Risk Factors

TEMENOS AG

(incorporated in Switzerland with limited liability)

Maintaining robust risk management

At Temenos we have developed and implemented an Enterprise Risk Management Framework, which is aligned with ISO 31000: Risk Management guidelines and establishes the vision, mission, objectives, scope and approach for managing enterprise level risks within the organization. We have a Group Risk Management function in place responsible for the operation of the framework as well as the monitoring of key enterprise risks. The Group Risk Management function is overseen and managed by the Group Risk Director, who reports to the Chief Security and Risk Officer, a member of the Executive Committee.

Governance, roles and responsibilities

We have a governance and oversight structure in place which is aligned to three lines of defense principles to ensure transparency and accountability within the organization for risk management activities and reporting.

Board

The Board is responsible for reviewing and approving the Enterprise Risk Management Framework and risk appetite annually as well as reviewing risk reporting and monitoring the Group risk appetite against assessed exposure levels.

Enterprise Risk Management Committee

The Enterprise Risk Management Committee is chaired by the Chief Security and Risk Officer and comprises a cross-section of senior management members. It is responsible for establishing the tone at the top within Temenos related to enterprise risk management, monitoring risk exposure levels against the defined and approved risk appetite, and developing and overseeing risk management plans to ensure the organization can operate within approved risk levels.

Enterprise Risk Management function

The Enterprise Risk Management function reports to the Chief Security and Risk Officer and is responsible for the design, development, implementation and management of the Enterprise Risk Management Framework including developing enterprise risk taxonomies, facilitating various risk assessments, monitoring and aggregating risk exposure levels, preparing Group level risk reporting and risk appetite monitoring to management and the Board and facilitating key risk management activities. The Enterprise Risk Management function represents the second line of defense within the three lines of defense risk management structure and is responsible for performing an independent challenge over risk management activities taken by various risk owners.

Risk owners

Risk owners are defined within the enterprise risk taxonomy and are accountable for managing risks within their areas of responsibility as the first line of defense. Risk owners are responsible for risk identification, risk assessment and risk management activities, including the development and implementation of risk management plans and strategies where assessed risk levels are outside of the defined Group level risk appetite.

Risk management process

The following diagram highlights the risk management processes used to identify, assess, monitor, mitigate and report on key risks.

• Context and risk appetite – The basis for developing the Enterprise Risk Management Framework involves aligning strategic business objectives with risk management strategies, tools, capabilities and priorities. Risk management identification will start by understanding business objectives and context within which risks exist. At this stage risk appetite levels are also agreed for a defined set of risk categories which will be used for specific risk identification.

• Risk identification – We have a process to identify and define key enterprise level risks, aggregate risks within the Group risk taxonomy to ensure alignment between risk management activities, risk monitoring and reporting and assess risk exposure against defined risk appetite.

• Risk assessment – Risk assessments are conducted regularly across the organization at various levels of detail and granularity to assess inherent risk levels, map risks to controls and assess residual risk levels within Temenos.

• Risk response – Risk management response strategies involve risk mitigation, risk transfer, risk avoidance and risk acceptance.

• Risk monitoring and review – We aggregate and monitor risks on a quarterly basis to determine if the organization is operating within the defined risk appetite. To the extent that risks are identified and assessed that are outside of the defined risk appetite levels, action plans are developed, monitored and tracked to ensure residual risk levels remain aligned with the Group level risk appetite.

• Risk reporting – Risks are reported regularly to the Audit Committee of the Board and the Group Risk Management Committee. Risk reporting includes aggregated Group level risks, risk heatmaps and monitoring aggregated risk exposure levels against risk appetite to ensure effective awareness and oversight of risk impact for Temenos. Management action plans are included within risk reporting as needed to ensure effective oversight over risk mitigation activities.

• Risk escalation – In instances where a significant deviation occurs between the agreed upon business risk appetite and current risk exposure levels (as identified through various risk management monitoring capabilities outlined above), risks will be escalated utilizing the risk governance structure.

Internal controls

In addition to the Enterprise Risk Management Framework, there is also a robust internal control system in place for financial reporting and key operational and fraud risks that goes beyond statutory requirements. All relevant risks are identified, formally assessed and documented. For each risk, we have implemented specific controls and mitigation plans and these are documented in formal risk and control matrices. The effectiveness of the controls is regularly evaluated through a formal self-assessment process which is independently reviewed and tested by both internal and external audit.

While it is management’s responsibility to design, implement and operate effective risk management practices and controls, it is the role of Group Internal Audit to evaluate the effectiveness of risk management and internal controls, assess compliance with policies and procedures and provide assurance to senior management and the Board of Directors on their overall effectiveness.

To ensure the independence and objectivity of Internal Audit, the Group Head of Internal Audit reports functionally to the Audit Committee. The role, responsibilities and authority of the Head of Internal Audit and the function are set out in the Internal Audit Charter, which is reviewed and approved annually by the Committee. All Temenos employees, contractors, Partners and suppliers are required to cooperate fully with Group Internal Audit when requested and to provide access to all records, property and personnel, as required.

Insurance

Temenos’ corporate insurance team manages all global policies. The main global policies provide coverage across core business areas such as professional indemnity liability (errors and omissions), cyber liability insurance, crime insurance, global travel and directors’ and officers’ insurance.

As with any large organization, Temenos strives to ensure that its activity, offices and employees are adequately covered, given the liability exposure and the insurance market capacities.

Temenos counts on reliable insurance partners; hence, most of Temenos’ insurance providers are A or A+ AM Best rated companies.

Across the various legal jurisdictions in which Temenos operates, compliance with the local legal requirements is ensured by holding certain insurance policies such as workers’ compensation policies and third party liability, employees’ health and accident benefits protection.

Temenos’ local offices manage their legally required policies with oversight and review by Group management. Each office/Temenos entity is insured against property damage, business interruption and public liability risks. Information and IT infrastructure is also covered by regional and/or local policies.

Risks to achieving our strategic objectives

Risk: Breach of regulatory obligations

Potential impact:
• Adverse client reaction
• Sales impairment and reduced revenues
• Regulatory sanctions and fines
• Reputational damage

Mitigation activities:
• Regulatory Change Management Framework in place to monitor, assess, identify and implement applicable regulatory requirements and maintain compliance.
• The framework continues to be enhanced as the degree of regulatory scrutiny increases with new requirements, for example, related to operational resilience, cybersecurity and AI.
• Regulatory compliance capabilities continue to mature as the legislative and regulatory landscape evolves and new requirements are implemented.

Risk: Product defects and/or security vulnerabilities

Potential impact:
• Adverse client reaction
• Sales impairment and reduced revenues
• Financial loss from liability claims or increased warranty costs
• Reputational damage

Mitigation activities:
• Robust Secure Software Development Lifecycle (SSDLC) and program which drives strong security culture across development and operations teams in place.
• Quality and product security assurance teams which are independent functions test adherence to secure practices.
• Temenos products undergo comprehensive security testing both internally and using external reputed third party firms at least annually.
• New vulnerabilities are monitored as they emerge, and analysis is performed to measure the impact on Temenos products, if any. Products are patched and updates provided as priority to mitigate security risk in case of new vulnerabilities.

Risk: Inability to attract and retain the talent needed for strategy delivery

Potential impact:
• Business, operating results and financial condition impairment

Mitigation activities:
• Compensation, incentives and recognition programs are utilized to align staff efforts to organizational objectives and to enable effective recruitment and retention; these are reviewed regularly and adjusted as necessary.
• Employees receive a range of training and development to ensure they have the necessary skills to perform their duties and to develop their careers within Temenos.
• Various CSR initiatives are in place to demonstrate our commitment to a purposeful workplace.
• Career and succession planning is reviewed regularly to provide for continuity of operations and mitigate key person risk.

Risk: Breach of law(s), litigation and intellectual property infringement claims

Potential impact:
• Adverse effect on the Group’s reputation, business, operating results and financial condition
• Litigation costs and payment of fines and/or damages
• Significant spend of management resources/time
• Discontinuation of the use of challenged trade names or technology

Mitigation activities:
• Temenos’ legal teams are aligned to business operations and are involved early in decisions which may incur legal implications. The legal teams review and provide guidance on complex client, Partner and supply contracts to ensure contractual agreements align to local commerce laws and regulations. To the extent possible, Temenos limits its liabilities contractually.
• Specific policies and procedures are in place to ensure compliance with export control and sanctions, anti-bribery and corruption, anti-money laundering, data protection and privacy regulations and other applicable legislation.
• Group level controls, compliance policies and procedures are in place to manage risk of potential breach of legal or regulatory requirements through general operations, such as breach of listing requirements or Group level legal requirements.
• Temenos maintains robust controls in relation to intellectual property. To the best of our knowledge its software products do not infringe upon the intellectual property rights of any third parties and Temenos has secured all the rights required to utilize intellectual property owned by third parties (for example Microsoft) as currently done in the conduct of its business.

Risk: Unauthorized use of Temenos’ intellectual property

Potential impact:
• Adverse effect on the Group’s reputation, business, operating results and financial condition
• Significant financial and management resources cost to enforce Temenos’ proprietary rights

Mitigation activities:
• Secure Source Code Management Policy and procedures in place.
• Regular training in relation to source code protection in place for all relevant employees.
• Intellectual property clauses are included in all contracts with customers, Partners, vendors and any other third party.

Risk: Unforeseen events delaying client implementations

Potential impact:
• Adverse client reaction
• Late revenues
• Reputational damage

Mitigation activities:
• Temenos focuses heavily on training the staff and Partners responsible for implementation of software to ensure a strong mix of qualified project managers and technical product expertise. Temenos ensures the adequacy of skills through requiring certification of staff and Partners in Temenos Implementation Methodology and products. Our provision of the Temenos Learning Community (TLC) shows our ongoing commitment to this area.
• Implementation teams are also trained to identify and effectively manage any unforeseen events and a suite of risk management tools is used to monitor and track potential issues which may adversely impact the successful installation of software. Project governance boards are held regularly to oversee the delivery of the implementation against milestones.
• Temenos Implementation Methodology is periodically reviewed and updated in order to maintain high standards for Temenos staff and Partners. Identified initial project risks receive an increased level of review and analysis in order to more effectively mitigate and monitor them throughout the life of the implementation project.

Risk: Unauthorized release of confidential, personal or otherwise protected information and corruption of data, networks or systems

Potential impact:
• Business disruption
• Reputational damage
• Loss of business
• Regulatory sanctions and fines
• Liability and financial losses
• Harm to individuals or property

Mitigation activities:
• The Security and Privacy Committee provides Group level oversight. This Committee is chaired by the Chief Security Officer, who reports to the Chief Security and Risk Officer – a member of the Executive Committee. Board level oversight is exercised by the Audit Committee.
• Security assurance is embedded across key business processes, including qualifying business projects and procurement activities, product development and Temenos SaaS delivery. Vulnerability management processes are conducted on a continual basis. Additionally, Temenos strengthens its cybersecurity assurance framework through internal audits and external certifications conducted by independent third party organizations.
• Employees and consultants are required to comply with security policies and requirements established by Temenos and receive appropriate training so that the concept of security is deeply rooted throughout Temenos. As part of due diligence, Temenos ensures that Partners have robust security and compliance policies and training.
• Temenos will take appropriate action against those who violate cyber assurance policies. Employees may also incur personal legal liability for violation of relevant laws and regulations.
• The physical security of IT infrastructure and personnel is kept secure through standardized general IT controls across Temenos in line with best practice standards.
• Temenos has implemented a Business Continuity Management System (BCMS) to cover business continuity and resilience requirements, and this is certified to ISO 22301:19. The framework touches on all aspects of business continuity and resilience and is tested and audited regularly.
• Temenos holds an annually renewed SSAE18 – SOC 1 Type 2, SOC 2 Type 2 and SOC 3 along with a Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) STAR Level 2 compliance attestation. During the year we have also achieved adherence to the EU Cloud Code of Conduct Level 2. ISO 9001, ISO 27001, ISO 27017, ISO 27018, ISO 20000-1 and ISO 22301 certifications also provide a greater degree of assurance to clients. Temenos also includes in its independent compliance validation program the certification of the Azure, AWS and Kony infrastructure against Payment Card Industry Data Security Standard (PCI DSS).

Risk: Foreign exchange and/or interest rate fluctuations

Potential impact:
• Additional costs from operating expenses incurred in currencies other than US dollars
• Group’s interest expense increases from financing arrangements, reducing Group cash flow
• Adverse effect on Temenos’ financial condition and results of operations and on the comparability of its results between financial periods

Mitigation activities:
• Temenos makes efforts to mitigate its foreign exchange risk by aligning its revenue streams to currencies that match its cost base and hedges most of the material residual exposure by the use of derivative instruments.
• Temenos uses a combination of various techniques to protect against currency and interest rate fluctuations including using derivatives to mitigate the risk when it is deemed to be significant in compliance with the terms of Temenos credit facilities.

Risk: Failure to maintain and expand sound strategic partnerships and/or reputational issues arising from them

Potential impact:
• Adversely affects Temenos’ products and services
• Negatively affects the results of operations and financial condition
• Reputational damage

Mitigation activities:
• Robust Partner governance arrangements in place including due diligence and ongoing performance monitoring.
• Temenos Learning Community membership license and certification in place for implementation Partners.
• Ongoing assessment of current Partner coverage.

Risk: Service providers/third parties fail to deliver contractual obligations and/or reputational issues arising from them

Potential impact:
• Business disruption
• Reputational damage
• Negatively affects the results of operations and financial condition

Mitigation activities:
• Global Procurement Policy and processes in place, including Supplier Code of Conduct.
• Standardized programs and processes to manage critical cloud service providers that compose the Temenos cloud ecosystem.

Risk: Failure to comply with regulation and reporting requirements in relation to environmental and sustainability matters and failure to meet stakeholders’ expectations

Potential impact:
• Legal penalties, fines, taxes and regulatory scrutiny, resulting in stringent audits and investigations, operational disruptions, as regulatory bodies may impose corrective measures
• Adverse impact on the demand for our products, our ratings in sustainable investment indices and our corporate reputation, resulting in reduced growth and profitability

Mitigation activities:
• As part of our environmental responsibility and climate change strategy, we have set up an internal Company-wide mechanism, in order to measure, monitor and report on our global impact.
• We monitor environmental regulations, trends and other related governmental developments in the countries we operate in and take proactive actions.
• We communicate our environmental responsibility strategy to all our stakeholders and raise awareness internally and externally.
• Through our cloud and SaaS product offering, we help our clients integrate environmental sustainability into their business strategies, by enabling them to reduce their environmental impact, as well as helping their customers track their environmental footprint.
• We participate in global efforts to improve environmental protection and understanding and align with the United Nations’ global agenda for sustainable development.
• We ensure that our clients, suppliers, Partners and contractors are committed to following our environmental policies and setting environmental targets, by conducting sustainability risk assessments as well as audits and reporting annually to the Board of Directors.
• Refer to the Sustainability Report on page 54 for further details

Risk: Failure to acquire, integrate and/or derive the desired value of targeted businesses and/or assets

Potential impact:
• Unforeseen operating difficulties and expenditures, impairment or losses adversely affecting Temenos’ business, results of operations and financial condition

Mitigation activities:
• Mergers and Acquisitions Risk Management Policy and M&A Integration Playbook to guide process and integration efforts are in place.
• In case there is a perceived fit of an acquisition opportunity, an M&A Steering Committee will be put in place to oversee the M&A process.

Emerging risks

Identification of emerging risks involves taking a broader approach to risk identification, where potential risks are identified that have the possibility of impacting Temenos in the three to five-year range, and developing proactive risk management strategies to minimize potential business impact.

Emerging risks are taken into consideration as part of our Enterprise Risk Management Framework. The following are considered important in developing a forward-looking approach to manage risks that could impact Temenos.

Risks associated with Artificial Intelligence (AI) (next three years)

There is an increased concern about the adverse outcomes that AI can have impacting individuals, businesses, ecosystems and/or economies. AI technology can lead to: unfair and discriminatory outcomes given that the system can inherit biases present in data input; lack of transparency on how decisions have been taken, eroding trust and hindering accountability; job displacement in certain professions; new security risks where malicious actors can manipulate input data to deceive the system; increased privacy concerns given that AI requires high volumes of data for training; and environmental impact as significant computational resources may be needed to support the system, increasing energy consumption. While this is identified as a risk impacting the business, this risk is expected to further materialize within the next three to five years and potentially impact Temenos’ position within the marketplace and possibly impact strategic growth plans.

Potential business impact

The use of AI in our product offerings will offer numerous benefits to our clients; however, the inability to effectively manage the risks associated during its development and deployment could result in legal liability, increased regulatory scrutiny, challenges in selling products and services and reputational damage.

Mitigation measures

We will review and enhance as appropriate our AI management processes and product offerings. This includes developing appropriately focused risk management activities around the development, deployment and use of AI both internally and within our product suite; regulatory horizon scanning and analysis of emerging regulation and legislation to ensure effective compliance; reviewing and updating our contract documentation as needed; and developing appropriately detailed product documentation to support client needs and expectations.

Frontier technologies integration challenges (three to five years)

As new technologies such as augmented and virtual reality, quantum computing and others emerge, we may face integration challenges. Keeping up with these technologies and seamlessly integrating them into existing platforms may be complex, expensive and time consuming. While not identified as an immediate risk impacting the business, this risk is expected to further materialize within the next three to five years and potentially impact Temenos’ position within the marketplace and possibly impact strategic growth plans.

Potential business impact

The inability for Temenos to successfully integrate new technologies into its offerings may lead to client erosion and loss of market share.

Mitigation measures

We will continue to invest in R&D to ensure that we can effectively integrate new technologies into our offerings where it is believed to be beneficial for our clients to ensure they can benefit from the latest technological developments.