Vodafone 2014 Annual Report Download - page 198

Download and view the complete annual report

Please find page 198 of the 2014 Vodafone annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 216

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216

Identication and assessment of the Group’s key risks
The Board acknowledges it is responsible for determining the nature
and extent of the signicant risks it is willing to take in achieving its
strategic objectives. A Group wide risk assessment exercise is formally
conducted annually to help full this responsibility.
Local market risk assessment
Risk coordinators in each local market facilitate the identication
of the “top 10” risks and associated mitigating actions for their entity.
With the oversight and approval of local executive teams and Audit
Committees, these risks are assessed for their likelihood and impact
after consideration is given to existing mitigating controls.
An overall market view of the major risks is obtained by identifying
similar risks that are then aggregated and categorised into the following
risk categories:
a strategy;
a reputational damage;
a legal and regulatory compliance;
a nancial;
a operational; and
a malicious events.
Assess the current risk exposure for the Group
Using the market view of the major risks, an exercise is conducted with
Group executives and functional leaders to determine the top Group
risks and identify the current net risk exposure level for each risk.
Compare the current risk exposure to the acceptable level
of risk
The exposure from each of the Group’s top risks is then compared
with the desired level of acceptable risk. The result of this assessment
highlights the perceived “tolerance” for the exposure associated
with a particular risk and indicates whether specic, additional action
is required.
Three “tolerance” categories are used:
1. We don’t believe that Vodafone should do more;
2. We believe that Vodafone should do more and has plans in place
to reduce the net risk to an acceptable level; and
3. We are not sufciently prepared and immediate action is necessary.
Conrmation of key risks and mitigations commensurate with
Vodafone’s risk tolerances
The risk exposure assessment and comparison to the acceptable
level of risk identies the key risks and associated mitigations that are
reviewed and approved by the Group Executive Committee, the Audit
and Risk Committee and the Board.
Changes from prior year risk assessment
One new risk for 2014 has been added:
a The integration of newly acquired businesses does not provide
the benets anticipated at the time of acquisition”. The risk
is that we do not deliver the revenue benets and/or the cost
synergies expected from recently acquired businesses and that,
as a consequence of this, we subsequently need to write down the
carrying value of the assets.
Revised existing risks
Two existing risks from prior year have been revised into a single
combined risk:
a “Our business could be adversely affected by a failure or signicant
interruption to our telecommunications networks or IT systems”
and “Failure to deliver enterprise service offerings may adversely
affect our business” have been combined into the former risk: “Our
business could be adversely affected by a failure or signicant
interruption to our telecommunications networks or IT systems”.
The description of the risk has been revised to more specically
reect the level of dependence enterprise customers have on our
telecommunications infrastructure to provide their services and the
resilience needed in our infrastructure to meet our committed service
level agreements.
The Group’s key risks are outlined below:
1. Our business could be adversely affected by a failure
or signicant interruption to our telecommunications
networks or IT systems.
Risk: We are dependent on the continued operation of our
telecommunications networks. The importance of mobile and xed
communication in everyday life is increasing, especially during times
of crisis. Individuals and organisations who rely on our networks and
systems 24 hours per day, 365 days per year to provide their products
and services, look to us to maintain service. Major failures in the network,
our IT systems or a failure to maintain our infrastructure to the required
levels of resilience (and associated service level agreement) may result
in our services being interrupted, resulting in serious damage to our
reputation, a consequential customer and revenue loss and the risk
of nancial penalties.
There is a risk that an attack by a malicious individual or group
could be successful on our networks and impact the availability
of critical systems. Our network is also susceptible to interruption due
to a physical attack and theft of our network components as the value
and market for network components increases (for example copper,
batteries, generators and fuel).
Assessment: This risk is possible in all markets in which we operate
and has the potential for signicant impact. Given the geographically
dispersed nature of our networks, both mobile and xed, the impacts
of a wide spread and long lasting outage should be primarily restricted
to the market involved.
Mitigation: Specic back-up and resilience requirements are built into
our networks. We monitor our ability to replace strategic equipment
quickly in event of failure, and for high risk components, we maintain
dedicated back-up equipment ready for use. Dedicated access network
equipment is installed on trucks ready to be moved on site if required.
Our critical infrastructure has been enhanced to prevent unauthorised
access and reduce the likelihood and impact of a successful attack.
Network contingency plans are linked with our business continuity and
disaster recovery plans which are in place to cover the residual risks
that cannot be mitigated. A crisis management team and escalation
processes are in place both nationally and internationally, and crisis
simulations are conducted annually.
We also manage the risk of malicious attacks on our infrastructure using
our global security operations centre that provides 24/7 monitoring
of our network in many countries.
Vodafone Group Plc
Annual Report 2014196
Principal risk factors and uncertainties