Three-line defense – integrated governance, risk management and compliance
TeliaSonera’s risk management may be illustrated as a three-line defense being an integral part of the group’s operational activities, business planning process and monitoring of business performance. Risks that may pose a threat to achieving business objectives are identified and assessed, and measures are implemented to mitigate and monitor the identified risks. The aim is not only to focus on risks from a negative perspective, but also to acknowledge that successful risk management is essential for strategy execution and sustainable growth.
Enterprise risk management – lines of defense
Risks and uncertainties
The defense-line roles and responsibilities include:
- First-line defense: The line organization owns its operational risks and is responsible and accountable for assessing, controlling and mitigating the risks as well as for internal control activities and assurance
- Second-line defense: Comprises the group-level enterprise risk management (ERM) function, the internal controls function within Group Finance, the Group Ethics and Compliance Office and the Governance, Risk, Ethics and Compliance (GREC) meetings
- Third-line defense: The group internal audit function provides independent assurance on the risk management process and internal control environment. External parties, such as the external auditors and regulatory bodies, provide assurance related to specific statutory requirements, e.g. information presented in the consolidated financial statements or reported to the Swedish Financial Supervisory Authority
Risk management process
As a basis for first-line defense, TeliaSonera’s group instructions on risk management define roles and responsibilities as well as the main components of the risk management process, which are risk assessment, risk treatment and continuous monitoring.
Risk management – process flow
The objective of the continuous risk management process is that all risks that may harm the achievement of TeliaSonera’s objectives are regularly assessed, treated and monitored.
Risk management shall be fully integrated into the business processes. The risk management procedures shall be transparent, feasible and traceable. Management shall ensure that a personal sense of responsibility and common view on and awareness of risk is established among the employees, as well as facilitate accountability for risks in daily decision-making. Risk reporting is integrated into the business planning process and risks shall be reviewed at business reviews and escalated through the line organization.
Quarterly, the Audit Committee and the Board of Directors receive a consolidated risk report, aligned with the Board’s annual work cycle as described in section “Board of Directors.” The consolidated report is divided into four categories:
- Financial risks
- Business-related risks
- Country-related risks
- Legal and regulatory risks
Under each of these categories, risks are presented either as group-wide or by region with a:
- Risk description
- Description of risk mitigating activities
- Potential financial impact when possible
- Probability grading (low, medium and high risk)
In addition, the Audit Committee quarterly receives a consolidated litigation report with short-form details of ongoing, pending and threatened legal and administrative proceedings. Each case description also includes alleged nominal and estimated financial impact when possible and a probability grading (low, medium and high risk).
Management shall conduct risk and compliance evaluations and assessments in a proactive, repeated and timely manner in order to ensure that all employees are aware of and take steps to comply with the relevant requirements. Compliance means conforming to external as well as internal requirements, such as:
- Applicable legislation and regulation
- Customer agreements
- International standards and norms
- Group policies and group instructions
The most significant risk areas are monitored by the risk management function including the GREC meetings (see sections “Group-level enterprise risk management (ERM) function,” and “Governance, Risk, Ethics and Compliance (GREC) meetings”), the internal controls function within Group Finance (see section “Internal controls over financial reporting”) and the Group Ethics and Compliance Office (see section “Compliance framework and programs”).
Group-level enterprise risk management (ERM) function
The Head of the ERM function, within group function Corporate Development, acts as the owner of the group-common ERM process to ensure a structured approach towards risk management, compliance and reporting within the group. The function's responsibilities include the following:
- Define and own the group-common risk framework and processes
- Provide training, support and guidance to the line organization
- Coordinate GREC meetings and ensure alignment across organization levels
- Coordinate and drive group-common risk management and compliance improvement initiatives
- Facilitate risk and compliance forum discussions and continuously monitor risk development
- Report to GREC meetings and the Board of Directors
Compliance framework and programs
Also supporting first-line defense, TeliaSonera has established a framework to enable systematic work with compliance issues. The compliance framework consists of eight steps that are founded on a sound and clear tone from the top. It is designed to adhere to international standards and is based on prevent, detect and investigate principles.
Prioritized risk areas are identified based on risk assessments. The most significant risks are monitored by the Group Ethics and Compliance Office and managed according to the framework through subject-specific compliance programs to ensure consistency and follow-up in implementation and reporting. Currently prioritized risk areas are reflected by the following ongoing programs:
- Anti-bribery and corruption
- Freedom of expression
- Customer privacy
- Occupational health and safety
For additional information on the approach and work in the respective area, see Sustainability Work, sections “Sustainability in TeliaSonera”, “Anti-bribery and corruption”, “Freedom of expression and privacy”, “Customer privacy” and “Occupational health and safety.”
GREC meeting (group level) – participants and risk categories
Governance, Risk, Ethics and Compliance (GREC) meetings
The purpose of the GREC meetings is to act as the primary governing bodies within risk and compliance and to evaluate risk levels and propose risk-mitigation actions.
At the GREC meetings, which are held at least quarterly, management meets to update, discuss, decide and follow up on ongoing activities and initiatives within the different risk areas and sustainability focus areas. The purpose of the GREC meetings is to:
- Consolidate and assess risk reports from countries, regions and group functions
- Review risk levels in relation to risk appetite and decide on risk response
- Follow up on mitigation plans and execution in key risk areas
- Compile risk and compliance reports and action plans to the Board of Directors’ Audit Committee
- Build a risk awareness culture
GREC meetings are held on group, region and country level. On group level, the GREC meeting is chaired by the CEO and consists of Group Executive Management extended with the Head of CEO Office, the Head of ERM, the Chief Ethics and Compliance Officer as well as the Head of Group Internal Audit. The purpose, agenda and participants of local GREC meetings mirror the group-level meetings. For region Eurasia, GREC issues on group level are addressed by a Steering Board, headed by the CEO (for additional information, see section “CEO and Group Executive Management”).
2015 was the first full year of operations of TeliaSonera’s Speak-Up Line, the whistle-blowing tool enabling employees and others to anonymously report violations of proper accounting, reporting or internal controls, as well as non-compliance with local laws or breaches of TeliaSonera’s policies and ethical instructions. During the year, the processes underlying the reporting of cases and investigations to the Board of Directors and management were set. A group-wide standard for performing internal investigations was also decided. The guiding principle is to ensure that investigations are conducted objectively and impartially; are carried out in a way to swiftly establish the facts with minimum disruption to the business or the personal lives of employees; and to make sure that confidentiality and non-retaliation are respected at all times.
To the reader of this Statement: If you believe there are deficiencies in TeliaSonera’s financial reporting or if you suspect any misconduct within the TeliaSonera group, you may report your concerns at: www.speakupline.ethicspoint.com
Whistle-blowing cases in 2015
During the year, 141 whistle-blowing case reports were recorded. Out of these, 27 investigations were opened by the Special Investigations Office within the Group Ethics and Compliance Office. 42 reports related to HR matters and were forwarded to Group HR. 72 reports were sent for information to other departments (e.g. customer or supplier complaints) or closed after an initial review and response to the whistle-blower concerned (e.g. in cases of ethical reproach).
In 2014, a total of 73 reports were recorded, out of which 42 related to whistle-blowing on misconduct and 31 concerned HR matters. The doubling of the number of reports is partly attributed to training and awareness and partly to improved recording mechanisms.
Of the 141 whistle-blowing reports in 2015, 62 percent were received through the Speak-Up Line. 17 percent were sent to the Speak-Up Line e-mail address, 14 percent received through direct contact with ethics and compliance officers at group or local level, 4 percent reported through line managers and 3 percent through e-mails directly to TeliaSonera top management.
Ethical concerns or reproaches against management were the most commonly reported matters, in particular from region Sweden. Other significant issues included abuse of position, conflicts of interest, discrimination and harassment. Several suppliers complained about biased tender results.
The majority of the reports were submitted from regions Sweden and Eurasia. Of all reports, 40 percent were submitted anonymously or by reporters requesting to remain anonymous.
In 2015, investigation support requested by managers was recorded separately. There were 13 such investigations compared to 19 in 2014. As of 2016, these requests will be included in the Speak-Up Line statistics.
Where allegations were substantiated, 17 disciplinary decisions were taken by the Group Ethics Forum. The majority of the decisions resulted in termination of employees, but warnings were also issued in some cases. During 2015, employees and line managers were trained in correctly registering case reports and escalating the reports, enabling the Special Investigations Office to ensure a consistent investigation process and implementation of disciplinary actions.
Consolidated case reports were presented to the Audit Committee throughout the year. The reports included allegations of certain significance, progress of investigations and the final results of the investigations. All case closure reports were submitted to the Group Ethics Forum for oversight and decisions on disciplinary action.
To further improve the maturity of our Responsible Business, two KPIs were agreed concerning internal investigations:
- Percentage of whistle-blowing cases closed within 8 weeks with a target of 80 percent, which is considered achievable as in 2015, more than 70 percent of all cases were closed within 8 weeks
- Percentage of disciplinary decisions implemented within 4 weeks after Group Ethics Forum decision with a target of 100 percent. In 2015, only 50 percent of the target was achieved. This KPI will thus greatly help to focus management on prompt implementation of disciplinary action decisions