Please enable JS

E

S

G

7.1. Impacts, risks
and opportunities

(GRI 102-15)


Risk management model

The Company conducts ongoing monitoring of the most significant risks that could affect the achievement of its goals. To do this, and as part of the Telefónica Group, it has a risk management model based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This facilitates the identification as well as the impact assessment and probability of occurrence of the different risks with the aim for those responsible in their respective field of action to conduct timely identification, assessment, response and monitoring of the main risks.

The Telefónica Group’s Responsible Business Principles specifically state that,

“We establish adequate controls to assess and manage all the relevant risks for the Company.” (Extract from Telefónica’s Responsible Business Principles).

Therefore, the Company has a risk management policy approved by the Board of Directors of Telefónica S.A. and a corporate risk management manual of the Telefónica Group, both based on experience, good practices and the corporate governance recommendations, contributing to continuous improvement in the performance of the businesses, in line with the COSO ERM (Enterprise Risk Management) –Integrating with Strategy and Performance– framework of 2017.

As a result of the risk management process, the Company prioritizes the main incidents through a risk map that considers the following categories:

Business

Risks resulting from the situation of the competition and market, changes in the business model, innovation, the regulatory framework, and events that affect the Company’s sustainability and reputation.

Operational

Risks resulting from incidents caused by the inadequacy or failures of the network and IT systems, security, customer service, human resources or operating management.

Financial

Risks from adverse activity in the financial variables and the Company’s failure to meet the commitments or make its assets liquid, as well as commercial credit risks and tax risks.

Legal and

regulatory compliance Risks resulting from legal aspects or related to compliance.

The model is adapted pursuant to changes in the environment, regularly including recent risks that arise and with them, new strategies to respond to each one. There is growing significance of risks related to intangible assets and global transcendence, such as public image, the social impact of organizations, and sustainability.

The Company has a risk management policy approved by the Board of Directors of Telefónica S.A. and a corporate risk management manual of the Telefónica Group, both based on experience, good practices and the corporate governance recommendations.

Therefore, communication actions are promoted, so that through the appropriate channels, the principles and values that must govern risk management and training are disclosed, seeking to foster knowledge and involvement in the values and risk management model

Risk culture

According to the Risk Management Policy, one of the basic principles that guide this activity is the one “to train and involve the employees in the risk management culture, encouraging them to identify risks and to actively participate in their mitigation”. Therefore, communication actions are promoted, so that through the appropriate channels, the principles and values that must govern risk management and training are disclosed, seeking to foster knowledge and involvement in the values and risk management model.

Governance mechanisms.

All people inside the organization have the responsibility to contribute to risk management. The following roles and responsibilities have been distributed for the coordination of these activities:

Supervision of risk management

The Board of Directors, through its Audit Committee, is the entity’s body that supervises the process. Similarly, the Board of Directors examines the risks presented by the risk management function from both the perspective of risks common to the Group and of risks specific to operation.

Risk responsibility

The people responsible for the risks or risk owners actively participate in the risk strategy and in the important decisions on their management, preparing a plan for their mitigation and conducting effective monitoring of their evolution.

Risk management function

A function independent from management within the Internal Auditing department in charge of driving, supporting, coordinating and verifying the application of the policy, supporting the Audit Committee and Steering Committee in the amount of matters required.

Risk
management process

Identify

  • Emerging
  • Basic
  • Specific

Evaluation

  • Quantification metrics
  • Trends
  • Proximity

Risk response

  • Activity planning
  • Local actions

Monitoring
and support

  • Internal and external reports
  • Global actions

The risk management process uses the Company’s strategy and objectives as a reference to identify the main risks that could affect said objectives.

Additionally, it includes an assessment from two complementary perspectives: top-down and bottom-up, which as well as identifying and describing the specific operational risks, proposes an analysis of the issues considered critical and common to the companies of the Group.

Similarly, the model includes the identification of issues that, despite their results and temporary horizon being uncertain and difficult to predict, could have a potential adverse impact on the Company’s future performance.

Once identified, the risks are assessed according to the combination of impact, whether qualitative or quantitative, and the probability of occurrence, considering additional factors, such as the historical trend of the risk and the period of time in which the risk incident could materialize. This enables the prioritization of monitoring and response to the risks, whether through mitigation plans to minimize their impact or with actions to prevent or transfer said risks.

The evolution of the risks and action plans are monitored periodically, including an analysis of the risks materialized during the period.

As a result of the process, the relevant risks are periodically presented to the Telefónica Group’s Steering Committee, Audit Committee and Global Risk Unit.

Risk tolerance

The Company has a level of risk tolerance or acceptable risk established in the corporation, understanding these concepts as its willingness to assume a certain level of risk as long as it permits value creation and development of the business, achieving a sufficient balance between growth, profit and risk.

The different typology of the risks that could affect the Company are considered for risk assessment, as described below:

Generally, tolerance thresholds are established for all risks, including tax risks, according to the combination of impact and probability, and their scales are annually updated depending on the evolution of the main scales for the whole Group as well as its main companies.

A zero level of tolerance is established for reputational, sustainability and compliance risks.

Main impacts, risks and opportunities

Risks and uncertainties

Telefónica Movistar faces a variety of risks in the exercise of its activities resulting from external or internal factors, in some cases from specific incidents of the Company, as well as risks related to the telecommunications sector or events related to the country’s political or economic environment. In 2020, as a result of the COVID-19 pandemic, it was considered important to rewrite the risk map to adapt the prioritization of issues, so the supporting guidance was created with the main risk aspects to take into account when identifying COVID-19 incidents with possible impact. The main global areas of consideration include: people, data privacy, cybersecurity, IT and networks, customers, suppliers, regulation, finance, the environment, and reputation and brand.

The most significant risks and uncertainties that the Company faces and that could affect its business, its financial position and its income must be considered alongside the information provided in the financial statements.

COVID-19-related risks: The main risks include infection of employees and vulnerable people, as well as the need to adapt facilities to ensure social distancing. Although the Company has designed, implemented, reported and reinforced biosafety protocols that have permitted the containment of the risk, we are not exempt from consequences such as: contagion of our staff, whether inside or outside of work; a decrease in income due to the effect of preventive mandatory lockdowns or mobility restrictions; a potential increase in expenses that cannot be collected due to the inability of customers to pay because of a decrease in their income or loss of employment; changes in regulatory conditions that could affect the telecommunications sector; or new consumption habits that alter the traffic demand, which could lead to saturation of networks and a reduction in liquidity. However, in all cases, actions have been taken to mitigate the effects and emergency measures were achieved to provide continuity to the service, logistics and support, as well as the regulatory burdens being made more flexible, and the suspension of obligations.

As a result of the COVID-19 pandemic, it was considered important to rewrite the risk map to adapt the prioritization of issues.

The Company operates in highly competitive markets, so it must be prepared to react appropriately to changes in the market. Late or untimely responses put its acquisition, client retention and future income targets at risk.

The Company’s financial position and income could be affected if it does not effectively manage exposure to the exchange rates.

The networks transport and store large volumes of confidential, personal and business data, so the Company must be prepared to detect and react in time to cyber threats, preventing their materialization.

The Company is involved in different kinds of lawsuits.

Negative outcomes of the trade conflict between the United States and China could have impacts on the operation of the network and IT when it has critical suppliers from these countries, which could compromise plans for rollout and expansion of the network or customer service.

Possible IT failures could cause a loss of quality or interruption of the service. Incidents related to extreme natural disasters could affect the availability of IT systems that support the Company’s critical services.