Investor Relations

Risk Factors

TEMENOS AG

(incorporated in Switzerland with limited liability)

Risk management


Risk management provides independent oversight over the portfolio of key risks impacting Temenos and manages emerging risks with a potential business impact.

We have a Group Risk Management function in place to monitor and manage enterprise risks including the implementation and operation of the Group level Risk Management Framework which is aligned with ISO 31000: Risk management and COSO ERM methodology. We also have in place a defined enterprise risk appetite and monitor aggregated risk exposure against this quarterly. The framework defines governance and oversight at the Board and management levels and defines risk management roles and responsibilities for all Temenos employees. The Group Risk Management function is overseen and managed by the Chief Risk Officer, who reports to the Chief Security and Risk Officer, a member of the Executive Committee.

The Audit Committee of the Board of Directors is responsible for oversight of the risk appetite for the organization factoring opportunities for business growth and development and maintaining our status as a trusted partner to clients that operate in highly regulated environments that are dependent on Temenos products and services to meet the needs of their clients to deliver best-in-class financial services to the markets they serve. The Audit Committee of the Board of Directors has approved a risk appetite for the key enterprise risks defined.

We have implemented an enterprise risk management program to monitor risk exposure against agreed upon risk appetite levels and implement risk mitigation strategies when assessed risks exceed approved risk appetite levels.

Risks are regularly assessed and monitored against risk appetite levels to ensure the business is operating within the defined risk appetite and management action plans are developed when a deviation from the defined risk appetite is detected.
A top-down approach has been adopted to ensure alignment between enterprise objectives and risk management program capabilities to ensure enterprise risks are effectively identified, assessed, monitored and managed to support the achievement of strategic objectives.

Risk Management Framework


The Group level Risk Management Framework (GRMF) establishes the vision, mission, objectives, scope and approach for managing enterprise level risks within Temenos. A three lines of defense risk management structure has been adopted which includes clearly defined risk management roles and responsibilities within Temenos for the Board, management and all Temenos employees.

The Group level Risk Management Framework establishes key program components including the following:

⚫ risk aware culture;
⚫ governance, roles and responsibilities; and
⚫ risk management program activities.

Three lines of defense capital Risk Management Model

Risk aware culture


Integrating risk management within organizational culture is key to ensuring the effectiveness of risk management program objectives. Culture and awareness are key elements in ensuring that risk taking activities are performed in a measured and calculated manner and do not expose the organization to situations that could impact shareholder value or introduce unwanted risks, exposure or legal liability.

The risk management culture within Temenos is supported by the following mechanisms:

⚫ tone at the top, including management support over the risk management program and effective governance and oversight;
⚫ clearly defined roles and responsibilities;
⚫ training and awareness; and
⚫ establishment of a business risk champions network.

Governance, roles and responsibilities

We have a governance and oversight structure in place which is aligned with defined roles and responsibilities and three lines of defense principles to ensure transparency and accountability within the organization for risk management activities and reporting. Key elements of this include:

Audit Committee of the Board


The Audit Committee of the Board is responsible for reviewing and approving the Group level Risk Management Framework and risk appetite annually as well as reviewing risk reporting and monitoring the Group risk appetite against assessed exposure levels.

Group Risk Management Committee


The Group Risk Management Committee is chaired by the Chief Risk Officer and is comprised of a cross section of senior management members and is responsible for establishing the tone at the top within Temenos related to the Group risk management program, monitoring risk exposure levels against the defined and approved risk appetite and developing and overseeing risk management plans to ensure the organization can operate within approved risk levels.

Group risk management team


The Group risk management team reports to the Chief Risk Officer and is responsible for the design, development, implementation and management of the Group level Risk Management Program including developing enterprise risk taxonomies, facilitating various risk assessments, monitoring and aggregating risk exposure levels, preparing Group level risk reporting and risk appetite monitoring to management and the Board and facilitating key risk management program activities.

The Group risk management team represents the second line of defense within the three lines of defense risk management structure and is responsible to perform an independent challenge over risk management activities taken by various risk owners.

Risk Owners


Risk Owners are defined within the Group risk taxonomy and are accountable for managing risks within their areas of responsibility as the first line of defense. Risk Owners are responsible for risk identification, risk assessment and risk management activities, including the development and implementation of risk management plans and strategies where assessed risk levels are outside of the defined Group level risk appetite.

Risk management processes

The following diagram highlights the risk management processes used to identify, assess, monitor, mitigate and report on key risks. These processes are aligned to the ISO 31000 risk management standards.

⚫ Business objectives – The basis for developing the Group Risk Management Framework involves aligning strategic business objectives with risk management strategies, tools, capabilities and priorities. Risk management identification will start by understanding business objectives and context within which risks exist.

⚫ Risk identification – We have a process to identify and define key enterprise level risks, aggregate risks within the Group risk taxonomy to ensure alignment between risk management program activities, risk monitoring and reporting and assessing risk exposure against defined risk appetite.

⚫ Risk appetite – We have risk appetite statements that define qualitative risk levels agreed to by management and the Board within which Temenos operates in the pursuit of key business activities.

⚫ Risk assessment – Risk assessments are conducted regularly across the organization at various levels of detail and granularity to assess inherent risk levels, map risks to controls and assess residual risk levels within Temenos.

⚫ Risk response – Risk management response strategies involve risk mitigation, risk transfer, risk avoidance and risk acceptance.

⚫ Risk monitoring and review – We aggregate and monitor risks on a quarterly basis against the defined risk appetite to determine if the organization is operating within the defined risk appetite. To the extent that risks are identified and assessed that are outside of the defined risk appetite levels, action plans are developed, monitored and tracked to ensure residual risk levels remain aligned with the Group level risk appetite.


⚫ Risk reporting – Risks are reported regularly to the Audit Committee of the Board and the Group Risk Management Committee. Risk reporting includes aggregated Group level risks, risk heatmaps and monitoring aggregated risk exposure levels against risk appetite to ensure effective awareness and oversight of risk impact for Temenos. Management action plans are included within risk reporting as needed to ensure effective oversight over risk mitigation activities.

Internal controls


In addition to the Group Risk Management Framework, there is also a robust internal control system in place for financial reporting and key operational and fraud risks that goes beyond statutory requirements. All relevant risks are identified, formally assessed and documented. For each risk, we have implemented specific controls and mitigation plans and these are documented in formal risk and control matrices. The effectiveness of the controls is regularly evaluated through a formal self-assessment process which is independently reviewed and tested by both internal and external audit.

While it is management’s responsibility to design, implement and operate effective risk management practices and controls, it is the role of Group Internal Audit to evaluate the effectiveness of risk management and internal controls, assess compliance with policies and procedures and provide assurance to senior management and the Board of Directors on their overall effectiveness.
To ensure the independence and objectivity of Internal Audit, the Group Head of Internal Audit reports functionally to the Audit Committee. The role, responsibilities and authority of the Head of Internal Audit and the function are set out in the Internal Audit Charter, which is reviewed and approved annually by the Committee. All Temenos employees, contractors, Partners and suppliers are required to cooperate fully with Group Internal Audit when requested and to provide access to all records, property and personnel, as required.

The following sections outline the key risks that we have identified and track. They represent an aggregated view.

Economic, political and social environment


Temenos derives most of its licensing, SaaS, maintenance and services revenues from banks and other financial institutions.

The banking industry is sensitive to changes in global economic conditions and financial markets and is highly susceptible to unforeseen external events, such as political instability, terrorist attacks, recession, inflation, currency fluctuations, interest rate changes, or environmental, public health or other adverse occurrences that may result in a significant decline in the use and/or profitability of financial services. Any event that results in decreased consumer or corporate use of financial services, or cost-cutting measures by financial services companies, may negatively affect the level of demand for Temenos products and services. Any reduction in the demand for the Group’s products in the banking and finance industries, or decrease in success in marketing the Group’s products to financial sector clients and prospective clients, could have a material adverse effect on the Group’s operations and financial condition and results. Furthermore, if any of the above factors affect the financial stability of our clients, there may be an adverse impact on our ability to recover fees for the services provided to them.

Temenos’ sustainable global presence, strategic planning, organizational structure, internal controls, business continuity management program, international mobility and working from anywhere service delivery to clients, comprehensive product offering and market leadership help to mitigate this risk.

Law and litigation


Temenos operates in various legal jurisdictions and as such is subject to various legal and regulatory requirements. Temenos may have legal proceedings or litigious actions brought against it. The outcome of these proceedings or actions is intrinsically uncertain and the actual outcomes could differ from the assessments made by management in prior periods, resulting in increases in provisions for litigation in the accounts of Temenos.

Adverse outcomes to legal proceedings or litigious actions could result in the award of significant damages or injunctive measures that could hinder Temenos’ ability to conduct business and could have a material adverse effect on its reputation, business, operating results and financial condition.

Litigation of intellectual property infringement claims may increase as a result of Temenos acquiring companies which rely on third party code, including open-source code, Temenos expanding into new areas of the banking industry resulting in greater overlap in the functional scope of products and increasing assertion of intellectual property infringement claims by non-practicing entities that do not design, manufacture or distribute products.

Although Temenos has implemented controls and believes that its products do not infringe upon the intellectual property rights of others and that Temenos has all the rights necessary to utilize the intellectual property employed in its business, Temenos is still subject to the risk of claims alleging infringement of third party intellectual property rights, including in respect of intellectual property that has been developed by third parties and acquired by Temenos in business or asset purchase transactions. Responding to such claims, regardless of whether they are with or without merit, and negotiations or litigation relating to such claims could require Temenos to spend significant sums in litigation costs and payment of damages and expend significant management resources. In addition, such claims could lead to delivery delays or require the Group to enter into royalty or licensing agreements on unfavorable terms, discontinue the use of challenged trade names or technology, or develop noninfringing intellectual property. The Group’s liability insurance does not protect it against the risk that its own or licensed third party technology infringes the intellectual property of others. Therefore, any such claims could have a material adverse effect on the Group’s reputation, business, operating results and financial condition.

Temenos’ legal teams are aligned to business operations and are involved early in any decisions which may incur legal implications. The legal team reviews and provides guidance on complex client contracts to ensure contractual agreements align to local commerce laws and regulations. Whenever possible, Temenos tries to contractually limit its liabilities.

This is covered further in “Foreign operations”. More broadly, the risk of potential breach of legislative or regulatory requirements through general operations, such as breach of listing requirements or Group level legal requirements, is managed through Group level controls, compliance policies and procedures. Policy compliance requirements are periodically assessed through Risk Management processes and reviewed by Internal Audit to provide comfort over adequacy of policies, processes and compliance.

IP protection


Temenos relies upon a combination of copyright, trademark and trade secrecy laws, trade secrets, confidentiality procedures, contractual provisions and license arrangements to establish and protect its proprietary rights and Temenos’ ability to do so effectively is crucial to its success. Temenos enters into agreements with its employees, Partners, distributors and clients that seek to limit the distribution of, and otherwise protect, its proprietary information. However, Temenos cannot give full assurances that the steps taken will be adequate to prevent misappropriation of its proprietary information as all of the protection measures afford only limited protection. Temenos’ proprietary rights could be challenged, invalidated, held unenforceable or otherwise affected. Certain proprietary technology may be vulnerable to disclosure or misappropriation by employees, Partners or other third parties, and third parties might reverse-engineer or otherwise obtain and use technology and information that Temenos regards as proprietary.

Accordingly, Temenos might not be able to protect its proprietary rights against unauthorized third party copying or utilization, which may undermine Temenos’ market position and deprive it of revenues. Temenos may not be able to detect unauthorized use of its intellectual property, or take appropriate steps to enforce Temenos’ intellectual property rights. Temenos’ products are used globally and are therefore subject to varying laws governing the protection of software and intellectual property in each of these jurisdictions. Temenos cannot guarantee that its software and intellectual property will be afforded the same level of protection in each jurisdiction, as some jurisdictions may offer no effective means to enforce Temenos’ rights to its proprietary information, which could result in competitors offering products that incorporate features equivalent to Temenos’ most technologically advanced features, which could have a material adverse effect on Temenos’ business, results of operations and financial condition. Any legal action that Temenos may bring to enforce its proprietary rights could involve enforcement against a Partner or other third party, which may have a material adverse effect on its ability, and its clients’ ability, to use that Partner’s or other third parties’ products. Moreover, litigation, which could involve significant financial and management resources, may be necessary to enforce Temenos’ proprietary rights. Any material infringement of Temenos’ proprietary technology could have an adverse effect on its reputation, business, financial position, profit and cash flows. Our Partner contracts are designed in a manner which provides clarity and understanding of both parties with regard to the protection and safeguarding of their IP.

Regulatory compliance


Temenos is a technology service provider for financial services institutions which are regulated and overseen by a diverse set of regulatory authorities based on the various jurisdictions Temenos operates within. As such, Temenos is subject to direct and indirect financial regulatory supervision based on the portfolio of products and services offered to clients in a global client ecosystem. A failure to comply with regulatory requirements and expectations could result in enforcement actions, sanctions and administrative orders that can be judicially enforced and result in monetary penalties and other adverse scenarios. As the utilization of cloud and SaaS products grows, there is increased dependence on Temenos as a material outsourced technology service provider; regulatory scrutiny and oversight also increase, and the degree of exposure to regulatory examinations, sanctions and fines also increases.

We have a Regulatory Change Management Framework in place to monitor, assess, identify and implement applicable regulatory requirements in order to manage compliance with a diverse set of regulatory expectations and requirements. This framework continues to be enhanced as the degree of regulatory scrutiny increases with new requirements, for example, related to operational resilience, cybersecurity and new technologies such as AI. Regulatory compliance capabilities continue to mature as the legislative and regulatory landscape evolves and new requirements are implemented.

Undetected defects or security vulnerabilities

Temenos’ products and offerings may contain defects or security vulnerabilities that Temenos has not been able to detect and that could adversely affect the performance of the products and negatively impact Temenos’ relationship with its clients. It is not always possible to identify and rectify all errors or defects during a product or services developmental phase and more commonly Temenos has discovered minor software defects in certain new versions and enhancements of its products after they have been introduced. The detection and subsequent correction of any errors or defects can be expensive and time consuming and it is not always possible to meet the expectations of clients regarding the timeliness and the quality of the defect resolution process. In a worst-case scenario, it might not be possible to wholly rectify certain defects or entirely meet client expectations. In such circumstances it is possible that clients may pursue claims for refunds or damages, attempt to terminate existing arrangements, request replacement software or seek other concessions.

A defect or error in any newly developed software of Temenos could result in adverse client reactions and negative publicity, as Temenos’ clients and potential clients are highly sensitive to defects in the software they use. Any negative publicity could hinder the successful marketing of the new software, reducing demand for the software. A defect or error in new versions or enhancements of Temenos’ existing products could result in the loss of orders or a delay in the receipt of orders and could result in reduced revenues, delays in market acceptance, diversion of development resources, product liability claims or increased service and warranty costs, any of which may have a material adverse effect on Temenos’ business, results of operations and financial condition. Any claim brought against Temenos in connection with defective software, regardless of its merits, could entail substantial expense and require a significant amount of time and attention by management personnel.

Temenos has implemented a robust Secure Software Development Lifecycle (SSDLC) and has a program which drives strong security culture across development and operations teams. Quality and product security assurance teams which are independent functions test adherence to secure practices. Temenos products undergo comprehensive security testing both internally and using external reputed third party firms at least annually.

New vulnerabilities are monitored as they emerge, and analysis performed to measure the impact on Temenos products, if any. Products are patched and updates provided as priority to mitigate security risk in case of new vulnerabilities.

Key personnel


Temenos operates in an industry in which there is intense competition for experienced and highly qualified individuals and this may be exacerbated by longer-term demographic and geopolitical changes. The success of Temenos is partly dependent on its ability to identify, attract, develop, motivate, compensate and retain highly skilled and qualified management and other personnel, particularly those with expertise in banking software, cyber and information security and cloud and SaaS operations. There is intense competition for experienced and highly skilled personnel globally and if Temenos fails to recruit and retain the numbers and types of employees that it requires, its business, operating results and financial condition may be adversely affected.

Compensation, incentive and recognition programs are utilized to align staff efforts to organizational objectives and to enable effective recruitment and retention; these are reviewed regularly and adjusted as necessary. Employees receive a range of training and development to ensure they have the necessary skills to perform their duties and to develop their careers within Temenos. Various CSR initiatives are in place to demonstrate our commitment to a purposeful workplace. Career and succession planning is reviewed regularly to provide for continuity of operations and mitigate key person risk.

Foreign operations


Temenos has over 950 core banking clients, over 600 digital clients, and clients in over 150 countries and it has sales and support offices in 39 countries. Temenos’ future revenue growth depends on the continued successful expansion of its development, sales, marketing, support and service organizations, through direct or indirect channels, in the various countries around the world where its current and potential clients are located, including in many developing countries. Such expansion may require the opening of new offices, hiring new personnel and managing operations in widely disparate locations with different economies, legal systems, languages and cultures, and may require significant management attention and financial resources. Temenos’ operations are also affected by other factors inherent in international business activities, such as:

⚫ differing or even conflicting laws and regulation of risk and compliance in the banking sector;
⚫ difficulties in staffing including works councils, labor unions and immigration laws, changing work practices (e.g. flexible working, working from home and part-time working) and foreign operations;
⚫ the complexity of managing competing and overlapping tax regimes;
⚫ differing import and export licensing requirements;
⚫ operational difficulties in countries with a high-corruption perception index;
⚫ protectionist trade policies such as tariffs;
⚫ limited protection for intellectual property rights in some countries;
⚫ difficulties enforcing intellectual property and contractual rights in certain jurisdictions;
⚫ differing data protection and privacy laws; and
⚫ political and economic instability, outbreaks of hostilities, terrorism, mass immigration, international embargoes, sanctions and boycotts.

The risks associated with the factors stated above will intensify as Temenos expands further into new countries and markets through organic growth or acquisitions. Additionally, laws and regulations and governments’ approaches to their enforcement, as well as Temenos’ products and services, are continuing to change and evolve. Compliance with the laws and regulations in the various jurisdictions may involve significant management time and costs and require costly changes to products and/or business practices.

Risks related to foreign operations are regularly assessed and mitigated as needed. Specific policies and procedures are in place to ensure compliance with export control and sanctions, anti-bribery and corruption, anti-money laundering, data protection and privacy and other legislation.

Foreign exchange and/or interest rate fluctuations

Temenos’ financial statements are expressed in US dollars and Temenos generates the majority of its revenues in US dollars. However, a significant portion of its operating expenses are incurred in currencies other than the US dollar, particularly in Euros, Swiss francs, Rupees and Pounds sterling.

Temenos is exposed to the fluctuation in exchange rates of each of these currencies. Temenos makes efforts to mitigate its foreign exchange risk by aligning its revenue streams to currencies that match its cost base and hedges most of the material residual exposure by the use of derivative instruments.

However, such hedging may not be sufficient protection against significant fluctuations in the exchange rate of the US dollar to other currencies, in particular those currencies in which Temenos incurs operating expenses, generates revenues or holds assets. Such fluctuations may impose additional costs on Temenos and may have a material adverse effect on Temenos’ financial condition and results of operations and on the comparability of its results between financial periods.

Furthermore, the Group is exposed to the fluctuation in interest rates. Some of the Group’s financing arrangements bear interest at floating rates of interest plus a margin and are adjusted periodically. These interest rates could rise significantly in the future. To the extent that interest rates were to increase, the Group’s interest expense would correspondingly increase, reducing Group cash flow. This could have a material adverse effect on the Group’s business, financial condition and results of operations.

Temenos uses a combination of various techniques to protect against currency and interest rate fluctuations including using derivatives to mitigate the risk when it is deemed to be significant in compliance with the terms of Temenos credit facilities.

Compliance with the terms of Temenos credit facilities


Temenos has credit facilities in place with a syndicate of banks. The facilities contain financial covenants, undertakings and event of default provisions. Moreover, the facilities contain cross-default provisions such that a default under another debt instrument, such as bonds, could result in a default under the credit facilities and acceleration of the debt thereunder.
The inability of Temenos to draw down the credit facilities to satisfy its financing requirements could have an adverse effect on Temenos’ growth. Compliance with the terms is monitored on a monthly basis.

Managing client relationships


Temenos enters into long-term relationships with its clients. The contractual arrangements supporting these relationships are often varied and diverse to reflect the nature of the requirements of the client factoring in specific legal and cultural requirements of the client’s operating environment as well as the multiple stages of the relationship.
Temenos regularly assesses client satisfaction and proactively seeks and responds to client feedback via the Client Voice program and monitoring of our Net Promoter Score (NPS). Temenos aims to build long-term strategic relationships with clients in order to maximize the value provided to both parties. Through strong relationships, Temenos is able to further develop products according to industry needs and requirements. The Temenos Ambassador Program and CEO Navigator tool support this goal. Furthermore, mechanisms for tracking and oversight of contract clauses are utilized by the global contract team to provide additional comfort over the effective management of client contractual arrangements.

Strategic partnerships


Temenos delivers its products to clients directly and indirectly through distributors and through strategic alliances with IT service providers. Temenos’ strategic partners sell to clients and provide implementation services through a contract with the client, rather than with Temenos. These relationships with IT service providers and strategic partners help to drive co-innovation of Temenos’ products, profitably expand Temenos’ routes-to-market to enhance market coverage and provide high-quality services in connection with Temenos’ product offerings. Any failure to maintain and expand these relationships could adversely affect Temenos’ products and services which, in turn, would have an adverse effect on Temenos’ ability to compete successfully with its competitors, and therefore negatively affect the results of operations and financial condition.

Cloud and SaaS solutions


Cloud and SaaS technology is inherently complex and, as such, Temenos may be subject to changing regulatory requirements, evolving client attitudes and technical complexities in developing new business offerings and support services. Temenos may fail to achieve desired operating profit results in this market due to regulatory changes and an inability to develop a competitive product which appeals to its clients. In delivering its SaaS and cloud services, Temenos is highly dependent on the availability and security of underlying infrastructure provided by various suppliers including, for example, Microsoft Azure and Amazon Web Services (AWS). By providing cloud and SaaS technology to clients, Temenos will handle client data. Hardware, software, network or data center failures, product defects or system errors could result in data loss or corruption, or cause the information held to be incomplete or contain inaccuracies. The availability of Temenos’ application suite could be interrupted by a number of factors, such as the failure of a key supplier, its network or software systems due to human or other error and security breaches.

Although Temenos employs strict security, data protection and privacy measures, there is a risk that such measures could be breached as a result of malicious third party action, employee error and malfeasance, or otherwise, and if as a result unauthorized access is obtained to client data, which may include personally identifiable information about users, Temenos could suffer significant reputational damage and be exposed to significant liabilities.

Temenos continues to enhance its cloud and SaaS offering and associated security controls through a range of compliance programs. Temenos holds an annually renewed SSAE18 – SOC 1 Type 2, SOC 2 Type 2 and SOC 3 along with a CSA-CCM (Cloud Security Alliance – Cloud Control Matrix) Star Level 2 compliance attestation. During the year we have also achieved adherence to the EU Cloud Code of Conduct Level 2. ISO 9001, ISO 27001, ISO 27017, ISO 27018, ISO 20000-1 and ISO 22301 certifications also provide a greater degree of assurance to clients. Temenos also includes in its independent compliance validation program the certification of the Azure, AWS and Kony Infrastructure against PCI-DSS standards.

Software implementation project management


The implementation of Temenos’ software and integration of various product components is a complex process requiring skilled and experienced personnel. The implementation of Temenos’ software is often performed in part or wholly by service delivery partners as well as committed resources of the client. The complex nature of the solutions makes it necessary to provide training and education on the operation of the product.

The reliance on third party capabilities and the complex nature of product customization and installation requirements may lead to unforeseen events occurring which may delay the progress of implementations.
Temenos focuses heavily on training the staff and Partners responsible for implementation of software to ensure a strong mix of qualified project managers and technical product expertise. Temenos ensures the adequacy of skills through requiring certification of staff and Partners in Temenos Implementation Methodology and products. Our provision of the Temenos Learning Community (TLC) shows our ongoing commitment to this area.

Implementation teams are also trained to identify and effectively manage any unforeseen events and a suite of risk management tools is used to monitor and track potential issues which may adversely impact the successful installation of software. Project governance boards are held regularly to oversee the delivery of the implementation against milestones.


Temenos Implementation Methodology is periodically reviewed and updated in order to maintain high standards for Temenos staff and Partners. Identified initial project risks receive an increased level of review and analysis in order to more effectively mitigate and monitor them throughout the life of the implementation project.

To further enhance the operational oversight for SaaS project implementation, Temenos has formed a Cloud “Architecture Board” (CAB) and a Cloud “Operational Readiness Board” (ORB). The Board’s mission is to provide early guidance on SaaS project implementation work, monitor and review client deployment readiness, oversee and approve the operational solutions introduced to cloud environment and make sure such solutions will not impact Temenos’ ability to meet clients’ security, resilience, support and service level expectations.

Mergers and acquisitions


Temenos pursues a strategy of making targeted investments, which may include acquisitions, minority stakes, strategic alliances and partnerships. Risks associated with such a strategy include the availability of suitable targets, the difficulty in evaluating potential transactions, including the risk that our due diligence does not fully assess valuation considerations, and successful integration. Risk of failure to assimilate operations and personnel may materialize.
The process of integrating an acquired company or business may create unforeseen operating difficulties and expenditures.
It may take longer than expected to realize the full benefits from transactions.

Minority investments in new ventures may involve further challenges, including more limited financial and non-financial information on the business, less frequent and complete reporting that would typically be available for more mature businesses, and difficulty in periodically assessing a valuation of an investment.

Further consolidation in Temenos’ industry may decrease the number of potential desirable acquisition targets. Failure to acquire, integrate and derive the desired value of any businesses or assets in the future could materially adversely affect Temenos’ business, results of operations and financial condition. In addition, businesses that Temenos acquires or in which Temenos invests might not perform as anticipated, resulting in possible impairment or losses, consequently impacting Temenos’ statement of financial position.

Security, business continuity and resiliency


As a software technology vendor and SaaS provider, we face various cyber and other security threats, including:
⚫ attempts to gain unauthorized access to sensitive information and data;
⚫ threats to the safe and secure operation of our software solutions and services;
⚫ threats to the safety of our Directors, officers and employees;
⚫ threats to the security of our facilities and infrastructure; and
⚫ threats from terrorist acts or other acts of aggression.

Our clients and Partners (including subcontractors) face similar threats.

Although we utilize various procedures and controls to monitor and mitigate the risk of these threats, there cannot be full assurance that these procedures and controls will be sufficient. These threats could lead to losses of sensitive information or capabilities, harm to personnel, infrastructure or products and/or damage to our reputation as well as our Partners’ ability to perform on our contracts.

Cyber threats are evolving and include, but are not limited to:
⚫ attempts to gain unauthorized access to data, information or intellectual property;
⚫ disruption to or denial of service; and
⚫ other malicious or criminal activities.

These threats could lead to disruptions in mission-critical systems, unauthorized release of confidential, personal or otherwise protected information (ours or that of our employees, clients or Partners) and corruption of data, networks or systems. In addition, we could be impacted by cyber threats or other disruptions or vulnerabilities found in products we use or in our Partners’ or clients’ systems that are used in connection with our business. These events, if not prevented or effectively mitigated, could damage our reputation, require remedial actions and lead to loss of business, regulatory actions, potential liability and other financial losses.

We provide software products and services to various clients who also face cyber threats. Our software products and services may themselves be subject to cyber threats and/or they may not be able to detect or deter threats, or effectively to mitigate resulting losses. These losses could adversely affect our clients and our Group. The impact of these factors is difficult to predict, but one or more of them could result in the loss of information or capabilities, harm to individuals or property, damage to our reputation, loss of business, regulatory actions and potential liability, any one of which could have a material adverse effect on our financial position, results of operations and/or cash flows.

From an organizational perspective, the Security and Privacy Committee provides the Group level oversight. This Committee is chaired by the Chief Security Officer, who reports to the Chief Security and Risk Officer – a member of the Executive Committee. Board level oversight is exercised by the Audit Committee.

In terms of business processes, security assurance is integrated into all business processes related to R&D, the supply chain, sales and marketing, delivery and technical services. In addition, Temenos reinforces the implementation of the cybersecurity assurance system by conducting internal audits and receiving external certification and auditing from various independent third party organizations. In connection with personnel management, our employees, Partners and consultants are required to comply with security policies and requirements established by Temenos and receive appropriate training so that the concept of security is deeply rooted throughout Temenos. To promote cybersecurity, Temenos will take appropriate action against those who violate cyber assurance policies. Employees may also incur personal legal liability for violation of relevant laws and regulations. If Temenos security measures are breached and unauthorized access is obtained to Temenos’ IT systems, Temenos’ business could be disrupted and Temenos may suffer financial losses as a result of the loss of confidential client information or otherwise.

Temenos’ insurance coverage might not cover claims against it for loss or security breach of data or other indirect or consequential damages. If Temenos experiences interruptions in the availability of its application suite, Temenos’ reputation could be harmed, which may have a material adverse effect on Temenos’ business and financial condition.

As part of the periodic risk assessment of IT infrastructure, potential physical and security vulnerabilities are factored into the process for developing a resilient and robust IT infrastructure.

The physical security of IT infrastructure and personnel is kept secure through standardized general IT controls across Temenos in line with best practice standards. Temenos has implemented a Business Continuity Management System (BCMS) to cover Business Continuity and Resilience requirements and this is certified to ISO 22301:19. The framework touches on all aspects of Business Continuity and Resilience and is tested and audited regularly.

Information systems are regularly audited internally and externally (e.g. SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017 and ISO 27018) to provide assurance over the management of these risks.

Supply chain complexity


As we continue our transition to a cloud/SaaS services and delivery model, there is an increased business need to leverage specialized products and services to meet the demands of a diverse set of customers and their business requirements for resilient scale cloud/SaaS solutions. As such, there is increased risk related to third party service providers that support the delivery of cloud/SaaS products and services to Temenos customers in addition to cloud platform service providers AWS and Azure. Leveraging an ecosystem of specialized third party service providers to deliver Temenos cloud/SaaS products and services increases the complexity of managing and overseeing these third party relationships from an operations, legal, regulatory, compliance and risk management perspective.

Additionally, there is increased focus and pressure from clients and the marketplace around ESG program requirements with a focus around moving to net-zero carbon emissions and a heavy focus on Scope 3 emissions. As the ecosystem and complexity of third and fourth parties within the Temenos cloud supply chain increases, these risks become more challenging to effectively manage.

The inability to ensure and manage trust and transparency in the supply chain utilized to deliver cloud/SaaS products and services to customers could result in legal liability, increased regulatory scrutiny, challenges delivering products and services in line with contractual requirements and security incidents and data leakage/theft which could have a negative impact on Temenos’ ability to gain efficiencies and effectively augment current enterprise capabilities in a manner that delivers value to customers.

We are proactively increasing the degree of rigor and enhancing standardized programs and processes to manage critical cloud services providers that compose the Temenos cloud ecosystem in order to ensure these relationships can effectively be managed to deliver anticipated business benefits to customers and shareholders. Examples of actions taken include standardizing legal, regulatory, compliance, business continuity and ESG contractual schedules as well as other actions to enable effective management of critical cloud supplier relationships.

Insurance


Temenos’ corporate insurance team manages all global policies. The main global policies provide coverage across core business areas such as Professional Indemnity Liability (errors and omissions), Cyber Liability Insurance, Crime Insurance, Global Travel and Directors’ and Officers’ Insurance. As with any large organization, Temenos strives to ensure that its activity, offices and employees are adequately covered, given the liability exposure and the insurance market capacities. Temenos counts on reliable insurance partners; hence, most of Temenos’ insurance providers are A or A+ AM Best rated companies.

Across the various legal jurisdictions in which Temenos operates, compliance with the local legal requirements is ensured by holding certain insurance policies such as workers’ compensation policies and third party liability, employees’ health and accident benefits protection. Temenos’ local offices manage their legally required policies with oversight and review by Group management. Each office/Temenos entity is insured against property damage, business interruption and public liability risks. Information and IT infrastructure is also covered by regional and/or local policies.

Environment and sustainability


As a company, we recognize that climate change is a global challenge with financial implications. We also recognize the importance of understanding and taking action on our material environmental impacts, risks and opportunities. As an IT company, to serve our clients, we rely heavily on people, computing resources and business travel. We are aware of the environmental impacts of our business and support a precautionary approach to environmental challenges on our own initiative and an environmentally responsible way of conducting our business operations and serving our clients.

Climate change


In response to increasing concern about the impact and risk associated with climate change, Temenos has aligned the climate risk assessment with the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD). As part of this, we have conducted a qualitative and quantitative scenario-based climate assessment to identify both climate-related risks and opportunities, in order to inform Temenos’ medium- and long-term business strategy.
Governmental actions to mitigate climate change could increase operating costs. Increased frequency of extreme weather (storms, floods, heat waves) could cause disruption of our operations. Failure to meet client, Partner, investor or other stakeholder expectations or globally recognized standards on sustainability and climate change strategy could have an impact on the demand for our products, our ratings in sustainable investment indices and our corporate reputation, resulting in reduced growth and profitability.

Biodiversity


Temenos recognizes the indispensable role biodiversity plays in a sustainable world and has included such risks in its environmental risk assessment registry: operational risks associated with resource dependency; regulatory risks as regulatory changes are anticipated and must be addressed in a timely manner as policymakers ramp up policy action on biodiversity; and market risks as consumers’ preferences towards products with reduced biodiversity impacts can create a shift on the product demand.

Our strategy


As part of our environmental responsibility and climate change strategy, we have set up an internal Company-wide mechanism, in order to measure, monitor and report on our global impact. Our ISO 14001 certified Environmental Management System provides a solid framework to address such risks and drives continual improvement. We also implement mitigation, adaptation, energy reduction and emissions avoidance initiatives, by putting in place policies and management systems and setting internal targets to improve energy efficiency, reduce emissions and invest in carbon removal and/or offset projects for the carbon we cannot reduce or avoid. We have incorporated environmental requirements into our corporate facilities management practices. Our near-term target has been officially validated by the SBTi and is aligned with the Business Ambition of 1.5˚C. We work with like-minded business partners and suppliers to ensure continued availability of our business operations and products and sustainable options for our clients. We monitor environmental regulations, trends and other related governmental developments in the countries we operate in and take proactive actions. Where environmental legislation is not clear or enforced, we ensure that all necessary environmental practices are in place. We communicate our environmental responsibility strategy to all our stakeholders and raise awareness internally and externally. Through our cloud and SaaS product offering, we help our clients integrate environmental sustainability into their business strategies, by enabling them to reduce their environmental impact, as well as helping their customers track their environmental footprint. We are an environmentally responsible neighbor and support environmental projects in the communities where we operate. We engage in initiatives focused on nature-based solutions, such as tree-planting and earth-restoring activities, to tackle climate change and improve biodiversity. We participate in global efforts to improve environmental protection and understanding and align with the United Nations’ global agenda for sustainable development.

We ensure that our clients, suppliers, Partners and contractors are committed to following our environmental policies and setting environmental targets, by conducting sustainability risk assessments as well as audits and reporting annually to the Board of Directors.

Internal controls failures


Although Temenos considers the controls and procedures it currently has in place to minimize the financial reporting, legal, disclosure and other regulatory, compliance, non-financial and operational risks associated with its business to be adequate, Temenos recognizes that the efficacy of some of these controls and procedures depends significantly on employees and contractors and on input from external parties and all of these controls and procedures need to be kept under regular review, particularly given the pace at which Temenos’ business has developed and generally increasing regulatory scrutiny.
There is no guarantee that Temenos will not be targeted by those willing to commit fraud against Temenos. Such an action could come from either an internal or external source and could result in a significant adverse impact on Temenos’ business, results of operations and financial condition.

Internal controls are regularly reviewed, updated and tested in accordance with our Internal Control System process and additionally by Internal Audit which serves as a third line of defense to provide assurance on the effectiveness of risk management and internal control systems.

In addition to the assurance provided by Internal Audit, Temenos engages a range of external assurance providers to provide industry standard certifications, e.g. ISO accreditations and Systems and Organization Control (SOC) reports.

Emerging risks


Anticipating potential risks is a critical component to effective risk management. Understanding the potential business impact of macro level and environmental conditions and factors is key to minimizing adverse business impact of these risks from materializing in a manner that negatively impacts value to shareholders, clients, business partners and employees.


Temenos has designed, developed and implemented as part of the Group Risk Management function an emerging risk identification and management program. Identification of emerging risks involves taking a broader approach to risk identification where potential risks are identified that have the possibility of impacting Temenos in the three to five-year range and developing proactive risk management strategies to minimize potential business impact. We have capabilities to survey the broader risk landscape, review and assess risk trends, macro-environmental considerations and thought leadership to outline emerging risks and develop a proactive strategy and approach to managing those potential risks. Several sources of information include the annual World Economic Forum Global Risk Report, publications from various industry groups (e.g. CRO Forum – Emerging Risk Initiative) and various pieces of thought leadership. The following were considered important in developing a forward-looking approach to manage risks that could impact Temenos.

Risks associated with Artificial Intelligence (AI)


There is an increased concern about the adverse outcomes that AI can have impacting individuals, businesses, ecosystems and/or economies. AI technology can lead to: unfair and discriminatory outcomes given that the system can inherit biases present in data input; lack of transparency on how decisions have been taken, eroding trust and hindering accountability; job displacement in certain professions; new security risks where malicious actors can manipulate input data to deceive the system; increased privacy concerns given that AI requires high volumes of data for training; and environmental impact as significant computational resources may be needed to support the system, increasing energy consumption. While this is identified as a risk impacting the business, this risk is expected to further materialize within the next three to five years and potentially impact Temenos’ position within the marketplace and possibly impact strategic growth plans.

Potential business impact


The use of AI in our product offerings will offer numerous benefits to our clients; however, the inability to effectively manage the risks associated during its development and deployment could result in legal liability, increased regulatory scrutiny, challenges in selling products and services and reputational damage.

Mitigation measures


We will review and enhance as appropriate our AI management processes and product offerings. This includes developing appropriately focused risk management activities around the development, deployment and use of AI both internally and within our product suite; regulatory horizon scanning and analysis of emerging regulation and legislation to ensure effective compliance; reviewing and updating our contract documentation as needed; and developing appropriately detailed product documentation to support client needs and expectations.

Frontier technologies integration challenges


As new technologies such as Augmented and Virtual Reality, Quantum Computing or others emerge, we may face integration challenges. Keeping up with these technologies and seamlessly integrating them into existing platforms may be complex, expensive and time consuming. While not identified as an immediate risk impacting the business, this risk is expected to further materialize within the next three to five years and potentially impact Temenos’ position within the marketplace and possibly impact strategic growth plans.

Potential business impact


The inability for Temenos to successfully integrate new technologies into its offerings may lead to client erosion and loss of market share.

Mitigation measures


We will continue to invest in R&D to ensure that we can effectively integrate new technologies into our offerings where it is believed to be beneficial for our clients to ensure they can benefit from the latest technological developments.