Vodafone 2026 Annual Report


Principal risks and uncertainties

Our principal risks

The external environment remains dynamic and, as a result, the Group continues to face a broad range of risks. These risks are actively monitored and managed through our established risk management framework, supported by a strong organisational risk culture.

Governance and oversight

On behalf of the Board, the Audit and Risk Committee (‘ARC’) reviews and approves the Group’s principal risks, considering their impact on strategic objectives, business model, financial performance and reputation, and challenging management’s judgements, where appropriate. The Board reviews the principal risks at least annually and monitors changes in the risk profile throughout the year. The change in the external environment, performance against strategic priorities and emerging risk drivers leads to a reassessment of risks and a refinement of the Board’s focus areas for the year. Principal risks are reviewed by the Executive Committee (‘ExCo’) and the Risk and Compliance Committee (‘RCC’) before being submitted to the ARC and the Board, supporting clear ownership and escalation and enabling executive and Board‑level challenge to focus on the risks with the greatest impact.

Risk management framework

The Group operates a global enterprise risk management framework applied consistently across local markets and Group entities, using common risk definitions, assessment criteria and escalation thresholds. This enables risks to be identified, assessed and aggregated, while recognising interdependencies and shared drivers as part of the Group’s risk assessment process.

Overview of the risk governance structure

Strengthening risk management

During FY26, the Group continued to strengthen its risk management framework, improving the consistency and comparability of risk information used by management and the Board. Governance was reinforced through closer alignment across the three lines of defence, enhancing accountability and risk reporting, as well as supporting more focused Board challenge and prioritisation of principal risks. Progress was made in preparation for UK Corporate Governance Code Provision 29 through enhancements to processes and supporting evidence for future Board attestation. Risk management was further strengthened through the introduction of an integrated Group‑wide Governance, Risk and Compliance (‘GRC’) platform, a refreshed risk taxonomy and the piloting of a Group operational risk management methodology, improving integration, aggregation and data‑driven insights across markets.

Emerging risks

Emerging risks are inherently uncertain and evolving, and have the potential to materially impact our strategic objectives, business model and long‑term value creation. We identify emerging risks through continuous analysis of internal and external trends, and the signals they present. Emerging risks are grouped into the following categories: legal and regulatory, political, economic, societal, technological, and ecological. These are assessed to determine escalation criteria and whether enhanced management focus, Board oversight, or elevation to principal risk status is required.

Board/Audit and Risk Committee
– Provide oversight for Vodafone Group
– Discuss, challenge and make a robust assessment of principal and emerging risks
– Embed appropriate risk culture throughout the organisation

Assurance functions
– Review and provide assurance over selected controls for the Group and local markets

Internal audit
– Supports the Audit and Risk Committee in reviewing the effectiveness of the global risk management framework and management of individual risks

Risk and Compliance Committee
– Reviews principal, watchlist and emerging risks
– Reviews effectiveness of risk management across the Group

Group risk team
– Responsible for the application of the global risk management framework
– Supports the Board/ExCo by creating programmes to strengthen our risk culture

Group risk owners
– ExCo risk owners have the accountability and responsibility for the management of the risks assigned to them
– Risk owners identify and implement mitigating actions

Vodafone Group

Local oversight committees
– Provide oversight for the local risk management programme
– Discuss, challenge, and make a robust assessment of the local risks and significant operational risks

Local market CEOs
– Set local objectives, identify local priority risks and align tolerance levels with the Vodafone Group guidance
– Approve and are accountable for the risk treatment options selected for their local risks

Local risk owners
– Are responsible for local risks and the local risk programme to manage, measure, monitor, and report on the risks

Local risk managers
– Are the contact point for each market/entity on risk, and facilitate all activities as defined by the global risk management framework

Local markets or Group entities

Local markets and Group entities identify and assess risks relevant to their strategies and operating environments, informed by management insight and assurance activities across the three lines of defence. These assessments are reviewed and challenged by the Group risk team to support completeness, consistency and appropriate aggregation, including consideration of changes in risk severity and the potential for risks to occur across multiple markets or entities. A consolidated Group risk profile is developed through a bottom‑up process and supplemented by external horizon scanning, thematic analysis and assessment of key risk drivers, supporting a forward‑looking view of the risks that matter most to the Group and its stakeholders.

Principal risks and viability

In assessing the Group’s principal risks, the Board considers the resilience of the business under severe but plausible scenarios, including the extent to which risks could interact or occur concurrently, informing the Long‑Term Viability Statement and the Board’s view of the Group’s longer‑term prospects. Risk appetite provides a framework for decision‑making by setting boundaries for acceptable risk‑taking and guiding management and Board discussion where risks approach or exceed tolerance.
