Risk Management
Effective Risk and Crisis Management
At Türk Telekom, Corporate Risk Management is positioned as an integral part of all our employees’ responsibilities, and we aim to make it one of the core elements of our decision-making processes by integrating it into all our operations. Our Board of Directors holds ultimate responsibility for the effectiveness of our Corporate Risk Management. The Board evaluates and monitors the risks and opportunities facing our group in alignment with the Group’s strategies. This oversight is exercised through the Early Identification and Management of Risks Committee. All organisational levels of our group, including senior management and risk owners, actively contribute to our Corporate Risk Management and Internal Control practices.
Our Internal Control Policy has been established to define our internal control objectives and policies, structure our corporate control environment, and lay the foundation of our control culture within the group. In addition, our Internal Control Standards have been developed to define our internal control practices, establish the necessary standards for achieving the objectives set out in this policy, and ensure a common internal control language and consistent implementation among our employees.
Our Corporate Risk and Business Continuity Department reports directly to the company’s General Manager and also works in functional coordination with our Early Identification and Management of Risks Committee, which operates under the Board of Directors. It is responsible for setting and improving the standards of our Corporate Risk Management System, coordinating risk management processes across the group, and monitoring the status and development of identified risks to report them to the relevant management levels. It is also responsible for managing the risk of business disruption, which is considered to be one of the group’s critical risks, and for carrying out our business continuity processes.
While our business units take ownership of their own risks and implement the necessary measures, the risk management mindset has been adopted as a natural part of all our employees’ business processes. All our employees across the company are responsible for complying with the risk management policy, effectively managing the risks within their areas of responsibility, and taking the necessary measures to ensure compliance with legal regulations. The risk management processes of our group companies are also carried out in alignment with the risk management standards established for Türk Telekom as the parent company.
Türk Telekom Group Corporate Risk Governance Model
Internal Control Environment
At Türk Telekom, we have established a robust internal control environment to achieve our strategic objectives, enhance our operational effectiveness and efficiency, ensure the accuracy and reliability of our financial data, protect our customers’ personal data and the company’s assets, and ensure compliance with legal regulations, policies, and procedures.
Through the activity control mechanisms that we integrate at the design stage of systems and processes, we work to ensure the achievement of defined operational objectives by reducing the likelihood of risks materialising or minimising their potential impact if they do occur. In addition, through periodic control activities carried out by our Vice Presidency of Internal Control, we test the control points established within processes to provide reasonable assurance regarding those processes.
Risk Lifecycle
We continue to carry out our efforts with care to ensure the effective and holistic management of our potential risks. In this context, we identify the risks that our company faces and conduct a detailed analysis of their root causes and potential consequences.
Through the Bow-Tie Analysis method we use in this process, we comprehensively map out our entire risk profile, from root causes to their potential impact on our objectives. After assessing the likelihood of risks materialising and their potential impact if they do occur, we monitor their current status continuously and report on them regularly.
When conducting the risk analysis, we carry out a comprehensive assessment by considering the multiple areas that may be impacted by a single risk. The identified and analysed risks are evaluated and prioritised by the relevant units, then existing controls related to these risks are improved, and the effectiveness of these controls is regularly reviewed.
To achieve our objectives, we aim to develop strategies aligned with our risk appetite by maintaining a balance between risks and returns. When making decisions about managing risk, risk owners conduct cost-benefit analyses and account for the expectations of all stakeholders. We also assess whether the management of these risks requires specialised expertise beyond our business units.
Risk Definitions and Actions Taken
We identify the risks faced by our group through Risk Identification and Assessment meetings, which we conduct regularly each year. We classify the identified risks under three main categories: Financial, Strategic, and Operational Risks.
The identified risks are prioritised by our senior executives, owners are assigned, and action plans are developed to manage or fully eliminate these risks. To form the basis of our action plans, detailed root cause analyses are conducted jointly by the relevant units and our Corporate Risk and Business Continuity Department.
Strategic Risks
At Türk Telekom, we operate in a sector where technological innovation, intense competition, and regulatory changes are constantly taking place. Accordingly, we closely monitor competitor positioning, technological developments in the market, and shifting customer expectations, with a strong sensitivity to industry dynamics.
In line with our strategic priorities, we implement proactive risk management practices to increase company revenue and ensure customer satisfaction. We develop solutions for individuals and the public sector by leveraging information and communication technologies. We have pioneered many firsts in the sector by introducing the most advanced communication technologies to Türkiye.
To achieve our future strategic objectives, we adopt risk management tools and models that transform our competitive advantages into opportunities, ensuring the necessary infrastructure for high-performance products and technologies and protecting our brand value. In addition, supported by the structure that we have strengthened through our subsidiaries, we introduce new products and services to compensate for potential market share losses caused by regulatory changes or major market transformations. We seize emerging opportunities in domestic and international markets.
Operational Risks
As we offer services based on our technology infrastructure, the effective management of our operational risks is of critical importance. These risks may arise from deficiencies or errors in our business processes, personnel, or systems, as well as from external events. Situations such as failures affecting our communication infrastructure and critical systems, power outages, or natural disasters may negatively impact our ability to deliver services to our subscribers.
We implement our Business Continuity Management as a comprehensive management process aimed at identifying potential threats and their impacts on key activities should they materialise, while protecting our company’s internal and external stakeholders, reputation, and brand value. In this context, we have developed Business Continuity Plans, a General Disaster Management Plan, and a Crisis Management Plan, and we have defined the procedures required for rapid and effective response in the event of potential disasters and crises. We subject our critical products and services to Business Impact Analysis and Risk Assessment processes, and we implement necessary improvements by monitoring performance in line with our continuity objectives.
Cybersecurity risk arises from a combination of digital threats and vulnerabilities, and it can hinder our ability to achieve strategic objectives by compromising the confidentiality, integrity, and availability of information. Disruptions to critical operations, loss of strategic data, exposure of personal data, and damage to corporate systems may lead to financial and operational losses. In addition, failure to comply with applicable legal regulations may result in punitive sanctions.
We conduct all our Information Technology and Network operations within the framework of our security policies, and we manage potential threats through early warning systems, which are developed based on continuous threat analysis. To protect both ourselves and our subscribers against service interruptions and security breaches, we implement best practices, standards, and policies. In this context, we hold international certifications such as ISO 22301 (Business Continuity Management System) and ISO 27001 (Information Security Management System). We also hold the PCI-DSS (Payment Card Industry Data Security Standard) certification for our mobile network.
Due to the nature of the industry, we work with a limited number of high-tech suppliers. Therefore, we conduct our procurement processes by accounting for risks arising from suppliers and subcontractors. Considering potential risks such as inefficiencies in the supply chain, low-quality products and services, customer dissatisfaction, security breaches, or business interruptions, we evaluate factors such as the Total Cost of Ownership (TCO), supply chain risks, and sustainability.
In addition, in line with the need for a skilled and specialised workforce, the ability to attract, recruit, develop, and retain employees is critically important to our company’s success. In this context, we develop effective Human Resources practices and implement training projects under the Türk Telekom Academy to support the professional development of our employees.
Business Continuity Management
As a company providing integrated Information and Communication Technologies (ICT) services to over 53 million customers, we are aware of the critical importance of uninterrupted service continuity for society, public institutions, the economy, and individuals. With this in mind, we implement end-to-end business continuity management through an organisation specifically established for business continuity, with clearly defined roles and responsibilities. Our business continuity management activities are carried out by accounting for all threats and risks, including human-induced events and natural disasters. At the highest level of this organisation is the Business Continuity Committee, which is responsible for steering and overseeing business continuity processes at a strategic level. Our holistic business continuity approach is shaped by the risk appetite and risk tolerance levels set by our Board of Directors; accordingly, we ensure the continuity of communications, recognising its essential role as a public service.
The main activities conducted under Business Continuity Management are as follows:
• Business disruption risk analyses
• Scenario analyses and scenario-based action planning
• Business impact analyses
• Risk mitigation and improvement of control environments
• Development of business continuity policies, procedures, and plans
• Preparation of regional disaster management plans
• Testing and drill activities
• Training and awareness-raising activities
• Incident and crisis management processes
• Post-incident recovery activities
By adopting international best practices in business continuity management, we successfully completed compliance and assessment processes in 2021 under the Resilient Enterprise Assessment Programme (REAP) developed by the Disaster Recovery Institute International (DRII). DRII accredited Türk Telekom as a Resilient Enterprise based on its current capacity and competencies. Türk Telekom holds the distinction of being the first and only telecommunications company in the world to receive this accreditation. In addition, we effectively operate all our management system processes under the ISO 22301 Business Continuity Management System certifications obtained for both Türk Telekomünikasyon A.Ş. and TT Mobil A.Ş.
Sustainability-Related Risks
We aim to integrate sustainability principles into our business model, strategies, and corporate decisions with the goal of leaving a liveable world for future generations. The telecommunications sector directly contributes to the Global Sustainable Development Goals by providing key solution tools in many areas such as economy, innovation, health, education, social equality, environmental protection and combating the climate crisis. We see sustainability not only as an element of risk management, but also as an opportunity to create value. Since adopting our holistic management approach in 2020, we have aimed to manage more effectively the risks focused on Climate Change and Environment, Contribution to Society, and Human Value.
In this context, we identify our sustainability-related risks by conducting a Sustainability Risks Root Causes analysis.
Financial Risk Management
At Türk Telekom, we recognise that maintaining our financial stability and ensuring sustainable growth are critically important not only for our company but also for the confidence of all our stakeholders. We demonstrate strength through proactive, comprehensive, and dynamic financial risk management strategies against external factors such as global economic fluctuations, foreign exchange movements, and changes in interest rates. By effectively managing financial risks such as liquidity, currency, interest rate, and counterparty risks, we strengthen our financial health and continue to create long-term value.
Türk Telekom is exposed to financial risks such as liquidity risk, currency risk, interest rate risk, and counterparty risk.
As part of the strategy to minimise liquidity risk, financial loans are sourced on a long-term basis from different geographies (America, Canada, Europe, the Gulf, Japan, China, Türkiye) and various creditor groups (commercial banks, international financial institutions, officially-supported export financing agencies, bond markets). This strategy enables the group to access long-term financing under competitive conditions without relying on a limited number of funding sources.
Regarding the foreign bonds issued by Türk Telekom, the group actively monitors the price and yield dynamics of these bonds, which can be traded in the secondary market, based on total return and cost principles to ensure an optimal cash management strategy.
The necessity to source a portion of investment expenditures from firms of foreign origin and the need to finance these through long-term and diversified funding sources have resulted in Türk Telekom having foreign currency-denominated liabilities. Accordingly, when protection transactions conducted by Türk Telekom are not considered, the company holds net foreign currency liabilities and may be exposed to exchange rate risks due to fluctuating exchange rates, which can affect the financial statements.
Türk Telekom aims to minimise the impact of interest rate and currency risk on financial statements through interest rate and currency risk management transactions. Within this framework, Türk Telekom holds a total hedging position equivalent to 1,628* million USD, the details of which are included in the financial statement footnotes. Including foreign currency cash held for natural hedging against currency risk, the total hedging position amounts to 1,706 million USD.
Türk Telekom aims to minimise counterparty risk related to its financial assets through limits applied to counterparties and diversification policies. It carries out hedging transactions related to its financial risks under the guidance and authorisation of the Board of Directors.
Counterparty Risk: Strong Financial Safeguard Mechanisms
We implement a robust risk management and diversification policy to protect our financial assets and minimise counterparty risk. By setting applicable limits for the financial institutions we work with, we ensure that risk remains within defined boundaries and strengthen our financial stability.
Our financial risk management is conducted diligently under the guidance and authorisation of the Board of Directors. With effective and proactive risk management strategies, we build a strong financial structure that is resistant to market fluctuations and lays solid foundations for our long-term growth objectives.
This comprehensive and strategic approach supports both our short-term financial performance and our long-term corporate sustainability, advancing our goal to increase the value we provide to our stakeholders.