Telus 2011 Annual Report Download - page 86

82 . TELUS 2011 ANNUAL REPORT
10 RISKS AND RISK MANAGEMENT
Risks and uncertainties facing TELUS and how the Company manages these risks

The discussion in this section is qualified in its entirety by the Caution
regarding forward-looking statements at the beginning of the MD&A.

Risk and control assessment process
TELUS uses a three-level enterprise risk and control assessment
process that solicits and incorporates the expertise and insight of team
members from all areas of the Company. TELUS implemented this
process in 2002 and tracks multi-year trends for various key risks and
control environment perceptions across the organization.

Definition of business risk
TELUS defines business risk as the degree of exposure associated
with the achievement of key strategic, financial, organizational and process
objectives in relation to the effectiveness and efficiency of operations,
reliability of financial reporting, compliance with laws and regulations and
safeguarding of assets within an ethical organizational culture.
TELUS’ enterprise risks are largely derived from the Company’s
business environment and are fundamentally linked to TELUS’ strategies
and business objectives. TELUS strives to proactively mitigate its risk
exposures through rigorous performance planning, effective and efficient
business operational management, and risk response strategies which
can include mitigating, transferring, retaining and/or avoiding risks.
For example, residual exposure for certain risks is mitigated through
appropriate insurance coverage, including for domestic and international
operations, where this is judged to be efficient and commercially viable.
Risks are also mitigated through contractual terms and conditions,
contingency planning and other risk response strategies as appropriate.
TELUS strives to avoid taking on undue risk exposures whenever
possible and strives to ensure alignment of these exposures with business
strategies, objectives, values and risk tolerances.
Enterprise risk and control assessment process
Level one: Annual risk and control assessment
Key inputs into this process include interviews with senior managers, data and updates from TELUS’ ongoing strategic
planning process, and the results of an annual web-enabled risk and control assessment survey. The survey is based on
the COSO (Committee of Sponsoring Organizations of the Treadway Commission) enterprise risk management and internal
control frameworks. The survey is widely distributed to TELUS’ management leadership team (all executive vice-president,
vice-president and director level team members and a random sample of management). Survey responses were received
from 1,774 individuals in 2011.
The members of TELUS’ Board of Directors are also surveyed to solicit their perspective of the Company’s key risks and
approach to enterprise risk management, and to gauge the Company’s risk appetite and tolerance by key risk category.
TELUS’ assessment process incorporates input from recent internal and external audits, results of various risk management
activities, and management’s SOX 404 (Sarbanes-Oxley Act of 2002) internal control over financial reporting compliance
activities. Key enterprise risks are identified, defined and prioritized, and classified into one of nine risk categories. Perceived
risk resiliency (or readiness) is assessed by key risk and risk tolerance/appetite is evaluated by risk category.
Results of the annual risk and control assessment are shared with senior management and the Board (including the Audit
Committee). Executive-level risk owners and Board oversight committees are assigned. The annual risk assessment results
guide the development of the Company’s annual internal audit program, which has an emphasis on assurance coverage
of higher-rated risks and is approved by the Audit Committee. Risk assessments are also incorporated back into the
Company’s strategic planning, operational risk management and performance management processes, and are shared
with the Board.
Level two: Quarterly risk assessment review
TELUS conducts quarterly risk assessment reviews with executive level risk owners and designated risk primes across all
business units to capture and communicate the dynamically changing business risks, identify key risk mitigation activities
and provide quarterly updates and assurance to the applicable Board committee.
Level three: Granular risk assessments
TELUS conducts granular risk assessments for specific audit engagements and various risk management, strategic and
operational initiatives (e.g. strategic planning, project, environmental management, safety, business continuity planning,
network and IT vulnerability, and fraud and ethics risk assessments). The results of the multiple risk assessments are
evaluated, prioritized, updated and integrated into the key risk profile throughout the year.