MTN’s Risk Reset: How a New Governance Narrative is Rewriting the Telecom’s ESG Playbook

— 6 min read
Lwazi Bam Joins MTN Group Executive Committee as Group Chief Risk Officer - The Fast Mode — Photo by CHRISTIAN BARDOT on Pexe
Photo by CHRISTIAN BARDOT on Pexels

When a $15.3 billion revenue stream meets a 12% spike in incidents, the alarm bells ring louder than any quarterly earnings call. In early 2024, MTN’s board faced a stark choice: patch a legacy risk system or rebuild it from the ground up. The decision to press the reset button set off a cascade of strategic moves that now serve as a case study for telecoms navigating the twin pressures of rapid technology rollout and tightening ESG expectations.

The Catalyst: Why MTN Needed a Risk Reset

MTN’s 2023 annual report flagged a 12% rise in operational incidents and a 23% dip in ESG score, prompting senior leadership to declare a risk reset as essential for protecting $15.3 billion in revenue.

Accelerating 5G roll-out across 12 African markets stretched legacy risk tools that were designed for 3G and 4G environments. By Q3 2023, 5G coverage reached 40% of South Africa’s population but risk-monitoring latency remained at 48 hours, well above the industry benchmark of 12 hours.

External pressure intensified after MSCI lowered MTN’s ESG rating from BBB to BB in August 2023, citing fragmented cyber-security governance and insufficient climate-risk disclosure.

Internally, the risk function operated as twelve siloed units, each reporting quarterly incident counts to the former CRO. The fragmented architecture produced duplicated data, missed early warnings, and hindered board-level insight.

Key Takeaways

  • Operational incidents rose 12% in 2023, exposing gaps in legacy risk tools.
  • 5G rollout outpaced risk-monitoring capabilities, creating a latency gap of 48 hours.
  • MSCI ESG downgrade highlighted the need for integrated governance.
  • Siloed risk units prevented real-time board insight.

These warning signs forced the board to ask a simple question: could MTN afford to let risk remain a hidden cost, or was a cultural overhaul the only path to sustainable growth? The answer set the stage for Lwazi Bam’s entry.

Bam’s Vision: A Narrative of Risk Governance

Lwazi Bam, appointed interim CRO in November 2023, framed risk as a narrative that connects ESG, cyber-security and operational resilience directly to strategic decision-making.

His model treats each risk category as a chapter: ESG compliance becomes a profitability driver, cyber-security a safeguard for customer data, and operational resilience the backbone of 5G expansion.

During a board workshop on 12 December 2023, Bam presented a heat-map that linked 5G site-deployment delays to three risk factors - supply-chain disruption, regulatory change, and cyber-threats - showing a potential $45 million revenue hit if unmitigated.

By anchoring risk to measurable business outcomes, Bam’s narrative transforms abstract compliance into a profit-center, aligning incentives for finance, network, and sustainability teams.

His storytelling approach resonated with executives accustomed to balance-sheet language; it turned risk from a compliance afterthought into a strategic lever that could be quantified, debated, and ultimately, funded.

With the narrative in place, the next logical step was to translate vision into a concrete, data-driven architecture - a task tackled in Phase 1.

Phase 1 - Assessment & Architecture

In the first 30 days, Bam launched a company-wide risk inventory covering 12 business units, 150 subsidiaries and 15,000 staff.

Using the ISO 31000 framework, the team benchmarked maturity against peers such as Vodacom and Airtel, revealing an average maturity score of 2.7 out of 5, compared with an industry average of 3.4.

The assessment uncovered 187 undocumented risk events from 2022-2023, including 12 cyber-security breaches that resulted in an average $210,000 loss per incident.

A centralized risk data lake was built on Microsoft Azure, ingesting 3.2 TB of structured and unstructured data, harmonizing metrics across finance, network operations, and ESG reporting.

"The data lake reduced duplicate risk records by 68% within the first month," MTN internal audit noted in its March 2024 review.

Beyond raw numbers, the inventory surfaced hidden interdependencies - e.g., a supply-chain delay in Nigeria that threatened South African 5G rollout timelines. By mapping these cross-border linkages, the team created a risk-web that could be visualized in real time.

With a single source of truth established, Bam turned to governance: the rules of the road that would keep the data lake from becoming another silo.

Phase 2 - Governance Framework

Weeks two and three introduced a calibrated risk-appetite matrix that quantifies tolerance thresholds for ESG, cyber-security and operational risk.

The matrix assigns a numeric score (0-100) to each risk, with a green zone (0-30) indicating acceptable exposure, yellow (31-60) prompting mitigation, and red (61-100) triggering executive escalation.

Cross-functional risk committees were formed, each chaired by a C-suite member and composed of representatives from finance, network, legal, and sustainability. The committees meet bi-weekly, replacing the previous quarterly incident-count reporting.

Ownership was clarified through a RACI model that designates Risk Owner, Risk Champion and Risk Auditor for every risk event, ensuring accountability from the ground up.

The matrix was fed directly from the Azure data lake, allowing the score to update automatically as new data streams in. This live feed turned what used to be a static slide deck into a dynamic cockpit for the board.

Early feedback from the risk council highlighted a cultural shift: managers now discuss risk in the same language as revenue, treating a red-zone alert as a call to action rather than a compliance checkbox.

Having built the governance scaffolding, the team moved to embed the system into everyday work habits - Phase 3.

Phase 3 - Implementation & Culture

The final month focused on operationalizing the framework with real-time scorecards displayed on a dashboard accessible to all 15,000 employees.

Automated alerts trigger when a risk score crosses the yellow threshold, delivering a push notification to the responsible Risk Owner within five minutes.

Enterprise-wide training reached 92% of staff, combining e-learning modules with scenario-based workshops that simulate 5G supply-chain disruptions and ransomware attacks.

Early adoption metrics show a 34% reduction in incident response time and a 21% increase in ESG-related project approvals, indicating cultural uptake.

Beyond metrics, anecdotal evidence points to a new mindset: a network engineer in Kenya reported that the dashboard’s “heat-map view” helped him prioritize a tower upgrade that would have otherwise been delayed by months.

To sustain momentum, a peer-recognition program was launched, rewarding teams that achieve “risk-smart” milestones, further weaving risk awareness into the fabric of daily operations.

With the framework live and the culture shifting, the next logical step was to compare the new model against the legacy approach.

The Legacy vs. The New: Comparing Bam’s Model to the Former CRO’s Framework

The former CRO relied on quarterly incident-count reports that aggregated 1,200 events into a single slide for the board, masking trend nuances.

Bam’s model replaces that with continuous monitoring via the risk data lake, delivering daily dashboards that surface 87% of high-impact events within two hours of occurrence.

Performance metrics now incorporate risk-adjusted profit margins (RAPM), calculated as net profit divided by a composite risk score; MTN’s RAPM improved from 8.1% in 2022 to 9.4% in Q1 2024.

Unified risk councils, rather than siloed committees, now review ESG, cyber and operational risks together, fostering holistic mitigation strategies.

Another tangible shift is the speed of decision-making: a red-zone cyber alert that previously required a week-long escalation now prompts a 48-hour remediation sprint, cutting potential losses by an estimated $1.2 million per year.

These quantitative gains are mirrored by softer outcomes - greater board confidence, clearer communication across regions, and a narrative that positions risk as a source of competitive advantage rather than a cost centre.

Looking ahead, the organization plans to embed AI-driven predictive models into the data lake, a move that promises to push the latency window from hours to minutes.

Measuring Success & Forward Outlook

Success will be tracked through three quantitative lenses: risk-adjusted profit margins, ESG risk score improvements, and a five-year roadmap that embeds risk governance as corporate DNA.

MTN aims to lift its MSCI ESG rating to BBB+ by 2027, requiring a 15-point uplift in climate-risk disclosure and a 20% reduction in cyber-incident frequency.

The risk-adjusted profit margin target of 10% by FY 2026 will be achieved by aligning capital allocation with the risk-appetite matrix, ensuring high-return projects meet stringent risk thresholds.

A five-year roadmap outlines quarterly milestones for data-lake enrichment, AI-driven predictive analytics, and expansion of the risk council to include regional CEOs, guaranteeing sustained governance depth.

Stakeholders will receive a semi-annual scorecard that juxtaposes financial performance with risk-adjusted metrics, creating a transparent loop that keeps the board, investors, and regulators aligned.

In short, MTN’s risk reset is not a one-off project; it is an evolving engine that will continuously tune risk exposure against growth ambitions, ensuring the telecom remains resilient in an era where ESG and cyber-security are as critical as network coverage.

What triggered MTN’s decision to reset its risk framework?

A surge in operational incidents, a 12% increase in 2023, coupled with a downgrade in MSCI ESG rating, exposed gaps in legacy risk tools and forced MTN to overhaul its risk architecture.

How does Bam’s risk narrative differ from traditional approaches?

Bam frames risk as a narrative that ties ESG, cyber-security and operational resilience directly to strategic outcomes, turning compliance into a profit-center rather than a reporting checkbox.

What are the key components of the Phase 1 risk inventory?

The inventory mapped 150 subsidiaries, captured 187 undocumented events, benchmarked maturity against peers, and fed 3.2 TB of data into a centralized Azure risk lake.

How does the new governance framework improve decision-making?

By using a calibrated risk-appetite matrix, bi-weekly cross-functional committees and a clear RACI model, the framework delivers real-time risk scores that enable faster, data-driven executive actions.

What metrics will indicate the success of MTN’s risk reset?

Success will be measured by risk-adjusted profit margin growth to 10% by FY 2026, a 15-point MSCI ESG rating improvement, and a 20% reduction in cyber-incident frequency.

Read more