain Sustainability Standard, the Company relied on EcoVadis to assess the level of sustainability performance of high-risk suppliers. This company has a rating system for suppliers, which helps organizations in risk management and the promotion of good practices and uses an evaluation methodology that covers criteria such as: ethical, social, environmental and supply chain management, it assigns each assessed supplier a total score (0- 100) for Sustainability. For the purpose of easy consultation of the EcoVadis assessment for the buyer, it is integrated with the Purchasing System:

Actions according to performance

With these results, the supplier may have an analysis that allows it to define an action plan and perform its own assessments of environmental, social, ethical, corporate governance, and its own supply chain management. The percentage of new suppliers assessed with environmental and social criteria was 7% (GRI 308-1 and 414-1 content).

Audits to Suppliers

 In 2022, we continued to strengthen the partner model in Colombia with the following focuses of action:

a.

We conducted 13 on-site audits, achieving by the end of the year coverage of 28% of partners, through which we identified and designed action plans, establishing the analysis and removal of the root causes of deviations.

b.

Good local practices to ensure compliance with standards of social, labor, safety and health in the supply chain:

  • Administrative audits of contractors: we conducted 667 audits to ensure timely compliance with the labor obligations of our Partners.
  • Comprehensive audits of contractor companies: we conducted 10 comprehensive audits on Human Resources - Occupational Safety and Health (OSH) - Environment - Responsible Business Principles - Security and Data Protection.
  • Administrative audits to close contracts: we perform audits to ensure compliance with labor obligations.
  • Technical workshops on the implementation of OSH standards with partners that perform high-risk tasks with the following approaches:

Technical workshop – Serious and Lethal Instructional Update

In addition, the compliance with Telefónica’s ethical, labor, health and safety, and environmental requirements is encouraged among suppliers (being aligned with the Responsible Business Principles and the Sustainability Policy in the Supply Chain), through the Partner Induction. It is carried out with new partners at the moment of starting operations. New partners attend this session at the time of starting operations. In this session, it is explained the partner model, communication channels and it is also recalled the contractual commitments and the alignment with the principles of Responsible Business.

c.

Main practices for communication, dialog, and promoting supplier satisfaction.

  • Partners’ mailing list, in which we communicate with our partners on issues related to Human Resources and Occupational Health and Safety processes.
  • Aliados Newsletter is the channel to inform our partner network (and contract administrators) about topics of interest to all. It is published quarterly and there were sent three editions in 2022. (Attached are communications sent to partners with the newsletters).

AEO Certification

Through Resolution No. 004349 of June 1, 2022, the National Tax and Customs Office (DIAN in Spanish) granted Colombia Telecomunicaciones S.A. ESP BIC the Authorized Economic Operator (AEO) certification. This program is designed to prevent illegal activities such as smuggling, money laundering, drug trafficking, terrorism, arms trafficking, among others, in the international supply chain. The main objectives of the OAS Program are: