Risk assessment and risk containment

ASSESSMENT METHOD

Risks are assessed on the basis of “probability of occurrence” and “risk extent.” The following assessment yardsticks apply:

   
Probability of occurrence Description
< 5 % very low
≥ 5 to 25 % low
> 25 to 50 % medium
> 50 % high
   
Risk extent Description
Small Limited negative effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk < € 100 million
Medium Certain negative effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk ≥ € 100 million
Large Significant effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk ≥ € 250 million, and/or affects more than one Group entity
Very large Damaging negative effects on business activities, results of operations, financial position, and reputation; individual EBITDA risk ≥ € 500 million, and/or affects more than one Group entity

By assessing risks according to the aspects of probability of occurrence and risk extent, we classify them as low, medium and high risks, as shown in the graphic below.

Chart: Risk level

We report all risks classified as “high” and “medium.” Exceptions are possible in specific cases: For the sake of reporting continuity, for example, we also report risks from prior years that are classified as low for the current reporting period.

It should be noted that risks with an extent currently assessed as being small may in the future acquire a larger extent than risks that are currently assessed as having a larger extent. This may be due to uncertainties that cannot be assessed at present and over which we have no influence. Uncertainties that cannot be assessed at present also give rise to risks that are currently unknown to us or that we presently consider to be insignificant and that may affect our business activities in the future.

RISK CONTAINMENT MEASURES

Risk management and insurance. To the extent possible and economically viable, we take out adequate Group-wide insurance cover for insurable risks. DeTeAssekuranz GmbH – a wholly owned subsidiary of Deutsche Telekom AG – acts as an insurance broker for our Group Risk Management unit and supports insurance risk management. The company develops and implements solutions for the Group’s operational risks using insurance and insurance-related tools and places them on the national and international insurance markets.

Taking out insurance cover is an essential option for our external risk transfer. The coverage of risks in our Group insurance programs requires the transfer of risk for the purpose of protecting the Group’s financial position (i. e., the possible risk extent reaches a volume “relevant for the Group”) or for risks to be bundled and managed at Group level to protect the Group’s interests (opportune reasons/cost optimization/risk reduction).

Business Continuity Management (BCM). BCM is a support process within operational risk management that protects business processes from the consequences of damaging incidents and disruptions, and ensures the continuation of business processes through ongoing analysis, assessment, and management of relevant risks for people, technology, infrastructure, supply and service relationships, and information. The aim is therefore to identify potential threats at an early stage and to reduce the impact and duration of a disruption of critical business processes to an acceptable minimum by ensuring appropriate resilience in the organization plus the ability to effectively cope with threats.

For this, BCM identifies critical business processes and business processes needing protection including any supporting processes, process steps, and assets (people, technology, infrastructure, supply and service relationships, and information). Appropriate precautionary measures are also defined. In particular, Security Management works in coordination with the relevant units and process owners to analyze the possible consequences of external and internal threats with relevance for security, such as natural disasters, vandalism, or sabotage. Once the extent of potential losses and probability of occurrence have been assessed, preventive measures can be put in place and contingency plans developed.

The risk owners initiate and execute further measures to contain the risks. A wide range of measures are available, depending on the risk type. A few examples of these measures are:

  • We tackle market risks with comprehensive sales controlling and intensive customer management.
  • We manage interest and currency risks by means of systematic risk management and hedge them using derivative and non-derivative financial instruments.
  • We also take a large number of measures for dealing with operational risks: For example, we improve our networks through continuous operational and infrastructural measures. We continuously enhance our quality management, the related controls, and quality assurance. We offer our employees systematic training and development programs.
  • We deal with risks from the political and regulatory environment through an intensive, constructive dialog with policymakers and the authorities.
  • We endeavor to minimize risks in connection with legal proceedings by ensuring suitable support for proceedings and designing contracts appropriately in the first place.
  • The Group Tax unit identifies potential tax-related risks at an early stage and systematically records, assesses and monitors them. It takes any measures necessary to minimize tax-related risks and coordinates them with the Group companies affected. The unit also draws up and communicates policies for overcoming or avoiding tax risks.