Risk Criteria and Guidance


Each risk category is rated High, Medium, Low or Very Low against the criteria below.

Relationship risk
  High: Highly complex: involves multiple partners or internal directorates; involves some level of reciprocity between parties in the contract; supports several unrelated O2 programmes.
  Medium: Framework agreement that will support multiple concurrent statements of work over a period of time into multiple points of our or the customer's organisation.
  Low: Delivery into two directorates or two different key customer locations.
  Very Low: Simple: likely to be a one-off contract or a simple point-to-point relationship (i.e. one O2 directorate or project).

Regulatory & reputational risk
  High: Underpins public sector commitments in one or more areas; impacts our licence obligations; underpins several areas of regulation, including FCA and/or SOX in O2; our brand is the major brand involved. Health & Safety: physical work in close proximity to public and customers, or risks related to working on asbestos, electrical work or working at height, or construction work defined under the Construction Design Management Regulations.
  Medium: Underpins areas of regulation including new high-visibility regulation; visible to customers and of little interest to the media. Health & Safety: concern over H&S performance of suppliers and subcontractors, or suppliers involved in potential H&S prosecution or fines.
  Low: Supports long-standing regulation that we know how to comply with; not visible to customers and of little interest to the media. Health & Safety: routine tasks with minor impact on customer, public or staff.
  Very Low: Does not relate to regulatory compliance.

Delivery & quality risk
  High: Unusual, new or non-core solution, offering, proposition or product with unique service levels; extensive levels of obligations on O2, even though we are not the supplier; failure to deliver the product or service to spec, volume or date will have a business or customer service impact > £5M; concern over reliability of delivery partners; requires complex quality & performance measurement systems.
  Medium: Failure to deliver the product or service to spec, volume or date will have a business or customer service impact > £1M.
  Low: Standard offering, proposition or product with custom service levels; failure to deliver the product or service to spec, volume or date will have little if any business or customer service impact (< £1M).
  Very Low: Standard offering, proposition or product (ours or the supplier's) with standard service levels; failure to deliver the product or service to spec, volume or date will not have a business or customer service impact.

Strategic importance / business continuity
  High: May impact a substantial part (>50%) of our customer base; may impact the complete network; may impact declared O2 strategic intent.
  Medium: May impact a significant part of our customer base (5-49%); may impact a customer-facing IT service.
  Low: May impact important internal O2 systems or processes, e.g. network management.
  Very Low: May impact a single cell or an internal IT service with little customer service impact.

Security, information and data risks
  High: Impacts our controls around data protection and customer privacy. An ISO27001 level three supplier having access to a large amount of Telefonica customer and/or employee information; they could also have access to commercially sensitive information, for instance MSISDN > 20000. Telefonica In Confidence information, or any information Telefonica deems to be of high risk or high value.
  Medium: An ISO27001 level two supplier having access to a limited or large amount of Telefonica customer and/or employee information; they could also have access to commercially sensitive information, for instance 20000 > MSISDN > 5000. Telefonica Internal Use Only information.
  Low: An ISO27001 level one supplier having access to a limited amount of Telefonica's customer, employee or commercially sensitive information, for instance MSISDN < 5000 records. Commercial information already in the public domain.
  Very Low: Has no or minimal security, information or data risk.

Sustainability risk
  High: Significant supply from low-cost geographies with close O2 brand association; possible substantial fines.
  Medium: Involves a large number of workers or significant environmental impact from within the UK.
  Low: Involves a large number of workers or significant environmental impact from within the UK or the EU.
  Very Low: Low people / environment impact; sourced within the UK or EU.

Contract risk
  High: Government terms and conditions or public sector framework, or customer terms with significant deviation from O2 standard terms; O2 standard terms for business customers highly negotiated with significant deviation from standard.
  Medium: Customer terms with medium to low deviation from O2 standard terms, or multi-national framework; O2 standard terms for business customers with medium to low deviation from standard.
  Low: O2 standard terms with some negotiation.
  Very Low: Our standard terms and conditions.

Financial failure risk
  High: May result in costs or penalties > £5M; may impact current or planned revenues > £5M.
  Medium: May result in medium costs or revenue losses of £1M to £5M.
  Low: May result in small cost or revenue losses of < £1M.
  Very Low: No foreseeable revenue or cost impacts.

Contract Value Scale & Tiering Matrix

Contract Value Category   Directorate (Business / Digital)
  V. High                 > £5M
  High                    £1-5M
  Low                     £0.5-1M (Business); £0.5M-1M (Digital)
  V. Low                  < £0.5M

Contract Management Activities – Customer Contracts

Tiers: Tier 1 is over £5m TCV, Tier 2 is £1-5m TCV and Tier 3 is under £1m TCV, each subject to the risk criteria above.

Relationship (1)
  Tier 1: Documented Account Plan, updated at minimum quarterly. Board Sponsor actively involved in the relationship.
  Tier 2: Documented relationship (or account) plan, updated at minimum annually.
  Tier 3: Informal relationship management.
  Responsibility: Account Manager.

Governance (1)
  Tier 1: Monthly Account and Service Reviews, or otherwise as defined in the contract.
  Tier 2: Minimum quarterly Account and Service Reviews, or otherwise as defined in the contract.
  Tier 3: Ad-hoc Account and Service Reviews, or otherwise as agreed with the customer or defined in the contract.
  Responsibility: Account Manager (relationship incl. invoicing) & Service Delivery Manager (service).

Risk (2)
  Tier 1: Formal risk register, updated at minimum quarterly. Documented mitigation actions with owners and timelines. Reviewed quarterly with the nominated Contract Manager.
  Tier 2: Formal risk register, updated at minimum half-yearly. Documented mitigation actions with owners and timelines. Reviewed half-yearly with the nominated Contract Manager.
  Tier 3: Informal risk assessment on an annual basis.
  Responsibility: Contract Management engaged by exception on a case-by-case basis.

Change (1)
  All tiers: O2 standard change control process for change requests unless otherwise agreed in the contract (excludes IMACs, which are pre-agreed changes at standard prices managed via the Service Desk).
  Responsibility: Project Manager (for delivery projects) or Account Manager (in life).

Performance, Quality & Compliance (1, 3)
  Tier 1: Monthly Service Reviews, and delivery reviews for projects.
  Tier 2: Monthly or quarterly Service Reviews, and delivery reviews for projects.
  Tier 3: Ad-hoc Service/Delivery Reviews, or otherwise as agreed with the customer.
  Responsibility: Service Delivery Manager.

Financial Health (2)
  Tier 1: Credit vetting at contract signature. Other action as required, initiated by Credit & Risk in the event of non-payment. On-going management of billing/revenue collection against the contract and quarterly P&L review with Finance.
  Tier 2: Credit vetting at contract signature. Other action as required, initiated by Credit & Risk in the event of non-payment. On-going management of billing/revenue collection against the contract and P&L review with Finance (frequency tba).
  Tier 3: Monitored on-going under the D&B Failure Risk Alert process, initiated by the Contract Manager (4).
  Responsibility: Contract Manager / Procurement.

Security (2)
  All tiers: Applicable to the extent that O2 has obligations to manage data security which could expose O2 to financial penalties, potential breach of contract or reputational damage. Physical, information and data risks to be reviewed at contract signature and managed via the risk process.

Sustainability
  All tiers: Not applicable to customer contracts; customers have no sustainability obligations.
  Responsibility: N/A.

Audit (2)
  All tiers: Customer audits not required. Requests from customers to audit O2 to be referred to Contract Management to verify the customer's rights to audit, including triggers, restrictions and other conditions that may apply.

Internal Audit Review (2)
  Tiers 1 and 2: Conducted at minimum once every 3 years to verify the contract management framework is operating effectively.
  Tier 3: Conducted on a sample basis only.
  Responsibility: Internal Audit.

Document Retention (2)
  All tiers: Signed copies of all paperwork (contracts, addendums, annexes, changes and side letters) to be scanned and saved to the contract repository, and Contract Management notified within 10 working days. Hard-copy contracts to be transferred offsite once a month. Capita Term Sheet to be produced and kept up to date.
  Responsibility: Contract Manager.

NOTES:
  (1) Customer-facing activity.
  (2) Internally-facing activity.
  (3) Compliance is a broad topic; numerous specific additional activities are likely to be required.
  (4) The Failure Risk Monitoring, Security Assurance and Sustainability Assurance processes require review to ensure they can operate effectively across all contracts as required.

Support for Contract Management Activities

Process                              Supporting teams                                                              Templates
  Relationship                                                                                                     Account Plan
  Governance
  Risk                               Legal & Regulatory; Operations – Business Operations (for H&S); Contract Management
  Change
  Performance, Quality & Compliance
  Financial Health                   Finance
  Security                           Operations – IT; Operations – Business Operations
  Sustainability
  Audits
  Internal Audit Review
  Document Retention