Risk management

Our commitment to risk management

At u-blox, we understand that strong risk management is essential to achieving long-term success. Our risk management program, aligned with ISO 31000, helps us identify, assess, and address risks that could impact our operations and goals. This program is embedded throughout our organization globally, supporting our ability to meet objectives, enhance performance, and seize new opportunities.

We allocate resources to support and strengthen risk management processes throughout the company. Our framework aligns with stakeholder interests, directly addresses uncertainties, and is integrated into daily decision-making. It is proactive, adaptable, and responsive to change, based on the best information available.

Transparency is a core part of our approach. We aim to keep our shareholders, partners, and the public informed about our risk management practices, reinforcing our commitment to responsible and ethical business practices.

Who we are

Our Corporate Risk Management team is led by the Chief Security Officer / Head of Risk Management, who oversees the process by ensuring that risks are properly documented, monitored, and reviewed at least twice a year, or more frequently if necessary.

Working closely with Function Heads of various departments across the company, we collaborate to identify and address potential risks to support our overall objectives.

The program is overseen by our executive leadership, with updates provided twice a year to the Executive Committee and to the Board of Directors via the Audit Committee. This structure ensures that risk management remains a core component of our corporate strategy, aligned with our commitment to stability and sustainable growth.

What we do

We manage corporate risks within an ISO-31000-based Risk Management Framework that includes the following elements:

Visual representation of the u-blox risk management framework based on ISO 31000

The Risk Management Framework

Our approach to Risk Management is built on a structured framework designed to identify, assess, and manage risks that could impact our operations and objectives.

Any employee or third party can identify and report risks, which are directed to the relevant Functional Head, EC member, or Corporate Risk Management. Each identified risk is assigned a clear risk owner to ensure accountability. If ownership spans multiple functions, the Executive Committee, or the CEO if needed, designates a single owner. Corporate Risk Management conducts formal risk assessments with all Functional Heads and EC members twice a year, with additional updates as needed to keep assessments current and comprehensive.

Through this approach, we ensure that identified corporate risks cover all levels of the organization, and that ownership is taken at the appropriate level:

Visual representation of the u-blox risk management framework

Risk Assessment

Our risk assessment process includes three main steps:

  1. Risk Identification: Functional Heads are asked to identify potential sources of risk, events, and possible consequences that may affect our business.
     
  2. Risk Analysis: Risk Owners analyze each identified risk, considering its possible consequences, likelihood, and overall impact.
     
  3. Risk Evaluation: Risks are rated using a Risk Priority Number (RPN), which is calculated using the formula: RPN = Severity x Likelihood. The resulting RPN determines the overall risk level, which indicates whether the risk is above our risk appetite (“High” / “Critical” risks) or potentially acceptable (“Low” / “Medium” risks):

Visual representation of u-blox risk assessment management

Risk Treatment

For each identified risk, we apply a range of treatment options to address it effectively.

  • Avoidance: We may change our approach or activities to eliminate certain risks.
  • Mitigation: We implement measures to reduce the likelihood or impact of risks where possible.
  • Transfer: When appropriate, we shift the responsibility for certain risks to third parties, such as through insurance.
  • Acceptance: For risks within our tolerance levels and risk appetite, we may decide to retain and monitor them, documenting this decision carefully.

Risk Treatment Plan and Residual Risk: Risk Treatment Plans are documented and have an assigned risk owner who is responsible for the risk treatment. Residual risk ratings are re-calculated, considering planned mitigation, to verify the plan is suitable to control the risk and aligns with our defined tolerance levels.

Risk Reporting & Review

A Corporate Risk Register is maintained to capture all corporate risks, along with key performance indicators (KPIs) that track the top current risks, overall risk levels, and trends since the last report.

Through these steps, our framework supports resilient, informed decision-making that aligns with our strategic goals.

Regular half-yearly reports are prepared for the Executive Committee and the Board of Directors via the Audit Committee, featuring a risk dashboard, updates on the top risks, and insights from each responsible Executive Committee member. 

Continuous Risk Monitoring

Visual representation of u-blox continuous risk monitoring process

All Functional Heads are responsible for monitoring risks and conducting regular reviews to ensure that risk reports from both internal and external sources are accounted for, and that already assessed risks remain acceptable according to our risk appetite. The Corporate Risk Management team will arrange review meetings twice annually to ensure that all risk assessments and updates are thoroughly completed.

This structured approach ensures that risk data remains current and supports informed decision-making throughout the organization.

Types of Risks we cover in Corporate Risk Management

By conducting Risk Assessments for all corporate functions, we ensure a broad coverage of all types of risks affecting our company and our stakeholders. This includes, but is not limited to:

  • Financial Risks
  • Business and Market Risks
  • Legal Risks
  • Operational Risks
  • Cybersecurity Risks related to Products and Infrastructure
  • Sustainability and Climate Risks
  • Supply Chain / Third-Party Risks
  • Business Continuity Risks

An overview of significant risks we faced in the past fiscal year, and how we addressed them, can be found in our 2024 Sustainability Report.