Risk assessment and risk containment

Assessment method

Risks are assessed on the basis of “probability of occurrence” and “risk extent.” The following assessment yardsticks apply:

Probability of occurrence | Description
< 5% | very low
≥ 5 to 25% | low
> 25 to 50% | medium
> 50% | high

Risk extent | Description
Small | Limited negative effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk < € 100 million
Medium | Certain negative effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk ≥ € 100 million
Large | Significant effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk ≥ € 250 million, and/or affects more than one Group entity
Very large | Damaging negative effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk ≥ € 500 million, and/or affects more than one Group entity

By assessing risks according to the aspects of probability of occurrence and risk extent, we classify them as low, medium, and high risks, as shown in the following graphic.

From the 2019 financial year, the risks and opportunities will no longer be assessed in terms of their risk extent using the performance indicator EBITDA, but rather using EBITDA AL (after leases). For further information on the new performance indicators, please refer to the section “Management of the Group”.

Risk significance

We report all risks classified as “high” and “medium.” Exceptions are possible, for example, risks from prior years that we can continue to list for the sake of reporting continuity although they are classified as “low” in the current reporting period. It should be noted that risks with an extent currently assessed as being small may in the future have a stronger impact than risks currently assessed as having a larger extent.
This may be due to uncertainties that cannot be assessed at present and over which we have no influence. Uncertainties of this kind also give rise to risks that are currently unknown to us or that we presently consider to be insignificant and that may affect our business activities in the future.

Risk containment measures

Group insurance management. To the extent possible and economically viable, we take out adequate Group-wide insurance cover for insurable risks. DeTeAssekuranz – a subsidiary of Deutsche Telekom AG – acts as an insurance broker for Group Insurance Management (part of Group Headquarters & Group Services). It develops and implements solutions for the Group’s operational risks using insurance and insurance-related tools and places them on the national and international insurance markets. Taking out insurance cover is an essential option for our external risk transfer. The coverage of risks in our Group insurance programs requires the transfer of risk for the purpose of protecting the Group’s financial position. That means that the possible extent of the risk must have reached a volume “relevant for the Group” or the risks have to be bundled and managed at Group level to protect the Group’s interests (opportune reasons/cost optimization/risk reduction).

Business Continuity Management (BCM). BCM is a process within operational security and risk management that helps protect business processes from the consequences of damaging incidents and disruptions. It ensures the continuation of business processes through ongoing analysis, assessment, and management of relevant risks for people, technology, infrastructure, supply and service relationships, and information. The aim is to identify potential threats at an early stage and to keep the impact and duration of a disruption of critical business processes to an acceptable minimum by ensuring appropriate resilience in the organization plus the ability to effectively cope with threats.
To this end, BCM identifies critical business processes and business processes requiring protection, including any supporting processes, process steps, and assets (people, technology, infrastructure, information, and supply and service relationships). Appropriate precautionary measures are also defined. In particular, Security Management works in coordination with the relevant units and process owners to analyze the possible consequences of external and internal threats with relevance for security, such as natural disasters, vandalism, or sabotage. Once the extent of potential losses and probability of occurrence have been assessed, preventive measures can be put in place and contingency plans developed.

The risk owners initiate and execute further measures to mitigate the risks. A wide range of measures are available, depending on the risk type. A few examples of these measures are:

- We tackle market risks with comprehensive sales controlling and intensive customer management.
- We manage interest and currency risks by means of systematic risk management and hedge them using derivative and non-derivative financial instruments.
- We also take a whole array of measures to deal with operational risks: For example, we constantly implement operational and infrastructural measures in order to improve our networks; continually enhance our quality management system, the associated controls, and quality assurance; and offer our employees systematic training and development programs.
- We deal with risks from the political and regulatory environment through an intensive, constructive dialog with policymakers and the authorities.
- We minimize risks in connection with legal proceedings by ensuring suitable support for those proceedings and by designing contracts appropriately in the first place.
- The Group Tax unit identifies potential tax-related risks at an early stage and systematically records, assesses and monitors them.
It takes any measures necessary to minimize tax-related risks and coordinates them with the Group companies affected. The unit also draws up and communicates policies for avoiding tax risks.