Risk and opportunity management system
As one of the world’s leading providers in the telecommunications and information technology industry, we are subject to all kinds of uncertainties and change. In order to operate successfully in this ongoing volatile environment, we anticipate potential developments at an early stage and systematically identify, assess, and manage the resulting risks and opportunities. We therefore consider a functioning risk and opportunity management system to be a central element of value-oriented corporate governance.
A risk and opportunity management system of this kind is not only necessary from a business point of view; it is also required by laws and regulations, in particular § 91 (2) and (3) of the German Stock Corporation Act (Aktiengesetz – AktG). Deutsche Telekom AG’s Audit Committee monitors the effectiveness of the internal control system and the risk management system as required by § 107 (3) sentence 2 AktG.
Our risk and opportunity management system is based on the globally applicable risk management standard of the International Standards Organization (ISO). ISO standard 31000 “Risk management – Principles and guidelines” is regarded as a guideline for internationally recognized risk management systems.
The new IDW Auditing Standard 340 on the audit of the risk early detection system came into effect on January 1, 2021. We have brought our risk and opportunity management system in line with the methodology of the new standard. The main changes are the implementation of a risk-bearing capacity concept, improvements to risk aggregation (e.g., through greater quantification of risks), as well as the renaming and in some cases reassignment of risks and opportunities to the various categories. So, for example, risks previously assigned to the category “Risks relating to innovations (substitution)” have been reassigned to the category “Market environment” according to their segment. Furthermore, the category “Risks relating to existing and future IT infrastructure, United States” has been incorporated into the category “Technology, United States.” Regarding “regulatory risks,” we have switched from a purely qualitative to a quantitative risk assessment. In addition, we have now added the category “Compliance risks.” Any changes to the content of the risk categories are explained in the relevant sections of the report.
Our Internal Audit unit reviews the functionality and effectiveness of elements of our risk management system at regular intervals. Under § 317 (4) of the German Commercial Code (Handelsgesetzbuch – HGB), the auditor of listed companies should assess whether the board of management has taken the measures incumbent upon it under § 91 (2) AktG in a suitable form, and whether the monitoring system stipulated by this paragraph is calculated to meet its objectives, including the early detection of developments that could put the continued existence of the company at risk. Our system complies with the statutory requirements for a risk early detection system.
In addition, our Group Controlling unit specifies a series of Group guidelines and processes for the planning, budgeting, financial management, and reporting of investments and projects. These guidelines and processes are intended to guarantee both the necessary transparency during the investment process and the consistency of investment planning and decisions in our Group and operating segments. They also provide the Board of Management with support in reaching its decisions. This process also includes the systematic identification of strategic risks and opportunities.
Organization of the risk and opportunity management system
The Group Risk Governance unit defines the methods for the risk and opportunity management system that is applied Group-wide and for the associated reporting system, in particular the Group risk report. All operating segments as well as the Group Headquarters & Group Services segment are connected to the central risk and opportunity management system of the Group via their own risk and opportunity management. The relevant owners in each of the segments are responsible for identifying, assessing, and continuously monitoring risks. Management takes potential opportunities into account in the annual planning process and continuously develops them further during business operations.
Our Group-wide risk and opportunity management system covers strategic, operational, regulatory, legal, compliance, and financial risks and opportunities for our consolidated and major non-consolidated entities. The standard process described below provides a framework. The starting point for the identification of risks and opportunities is the deviation from a planned value or company target. Once risks and opportunities have been identified, we move on to analyze and assess them in more detail. We then decide on the specific course of action to be taken, for example, in order to reduce risks or seize opportunities. The respective risk owner evaluates, implements, and monitors the associated measures. The risks are summarized in the risk reporting, which is submitted to the decision-makers in the company and/or the relevant supervisory body. This also enables transparent monitoring of the development of individual risks, as well as of the overall risk situation, including the mitigation measures taken. Our risk culture, the manner in which we deal with risks, is a key component and is embedded in all parts of the Company.
The risk and opportunity management process is described below using five elements. For purposes of simplification, “risks” is used in the following, instead of referring to “opportunities and risks” in each case. The document nonetheless focuses on both positive and negative deviations from the planned value. Risk management is therefore always a matter of opportunity and risk management.
Risk culture
Our risk culture comprises the basic attitudes toward risks and forms the basis and framework for making risk-oriented decisions in everyday business. The risk culture is closely interlinked with Deutsche Telekom’s corporate culture, which requires risks and opportunities to be dealt with in a positive and transparent way. At the core of our risk culture is the motto “Everyone is a risk manager,” which means that, in principle, every employee takes responsibility for their risks, and handles them in accordance with the defined process.
Corporate targets
The corporate targets (or targets for the relevant individual unit derived from these) serve as the starting point for the identification of risks as deviations from planned values. These include both quantitative and qualitative targets. In order to assess the threat to the continued existence of the Company, we implemented the concept of risk-bearing capacity. Risk-bearing capacity encompasses the assets for covering possible losses. These assets are defined through equity and liquidity.
Risk analysis
Risk identification. Each segment produces a quarterly risk report or risk notification in accordance with the standards laid down by the central risk management and based on specific materiality thresholds. These reports or notifications assess risks, taking into account their extent in terms of impact on results of operations or financial position, as well as their probability of occurrence, and they identify action to be taken and suggest or initiate measures. Qualitative factors affecting our strategic positioning and reputation are taken into account. We base our assessment of risks on a period of two years. This is also the length of our forecast period. If significant risks exist beyond the forecast period, these are monitored on an ongoing basis. In addition, on an annual basis, we consider “emerging risks,” which are primarily derived from external studies. These are risks and opportunities that are developing at considerable pace, and in some cases are difficult to assess. Risks and opportunities like these are triggered primarily by technological developments (e.g., digitalization), environment (e.g., climate change), or threats (e.g., cyberattacks).
Risk assessment. Individual risks are assessed on the basis of “probability of occurrence” and “risk extent.” The following assessment yardsticks apply:
| Probability of occurrence | Description |
|---|---|
| < 5 % | Very low |
| 5 to 25 % | Low |
| > 25 to 50 % | Medium |
| > 50 % | High |

| Risk extent | Description |
|---|---|
| Small | Limited negative effects on business activities, results of operations, financial position, and reputation |
| Medium | Negative effects on business activities, results of operations, financial position, and reputation |
| Large | Significant effects on business activities, results of operations, financial position, and reputation |
| Very large | Damaging negative effects on business activities, results of operations, financial position, and reputation |
Risk extent is primarily assessed based on EBITDA AL. However, it can also be assessed using other indicators, e.g., financial risks based on cash flow, which can also be used to assess the categories of risk. The parameters for classifying risk extent were adjusted in the 2021 financial year following a significant rise in Deutsche Telekom’s EBITDA AL on the back of organic corporate growth and the business combination of T‑Mobile US and Sprint. These adjustments affect the presentation and assessment of the risks and opportunities to some extent and are shown in the table “Corporate risks.”
On the basis of our assessment using the criteria described above, we categorize the individual risks in our risk and opportunity management process as “top risks” or “risks under observation,” as shown in the graphic below.
We generally report the top risks (gray and dark gray shading). Exceptions are possible, for example, risks from prior years that we continue to list for the sake of reporting continuity although they are classified as “risk under observation” (white shading) in the current reporting period.
It should be noted that risks with an extent currently assessed as being small may in the future have a stronger impact than risks currently assessed as having a larger extent. This may be due to uncertainties that cannot be assessed at present and over which we have no influence.
For the aggregate disclosure of an overall risk position, central risk management performs an “EBITDA AL at risk” calculation for Deutsche Telekom. This states that, with a particular probability of occurrence, the risk extent ascertained using the simulation will not be exceeded. This risk aggregation is carried out using a Monte Carlo simulation, in which a large number of risk-related potential future scenarios are considered. The overall risk position is set in relation to the assets for covering possible losses.
Identification and assessment of opportunities in the annual planning process. The systematic management of risks is one side of the coin; securing the Company’s long-term success by means of integrated opportunities management is the other. That is why identifying opportunities and subjecting them to a strategic and financial assessment is an essential part of our annual planning process. It allows us to factor those opportunities into our forecasts for financial and non-financial performance indicators.
The short-term monitoring of results and the medium-term planning process help our operating segments and Group Headquarters identify and seize the opportunities in our business throughout the year. While short-term monitoring of results mainly targets opportunities for the current financial year, the medium-term planning process focuses on opportunities that are strategically important for our Group. In this context we distinguish between two types of opportunity:
- External opportunities, i.e., those with causes over which we have no influence, for example, the revocation of additional taxes in Europe.
- Internal opportunities, i.e., those that arise within the Company, for example by focusing our organizational structure on innovation and growth areas and products, or through business partnerships and collaborations from which we expect to reap synergies.
We are constantly enhancing the efficiency of our planning process so as to gain greater scope for action. The preliminary plans of our operating segments form the basis for a concentrated planning phase during which members of the Board of Management, business leaders, senior executives, and experts from all business areas intensively discuss the strategic and financial focus of the Group and its operating segments, and from all of which they ultimately produce an overall picture. The identification of opportunities from innovation and their strategic and financial assessment play a major role throughout this process. This “brainstorming” may result in opportunities being taken and transferred to the organization, or rejected and passed back to the respective working groups for revision.
Risk handling
Group insurance management. To the extent possible and economically viable, we take out adequate Group-wide insurance cover for insurable risks. DeTeAssekuranz – a subsidiary of Deutsche Telekom AG – acts as an insurance broker for group insurance management. It develops and implements solutions for the Group’s operational risks using insurance and insurance-related tools and places them on the national and international insurance markets.
Taking out insurance cover is an essential option for our external risk transfer. The coverage of risks in our Group insurance programs requires the transfer of risk for the purpose of protecting the Group’s financial position. That means that the possible extent of the risk must have reached a volume “relevant for the Group” or the risks have to be bundled and managed at Group level to protect the Group’s interests (opportune reasons/cost optimization/risk reduction).
Business continuity management (BCM). BCM is a process within operational security and risk management that helps protect business processes from the consequences of damaging incidents and disruptions. It ensures the continuation of business processes through ongoing analysis, assessment, and management of relevant risks for people, technology, infrastructure, supply and service relationships, and information. The aim is to identify potential threats at an early stage and to keep the impact and duration of a disruption of critical business processes to an acceptable minimum by ensuring appropriate resilience in the organization plus the ability to effectively cope with threats.
To this end, BCM identifies critical business processes and business processes requiring protection, including any supporting processes, process steps, and assets (people, technology, infrastructure, information, and supply and service relationships). Appropriate precautionary measures are also defined. In particular, security management works in coordination with the relevant units and process owners to analyze the possible consequences of external and internal threats with relevance for security, such as natural disasters, vandalism, or sabotage. Once the extent of potential losses and probability of occurrence have been assessed, preventive measures can be put in place and contingency plans developed.
Risk containment measures. The risk owners initiate and execute further measures to mitigate the risks. A wide range of measures are available, depending on the risk type. A few examples of these measures are:
- We tackle risks from the market environment with comprehensive sales controlling and intensive customer management.
- We deal with risks arising from brand and reputation by continuously analyzing the market and communications.
- We also take a whole array of measures to deal with operational risks: for example, we constantly implement operational and infrastructural measures in order to improve our networks, and offer our employees systematic training and development programs.
- We deal with risks from the political and regulatory environment through an intensive, constructive dialog with policymakers and the authorities.
- We minimize legal risks by ensuring suitable support for proceedings and by designing contracts appropriately in the first place.
- We manage interest and currency risks by means of systematic risk management and hedge them using derivative and non-derivative financial instruments.
- The Group Tax unit identifies potential tax-related risks at an early stage and systematically records, assesses, and monitors them. It takes any measures necessary to minimize tax-related risks and coordinates them with the Group companies affected. The unit also draws up and communicates policies for avoiding tax risks.
Risk monitoring
The Group risk report, which presents the main risks, is prepared for the Board of Management on a quarterly basis. The Audit Committee of the Supervisory Board of Deutsche Telekom AG also examines this report at its meetings. Furthermore, the Board of Management informs the Supervisory Board. In addition, the emerging risks are presented once a year as part of the risk report. Among other benefits, the Group risk report ensures transparent monitoring of the development of individual risks, as well as of the overall risk situation. This is supported by the new Group-wide risk management tool. If any unforeseen risks arise, they are reported ad hoc (even outside of regular reporting). We inform the Audit Committee about all of the latest developments and/or changes in the risk management system at a special meeting held annually.