Governance
Enterprise Risk Management
Enterprise Risk Management (ERM) is critical within a telco operating in a rapidly evolving, technology-driven and highly regulated environment. It provides a holistic framework to identify, assess, and mitigate diverse risks, ranging from regulatory and cybersecurity to network and competition, thereby ensuring operational resilience and service continuity. By embedding risk considerations into strategic and operational decision-making, we strengthen our resilience and our ability to deliver sustainable long-term value.
As a national information and communication technology (ICT) services provider, Sri Lanka Telecom PLC operates in an environment characterised by strategic, external, and internal risk. These emerging risks arise from fast-changing customer expectations, expanding digital ecosystems, cybersecurity threats, regulatory oversight, technological advancement, geopolitical changes, and macroeconomic conditions. This dynamic operating landscape requires a proactive and integrated approach to managing uncertainties and capturing emerging opportunities.
SLT’s Enterprise Risk Management (ERM) framework provides a structured, organisation-wide methodology to identify, assess, prioritise, and respond to risks that may impact the Company's strategic objectives, service continuity, financial performance, or regulatory compliance. By considering all of these aspects together, the framework enables informed decision-making at both strategic and operational levels.
The ERM function also supports Board and Senior Management oversight by providing transparent reporting on key risk exposures, response progress, and the effectiveness of internal controls. By embedding risk awareness into business planning, major investment decisions, and operational processes, the Company strengthens its capacity to maintain service availability, uphold customer trust, safeguard assets, and ensure compliance with evolving regulatory requirements.
Risk Leadership and Governance
At the core of SLT’s risk management ethos is the belief that effective leadership and governance are indispensable. The Company’s senior management plays a pivotal role in embedding a risk-conscious culture throughout the organisation. Through the establishment of a comprehensive Risk Management Framework, SLT defines its risk management philosophy, appetite, tolerance levels, and the approach towards identifying, assessing, and addressing risks. This framework is vital in guiding the organisation through the complexities of various risk types, including those that could significantly impact SLT’s reputation, operational efficiency, human resources, and financial health. By fostering an environment where risk management is vigorously supported and actively engaged in by the leadership, SLT ensures that risk considerations are integral to the formulation of key business strategies and decisions.
Audit Committee and Risk Management Steering Committee
The governance structure of SLT’s risk management efforts is anchored by the Audit Committee, which is supported by the Risk Management Steering Committee (RMSC). Endorsed by the Board of Directors, the Audit Committee represents the highest level of risk management oversight within the Company. This Committee is instrumental in overseeing the ERM function, ensuring that risk management practices are not only implemented but are also aligned with the Company’s strategic direction and operational requirements.
ERM Standards
SLT’s adherence to the ISO 31000:2018 guidelines underscores its commitment to a structured and effective risk management approach. The incorporation of these standards into its ERM framework is complemented by SLT’s initiative to integrate best practices developed within the organisation, thereby enhancing the robustness and relevance of its risk management efforts.
Risk Process and Activities
SLT adopts a comprehensive 360-degree approach to risk identification; however, it is well recognised that functional teams remain the subject matter experts in their respective domains and are therefore best positioned to identify risks and early-warning triggers. Risks identified at the business or operational unit level are first assessed by the respective Group Heads for relevance, impact, and alignment with functional priorities.
The ERM team then consolidates, validates, and prioritises these risks across the organisation. Appointed Group Risk Coordinators act as a vital link between the ERM team and business units, ensuring consistency, timely escalation, and effective communication of risk information.
All analysed and prioritised risks are periodically reported to the RMSC, where response plans, mitigation strategies, and progress reviews are formally discussed. Summaries of these discussions, including key risks, response status, and emerging concerns, are subsequently presented to the Audit Committee for oversight and guidance.
Enterprise Risks for 2025
In 2025, the Company encountered various risks arising from multiple areas.
| Risk | Description | Risk level | Actions Taken |
|---|---|---|---|
| Regulatory Risk | Changes in telecommunications regulations and policies may impact operations and financial performance. | High. Compared to last year, the risk was slightly reduced after the awarding of 5G spectrum and improvements in regulatory compliance. | SLT continued monitoring and close collaboration with regulators to manage compliance and minimise impact. |
| Competitive Risk | Increasing competition, the entrance of new operators and shifting customer preferences pose challenges to revenue growth. | High. This risk remained the same as last year; although a few areas were addressed, new triggers emerged. | Strengthening customer retention strategies, enhancing service quality, and introducing innovative products and services. |
| Technology Risk | Potential disruptions due to rapid technological advancements, system failures, obsolescence, and interdependencies. | High. This risk also remained the same this year. | Monitoring industry advancements and investing in cutting-edge technologies to remain competitive. |
| Data Privacy and Cybersecurity Risk | The growing threat of data breaches, theft, and misuse of information could weaken customer confidence, disrupt operations, and damage reputation. | High. The same risk level was reported because the threat landscape is constantly evolving. Despite strong controls, no system can be made 100% secure. | Strengthening cybersecurity measures, enhancing monitoring capabilities, and obtaining ISO security certifications. Measures have been initiated to comply with the Personal Data Protection Act. |
| People Risk | Employee-related risks, including turnover, workforce planning, and talent-retention challenges, together with maintaining industrial relations with employees. | High. The challenge persists, as rapid technology trends drive the industry’s demand for new skills while requiring careful management of operational costs. | Implementing retention strategies and aligning talent acquisition with market expectations. |
| Operational Risk | Maintaining continuous business operations and ensuring uninterrupted service availability emerged as the highest priority during disaster situations. | High. Maintaining critical network infrastructure with the required redundancy is a challenging task given emerging climate and sustainability considerations. | With limited financial flexibility, critical network elements are maintained through the dedication of operational teams. |