We have a comprehensive Risk Management Framework in place. This Framework helps us achieve our strategic goals, maintain confidence in our brands and protect our stakeholders, including customers, employees and shareholders.
Our Framework provides a basis for effective risk management throughout the company. It establishes a clear and consistent process to ensure we comply with all legal and regulatory requirements. This process is based on identifying, assessing, managing and mitigating potential risks to our business. As part of the process, we identify any significant or emerging risks, both internal and external. A consolidated risk list – along with proposed risk tolerances – is then presented to management and the Audit, Risk & Compliance Committee. The Audit, Risk & Compliance Committee uses risk deep dives to monitor the measures taken to manage and reduce the significant risks.
Each significant risk is assigned to a ‘risk owner’, responsible for managing that risk and implementing mitigation measures. In addition, each business unit has a designated ‘risk champion’ to oversee management of existing risks and to identify and report new risks.
Risk governance and three lines model
In managing risk, VodafoneZiggo adheres to the ‘three lines model’:
First line: management and risk owners are responsible for designing, implementing and maintaining an effective system to manage all identified risks
Second line: within the company, specific risk functions analyse any significant and emerging risks; these functions carry out risk monitoring, oversee our risk policies, and ensure risk acceptance remains in line with our strategic goals, legal obligations and regulatory requirements
Third line: our internal audit department provides assurance on the effectiveness of the company’s internal controls, governance, risk management and compliance. Planning for these audits is included in its annual audit plan, or in special requests for verification
The Supervisory Board has delegated responsibility for overseeing the quality and integrity of the company’s Risk Management Framework to its Audit, Risk & Compliance Committee. Members of this Committee oversee the implementation of control measures, as well as the company’s exposure to significant and emerging risks (against established risk tolerances).
Risks and control measures
Below is an overview of significant risks identified in 2022, along with control measures taken to manage or mitigate these risks:
The risk of a technical fault in critical parts of our networks, systems or platforms, potentially disrupting fixed-line or mobile services. This may lead to lower customer satisfaction, damage to our reputation or even fines from regulators.
We have very low tolerance for any network, system or platform faults that may adversely affect our customers. To limit the impact of service disruptions, we have put in place clear recovery objectives and measures for critical components. We monitor our networks, systems and platforms closely, so we can identify and address technical faults as they arise. When incidents do occur, we carry out a comprehensive investigation to identify the causes and take appropriate action to remedy the fault.
The risk of a cyberattack, originating either within the company or outside. Such attacks may have serious consequences, including loss of data or network failures, which may, in turn, adversely affect our customers, financial situation or reputation.
To mitigate this risk, we have extensive control measures in place across all business units. We identify potential cyber threats, and conduct simulations to ensure we are able to respond effectively to attacks. Our goals are to:
Prevent cyberattacks where possible
Ensure all incidents are reported immediately
Respond to attacks quickly to limit damage
The risk of disruptive competition – i.e. competitors (such as other telecom operators) expanding their networks, improving service or introducing new customer propositions that may mean VodafoneZiggo is no longer able to compete effectively in its chosen markets.
We monitor market developments closely, support innovation and continue to offer customers products, services and content that distinguish us from the competition, such as sports, films and TV series.
Failure to meet customer expectations
The risk that we fail to meet customer expectations regarding our products, services and overall customer experience. This may be the result of faults in our systems or products, or inadequate customer service which may, in turn, lead to lower customer satisfaction or increased customer churn.
We monitor customer feedback and market developments closely, and take measures to address any shortcomings. To meet customer expectations, we introduce regular initiatives to improve both the customer experience and our products and services.
Changes in regulatory requirements
The risk of major changes to regulations as a result of case law or new or amended legislation. In our industry, national and international regulations are becoming increasingly complex. New regulations may significantly increase the ‘regulatory pressure’ within our organisation or adversely affect our competitive position.
Our Regulatory Affairs department monitors legal and regulatory developments closely, and regularly consults with governments and other stakeholders to ensure policymakers have the benefit of our industry knowledge and experience before framing new laws or regulations.
Failure to comply with laws and regulations
The risk that we fail to comply with laws and/or regulations in the markets in which we operate; these include the EU’s General Data Protection Regulation (GDPR), anti-bribery laws, competition law, consumer law and consumer credit regulations, as well as our own internal standards, policies and guidelines. Failure to comply may result in financial penalties and/or a loss of reputation.
We have in place a comprehensive framework of policies, controls and risk management measures to ensure we comply with relevant laws and regulations. We also have a Code of Conduct setting out ethical standards and principles. The Code of Conduct applies to all VodafoneZiggo employees. In addition, we provide extensive training to inform employees of new laws or regulations, and to help them understand their and the company’s obligations. We regularly review and audit our business activities to ensure continued compliance with laws and regulations.
Data integrity, quality and management
The risk that our data quality and data management fail to reach a minimum standard; this may impair decision-making, adversely affect customers, potentially impede the company’s digital transformation, and prevent or delay realisation of our commercial and strategic objectives.
We have appointed a dedicated Data Officer, responsible for overseeing our data quality and data management. We have initiatives to improve the quality of our data (both financial and non-financial), and policies in place to ensure we maintain certain quality levels.
The risk that we fail to comply with new environmental, social and governance (ESG) reporting regulations; this includes the EU’s Corporate Sustainability Reporting Directive (CSRD), due to come into effect from 2024 (effective date for VodafoneZiggo: 1 January 2025).
To ensure compliance with the CSRD, we have established a project team to review all requirements and make adjustments as necessary to our current reporting, risk and control processes.
Company and IT transformation
The risk of IT system failures, resulting from the scale and complexity of our IT infrastructure. Failures may have significant adverse consequences for our customers, financial performance and reputation.
To address this risk, we monitor our IT systems closely to identify any errors or malfunctions. Management and risk owners regularly discuss risks associated with current IT programmes. Where necessary, adjustments are made to reduce risk levels. As a rule, we prioritise risk management in our decision-making processes.
In 2022, VodafoneZiggo carried out extensive research into three emerging risk areas:
employee/integrity risks and salary expenses
managing third parties, and
energy and climate control
We have identified and agreed control measures for each of these risks. In 2023, we will conduct a further evaluation with a view to adding these risks to our significant risk list.
Our response to fraud risks
We closely monitor fraud risks at operational and financial reporting levels. We conduct annual fraud risk assessments, host workshops and review and assess fraud risks based on risk heatmapping. We have implemented mitigating activities to reduce fraud risks and continuously assess the appropriateness of our response to those risks. In order to foster a culture of fraud awareness throughout our organisation, we have a company-wide Code of Conduct and mandatory e-learnings for new employees. We have whistleblowing procedures in place to encourage employees to report fraud, corruption and inappropriate behaviour, as outlined in our Code of Conduct.