Ethics & Compliance

Digi maintains a zero tolerance stance on corruption. We practice the highest ethical standards to promote good business practices and adhere to applicable laws, regulations and internationally recognised standards.
In an age of oversharing and abundance of information, trust and transparency are vital currencies for any organisation to operate. We therefore adhere to the highest standards of ethics and integrity in conducting our business. We see emerging forces of disruption in the areas of data security, consumer responsibility, and supply chain risks, and we have been agile in adapting to these shifts in the interest of our stakeholders.

Setting the Standards in Governance

All employees are expected to comply with the Code and all related policies and manuals. The Code is owned and approved by the Board of Directors, and is implemented by the Ethics and Compliance function. Compliance incidents are reported through several means: an Integrity Hotline, through leaders or directly to the Internal Audit and Investigations department. The Internal Audit and Investigations department is responsible for all investigations including those raised by whistle-blowers, and handled according to a well-defined process outlined in the Whistle-blowing Manual. The team works closely with the Ethics and Compliance department to conclude investigations and take appropriate action, this includes legal action if required. Any failure to report a breach of the Code warrants an immediate inquiry and action to be taken against the relevant individual.

The Audit and Risk Committee has responsibility over the reports raised by whistle-blowers, to review the related policy and manual in addressing such reports, and to ensure investigations are conducted objectively and independently. Both the Internal Audit and Investigations department and the Ethics and Compliance department report to the Audit and Risk Committee and the Board regularly on any reported cases as well as follow-up actions taken.

Digi was the only Malaysian company to attain the Best Corporate Governance recognition for the highest level of disclosure as published in the CGIO-ACN Corporate Disclosure on Business Integrity in ASEAN 2018 report. Published by the ASEAN CSR Network (ACN) and the National University of Singapore (NUS) Business School, the study compared the 50 largest companies by market capitalisation in five ASEAN countries – Indonesia, Malaysia, Philippines, Singapore and Thailand – and ranked them based on a set of 13 questions developed by Transparency International.
In 2018, we refreshed our Code of Conduct (the Code) mandated for all employees. The new Code adopts a ‘requirement, risk and guidance based model’ versus the previous ‘high level principle based model’. Launched group-wide by Telenor, the new code was enhanced to provide greater clarity on expected employee conduct with clear links to relevant policies and manuals. It also included additional sections to address scenarios concerning ‘Business partners and Public officials’. The Code was made available on mobile to ease access and search capabilities.

Digi maintains a zero-tolerance stance towards all forms of corruption, including bribery, facilitating payments or otherwise offering an improper advantage to influence a third party. We conduct our business in an open and transparent manner. In 2019, we will undertake the ISO 37001 (Anti-Bribery Management Systems) certification which covers elements such as due diligence, financial and non-financial controls, policies on specific high-risk bribery areas, whistle blowing policy, and training and communication. The standard also provides guidance in defining clear roles for leadership in driving Digi’s anti-bribery agenda, third party compliance assessment, and embedding a compliance culture that focuses on prevention.

Digi supports and respects internationally proclaimed human rights including the UN Declaration and conventions on human rights. In 2018, we undertook a Telenor Group Human Rights Due Diligence exercise in collaboration with Business for Social ResponsibilityTM (BSRTM). This company-wide exercise involved participation of key business functions aligning our operations and supply chain to adhere to best practices in human rights including freedom of expression, data privacy, health and safety, bonded labour, child labour, non-discrimination, child online safety and access to technology. The due diligence assessment identified risks and planned preventive and mitigation actions to address human rights impacts. We also engaged external stakeholders such as the Human Rights Commission of Malaysia and UNICEF Malaysia to gain a macro perspective of the industry and the country.

Data Security and Privacy

Safeguarding customer privacy remains a priority and we have integrated all data-privacy related activities into everyday organisational processes. We enforced stringent measures to address possible gaps across our business value chain to ensure we continue to protect the privacy and security of our customers.

New tools and practices introduced during the year included enhancing governance on privacy matters, privacy risk assessment as part of data processing, establishing privacy compliance in vendor process, identifying key functions within the organisation with heightened responsibilities to manage data, and constantly engaging employees with relevant capacity-building programmes. All these measures support our commitment to remain transparent on how we collect and use personal data.

We recorded a 100% completion of the Privacy Matters e-learning module by employees. The module emphasises and cultivates privacy knowledge and awareness to embed a culture of privacy compliance across all job functions. It was made a mandatory learning for all new employees in the onboarding process, and part of periodical training sessions for job functions involving customer data, such as retail frontlines and contact centre.
We introduced an enhanced data processing framework to streamline and simplify processes, while ensuring improved control mechanisms for access to personal data. All internal or external data processors are bounded by data processing agreements that hold them responsible for the implementation of adequate security and confidentiality measures. Planned and systematic risk based measures such as data or privacy impact assessments are carried out to ensure adequate and satisfactory information security management.

The Digi InfoSec (Information Security) team, established since 2011 governs and manages internal and external information security management to ensure Digi operates in a secured environment and in compliance to leading standards and regulatory requirements. Our information security policies define the minimum measures required to protect information assets while meeting business requirements and statutory obligations for data protection. The foundation of the code of practice for Information Security in Digi is ISO/IEC27001:2013. Employees are also prescribed with a handbook, serving as a practical guide to the Information Technology (IT) security in Digi. The handbooks sets guidance on handling confidential information, access controls, hardware and software provisioning, data archival-retention-disposal, and incidence reporting among others.

In 2018, Telenor launched a two-year privacy programme across its Asian markets to build capacity and introduced scenario-based learning to ensure synchronisation among business units in navigating the complex and changing privacy regulatory landscape.

Service Reliability and Quality

We now serve 9.2 million internet customers whose 9.9GB average monthly data usage has driven a 70% surge in data traffic on our network. As data demand continues to rapidly increase, we remain committed to provide a quality and consistent network experience for customers.

This year, we expanded our nationwide 4G plus network footprint to cover 89% of the population with 4G LTE, 65% with LTE-A, and grew our fibre network to 8,400km. Our commitment to service quality was also reflected in the results of the Malaysian Communications and Multimedia Commission (MCMC)’s Network Performance Report 2018. The report outlined nationwide network performance measurements based on key metrics such as data throughput speeds and network latency, in line with the Mandatory Standards for Quality of Service for Wireless Broadband Access services.

Note: In 2017, most networks were on 3G with throughput set at 650kbps at 65% of the time. In 2018, the threshold was raised to 1Mbps at 80% of the time aligned to LTE coverage deployments. (Source: MCMC Network Performance Report 2018)

  • Throughput - refers to how much data can be transferred per unit of time across a network from one location to another, experienced by end user as internet speed. Higher throughput means better internet speeds.
  • Network Latency - refers to the Return Trip Time (RTT) of data transfers on a network, how long it takes for the data to travel to its destination. Low latency is considered better than high latency.
  • Packet Loss - refers to amount of data sent which are unable to reach its intended destination. Low packet loss indicates the network’s ability to transfer data from the user end to the destination host with high reliability.

Customer Concerns

We remained true to our mission of always employing a customer-first mindset and to put customer concerns at the core of all we do. We have a dedicated customer management team constantly working to innovate new ways of improving customer experience across all our digital and retail touchpoints. These efforts have led us to score the highest customer Net Promoter Score (NPS) within the industry for the second consecutive year. NPS is calculated as the percentage of promoters (customers likely to promote a brand) deducted from the percentage of detractors.

We continued making smart investments to redefine our customer experience by digitising customer care services across our touchpoints to meet the expectations of our customers. We introduced further enhancements to offer improved service quality that is relevant and timely. In 2018, we recorded positive customer satisfaction (CSAT) scores across both our key touchpoints – contact centre and retail stores, registering an increase of 5% and 1% respectively.

We took necessary measures to mitigate disputes over unauthorised subscription of content through SMS with third party content providers. We worked to help our customers better manage their subscriptions by implementing an additional authentication layer via Transaction Authorisation Code (TAC) for all third party subscription requests made via SMS, and established a weekly complaint monitoring framework to monitor and escalate disputes to content providers for resolution. We raised efforts to keep customers informed on how they may have unknowingly subscribed to third party services and how to unsubscribe.

We leveraged on the power of Artificial Intelligence (AI) and machine learning to improve cyber security, fraud detection, and streamline processes. These technologies gave us security capabilities to prevent and reduce the effects of a range of threats, including the ability to swiftly detect and respond to fraudulent activities, achieve greater process efficiencies, and reduce human error to provide better protection for customers. The fraud detection AI solution (Automated Deep Learning detector) was developed internally and is able to identify tampered photos and invalid registrations.

Our latest innovation for customers came in the form of a mobile data management feature for Android users. A collaborative effort between Google and Telenor Group, the feature enables customers using Android devices running on 4.0 operating system and newer to access their mobile data plan, purchase data offers and receive alerts via phone settings instead of an app. This brought greater convenience to our customers to enjoy our services seamlessly with minimal disruption, resulting in a better internet experience.

To internalise on the ambition of understanding our customers better, we encourage all employees, beyond retail front-liners and contact center employees to be engaged in internal programs that can help them understand the importance of providing excellent customer experience and how that makes good business sense.

Supply Chain Sustainability

Digi adopts international principles and standards to systematically guide, reduce risk, and bring positive impacts across our value chain. Through our Supply Chain Sustainability (SCS) focus, we require responsible business conduct from all our suppliers in accordance with our Supplier Conduct Principles (SCP), which is part of our Agreement on Responsible Business Conduct (ABC). These requirements are complemented by systematic monitoring and risk management. We believe that decent working conditions, respect for human rights and the environment, as well as willingness to improve standards amongst our suppliers is the only viable way forward. By working closely with our suppliers, we can raise the standards and build a competitive edge from the way we manage our supply chain.

Compliance, Capacity Building and Continuity

Integrity is a vital part of Digi’s business, and we exercise due diligence when it comes to the selecting of business partners to ensure compliance with our ethical standards. We have implemented mandatory requirements for screening and conducted integrity due diligence (IDD) assessments on all business partners and suppliers. Parties with a direct contractual relationship with Digi are legally obliged to uphold responsible business practices and adhere to our SCP.

The principles include areas related to human rights, health and safety, labour rights, environment, privacy, and prohibited business practices, which sets out the minimum standards we expect to see achieved over time. Suppliers are also obliged to ensure compliance with applicable anti-corruption laws and regulations.

In 2018, all 162* newly registered vendors signed the Agreement of Responsible Business Conduct (ABC) which communicated our anti-corruption policies and procedures. We conducted 464 site inspections in the year, 95% of which were unannounced. Eight sites were found to have committed major compliance breaches and 35 sites recorded minor breaches. As a result of failing to meet our safety standards, six subcontractors were terminated while two others were suspended for six months pending improvements. (* assured by KPMG)

All our suppliers underwent capacity building workshops accumulating 2,060 training hours in the areas of safety awareness guidelines, proper ways of using equipment and also on human rights.

We also made functional enhancements to the Digi Permit to Work (D’PTW) app to better track the operations of our contractors and sub-contractors working at our sites. The D’PTW app was developed to digitise safety monitoring and simplify the permit approval process for all contractors and sub-contractors. Features of the app ensure that contractors have Health, Safety and Environment (HSE) competencies, working at height competency and adherence to Personal Protective Equipment (PPE) requirements. With geo-tagging, and check-in and check-out features among others, the app provides real-time monitoring of a contractor’s HSE compliance.