
What is material in our value-creation process
Enterprise risk management (ERM)

Risk management has always been fundamental to the group's strategy.

Recent internal changes to our operating model and the external environment have increased the expectations from risk management. The group's risk management approach is based on a board-approved enterprise-wide risk management methodology and philosophy to ensure adequate and effective risk management across the group.

Success comes from creating a "risk aware" and "risk intelligent" organisation. Without the right culture and leadership, Telkom could easily become risk averse and lose sight of opportunities that may exist in the market, or take more risks than it can bear. The group recognises that to create a positive risk culture, it is important to have the right level of risk leadership and support. Our senior leadership (board, exco and senior management) takes overall ownership of risk management principles. The board is committed to aligning Telkom's risk management with good corporate governance and best practice standards, including the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework.

Our risk management framework defines the processes for effective risk-taking. We are redefining our risk appetite framework and tolerance levels in line with the new federated operating model.

ERM governance structures

The board is responsible for overseeing risk and compliance across the group. The board's committees monitor and advise it on matters related to risk and compliance with laws and regulations.

Our approach to risk and compliance governance

Our risk committee-approved ERM governance structure follows an integrated approach that takes into account nine principles of the Integrated Governance, Risk and Compliance (IGRC) framework for building a risk intelligent organisation.


  • Themes

  • Principles


  • Board of directors
    • Governing body’s responsibility
    • Roles and responsibilities
    • Common definition of risk
    • Common risk management framework
  • Integrated approach to govern and manage risk across the organisation, supported by risk and compliance operating model aligned to the Telkom business model


  • Senior leadership (exco)
    • Common risk infrastructure
    • Executive management responsibility
    • Objective assurance and monitoring
  • Integrated risk and compliance infrastructure, systems and people


  • Business units and support structures
    • Business unit responsibility
    • Support of pervasive functions
  • Risk ownership by business, enabled by process risk and control officers


Risk and compliance governance and operating model

Our hybrid risk and compliance operating model continues to work as previously reported. However, during the year under review Telkom added layers of governance to embed risk management across the group and ensure robust risk discussions. The IGRC, the IT and information security governance committee and ERM forum were introduced.

Risk and compliance governance and operating model

Corporate ERM continues to shape and safeguard with strong oversight and control at the Corporate centre.

The business units implement the ERM policy, standards and framework. They also implement and maintain the risk registers, identify mitigating controls, implement action plans and operationalise the business unit assurance forums. During ongoing risk analysis, each business unit consults ERM, which in turn produces a risk profile report demonstrating the management of key risks and opportunities identified.

Each business unit has a business unit assurance forum to effect the ERM framework through effective risk management and combined assurance to optimise risk-taking.

The chief risk and compliance officer leads Telkom's risk community in the ERM forum, which was formed to share best practices and knowledge, and engage and monitor key risks and mitigating plans.

The IGRC and IT and information security governance committees conduct the final assessment of the risks and risk opportunities identified to be reported to the board and its committees.

All business units' executive committees are accountable for managing risks with the approved delegation of authority, within their respective areas of responsibility.

ERM function

The corporate risk and compliance function develops strategy and frameworks, and sets guidelines and standards. It provides policy direction, assurance and advice, as well as training and monitoring. Business units implement the risk strategy and framework and monitor risk mitigation plans.

The ERM functions across the group are responsible for, but not limited to, the following areas:

ERM function

Our risk and compliance transformation journey

During the year, we embarked on a transformation journey to enhance our risk management approach and framework for the group. We appointed the chief risk and compliance officer who reports to the GCEO and the risk committee, and dedicated risk officers for each business unit. We have moved from a decentralised model to a hybrid operating model. This aligns with the group's new federated business model, and embeds a culture of risk management within the first line of defence, while providing oversight and control from the Corporate centre.

Progress made

The chief risk and compliance officer was appointed to strengthen Telkom's risk and compliance governance structures, processes and systems as well as build the necessary capability for proactive best-in-class risk management and value-added compliance. The group needed to reprioritise activities.

Below are some of this year's improvements as part of our journey towards a risk intelligent group:

  • We conducted a baseline assessment of our risk management maturity level across the group, including a best practice analysis. Thereafter, we developed a robust risk and compliance transformation plan with five strategic pillars to deliver over a six- to twelve-month period.
  • We reorganised the ERM unit by creating the corporate ERM function as a CoE.
  • We appointed business unit risk officers to strengthen the group's risk management capabilities in line with best practice.
  • Our risk rating scale has been improved to prioritise strategic risks according to their impact on the group's overall strategic imperatives.
  • We reviewed the previously reported top priority risks to ensure they are aligned with Telkom's strategic intent. We categorised risks as external, strategic and business (preventable) risks.
  • We enhanced reporting and elevation of the top priority risks facing the group to the risk committee and the board.

Focus areas for FY2019

While developing our focus areas, we took account of best practice and the responsibilities of the risk committee. Refer to page 92 for the responsibilities of the risk committee. The ERM priorities will advance the maturity of the group's risk management capabilities and will also assist leadership to enhance and protect Telkom's value.

The focus areas for FY2019 include:

  • aligning frameworks across all disciplines, creating a common risk language;
  • refining and embedding the combined assurance model (refer to page 95);
  • revising the risk appetite and tolerance framework that is aligned to the strategy, value drivers and the new business model; and
  • deploying our technology-based risk assessment tool.

Our top priority risks

Telkom strives to maintain an appropriate balance between risk and reward. We recognise that certain risks are necessary for sustainable growth and returns, but we protect the group and our stakeholders against avoidable risks.

Top priority risks are those that, based on risk assessments, most significantly affect our ability to realise our strategic objectives. We have used a top-down and bottom-up approach in identifying risks affecting our business.

In analysing Telkom's top priority risks, management considered potential risks from decisions regarding, among others, products or services, customer expectations, economic factors, technological changes and competitor actions that might have an impact on the strategic intent.

Key changes

We previously reported 14 risks we saw as significant to our objectives. In FY2018, we began to re-evaluate risks to distinguish between external, strategic and preventable risks, and we grouped our risks into themes.

The table below depicts changes during the year, including the grouping of some risks, and the renaming of others. Note that other risks reported in FY2017 are being dealt with at an operational level, i.e. business continuity.

FY2018: Competitive threats
FY2017:
  • Competitive threats
  • Revenue growth and profitability
  • Voice revenue decline
  • Vertically integrated operating model not sustainable

FY2018: Talent and skills
FY2017:
  • Talent and skills
  • Human capital health

FY2018: Possible changes in legislation and regulatory requirements
FY2017:
  • Possible changes in legislation and regulatory requirements
  • Procurement and property management
  • Regulatory and compliance
  • Non-compliance with the Competition Commission Settlement Agreement

FY2018: Technology enablement
FY2017:
  • Technology enablement
  • Inefficient outdated IT systems

FY2018: Modernising and commercialising the network
FY2017:
  • Modernising and commercialising the network
  • Network transformation


Priority risks and mitigating factors

Risk definition and impact | Mitigating factors | Related materiality theme

Competitive threats

Risk definition and impact:

Telkom operates in a technological and rapidly changing industry with pressure on pricing and product offerings to remain competitive in the markets we operate in.

Failure to respond to these threats swiftly could negatively impact on market share, revenue growth and profit margins.

Mitigating factors:

  • Investing in advanced technologies
  • Continuously reviewing our go-to-market strategy to remain relevant
  • Continuously reviewing market performance to inform changes
  • Leveraging customer feedback through stakeholder management
  • Competitive/market intelligence

Related materiality theme:

  • Intense competitive landscape

Customer experience

Risk definition and impact:

Risk of compromised customer experiences as a result of long turnaround times in service offerings, unreliable networks and systems, and misunderstanding our customers' needs.

This may hamper the group's ability to grow and maintain our customer base, and result in lost revenue.

Mitigating factors:

  • Frequently reviewing insights into targeted customer needs and expectations through the go-to-market strategy
  • Enhancing market research capabilities
  • Using big data analytics to review and understand customer trends and deliver the expected products or services
  • Investing in advanced technologies and retirement of legacy systems
  • Improving data/information security across the group
  • Actively managing customer retention strategies

Related materiality theme:

  • Customer expectation and experience

Talent and skills

Risk definition and impact:

Talent attraction and retention is at risk and skills for new solutions (IoT, cloud and cybersecurity) are scarce, due to competition.

Having the right skills is fundamental to achieving our strategic objectives.

Mitigating factors:

  • Implement and monitor our talent management framework that supports Telkom's strategic intent
  • Established a data science academy and Digital Skills Training programme
  • Aligned career development plans to personal career aspirations and business needs
  • Developing and implementing succession plans for critical positions

Related materiality theme:

  • People skills and expertise

Technology enablement to achieve business objectives

Risk definition and impact:

Our IT solutions need, at a minimum, to align to the pace of our customers' constantly changing needs. Ineffective system architecture and inefficient, costly legacy IT systems pose a risk to the new decentralised operating model.

Mitigating factors:

  • New technology strategies that support each business unit's strategic intent. The strategy considers disruptive technology opportunities
  • Continue to replace obsolete technology infrastructure with new cost-effective systems
  • Appointed new business unit chief information officers

Related materiality theme:

  • Evolving technology and ICT market trends

Possible changes in legislation and regulatory requirements

Risk definition and impact:

Regulatory changes and developments within the ICT sector actively affect Telkom. Possible non-compliance with regulations could negatively impact Telkom.

Unexpected changes in regulation may negatively affect our revenue growth, while possible non-compliance with regulations and laws could damage our reputation and incur penalties. Ultimately, our profit margins are placed at risk.

Mitigating factors:

  • Enhanced the compliance strategy across all disciplines
  • Continuous training and certification
  • Managing regulator relationships
  • Continuously monitoring legislation and regulations
  • Continuous regulatory risk assessments

Related materiality theme:

  • Regulatory environment

Liquidity

Risk definition and impact:

The pressure on revenue as a result of the tough economic environment and market conditions, as well as our intensive capital expenditure, puts liquidity under pressure.

Although we foresee no immediate adverse impact, we closely monitor and continuously assess the risk. The group has a strong balance sheet, low gearing and adequate facilities.

Mitigating factors:

  • Managing and monitoring the group's overall short, medium and long-term financial position
  • Regularly monitor free cash flow including working capital optimisation through programmes
  • Resourcing related programmes and projects with dedicated and experienced resources to lead, support and facilitate change
  • Continuously reporting on the slippages/variances and associated plans
  • Identifying and delivering on new savings/income opportunities

Related materiality theme:

  • Economic climate

Information and cybersecurity management

Risk definition and impact:

Although Telkom has processes, controls and a robust information security governance and assurance model, there are still certain malicious activities which pose a risk to the group.

Ineffective management of cyber and information security could lead to reputational damage, loss of customers and consequently, revenue loss.

Mitigating factors:

  • Continuously monitoring the implementation of information governance principles across the group and monitoring information security
  • Continual information security risk assessments with mitigation plans
  • Educating and creating awareness across the group

Related materiality theme:

  • Cyber incidents

Disruptive technology

Risk definition and impact:

Keeping up with the pace of technology becomes a challenge as the world moves to a digital economy. Failure to act with speed and agility may lead to loss of market share and thus compromise our go-to-market strategy.

Disruptive technology presents an opportunity to grow by implementing new revenue growth strategies in BCX.

Mitigating factors:

  • Developing a strategic response plan, including analysing the strengths of disruptive technology in the overall strategy
  • Resourcing the project appropriately to be able to deliver on the mandate
  • Appointed a chief digital officer to support the group's digital strategy

Related materiality theme:

  • Evolving technology and ICT market trends

Modernising and commercialising the network

Risk definition and impact:

The risk of delays in rolling out fibre and broadband services could compromise our ability to commercialise the network.

This will have a negative impact on expected revenue growth.

Mitigating factors:

  • Streamlining supply chain processes and focused on-boarding of additional suppliers for all critical material requirements
  • Running a targeted marketing campaign
  • Re-aligning technicians' KPIs for more installations and higher-quality service

Related materiality theme:

  • Evolving technology and ICT market trends

Inability to source new revenue due to B-BBEE certification rating

Risk definition and impact:

The change in ICT sector codes led to a deterioration in our B-BBEE certification level rating in FY2017, requiring us to make significant investments to improve our rating and protect current revenue and future revenue streams.

Mitigating factors:

  • Drafted and implemented a transformational and compliance plan to address the three priority elements
  • Implemented an aggressive Skills Development and Enterprise Supplier Development programme
  • Cascading the B-BBEE certification plan and targets down to an individual team level to incentivise performance

Related materiality theme:

  • Regulatory environment
  • B-BBEE certification transformation

The estimated likelihood and magnitude of the above risks are indicated on the heatmap.


  • 1 Competitive threats
  • 2 Customer experience
  • 3 Talent and skills
  • 4 Technology enablement to achieve business objectives
  • 5 Possible changes in legislation and regulatory requirements
  • 6 Liquidity
  • 7 Information and cybersecurity management
  • 8 Disruptive technology
  • 9 Modernising and commercialising the network
  • 10 Inability to source new revenue streams due to B-BBEE certification rating
Heat map