Swisscom’s enterprise risk management (ERM) applies Group-wide and takes both internal and external events into account. Swisscom observes the established COSO II and ISO 31000 risk management standards and thus has a risk management system in place that complies with the requirements of its own corporate governance policy as well as those under Swiss law.
Swisscom’s risk management is aimed at safeguarding the company’s enterprise value. This is assured by having in place a recognised and appropriate Group-wide risk management system as well as comprehensive, meaningful, level-appropriate reporting, suitable documentation and a risk-aware corporate culture. Risks are events or situations which could jeopardise the company’s ability to achieve its objectives should they occur.
The Board of Directors delegates responsibility for implementing the risk management system to the CEO of Swisscom Ltd. The central Risk Management organisational unit reports to the CFO of Swisscom Ltd, coordinates all organisational units charged with risk management tasks and oversees them insofar as this is required for reporting purposes. This ensures comprehensive, Group-wide coordinated risk management and reporting. As part of their remit, employees entrusted with risk management tasks have an unrestricted right to information and are authorised to access and view all relevant documents and records.
Swisscom employs special instruments in individual risk areas. In financial risk management, for example, quantitative tools (sensitivity analyses) are used to assess interest rate and currency risks. Compliance risks and financial reporting risks are overseen by specialist central organisational units which report to the central Risk Management organisational unit and are responsible for meeting the goals of the company’s internal control system (ICS).
The main risks to which Swisscom is exposed are identified in a comprehensive risk analysis. Each risk is assigned a risk owner. To enable the early identification, assessment and management of risks and their inclusion in strategic planning, the central Risk Management unit works closely with the Controlling and Strategy departments and other relevant departments. Risk management covers risks in the areas of strategy (including market risks), operations (including finance risks), compliance and financial reporting. The risks are assessed according to their probability of occurrence and their qualitative and quantitative effects in the event of occurrence, and are managed on the basis of a risk strategy. The risks are evaluated in terms of their impact on key performance indicators reported by Swisscom. The risk profile is reviewed and updated quarterly. The Board of Directors’ Audit Committee and the Swisscom Group Executive Board are informed about significant risks, their potential effects and the status of measures on a quarterly basis, and the Board of Directors on an annual basis. The effectiveness of the risk strategies and measures taken is assessed quarterly. Information on the internal control system, compliance management and internal auditing is provided in Section 3.9 of the Corporate Governance Report, Controlling instruments of the Board of Directors vis-à-vis the Group Executive Board.