CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report

2019

3.1. Risk management and control model

3.1.1.Introduction and reference frameworks The Telefónica’s Business Principles specifically state that:
Telefonica has a Risk Management Framework, based on the
model established by the Committee of Sponsoring “ We establish appropriate controls to evaluate
Organizations of the TreadwayCommision (COSO), that allows
both the identification and the assessment of the impact and
and manage all relevant risks to the Company”
the likelihood of occurrence of the different risks of the
Extract from Responsible Business Principles of Telefónica
Company. This framework has been implemented
homogeneously throughout the Group’s main operations, and
those responsible for the Company, in their field of activity, In this sense, the Company has a Risk Management Policy,
carry out the appropriate identification, evaluation, response approved by the Board of Directors, and a Corporate Risk
and monitoring of the main risks. Management Manual, both based on experience, best
practices and Good Corporate Governance recommendations;
This model, which is inspired by best practices, facilitates the contributing to the continuous improvement in business
prioritization and development of coordinated actions against performance, according to COSO ERM 2017 framework,
risks, both from a global Group perspective, and a specific focus “Enterprise Risk Management - Integrating with Strategy and
on its main operations. Performance”.
“The main risks are linked to the strategic
Enterprise Risk Management (ERM) objectives of the Company Program”

Risk Culture
In accordance with Telefónica's Risk Management Policy, one
“Training workshops and global awareness
of the basic principles that guide this activity is: “Train and campaigns are developed to strengthen the risk
involve employees in the risk management culture, management culture in the Company”
encouraging them to identify risks and actively participate in
its mitigation.”

In this sense, Telefonica promotes the following actions:

• Communication: in order to spread, through the appropriate

channels, the principles and values that should govern risk
management.

• Training: to promote knowledge and involvement in the

aforementioned values and risk management model.
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

3.1.2. Risk Management Government

Both the Telefonica’s Business Principles and the Risk
Management Policy mentioned above, establish that the
entire organization has the responsibility to contribute to the
identification and management of risks. For the coordination
of these activities, the following roles have been established:

function has been established, within the Internal Audit area,

Supervision of the Risk management system independent of the management, in order to promote, support,
coordinate and monitor the implementation of the provisions
The Board of Directors Regulations of Telefónica, SA, establish of this Policy both at Group level and in its main operations.
that the Audit and Control Committee shall have the primary
function of supporting the Board of Directors in its supervisory For the purpose of ensuring an adequate supervision of the
functions; among which, is included the Supervision of Control Telefónica's risk management systems by the Audit and
Systems and Risk Management, including tax risks. In relation
to this, it is up to propose to the Board of Directors the
Management Policy and Risk Management, which will identify, Control Committee, various sessions are held within that
at least: the risk categories that the company faces; the committee, through:
determination of the level of risk that the Company considers
acceptable; the measures to mitigate the impact of the • Overall presentations on the risk management model and
identified risks in case they materialize; and the control and the situation of the main risks, carried out by Internal Audit,
information systems that will be used to control and manage where the general situation of the Group's risks is presented,
the aforementioned risks. as well as its evolution, general plans on risk assessment and
response. Specifically, during 2019, two general
As a support for the development of these oversight activities presentations on risks have been made to the Audit and
by the Audit and Control Committee, a risk management Control Committee of Telefónica.
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

• Specific presentations of the main risk areas made by

those responsible for their management. . Thus, during
2019, monographic sessions have been made on the risks of
Systems and Network, Regulation, Sustainability, People,
Digital Security, Fiscal, Financial, Legal and Compliance.

Likewise, the Audit and Control Committee periodically reports

on these matters to the Board of Directors.

Risk Owner
Risk owners actively participate in the risk strategy and in the
important decisions about their assurance and control. To this
end, each of the identified risks will be assigned a person
(normally a Director) in charge with total responsibility for the
risk and its management, preparing a plan for its assurance and
control (measures to avoid, mitigate or partially transfer the
risks) and effectively tracking its evolution.

Specifically, with respect to fiscal risks, the Group's Fiscal

Directorate performs the fiscal control function through the Risks Identification
Regional Fiscal Directorates, and the local fiscal control officers The risks are identified by the managers, who consider both
in the different subsidiaries in accordance with the principles the factors that cause them and the effects they may have
defined in the Group's Fiscal Control Policy, approved by the on the achievement of the objectives.
Company's Board of Directors.
In this identification of risks, risks associated with the strategic
plan are considered, as well as potential “emerging risks”,
3.1.3.Tolerance or risk apetite meaning those risks that could eventually have an adverse
The Company has a level of risk tolerance or acceptable risk
impact on future performance; although its result and time
established at corporate level; which means its willingness to
horizon is uncertain and difficult to predict.
assume a certain level of risk, to the extent that allows the
creation of value and the development of the business,
Risk Assessment
achieving an adequate balance between growth, yield and risk.
The objective of the risk assessment is to establish the
For the risk assessment, the different typology of the risks that magnitude or relevance of risks, by considering both their
could affect the Company is considered, as described below: eventual impact and their likelihood of occurrence.

• In general, tolerance thresholds are defined for all risks, by For impact purposes, both the economic impact (quantified -
combination of impact and probability, whose scales are whenever possible - in terms of operational Cash-flow,
updated annually based on the evolution of the main considering OIBDA plus CAPEX ) and the reputational impact
financial figures, both for the Group as a whole and for the (from the variables used in RepTrak) are considered, as well as
main companies that compose it. its potential impact on compliance.

• In the case of risks related to reputation, sustainability and

compliance, a zero tolerance level is established.

3.1.4. Risk management process

The risk management process takes the Company’s strategy
and objectives as a reference for the identification of the main
risks that could affect its achievement. The process consists
of four stages which are described below:
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

The different types of risk response are described below:

Likewise, other qualitative additional factors are considered,

such as the historical trend, the level of assurance or control;
or the perspectives on their future evolution.

Risk Response
In addition to identification and assessment of the risks, the
Risk Management Model considers reasonable response and Global measures, mainly involving the use of financial
monitoring mechanisms for said risks. In this sense, it derivatives, are undertaken to mitigate certain financial risks
contemplates procedures to respond to the new challenges such as those relating to exchange-rate and interest-rate
that arise through the alignment between the strategic fluctuations. In relation to tax risks, the main issues are
objectives and the risks that could affect the fulfillment of such identified are monitored. The Group uses Multinational
objectives. insurance Programs, or insurance policies arranged locally in
each country, to cover operational risks, depending on the type
of risk and cover required.

Monitoring and Reporting

In accordance with the diversity of the types of risk that may
arise, the risk monitoring and response mechanisms include
global initiatives, homogeneously promoted and coordinated
throughout our main operations, and/or specific actions
aimed at addressing particular risks in some of our companies.
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

Business Assurance Model Bottom-up: it is based on the concept of Risk Self-Assessment

A management model based on the existing assurance allows (RSA), according to which managers are responsible for
prioritizing and being more specific in the actions to be carried identifying and describing the specific risks of their area, as well
out in the area of Risk Management and Internal Control. as assessing them and defining an adequate response to them.

Top-down: this assessment is based on the cross-sectional

analysis of those matters considered relevant and common to
most of the Group's companies, complementing the previous
bottom-up approach, thus having a global vision of the main
risks of the Company as a whole.

Risks in Processes: support to process managers to identify

and define their response to those risks that may affect the
achievement of their objectives, with a transversal approach.

Project Risks: applicable to those internal projects of special

relevance, usually related to transformation initiatives and
with a transversal approach.

3.1.5 Perspectives of the Risk Management

Framework
To have a comprehensive model, oriented to the needs and the
Group's own configuration, the ERM Framework considers a
risk assessment through four complementary
perspectives:
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

3.1.6. Digitalization of risk management

With the aim of managing and supervising risks, a Risk
Management tool and a Dashboard have been developed,
which facilitate the reporting, analysis, assessment and
management of risk information withinTelefónica Group.
These tools are common for all Group Companies that report
risks, and their main features are as follows:
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

3.2. Risk map and risk profile

Taking as a reference the objectives identified in the An assessment of the impact and probability of the identified
Company’s Strategic Plan, those risks that could affect the risks is made, which facilitates their prioritization and the
achievement of these objectives are identified, both from a definition of response plans to mitigate them, ensuring the
global perspective (through the main global Group areas) and necessary coordination between global and local initiatives in
a local one (through local managers and the respective local order to act against the risks.
Executive Committees).

In order to facilitate the risk identification process by the

management of the Company, the Telefónica Group has a
general risks catalogue, which is updated periodically, and
which allows the information to be homogenized and
consolidated, and to comply with the internal and external
reporting requirements on the main risks.

Telefónica's risk catalogue considers the following four risk

categories:
CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

This catalogue adapts to the evolution in the typology of the

main risks, revealing a growing relevance of those risks related
to intangibles and of global transcendence, such as public
image, social impact of organizations or sustainability
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

Among the main risks related to reputation, sustainability

and the long term, in accordance with the Responsible
Business Plan of Telefónica, are the following aspects:

In the same way, among the main emerging issues, it is worth

highlighting issues related to People management, including
aspects such as diversity or professional skills
management, in line with what is described below:
 CONSOLIDATED ANNUAL REPORT 2019 Consolidated Management Report
2019

The strategy and management of the Telefónica Group's In addition, Telefónica may not be able to realize deferred tax
activities tend to minimize the impact of the materialized assets on its statement of financial position to offset future
risks, as well as to counterbalance the negative effects of taxable income. By way of example, in 2019, TelefónicaMóviles
some issues with the favourable evolution of others. Mexico derecognized deferred tax assets amounting to 454
million euros.
In accordance with current accounting standards, the
Telefónica Group reviews on an annual basis, or more
3.2.1. Prioritization of Risks
frequently when the circumstances require it, the need to
The risks of Telefónica Group are prioritized based on their level
introduce changes to the book value of its goodwill,
of criticality, which is obtained from the combination of impact
intangible assets, property, plant and equipment or other
and likelihood assessments for each of them.
assets. By way of example, in 2019, impairment losses in the
goodwill allocated to Telefónica Argentina were recognized The detail on the main risks disclosed by the Company is
for a total of 206 million euros, due to factors such as the included in the following section.
country's delicate financial situation or the deteriorating
economic activity, which have strained the financial variables
and a business plan that involves moderation in cash
generation, compared to previous years.