Vodafone 2016 Annual Report Download - page 25


Oversight of risks
The Board has overall responsibility for the Group’s risk management and internal controls system. The Audit and Risk Committee, under delegation
from the Board, monitors the nature and extent of risk exposure against risk appetite for our principal risks. Details of the activities of the Audit and
Risk Committee are set out on pages 47 to 52 of this report.
At an operational level, risks are reviewed and managed by the Executive Committee and through its delegated sub-committee, the Risk and
Compliance Committee. Details of the activities of the Risk and Compliance Committee are set out on page 39 of this report.
As part of the Board review of all risks, an exercise is completed to assess the long-term viability of the company, which includes stress-testing our
principal risks. The output from this is contained in the Long-Term Viability Statement on page 29.
Our principal risks
The risk management framework covers all risks to our business but includes a process to identify the principal risks to our strategic objectives
through the integration of bottom-up and top-down exercises. The bottom-up exercise identifies and consolidates all of the priority risks raised
by local markets and entities. The top-down exercise involves interviews with around 30 senior executives. The aggregated results from these
exercises are used to form the principal risks which are approved by the Executive Committee, prior to submission to the Audit and Risk Committee
and the Board. Each principal risk is assigned to a senior executive who is responsible for managing the risk and reporting on progress to the
Executive Committee.
Vodafone’s principal risks are similar to those reported last year, although with some changes to the driving force behind the risks, and one new risk
regarding legal and regulatory requirements. Any changes from last year’s principal risks are highlighted in the tables below.
Cyber threat
Movement from 2015: Stable
What is the risk?
A successful cyber-attack or internal event could result in us not being able to deliver service to our customers and/or failing to protect their data.
This could include a terrorist attack, state-sponsored hacking, hacktivists or threats from individuals.
How could it impact us?
This risk could have major customer, financial, reputational and regulatory impact in all markets in which we operate. As some systems operate
at Group level and support more than one market, we could be affected in multiple markets at one time and for both consumer and enterprise
customers, magnifying the impact.
Changes from 2015
This risk combines two risks from our previous annual report: malicious attack causing service disruption, and customer data breach. We have
merged these to reflect that a single cyber-attack could result in both outcomes.
How do we manage it?
  • We have a global security strategy that is risk-based and approved by the Executive Committee
  • We have a global security function that sets policies and processes. Security controls are implemented centrally and in local markets, and we have a continuous improvement programme to mitigate the changing threats we face
  • We manage the risk of malicious attacks on our infrastructure using our global security operations centre that provides 24/7 proactive monitoring of our global infrastructure, responds to incidents and manages recovery from those incidents
  • Applications or infrastructure that store or transmit confidential personal and business voice and data traffic have layers of security control applied
  • We have an assurance programme that incorporates both internal reviews and reviews of third parties that hold data on our behalf. Vodafone holds internationally recognised certifications for its information security processes
  • We regularly provide mandatory security and privacy awareness training to Vodafone employees
Vodafone Group Plc
Annual Report 2016