Risk Management

Enterprise Risk Management (ERM)

The present context of highly competitive and volatile business environments, market saturation of telecommunications operators, OTT Players, fast-changing technology, and economic uncertainties are threatening the continuity of our operations. Cyber-attacks are increasing and SLT’s network elements and systems are exposed to this risk. Therefore, it is vital for an organisation to foresee business-critical risks and manage these effectively as such. Having considered this context, the Board of Directors (BOD) gave direction to implement risk management processes across the Organisation in May 2011. Complying with the BOD’s direction; the Enterprise Risk Management (ERM) process and the ERM framework were developed in 2011. References have been made to the best practices of ERM such as ISO 31000 and COSO and due guidance has been obtained from Messrs Deloitte. The implementation of the ERM process within SLT started in early 2012 to identify and manage functional risks to create a risk management culture marked as Business-as-Usual (BAU).

In September 2014, the Board of Directors took another step to keep the ERM process up to date by setting up a Risk Management Committee (RMC) at Board level chaired by a Director. This was to enhance and drive the ERM process within SLT and scrutinise any business-critical top risks at the Board level. In addition, a Risk Management Steering Committee (RMSC) was also formed under the Chairmanship of the Group CEO. This was to aid the RMC in analysing any escalated risks from functional groups and to identify any business-critical risks as such. The ERM framework was thus modified under the guidance of the Group-RMC. In 2016, the ERM process was extended to our subsidiaries with the accommodation of Mobitel, and the RMC was renamed as the Group-RMC. Later in 2016, the Board recommenced the reviewing of group risks with an agenda item in the Audit Committee meeting replacing the Group RMC.

Our culture of risk management has now reached maturity at both functional units and project management. Since the introduction of the ERM in 2011, it has become an important (BAU) process. It encourages senior executives to embed the risk management process into functional units. This has empowered them to take appropriately-calculated positive risks (rewarded risks) and accept, mitigate, avoid or transfer any negative risks (unrewarded risks). The figure below illustrates the organisation of the ERM, its responsibilities and the relevant reaches of the responsible groups. This elaborates that due consideration should be given to enterprise-related risks when making all business decisions. The following table summarises top business-critical risks; both industry-specific and company-specific; gives a brief description of each risk and their potential impact; and details our assessment of the level of severity of such and the actions taken to mitigate them.

No. Type Category Risk description Impact Severity Mitigation factors
1. Industry Regulatory Fibre laying by telcos and
non-telcos, creating undue competition against the
NBN license holder on
wholesale business
Threat for ROI
on NBN Loss of business opportunities
  • SLT has raised its concerns with TRCSL and continuously lobbying with authorities against the license violation
2. Company Regulatory Delays by TRCSL in allocating
a further 20MHz in the 2.5GHz
band for the fixed LTE rollout
Delayed project rollouts Set limitations to the expansion of LTE network Low  
3. Industry Business Renewal of Integrated Transmission Network
License of Competitors with
a new inclusion to provide
last mile fibre connectivity
competition in Broadband Business
  • Litigation in progress
  • Expediting the FTTH rollout
    and Capturing the market
  • Improve quality of service (QoS)
4. Company Financial External pressures to recruit outsourced (e.g. SLTHCS) staff
as SLT’s permanent employees
operational costs Degrade the quality
of employees
  • Suspension of sourcing new staff through SLTHCS
  • Discontinue outsourced employees who have disciplinary issues
  • Timely breaks of contract periods in process to recruit HCS Staff who meet the requirements in the SRPS
  • Organise training opportunities to improve competencies of the out sourced staff to improve their cooperative contribution
5. Company Strategic Non-Existence of a company-wide Business Continuity Plan Threat to business continuity in disaster situations Financial losses Loss of reputation Low
  • An organisation level BCP is prepared with the support of external experts. BCPs prepared for individual business units are being tested
6. Industry Financial Exposure for FOREX fluctuations FOREX translation Losses   High capital and operational costs in Rupee terms High
  • To explore possibilities of limiting non-business critical CAPEX expenditure since most CAPEX related expenditure is in Foreign currency
  • Improve foreign currency inflows which will reduce the USD exposure
  • Limit the funding through borrowings in foreign currency
7. Industry Financial Declining of International Revenues from On-net traffic due to the existence of Bypass terminations and OTT Revenue loss Medium
  • Use of technology to monitor bypass traffic and take appropriate actions
  • Lobby with authorities to tax the International
    OTT operations
  • Introduce OTT content/services by SLT collaborating with ICT service providers
8. Company Operational Data integrity risk Loss of business opportunities Low
  • Revisiting existing business processes and making necessary improvements
  • Identification and correction of inaccurate data in the systems
9. Industry Financial Financial risks due to
Government Budget 2016/17
and subsequent customer
reaction to taxes
Reduced ARPU Decline in profit margins High
  • Continuously monitor the impact
  • Provide value additions
10. Company Financial Lack of effective governance framework over subsidiaries Corporate governance compliances Medium
  • Working with a consultancy to establish a governance framework
11. Company Financial Lack of documentary evidence
to prove the titles for some of
the SLT’s property (transferred
to SLT by the state)
Threat on company
non-current assets
  • Working closely with the Attorney General’s Department, the Ministry of Telecom & Digital Infrastructure and the Ministry of Lands to resolve the matter
12. Industry Information Security Cyber Security incidents and leakage of sensitive information Threat to Business continuity Loss of customer Confidence Loss of Revenue Threat to the competitive position of SLT High
  • Established an IS Management Steering committee
  • Review existing Information Security policies and procedures and standards
  • Information Security posture Assessment for SLT enterprise and service provider network & Associated Systems
  • Implement and maintain ISO 27001 standards for all technical operational areas
13. Industry Legal Non-Compliance to Laws,
licenses and regulatory
conditions would lead to
penalties and reputational risk
Negative impact
on brand image   Financial risk
  • Vigilance Team to look for conditions in existing and prospected Acts that could create harm to SLT
  • Create awareness among the senior management and employees on possible impacts of the violation of Acts/Licenses/BOI/CSE Conditions
  • Classification in SLT to prepare a single list of non-disclosure information as per the provisions in RTI Act