Risk management

The Board of Directors has set the objective of protecting the company’s enterprise value through the implementation of Group-wide risk management. A corporate culture that promotes the conscious handling of risks facilitates the achievement of this objective. Accordingly, Swisscom has implemented a Group-wide, central risk management system that is based on ISO Standard 31000 and takes account of both external and internal events. Swisscom ensures comprehensive reporting at the relevant level and appropriate documentation. Its objective is to identify, assess and address significant risks and opportunities in a timely manner. To this end, the central Risk Management unit, which reports to both the CFO and Controlling, works closely with the Controlling and Strategy departments and other assurance functions and line functions. The risk management system is examined periodically by an external auditor. Swisscom assesses its risks in terms of the probability that they will occur and their likely quantitative and qualitative effects. It manages risks on the basis of a risk strategy. The risks are evaluated in terms of their impact on key performance indicators. Swisscom reviews and updates its risk profile on a quarterly basis. The Audit & ESG Reporting Committee and the Group Executive Board are provided with a report on risks every quarter. The Board of Directors and the Audit & ESG Reporting Committee are provided with in-depth information in April and December on significant risks, their potential effects and the status of remedial measures. In urgent cases, the Chairman of the Audit & ESG Reporting Committee is informed without delay about any significant new risks.

The internal control system (ICS) ensures the reliability of financial reporting with an appropriate degree of assurance. It acts to prevent, uncover and correct substantial errors in the consolidated financial statements, the financial statements of the Group companies and the remuneration report. The ICS encompasses the following internal control components: control environment, assessment of accounting risks, control activities, monitoring controls, information and communication. The Accounting department, which reports to the CFO, controls and monitors the ICS. Internal Audit periodically monitor the functioning and effectiveness of the ICS. Significant shortcomings in the ICS identified during the monitoring activities are reported together with the corrective measures in a status report to the Audit & ESG Reporting Committee twice a year and to the Board of Directors on an annual basis. Should the ICS risk assessment change significantly, the Chairman of the Audit & ESG Reporting Committee is informed without delay. Corrective measures to remedy the shortcomings are monitored centrally. The Audit & ESG Reporting Committee assesses the performance and effectiveness of the ICS on the basis of the periodic reporting.

The Group-wide central Compliance Management System (CMS) serves to prevent compliance violations in order to protect the Swisscom Group, its executive bodies and employees from legal sanctions, financial losses and reputational damage. It covers the legal areas of anti-corruption, money laundering, data protection and confidentiality, antitrust law, telecommunications legislation and stock exchange law. Swisscom redesigned its CMS in line with the ISO-37301 standard. The new Compliance Management Framework makes even more targeted improvements possible. The Group’s central compliance functions as well as the compliance officers and managers of the Group divisions and fully consolidated Group companies provide support to the line for the ongoing implementation of the CMS in specific legal areas. External auditors will now review the CMS for adequacy and effectiveness every four years. Furthermore, external auditors will continue to conduct a specific audit in the area money laundering law on an annual or biennial basis. Once a year, Group Compliance reports directly to the Audit & ESG Reporting Board of Director’s committee and to the Board of Directors on the function’s activities, compliance risk assessment and target achievement. In the event of significant changes in the assessment of compliance risks and in the event of potentially serious compliance violations, a timely report is sent to the Chairman of the Audit & ESG Reporting Committee as well as the Chairman of the Board of Directors.

Internal auditing is carried out throughout the Group by the Internal Audit division. Internal Audit supports the Swisscom Ltd Board of Directors and its Audit & ESG Reporting Committee in fulfilling their statutory and regulatory supervisory and controlling obligations. Internal Audit also supports management by highlighting opportunities for improving business processes and controls as well as the assurance functions. It documents the audit findings and monitors the implementation of measures. Internal Audit is responsible for planning and performing audits throughout the Group in compliance with professional auditing standards and has a high degree of independence. It is under the direct control of the Chairman of the Board of Directors and provides reports to the Audit & ESG Reporting Committee. At an administrative level, Internal Audit provides reports to the Head of Group Strategy & Board Services. Administratively, Internal Audit reports to the Head of Security & Corporate Affairs.

Internal Audit liaises closely and exchanges information with the external auditors. The external auditors have unrestricted access to the audit reports and audit files of Internal Audit. Based on a risk analysis and in close coordination with the external auditors, it prepares the integrated strategic audit plan annually and presents it to the Audit & ESG Reporting Committee for approval. Notwithstanding the above, the Audit & ESG Reporting Committee can commission special audits based on information received on the whistle-blowing platform operated by Internal Audit. This reporting procedure, which has been approved by the Audit & ESG Reporting Committee, allows complaints relating to external reporting and financial reporting, among other things, to be submitted anonymously to Internal Audit, which in turn ensures that these will be followed up. At its meetings, which are held at least quarterly, the Audit & ESG Reporting Committee is briefed on audit findings, the reports submitted to the whistle-blowing platform and the status of any corrective measures implemented. The Head of Internal Audit took part in all six meetings of the Audit & ESG Reporting Committee in 2022.

Swisscom implements certified management systems based on internationally accepted standards. These ensure that all of Swisscom's services are quality controlled and developed, simplified and improved systematically. Together, they form Swisscom’s integrated ISO / IEC management system and are periodically audited by external auditing company SGS.

Go to ISO / IEC management system

At the behest of the Board of Directors, the Audit & ESG Reporting Committee verifies the qualifications, independence and performance of the statutory auditors as a state-supervised auditing firm. The statutory auditors are appointed annually by the Annual General Meeting. Since 2019 PricewaterhouseCoopers AG (PwC) is the statutory auditor for Swisscom Ltd and its Group companies. Also, Fastweb is audited by PricewaterhouseCoopers S.p.A.

More about the statutory auditor

Competitive dynamics are currently being driven by infrastructure providers and service providers without their own network infrastructure. Swisscom is countering this pressure and the development of revenue from the traditional telecommunications business by transforming the company as well as through constant innovation. Megatrends such as increasing connectivity, customisation of customer needs, and demographic change are indelibly shaping and altering both society and the economy and have a long-term impact on the activities of Swisscom. Swisscom conducts a comprehensive external environment analysis at least once a year in order to identify potential disruptions at an early stage. It uses the future trends and developments identified by the analysis in a targeted manner: for example, to categorise new, potentially disruptive devel-opments and to model possible scenarios in a timely manner. Swisscom also produces regular analyses of the economic and regulatory environment. It also examines the activities of global Internet corporations in greater depth to identify relevant changes and respond with appropriate measures. To respond to changes in the market, Swisscom consistently focuses on customer needs when transforming its own company and optimises or adapts its processes and organisation.

The manner in which regulations are implemented entails risks for Swisscom, which could have an adverse impact on the company’s financial position and results of operations. Sanctions by the Competition Commission could also reduce Swisscom’s operating results and cause reputational damage to the company. Finally, excessively high political demands threaten to fundamentally undermine the current com-petitive system. Swisscom’s wide range of business activities, coupled with the complexity of the applicable regulations, calls for an effective compliance management system (CMS). Swisscom’s central CMS covers the entire Group. It was redesigned in line with the ISO-37301 standard during the year under review.

Geopolitical developments pose the risk of sustained inflation, shortages of goods or delays in deliveries, as well as recession or stagflation in general. The limited availability of goods and the shortage of various components can lead to increased costs, delivery delays and reduced deliveries. To enable it to respond appropriately to geopolitical developments, Swisscom reviews and implements measures on an ongoing basis. It also pursues a successful hedging strategy, thereby minimising the risk of losses that can arise as a result of fluctuating foreign exchange rates.

Customer demand for broadband access is growing rapidly, as is the popularity of mobile devices and IP-based services (smartphones, IPTV, OTTs, etc.). Swisscom faces tough competition from cable companies and other network operators as it strives to meet current and future customer needs and defend its own market share. The network expansion this necessitates calls for major investments. To mitigate financial risks and ensure optimum network coverage, network expansion is geared towards population density and customer demand. Substantial risks would arise if Swisscom were forced to spend more on network expansion than planned or if projected long-term earnings were to fall. Swisscom minimises the risks by adapting the broadband expansion of the access network to changing conditions and technical opportunities on an ongoing basis.

The competitive dynamics in Italy carry risks that have a detrimental impact on Fastweb’s strategy and could jeopardise projected revenue growth as a result. In particular, risks may arise in connection with the entry of new competitors in the market. Fastweb is countering this pressure by constantly adapting its services, organisation, processes and partnerships. Changes in the legal and regulatory environment can have a negative impact on business activities and thus on the value of the company.

Usage of Swisscom’s services is heavily dependent on technical infrastructure such as communications networks and IT platforms. Any major disruption to business operations poses a financial risk as well as a substantial reputational risk. Force majeure, natural disasters, human error, hardware or software failure, criminal acts by third parties (e.g. computer viruses, hacking) and the ever-growing complexity and interdependence of modern technologies can cause damage or interruption to operations. Built-in redundancy, contingency plans, deputising arrangements, alternative locations, careful selection of suppliers and other measures are designed to ensure that Swisscom can deliver the level of service that customers expect at all times. As a systemically important company, Swisscom also wants to do its part to minimise the risk of a power shortage.