Risk management

The Board of Directors has set the objective of protecting the company’s enterprise value through the implemen-tation of Group-wide risk management. A corporate culture that promotes the conscious handling of risks facilitates the achievement of this objective. Accordingly, Swisscom has implemented a Group-wide, central risk management system that is based on ISO Standard 31000 and takes account of both external and internal events. Swisscom maintains level-appropriate, comprehensive reporting and appropriate documentation. Its objective is to identify, assess and address significant risks and opportunities in good time. To this end, the central Risk Management unit, which reports to the Head of Group Security & Corporate Affairs, works closely with the Controlling and Strategy departments, other assurance functions and line functions. The risk management system is examined periodically by an external auditor. Swisscom assesses its risks in terms of the probability that they will occur and their quantitative and qualitative effects in the event that they do occur. It manages risks on the basis of a risk strategy. The risks are evaluated in terms of their impact on key performance indicators. Swisscom reviews and updates its risk profile on a quarterly basis. In April and December, the Head of Risk Management provides the Board of Directors and the Audit & ESG Reporting Committee with information on significant risks, the potential effects and the status of the corresponding measures. In urgent cases, the Chairman of the Audit & ESG Reporting Committee is informed without delay about any significant new risks. Once a year, the Head of Risk Management consults with the Audit & ESG Reporting Committee (without management involvement).

The internal control system (ICS) ensures the reliability of financial reporting with an appropriate degree of assurance. It acts to prevent, uncover and correct substantial errors in the consolidated financial statements, the financial statements of the Group companies and the Remuneration Report. The ICS encompasses the following components: control environment, assessment of accounting risks, control activities, monitoring controls, informa-tion and communication. The Accounting unit, which reports to the CFO, manages and monitors the ICS. Internal Audit periodically reviews the functioning and effectiveness of the ICS. Significant shortcomings in the ICS identified during these monitoring and review activities, including the corrective actions defined, are reported in the status report to the Audit & ESG Reporting Committee twice a year and to the Board of Directors on an annual basis. Should the ICS risk assessment change significantly, the Chairman of the Audit & ESG Reporting Committee is informed without delay. Appropriate corrective measures to remedy the shortcomings are monitored by the Accounting unit. The Audit & ESG Reporting Committee assesses the performance and effectiveness of the ICS on the basis of the periodic reporting. The internal control system for non-financial reporting is currently being set up. The 2024 Sustainability Impact Report was audited by SGS and compliance with the Global Reporting Initiative (GRI) was confirmed.

The Group-wide central Compliance Management System (CMS) is designed to prevent compliance violations in order to protect the Swisscom Group, its executive bodies and employees from legal sanctions, financial losses and reputational damage. The CMS covers the following legal areas: Anti-corruption, Money laundering and terrorism financing, Data protection and confidentiality, Competition law, Telecommunications law and Stock exchange law.

Swisscom enhanced its CMS in line with the ISO 37301 standard in 2024. The Group’s dedicated compliance functions as well as the compliance officers and compliance managers of the business divisions and fully consoli-dated subsidiaries provide support to the line for the ongoing implementation of the CMS in specific legal areas. External auditors review the CMS for adequacy and effectiveness every four years. Furthermore, external auditors will continue to conduct a specific audit in the area of money laundering law on an annual or biennial basis. 

Once a year, Group Compliance reports directly to the Audit & ESG Reporting Board of Director’s committee and to the Board of Directors on its activities, compliance risk assessment and target achievement. In the event of significant changes in the assessment of compliance risks and in the event of potentially serious compliance violations, a timely report is sent to the Chairman of the Audit & ESG Reporting Committee and to the Chairman of the Board of Directors. 

Internal auditing is carried out throughout the Group by the Internal Audit division. Internal Audit supports the Swisscom Ltd Board of Directors and its Audit & ESG Reporting Committee in fulfilling their statutory and regulatory supervisory and controlling obligations. Internal Audit also supports management by highlighting opportunities for improving business processes and controls as well as the assurance functions. It documents the audit findings and monitors the implementation of measures. Internal Audit is responsible for planning and performing audits throughout the Group in compliance with professional auditing standards and has a high degree of independence. It is under the direct control of the Chairman of the Board of Directors and provides reports to the Audit & ESG Reporting Committee. At an administrative level, Internal Audit provides reports to the Head of Group Strategy & Board Services. Administratively, Internal Audit reports to the Head of Group Security & Corporate Affairs. Once a year, the Head of Internal Audit consults with the Audit & ESG Reporting Committee (without management involvement).

Internal Audit liaises closely and exchanges information with the external auditors. The external auditors have unrestricted access to the audit reports and audit files of Internal Audit. Based on a risk analysis and in close coordination with the external auditors, Internal Audit prepares an audit plan annually and presents it to the Audit & ESG Reporting Committee for approval. Notwithstanding the above, the Audit & ESG Reporting Committee can commission special audits – and do so based on information received on the whistle-blowing platform operated by Internal Audit. This reporting procedure, which has been approved by the Audit & ESG Reporting Committee, allows complaints relating to external reporting and financial reporting, among other things, to be submitted anonymously to Internal Audit, which ensures that these will be followed up. At the meetings, which are held at least quarterly, the Audit & ESG Reporting Committee is briefed on audit findings, the reports submitted to the whistle-blowing platform and the implementation status of the audit plan. The Head of Internal Audit took part in all five meetings of the Audit & ESG Reporting Committee in 2024.

Swisscom implements certified management systems based on internationally accepted standards. These ensure that all of Swisscom's services are quality controlled and developed, simplified and improved systematically. Together, they form Swisscom’s integrated ISO / IEC management system and are periodically audited by external auditing company SGS.

Go to ISO / IEC management system

At the behest of the Board of Directors, the Audit & ESG Reporting Committee verifies the qualifications, independence and performance of the statutory auditors as a state-supervised auditing firm. The statutory auditors are appointed annually by the Annual General Meeting. Since 2019 PricewaterhouseCoopers AG (PwC) is the statutory auditor for Swisscom Ltd and its Group companies. Also, Fastweb is audited by PricewaterhouseCoopers S.p.A.

More about the statutory auditor