What is material in our value-creation process
Enterprise risk management (ERM)
Risk management has always been fundamental to the group's strategy.
Recent internal changes to our operating model and the external environment have raised expectations of risk management. The group's risk management approach is based on a board-approved enterprise-wide risk management methodology and philosophy that ensures adequate and effective risk management across the group.
We appreciate that success comes from creating a "risk aware" and "risk intelligent" organisation; without the right culture and leadership, Telkom could easily become risk averse and lose sight of opportunities that may exist in the market, or take more risks than it can bear. The group recognises that to create a positive risk culture, it is important to have the right level of risk leadership and support. Our senior leadership (board, exco and senior management) takes overall ownership of risk management principles. The board is committed to aligning Telkom's risk management with good corporate governance and best practice standards, including the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework.
Our risk management framework defines the processes for effective risk-taking. We are redefining our risk appetite framework and tolerance levels in line with the new federated operating model.
ERM governance structures
The board is responsible for overseeing risk and compliance across the group. The board's committees monitor and advise it on matters related to risk and compliance to laws and regulations.
Our approach to risk and compliance governance
Our risk committee-approved ERM governance structure follows an integrated approach that takes into account nine principles of the Integrated Governance, Risk and Compliance (IGRC) framework for building a risk intelligent organisation.
Board of directors
- Governing body’s responsibility
- Roles and responsibilities
- Common definition of risk
- Common risk management framework
Integrated approach to govern and manage risk across the organisation, supported by risk and compliance operating model aligned to the Telkom business model
Senior leadership (exco)
- Common risk infrastructure
- Executive management responsibility
- Objective assurance and monitoring
Integrated risk and compliance infrastructure, systems and people
Business units and support structures
- Business unit responsibility
- Support of pervasive functions
Risk ownership by business, enabled by process risk and control officers
Risk and compliance governance and operating model
Our hybrid risk and compliance operating model continues to work as previously reported. However, during the year under review Telkom added layers of governance to embed risk management across the group and ensure robust risk discussions. The IGRC, the IT and information security governance committee and the ERM forum were introduced.
Corporate ERM continues to shape and safeguard with strong oversight and control at the Corporate centre.
The business units implement the ERM policy, standards and framework. They also implement and maintain the risk registers, identify mitigating controls, implement action plans and operationalise the business unit assurance forums. During ongoing risk analysis, each business unit consults ERM, which in turn produces a risk profile report demonstrating the management of the key risks and opportunities identified.
Each business unit has a business unit assurance forum to effect the ERM framework through effective risk management and combined assurance to optimise risk-taking.
The chief risk and compliance officer leads Telkom's risk community in the ERM forum, which was formed to share best practices and knowledge, and engage and monitor key risks and mitigating plans.
The IGRC and IT and information security governance committees conduct the final assessment of the risks and risk opportunities identified to be reported to the board and its committees.
All business units' executive committees are accountable for managing risks within the approved delegation of authority, in their respective areas of responsibility.
The corporate risk and compliance function develops strategy and frameworks, and sets guidelines and standards.
It provides policy direction, assurance and advice, as well as training and monitoring. Business units implement the risk strategy and framework and monitor risk mitigation plans.
The ERM functions across the group are responsible for, but not limited to, the following areas:
Our risk and compliance
During the year, we embarked on a transformation journey to enhance our risk management approach and framework for the group. We appointed the chief risk and compliance officer who reports to the GCEO and the risk committee, and dedicated risk officers for each business unit. We have moved from a decentralised model to a hybrid operating model. This aligns with the group's new federated business model, and embeds a culture of risk management within the first line of defence, while providing oversight and control from the Corporate centre.
The chief risk and compliance officer was appointed to strengthen Telkom's risk and compliance governance structures, processes and systems as well as build the necessary capability for proactive best-in-class risk management and value-added compliance. The group needed to reprioritise activities.
Below are some of this year's improvements as part of our journey towards a risk intelligent group:
- We conducted a baseline assessment of our group-wide risk management maturity level across the group including a best practice analysis. Thereafter, we developed a robust risk and compliance transformation plan with five strategic pillars to deliver over a six- to twelve-month period.
- We reorganised the ERM unit by creating the corporate ERM function as a CoE.
- We appointed business unit risk officers to strengthen the group's risk management capabilities in line with best practice.
- Our risk rating scale has been improved to prioritise strategic risks according to their impact on the group's overall strategic imperatives.
- We reviewed the previously reported top priority risks to ensure they are aligned with Telkom's strategic intent. We categorised risks as external, strategic and business (preventable) risks.
- We enhanced reporting and elevation of the top priority risks facing the group to the risk committee and the board.
Focus areas for FY2019
While developing our focus areas, we took account of best practice and the responsibilities of the risk committee. Refer to page 92 for the responsibilities of the risk committee. The ERM priorities will advance the maturity of the group's risk management capabilities and will also assist leadership to enhance and protect Telkom's value.
The focus areas for FY2019 include:
- aligning frameworks across all disciplines, creating a common risk language;
- refining and embedding the combined assurance model (refer to page 95);
- revising the risk appetite and tolerance framework that is aligned to the strategy, value drivers and the new business model; and
- deploying our technology-based risk assessment tool.
Priority risks and mitigating factors
Risk definition and impact
Telkom operates in a technological and rapidly changing industry with pressure on pricing and product offerings to remain competitive in the markets we operate in.
Failure to respond to these threats swiftly could negatively impact on market share, revenue growth and profit margins.
Risk of compromised customer experiences as a result of long turnaround times in service offerings, unreliable networks and systems, and misunderstanding our customers' needs.
This may hamper the group's ability to grow and maintain our customer base, and could result in lost revenue.
Talent attraction and retention is at risk and skills for new solutions (IoT, cloud and cybersecurity) are scarce, due to competition.
Having the right skills is fundamental to achieving our strategic objectives.
Our IT solutions need, at a minimum, to keep pace with our customers' constantly changing needs. Ineffective system architecture and inefficient as well as costly legacy IT systems pose a risk to the new decentralised operating model.
The risk of regulatory changes and developments within the ICT sector actively affects Telkom. Possible non-compliance with regulations could negatively impact Telkom.
Unexpected changes in regulation may negatively affect our revenue growth, while possible non-compliance to regulations and laws could damage our reputation and incur penalties. Ultimately, our profit margins are placed at risk.
The pressure on revenue as a result of the tough economic environment and market conditions, as well as our intensive capital expenditure, puts liquidity under pressure.
Although we foresee no immediate adverse impact, we closely monitor and continuously assess the risk.
Although Telkom has processes, controls and a robust information security governance and assurance model, there are still certain malicious activities which pose a risk to the group.
Ineffective management of cyber and information security could lead to reputational damage, loss of customers and consequently, revenue loss.
Keeping up with the pace of technology becomes a challenge as the world moves to a digital economy. Failure to act with speed and agility may lead to loss of market share and thus compromise our go-to-market strategy.
Disruptive technology presents an opportunity to grow by implementing new revenue growth strategies in BCX.
The risk of delays in rolling out fibre and broadband services could compromise our ability to commercialise the network.
This will have a negative impact on expected revenue growth.
The change in ICT sector codes led to a deterioration in our B-BBEE certification level rating in FY2017, requiring us to make significant investments to improve our rating and protect current revenue and future revenue streams.
The estimated likelihood and magnitude of the above risks are indicated on the heatmap.
- 1. Competitive threats
- 2. Customer experience
- 3. Talent and skills
- 4. Technology enablement to achieve business objectives
- 5. Possible changes in legislation and regulatory requirements
- 7. Information and cybersecurity management
- 8. Disruptive technology
- 9. Modernising and commercialising the network
- 10. Inability to source new revenue streams due to B-BBEE certification rating