Vodafone 2024 Annual Report

57 Vodafone Group Plc Annual Report 2024

Strategic report



Other information

Risk management Managing uncertainty in our business

We face multiple risks and uncertainties that could affect the success of our business. We mitigate these risks through a robust risk management framework and by integrating risk management into our daily operations and culture. Governance and identifying our risks The Audit and Risk Committee, on behalf of the Board, reviews and challenges the principal and emerging risks as well as advises on the level of risk the Company is willing to take in achieving its strategic goals. The Board approves Vodafone’s strategy and aligns the risk management approach with it. The risk function aims to make risk considerations an integral part of executing our strategy, enabling informed decision-making across all our markets. Our risk management approach is end-to-end, starting with local markets and Group entities identifying and evaluating risks to their local strategy. The Group risk team centrally assesses and challenges these risks. A comprehensive list of risks, along with external risk scanning findings, is presented to the Directors and executives for analysis and identification of significant risks. The proposed principal (pages 58 to 61), watchlist, and emerging (page 62) risks are agreed by our Executive Committee (‘ExCo’) before being submitted to the Audit and Risk Committee and the Board for review and approval.

Managing our risks It is important to establish the context and understand the environment in which we operate. We categorise our risks into different risk types (strategic, operational, or financial) and identify whether the source of the threat is internal or external. This helps us effectively treat risks and provide appropriate oversight and assurance. Executive risk owners have the responsibility to put in place adequate controls and necessary treatment plans to bring risks within acceptable tolerance levels. Additionally, risk treatment plans and the effectiveness of our current controls are monitored through in-depth risk reviews, which are presented to relevant oversight committees. Read more about the Audit and Risk Committee on pages 89 to 94 For each principal risk, we develop severe but plausible scenarios to understand the impact if it were to materialise. These scenarios provide additional insights into possible threats and improve the treatment strategy. They are also used to assess our viability. Read more about our long-term viability statement on page 63 The diagram below illustrates a simplified, high-level governance structure for risk management.

Overview of risk governance structure

Assurance Assurance functions Review and provide assurance over selected controls for the Group and local markets Internal audit Supports the Audit and Risk Committee in reviewing the effectiveness of the global risk management

Board/Audit and Risk Committee – Provide oversight for Vodafone Group – Discuss, challenge and make a robust assessment of principal and emerging risks – Embed appropriate risk culture throughout the organisation

Risk and Compliance Committee – Reviews principal, watchlist and emerging risks – Reviews effectiveness of risk management across the Group

Group risk team – Responsible for the application of the global risk management framework – Supports the Board/ExCo by creating programmes to strengthen our risk culture

Group risk owners – ExCo risk owners have responsibility for management of the risks assigned to them – Senior executive risk champions identify and implement mitigating actions

framework and management of individual risks

Vodafone Group

Local oversight committees Provide oversight for the local risk management programme Local market CEOs Set local objectives, identify priority risks and align tolerance levels with the Vodafone Group guidance Local risk owners Senior managers in local management teams are responsible for local risks and the local risk programme to manage, measure, monitor, and report on the risks Local risk managers Are the contact point for each market/entity on risk, and facilitate all activities as defined by the global risk management framework

Local markets or Group entities

Powered by