Annual report 2020

Risk management

Orange Polska is exposed to a range of external and internal risks of varying types which can impact the achievement of its objectives. Therefore, Orange Polska maintains a risk management framework to identify, assess and manage risks.

Risk management system

This framework has been based on the ISO 31000:2018 standard and ISO 27005 (for Information Security Management System only). Leaders within the Group’s individual business areas and functions are responsible for the assessment and management of risks, including the identification and escalation of new/emerging circumstances, and monitoring and reporting on both the risks themselves and the effectiveness of control measures. Events are considered in the context of their potential impact on the delivery of our business objectives.

Orange Polska’s three lines of defence

We assess event-based risks according to their likelihood and impact in terms of financial, reputational, business continuity and human resources loss. If the consequences are, for example, both financial and reputational, the risk is assessed according to the most negative consequence. When the negative impact of a risk is assessed as exceeding the acceptable level, mandatory mitigation measures are put in place to prevent or minimise losses. The effectiveness of such measures is verified on an ongoing basis, and they are adjusted as required. The risks and the mitigation measures assigned to them constitute an input for the development of the Annual Internal Audit Plan.

In addition, similar identified risks are grouped into clusters to ensure consistent and effective risk management across the Orange Polska Group. The risk assessment process, illustrated in Fig. 2 below, is managed by domain co-ordinators. The division of risks into the domains of operating risks, loss of information, business continuity, compliance, fraud and social risks ensures a uniform and objective approach to the assessment of risks with similar consequences (cause and effect analysis). The social risk cluster is associated with the Vigilance Plan, which includes all companies and contracting parties in the international Orange Group and covers risks related to human health, safety and security, environmental damage and serious violation of human rights or fundamental freedoms.

A list of TOP risks is developed as a result of individual meetings with Board Members and Executive Directors, who indicate significant events that have the potential to jeopardise the Company’s strategy. Based on the risks identified in this process, their owners continue with further assessment of the risk likelihood and impact, as well as assigning mitigation measures and appointing the managers responsible for the implementation thereof. The outcome of the analysis of each TOP risk is subject to approval by the Board Member or Executive Director responsible for the particular area and, in case of potential financial loss, also by the Chief Financial Officer.

The risk management process in Orange Polska

Reporting

Indicative heat maps are used to report and evaluate risks.

Sample heat map

This example presents a risk that has low reputational impact, but moderate impact in terms of business continuity. Therefore, the overall assessment of the risk would be medium.

The Audit Committee monitors the effectiveness of the risk management system. The report on the system’s design and operation is reviewed by the Audit Committee.

The TOP risks are reviewed at meetings of the Management Board and the Supervisory Board.

TOP risks

The TOP risks, which are set out in the table, are clusters of event-based risks that could have a material impact on the business model, future performance, solvency or liquidity of the Group. In each case, the extent to which the Management Board can mitigate the risk is highlighted.

The risk areas included in the TOP list are those which most strongly define our business activities and contribute to the loss or gain of value, and they are subject to change. For example, in 2020 we determined that risks resulting from the introduction of handsets with embedded SIM (eSIM), such as losing our relationship with customers to OTT operators, had been sufficiently mitigated.

We also identify and monitor risks related to our impact on society and the natural environment. Due to the increasing importance of climate change and its impact on the functioning of the Company and society, climate risk is among the TOP risks.

In 2020, one of these key social risks turned out to be the impact of the pandemic on the operations of the Company, its employees and customers.

Pandemic

The pandemic caused by the COVID-19 outbreak has deeply transformed the setting in which Orange Polska conducts its telecommunications business. Although the COVID-19 pandemic is no longer a risk in itself, it may trigger new risks for the business. We describe some of those we have identified in the table below. For the remaining risks, it should be noted that the pandemic is taken into account in their assessment even if it is not directly mentioned.

Risk exposure

Each category’s current exposure relative to the previous year is indicated by the arrow in the risk exposure column.

 

Risk area

Orange Polska’s failure to successfully implement its strategy could lead to a loss of market share and/or shrinking margins.

 

Main business objective / Strategy reference

Unmatched data connectivity for households and businesses.

 

Risk exposure (year-on-year change)

 

 

 

Key risks, issues or areas of uncertainty

  • Increased competition and pressure on services and prices
  • Increased competition from CATV operators in the convergent market
  • Failure to obtain the expected return on investment in fibre and loss of broadband market share
  • Additional pressure on telco operators taking part in tenders for the public sector
  • Emergence of new types of fraud with new technologies

 

Potential impact

The main markets in which Orange Polska operates are under growing competitive pressure resulting from consolidations in recent years (CPG+Netia, Vectra+Multimedia) and the entrance of new players (Iliad's acquisition of Play). Additionally, a significant amount of non-OPL FTTH/VHBB coverage (POPC, CATVs) is going to be opened for wholesale access, which will increase the opportunity for MNOs to launch fixed and mobile convergence on a wider scale. These market changes and trends could limit OPL's ability to deliver its convergence ambitions, as the market will be more crowded, and could impact OPL's value strategy, as stronger competitors could put pressure on retail market pricing. Market changes could also decrease the return on OPL's FTTH investments, as some demand could be met by new open-access wholesale providers. The Government extending its ownership in the telco sector may have a direct impact on OPL's revenues from the public sector. Moreover, with the growing complexity of technologies and networks and the accelerated implementation of new applications and services, particularly related to interconnection and customer relationship management, new types of fraud which are more difficult to detect or combat could also emerge. This may result in a loss of revenues.

 

Management approach and mitigation measures

In response, Orange Polska has chosen to consider more openness on the wholesale market to allow other operators (e.g. T-Mobile) to sell on the OPL FTTH network, which will boost network profitability. In order to further expand our fibre footprint, we have signed the FibreCo partnership, which will build a fibre network to an additional 1.7m households by 2025. FiberCo will operate as a wholesale-only service provider, providing access to its network on equal terms to OPL and other interested operators. Additionally, OPL is actively engaging other FTTH infrastructure providers to obtain more fibre coverage and keep its advantage of scale over other ISPs. We are also continuing our operational and cost transformation to make our business model more robust and efficient, which will deliver more flexibility in case of any market disruptions. Due to the breadth of our offer and our multi-year experience in providing convergent services, we believe we have the tools to differentiate our service offer, keep it competitive and fit it best to customer demand. We are constantly investing in the quality of our sales channels and customer care service. We are currently the most recommended telecom operator on the Polish market.

 

Risk area

Increase in the number and duration of service interruptions.

 

Main business objective / Strategy reference

Effortless and friendly customer experience.

Unmatched data connectivity for households and businesses.

 

Risk exposure (year-on-year change)

 

 

Key risks, issues or areas of uncertainty

  • Orange Polska’s IT&N infrastructure outage
  • Exposure of Orange Polska to cyber attacks
  • Occurrence of terrorist attacks
  • Decrease in quality or non-performance of services due to dependence on external partners

 

Potential impact

Service disruption or interruption may occur following (i) cyber-attacks (on the IT&N infrastructure), (ii) outages (of hardware or software), (iii) human errors, acts of terrorism or sabotage of critical hardware or software, (iv) failure of a critical supplier, or if the network in question does not have sufficient capacity to meet the growing usage needs, or (v) during the implementation of new applications or software.

Interruptions in service provisioning may be prolonged if engineers who fix network malfunctions become infected or the infection spreads among members of the technical groups.

The impact of such incidents could seriously damage Orange Polska’s reputation and result in revenue erosion, affecting its profits and market position.

 

Management approach and mitigation measures

This risk is mitigated by proper network and IT systems development planning, investments in the development of disaster recovery solutions, insurance schemes (covering cyber and terrorism risks), as well as implementation of business continuity and crisis management plans. Orange Polska has become the first telecom operator in Poland to obtain the ISO 22301:2012 Certificate for its Business Continuity Management System in the scope of provision of telecommunication, ICT and cybersecurity services.

Risk area

Breach of security of information, including personal data.

 

Main business objective / Strategy reference

Acting in effective and responsible manner.

Effortless and friendly customer experience.

 

Risk exposure (year-on-year change)

 

 

Key risks, issues or areas of uncertainty

  • Breach of security of information, including personal data

 

Potential impact

Orange Polska’s activities may trigger the loss, disclosure, unauthorised communication to the general public or third parties or inappropriate modification of the data of its customers. Such losses could arise from (i) implementation of new services or new applications, for example those relating to billing and customer relationship management, (ii) launch of new initiatives, especially in the field of Internet of Things (IoT), (iii) malicious acts (including cyber-attacks), particularly aimed at theft of personal data, or (iv) potential negligence within Orange Polska or its external partners.

For infringement of GDPR protection rules, administrative fines of up to 4% of the annual global turnover may be imposed. Such incidents could have a considerable impact on the Group’s reputation and a heavy impact on its liability, potentially including criminal liability, and hence have an adverse impact on Orange Polska’s future financial performance.

As in the case of personal data, Orange Polska faces a risk of unauthorised disclosure, publication or communication to unauthorised entities of proprietary information constituting corporate secrets, particularly the details of intended initiatives, marketing campaigns, new offers or sales packages. The premature disclosure thereof could result in Orange Polska’s failure to achieve its sales objectives and loss of its market share. The main causes of this risk include: (i) industrial (corporate) espionage, (ii) malicious acts (including cyber-attacks), particularly aimed at theft of proprietary information, or (iii) potential negligence on behalf of the Group or its business partners.

 

Management approach and mitigation measures

Orange Polska holds an Information Security Management System certificate of compliance in line with ISO/IEC 27001, for the scope of services of telecommunications and ICT, hosting, collocation, cloud computing, cybersecurity and personal data processing in cloud computing.

In addition, Orange Polska holds a certificate of compliance with ISO/IEC 27018 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; it covers personal data processing services in cloud computing via ICS (Integrated Computing Standard), ICM (Integrated Computing Managed) and smart CCaaS (smart Contact Center as a Service) cloud computing.

Furthermore, the Company holds and maintains FIRST and Trusted Introducer certificates for CERT Orange Polska.

Risk area

Risks related to financial markets.

 

Main business objective / Strategy reference

Acting in effective and responsible manner.

 

Risk exposure (year-on-year change)

 

 

Key risks, issues or areas of uncertainty

  • Increase of interest rates
  • Depreciation of the local currency

 

Potential impact

In 2020 the Polish Central Bank decreased the reference rate to a historic low of 0.10%. The market expects that the Monetary Policy Council (MPC) will keep interest rates unchanged in 2021 and that they will remain stable until the end of the current MPC members’ tenure, i.e. 2022.

Foreign exchange rate fluctuations affect Orange Polska’s liabilities denominated in foreign currencies and settlements with foreign operators.

 

Management approach and mitigation measures

A potential increase in interest rates should not have any major influence on Orange Polska’s debt service costs, owing to a high hedging ratio.

Potential depreciation of the Polish zloty should not have any major influence on Orange Polska’s liabilities denominated in foreign currencies or settlements with foreign operators, owing to a high hedging ratio.

Risk area

Regulatory obligations resulting from legislation changes and administrative decisions.

 

Main business objective / Strategy reference

Acting in effective and responsible manner.

 

Risk exposure (year-on-year change)

 

 

Key risks, issues or areas of uncertainty

  • Risks related to acquisition of new spectrum for high-tech telecommunications services (including 5G)
  • Potential consequences of US – China Dispute
  • Legislative process of Electronic Communications Law (will replace the current Telecommunications Law)
  • Proceedings by UOKiK and European Commission related to network sharing
  • Financial corrections or compensation for delays in POPC investments
  • Increased tax burden and fiscal pressure resulting from changes in legislation
  • Increase in remuneration for the use of third parties’ land for the purpose of development and maintenance of Orange Polska’s infrastructure
  • Reputational and financial losses resulting from involvement of Orange Polska’s employees in corruption schemes

 

Potential impact

Orange Polska must comply with various regulatory obligations governing the provision of services and products, particularly related to obtaining and renewing licences. The regulatory obligations result from legislation changes and administrative decisions. Regulatory decisions and changes in the regulatory environment may have an adverse effect on Orange Polska.

Adjustments of operations to the provisions of the new Electronic Communications Law will be required in 2021. The new law (currently in the legislative process) will replace the Telecommunications Law and will constitute a new legal framework for telecommunications operators.

Legislative work is ongoing at the government level on the draft law on the national cybersecurity system. This draft law includes, inter alia, an assessment scheme for so-called high-risk suppliers. Among the assessment criteria is control over a given supplier by a non-EU, non-NATO state.

If a vendor is recognized as a high-risk supplier through an immediately enforceable administrative decision, then telecommunications operators (and other entities subject to regulations) will be obliged to:

  • not put into use ICT services/products/processes indicated in the decision and provided by the high-risk vendor
  • withdraw the indicated ICT services/products/processes no later than within 7 years (general regulation) or 5 years (applies to telecommunication operators if the decision covers critical functions of the network)

For telecom operators, such as Orange Polska, imposition of such regulations could affect the range of telecommunications equipment suppliers available on the market, which may bring delays or an increase in the costs of implementing the 5G network. New regulations could also entail other costs related to the obligation to withdraw products/services/processes provided by a high-risk vendor.

There is a risk of failure to achieve the expected return on investment due to a decrease in co-financing or an obligation to extend the scope of investment with regard to POPC.

Despite Orange Polska’s drive to strengthen its anti-corruption policy, corruption cases could occur due to the number of partners engaged and complex processes performed. This could have an adverse impact, particularly on Orange Polska’s reputation.

Management approach and mitigation measures

In 2020, there were a number of changes in the legal environment with respect to both general law and provisions specific to the telecom sector. The legislative process for the Electronic Communications Law began in 2020 and work continues; the new act should probably come into force in 3Q2021. The legal and regulatory environment requires constant and diligent monitoring, as well as allocating resources to implement new regulations and prevent any noncompliance.

At the European level, in 2019 the European Union commenced work to develop a concerted approach to 5G network security, particularly carrying out a risk assessment and identifying the key risks affecting 5G networks. As a result, a general approach to 5G network security was presented in “Cybersecurity of 5G networks – EU Toolbox of risk mitigating measures”, published in Jan. 2020. This document does not explicitly exclude or prohibit any supplier. However, dependence on one supplier, as well as risk associated with the supply chain, including the activities of other countries, were considered a significant risk. It is also foreseen that Member States will carry out risk profile analyses and, depending on their results, introduce appropriate restrictions and exclusions, especially for key resources. This is also done at the national level, as reflected in the signing of the U.S.-Poland Joint Declaration on 5G in 2019 and the commencement (2020) of a legislative process regarding new requirements for the security and integrity of telecommunications networks, including 5G. Orange Polska keeps track of this area of possible regulation and will act to comply with any new obligations if they are put into force.

Orange Polska has implemented an Anti-Corruption Policy and Guidelines. These regulations contain detailed rules and standards as well as references to specific conditions and circumstances relating to the identification and mitigation of corruption risks. In addition, we have carried out a number of training sessions and information campaigns to raise awareness of anti-corruption laws and rules among employees. In 2019, a new anti-corruption training programme, “Zero tolerance for corruption”, was implemented in OPL. Training was profiled according to the risk exposure of particular groups of employees.

 

Risk area

Exposure to electromagnetic fields (EMF) from radio equipment.

 

Main business objective / Strategy reference

Unmatched data connectivity for households and businesses.

Acting in effective and responsible manner.

 

Risk exposure (year-on-year change)

 

 

Key risks, issues or areas of uncertainty

  • Adverse effects of EMF on human health
  • Decline in use of mobile telecommunications services
  • Difficulties and additional expense in rolling out base stations and other wireless equipment

 

Potential impact

There might be increased concerns in future about the effects on human health of exposure to electromagnetic fields (EMF). Based on the Governance’s assessment of the scientific evidence, since January 1, 2020, the Polish EMF limits have been consistent with the Council Recommendation 1999/519/EC. Consequently, they are currently similar to the limits adopted in most European countries. If new scientific evidence gave rise to greater concern in future, this would likely result in a decline in use of mobile telecommunications services, difficulties and additional expense in rolling out base stations and other wireless equipment, and an increase in litigation.

 

Management approach and mitigation measures

The top management monitors compliance with regulatory requirements, emission limits and other legal requirements related to environmental protection. Furthermore, Orange Polska has implemented an environmental management system for provision of mobile services.

Risk area

Orange Polska’s failure to successfully implement its climate strategy could lead to a negative impact on reputation, increasing operational costs and the loss of some investors and customers.

 

Main business objective / Strategy reference

Acting in effective and responsible manner.

 

Risk exposure (year-on-year change)

New

 

Key risks, issues or areas of uncertainty

  • Failure to execute the green strategy by assuring green energy at the determined level
  • Insufficient regulatory support for the development of renewable energy in Poland
  • Lack of or low customer interest in adopting carbon-neutral and/or emission-reducing solutions
  • Lack of a national Polish net zero emission strategy

 

Potential impact

Failure to deliver on declared climate objectives (and in the worst case, an increase in CO2 emissions) may result in negative media publications and adverse opinions of environmental organizations and rating agencies, which may reduce Orange’s position in the WIG-ESG ranking (Environmental, Social, Governmental responsible companies index). This can reduce investor interest in our company. In the longer run it could also be reflected in lower customer satisfaction/loyalty.

Clients’, investors’ and other stakeholders’ awareness about climate changes and broadly understood sustainable development is growing. It is necessary to reduce the environmental impact of our activity, as well as the products and services we provide. If we fail to keep pace with changes in stakeholders’ expectations when it comes to reducing the environmental impact of our activities, we may lose market share, the confidence of investors, customers and other stakeholders. Many stakeholders expect high standards in environmental protection and continued reduction of the company’s impact on climate change, in line with science-based targets needed to reach the Paris Agreement climate objectives. Furthermore, increasing regulatory pressure is expected in the near future in line with climate neutrality objectives introduced by the EU and its member states.

While 5G is more energy efficient than older technologies, continuously increasing data traffic volume will increase the overall electricity consumption and could, therefore, mean higher CO2 emissions (as electricity use is the principal emission driver in telco). Increasing the share of renewable energy used by OPL through long-term Power Purchase Agreements is crucial to reduce OPL’s emissions despite this growth.

 

Management approach and mitigation measures

Green is at the core of the Orange Group and Orange Polska business strategy. OPL has the objective to achieve Net Zero Carbon by 2040 and significant GHG emissions reduction by 2025.

Appointment of a Climate Officer (in particular to set climate objectives closely linked with the business strategy of the Group, Engage 2025, and to implement and pilot relevant action plans for 2025) and development of a green strategy and action plan (#OrangeGoesGreen).

Open dialogue with stakeholders on OPL’s engagement and actions as well as the positive impact of telco industry on reducing emissions in other sectors.

Purchase of green energy through long term Power Purchase Agreements directly with producers to reach 60% of such energy in consumption mix in 2025. Continued action to optimise the energy used, including but not limited to technology evolution, further deployment of more energy-efficient solutions (e.g., 5G vs 4G, fibre vs. copper).

Main business objective / Strategy reference

Acting in effective and responsible manner

 

Risk exposure (year-on-year change)

New

 

Key risks, issues or areas of uncertainty

  • Increase in bad debts
  • Decrease in revenue from roaming services

 

Potential impact

A consequent lockdown due to a coronavirus relapse may pose a threat to OPL’s functioning and, as a result, to the business and the way it will operate.

Deterioration of the financial situation of some of OPL’s customers may increase the level of telco bad debts.

The market turbulence caused by COVID-19 may also decrease the sales price of receivables or even deter potential buyers from acquiring them.

Lockdown of tourist and business travel may decrease revenue from roaming services.

 

Management approach and mitigation measures

OPL complies with all governmental restrictions. All safety and sanitary measures are provided in its offices and shops for use by employees and customers on a daily basis.

The management monitors clients’ behaviour, including statistics such as payment ratios, bankruptcies, frauds and delays in payments, in order to adjust recovery actions and the credit management process immediately.

 

 
