Enterprise risk management (ERM) framework

Operating in a broad range of geographical product and service markets in the highly competitive and regulated telecommunications industry, Telia Company is subject to a variety of risks and uncertainties. Telia Company has defined risk as anything that could have a material adverse effect on the achievement of Telia Company’s goals. Risks can be threats, uncertainties or lost opportunities relating to current or future operations or activities. Risks and uncertainties related to business and sustainability as well as to shareholder issues are described in Risks and uncertainties and financial risks in Note C26 to the consolidated financial statements.

Three lines of defense − integrated governance, risk management and compliance

Telia Company’s risk management can be illustrated as three lines of defense that form an integral part of the group’s operational activities, business planning process and monitoring of business performance. Risks are identified and assessed, and measures are implemented to mitigate and monitor these risks.

Enterprise risk management – lines of defense

The defense-line roles and responsibilities include:

  • First line of defense: The line organization owns its operational risks and is responsible and accountable for assessing, controlling and mitigating the risks as well as for internal control activities and assurance.
  • Second line of defense: Comprises the group-level enterprise risk management (ERM) function, the group risk area coordinators, the internal controls function within group Finance, the group Ethics and Compliance Office in CEO Office; Strategy & Combined Assurance and the GREC meetings.
  • Third line of defense: The group internal audit function provides independent assurance on the risk management process and internal control environment. External parties, such as the external auditors and regulatory bodies, provide assurance related to specific statutory requirements, e.g. information presented in the consolidated financial statements or reported to the Swedish Financial Supervisory Authority.

Risk management process

Risk management – process flow

The objective of the continuous risk management process is that all risks that may help or hinder the achievement of Telia Company’s objectives are regularly assessed, managed and monitored. Risk management shall be fully integrated into the business processes. The risk management procedures shall be transparent, feasible and traceable. Management shall ensure that a personal sense of responsibility and common view on and awareness of risk is established among the employees, as well as facilitate accountability for risks in daily decision-making. Risk reporting is integrated into the business planning process and risks shall be reviewed at business reviews and escalated through the line organization.

Quarterly, the Audit and Responsible Business Committee and the Board receive a consolidated risk report, aligned with the Board’s annual work cycle. The consolidated report is divided into four categories:

  • Financial risks
  • Operational and societal risks
  • Strategic and emerging risks
  • Legal and regulatory risks

Under each of these categories, risks are presented either as group-wide or by country.

In addition, the Audit and Responsible Business Committee quarterly receives a consolidated litigation report with short-form details of ongoing, pending and threatened legal and administrative proceedings. Each case description also includes alleged nominal and estimated financial impact when possible and a probability grading.

Management shall conduct risk and compliance evaluations and assessments proactively, regularly and in a timely manner in order to ensure that all employees are aware of and take steps to comply with the relevant requirements. Compliance means conforming to external as well as internal requirements, such as:

  • Applicable legislation and regulation
  • Customer agreements
  • International standards and norms
  • Group policies and group instructions

The most significant risk areas are monitored by the risk management (ERM) function including the GREC meetings, the internal controls function within group Finance and the group Ethics and Compliance Office.

Group-level enterprise risk management (ERM) function

The Head of the ERM function, within group function CEO Office; Strategy & Combined Assurance, acts as the owner of the group-common ERM process to ensure a structured approach towards risk management, compliance and reporting within the group. The function’s responsibilities are to:

  • Own, govern, coordinate and monitor the ERM process to ensure a structured approach towards risk management, compliance and reporting in the group
  • Own the group framework for ERM, policies and instructions within his/her areas of responsibility, monitor compliance with them and support group-wide implementation
  • Oversee the operational effectiveness of the ERM processes across the group and propose actions for improvement
  • Monitor the risk level as well as the nature of specific risk matters across the group. As part of that responsibility, the CRO will collect and aggregate the respective reports from countries and group functions in order to give the CEO and the Board a consolidated and holistic view on the group’s risk level and individual, material risks
  • Facilitate and organize the governance forum for Risk Management and Compliance (GREC) on group level
  • Review group policies and instructions

Compliance framework and programs

Also supporting first-line defense, Telia Company has established a framework to enable systematic work with compliance issues. The compliance framework consists of eight elements that are founded on a sound and clear tone from the top. It is designed to adhere to international standards and is based on prevent, detect and investigate principles.

Compliance framework

Prioritized risk areas, within the responsible business area, are identified based on risk assessments. The most significant risks in this area are monitored by the Group Ethics and Compliance Office in CEO Office; Strategy & Combined Assurance and managed according to the framework through subject-specific compliance programs to ensure consistency and follow-up in implementation and reporting. Currently prioritized risk areas are reflected by the following ongoing programs:

  • Anti-bribery and corruption
  • Freedom of expression and surveillance privacy
  • Customer privacy
  • Children’s rights
  • Responsible sourcing
  • Environmental responsibility
  • Occupational health and safety

For additional information on the approach and work in the respective area, see “Responsible business.”

Governance, Risk, Ethics and Compliance (GREC) meetings

The purpose of the GREC meetings is to act as the primary governing bodies within risk and compliance and to evaluate risk levels and propose risk-mitigation actions.

At the GREC meetings, which are held at least quarterly, management meets to update, discuss, decide and follow up on ongoing activities and initiatives within the different risk areas and sustainability focus areas. The purpose of the GREC meetings is to:

  • Consolidate risk reporting from countries/units
  • Assess country and group-wide risks
  • Review risk levels in relation to risk appetite
  • Recommend and decide on risk mitigation actions
  • Escalate and report risks and follow up on mitigation actions
  • Monitor compliance for key risk areas
  • Build risk culture
  • Monitor and respond to audit findings and non-compliance against internal and external requirements
  • Ensure communication and feedback to all relevant stakeholders

GREC meetings are held on group and country level as well as in selected group functions and subsidiaries. On group level, the GREC meeting is chaired by the CEO and consists of Group Executive Management extended with the Head of region Eurasia, the Head of ERM, the Chief Ethics and Compliance Officer as well as the Head of Group Internal Audit. The purpose, agenda and participants of local GREC meetings mirror the group-level meetings.

Whistle-blowing process

Speak-Up Line

2017 was the third full year of operation of Telia Company’s Speak-Up Line, the whistle-blowing tool enabling employees and others to anonymously report violations of proper accounting, reporting or internal controls, as well as non-compliance with local laws or breaches of Telia Company’s Code of Responsible Business Conduct, group policies and instructions. Telia Company has a group-wide standard for performing internal investigations. The guiding principle is to ensure that investigations are conducted objectively and impartially; are carried out in a way to swiftly establish the facts with minimum disruption to the business or the personal lives of employees; and to make sure that confidentiality and non-retaliation are respected at all times.

To the reader of this Statement: If you believe there are deficiencies in Telia Company’s financial reporting or if you suspect any misconduct within the Telia Company group, you may report your concerns at: www.speakupline.ethicspoint.com

Speak-Up Line 2017

During 2017, 179 whistle-blowing reports were recorded (123 reports in 2016). The reported issues related mainly to reproach to management, leadership, conflict of interest, and customer complaint or enquiry. Most of the reports were received through the Speak-Up Line, through direct contact with group or local ethics and compliance officers, or through line managers. The majority of reports came from Sweden, Kazakhstan and Uzbekistan.

51 internal investigations were conducted by the Special Investigations Office of Group Ethics and Compliance (35 cases during the same period in 2016). During the period, 10 disciplinary decisions were taken by the group management. These included warnings of employees and managers. In 2017, 11 (24) investigations were requested by managers.

Consolidated case reports were presented to the Audit and Responsible Business Committee throughout the year. The reports included allegations of certain significance, progress of investigations and the final results of the investigations.

Number of whistle-blowing case reports during 2017 (2016)

  • Investigations opened by the Special Investigations Office: 51 (35)
  • Reports related to Human Resource matters (handled jointly with Group People & Brand): 51 (19)
  • Reports sent for information to other departments (e.g. customer or supplier complaints), or closed after an initial review and response to the whistle-blower concerned (e.g. in cases of ethical reproach): 77 (69)
  • Total: 179 (123)


Reporting channel 2017 (2016)

  • Speak-Up Line portal: 67 (50)
  • Sent to the Speak-Up Line e-mail address: 15 (12)
  • Direct contact with ethics and compliance officers at group or local level: 9 (17)
  • Line managers: 4 (18)
  • Telia Company’s executive management: 4 (2)


Origins of reports during 2017 (2016)

  • 44 (33)
  • Region Eurasia: 42 (56)
  • Other group companies: 14 (11)

Internal investigation KPIs




Whistle-blowing cases closed within eight weeks