Risk management system

Structure

Swisscom’s enterprise risk management (ERM) applies Group-wide and takes both internal and external events into account. Swisscom complies with the established COSO II and ISO 31000 risk management standards and thus has a risk management system in place that meets the requirements of its own corporate governance policy as well as those of Swiss law.

Objectives

Swisscom’s risk management is aimed at safeguarding the company’s enterprise value. This is assured by having in place a recognised and appropriate Group-wide risk management system as well as comprehensive, meaningful, level-appropriate reporting, suitable documentation and a risk-aware corporate culture. Risks are events or situations which, should they occur, could potentially jeopardise the company’s ability to achieve its objectives.

Organisation

The Board of Directors delegates responsibility for implementing the risk management system to the CEO Swisscom Ltd. A central Risk Management unit reports to the CFO Swisscom Ltd, coordinates all organisational units charged with risk management and oversees these insofar as this is required for reporting purposes. This ensures comprehensive, Group-wide coordinated risk management and reporting. As part of their remit, employees entrusted with risk management tasks have an unrestricted right to information and are authorised to access and view all relevant documents and records.

Swisscom employs special instruments in individual risk areas. In financial risk management, for example, quantitative tools (sensitivity analyses) are used to assess interest rate and currency risks. Specialised central organisational units monitor the legal compliance risks and financial reporting risks (internal control system, ICS).

Process

The main risks to which Swisscom is exposed are identified in a comprehensive risk analysis. Each risk is assigned a risk owner. To enable the early identification, assessment and management of risks and their inclusion in strategic planning, the central Risk Management unit works closely with the Controlling and Strategy departments and other relevant departments. Risk management covers risks in the areas of strategy (including market risks), operations (including finance risks), compliance and financial reporting. The risks are assessed according to their probability of occurrence and their qualitative and quantitative effects in the event of occurrence, and are managed on the basis of a risk strategy. The risks are evaluated in terms of their impact on key performance indicators reported by Swisscom. The risk profile is reviewed and updated on a quarterly basis. The Board of Directors’ Audit Committee and the Swisscom Group Executive Board are informed about significant risks, their potential effects and the status of measures on a quarterly basis, and the Board of Directors on an annual basis. The effectiveness of the risk strategies and measures taken is assessed quarterly. Information on the internal control system, compliance management and internal auditing is provided in the Corporate Governance Report, Section 3.8, Controlling instruments of the Board of Directors vis-à-vis the Group Executive Board.