Intelligent and early risk management not only allows us to face the unknown. It also helps us build a more resilient, sustainable future full of possibilities.
GRI (3-3) Risk management is decisive in fulfilling our strategy. It is a differentiator in achieving sustainability in the business. It allows us to plan for what may significantly affect the company, prepare to mitigate its impacts, and reduce the uncertainty surrounding decision-making, ensuring the safe achievement of objectives. Moreover, it helps us identify opportunities, take advantage of them and manage them correctly.
Our Management
GRI (3-3) We manage risks under the guidelines of the Comprehensive Risk Management System (CRMS) Policy and Manual, aligned with best practices and international standards, guaranteeing a solid and efficient framework for identifying, evaluating and mitigating risks in all operations. We have a technological tool, managed by each of the teams, that supports us in managing and monitoring risks and opportunities in the processes. This allows us to integrate the risks, their level of exposure, the causes, controls, responsible parties, action plans, and other factors in one place.
The Comprehensive Risk Management System (CRMS) focuses on identifying the most relevant risks in the strategy to address the incidence and criticality of the impacts on our objectives in:
- Processes
- Projects
- New businesses or products
- Facilities
To evaluate our risks we analyze the criteria of probability and impact. To qualify the probability we use a scale with very low, low, moderate, high and very high levels, according to the likelihood of the event occurring.
To assess the impact we have four possible criteria:
- Economic
- People
- Reputation
- Loss of information
The economic impact scale is aligned with the Ebitda financial indicator.
- Lower scale (very low level): less than 0.5% of the previous year’s Ebitda.
- Low scale (low level): between 0.5% and 3% of the previous year’s Ebitda.
- Significant scale (moderate level): between 3% and 7% of the previous year’s Ebitda.
- Major scale (high level): between 7% and 10% of the previous year’s Ebitda.
- Significant scale (very high level): greater than 10% of the previous year’s Ebitda.
When we combine the probability and impact criteria we arrive at the Exposure level:
These exposure levels represent our risk tolerance thresholds.
Risks at the high and critical exposure levels are not tolerable: they are prioritized, and immediate actions must be implemented to control them.
Ongoing monitoring and oversight are performed by the risk team, and management indicators, including the implementation of risk mitigation measures, are measured quarterly. Relevant risk management issues are presented quarterly to the Audit, Finance and Risk Committee.
The risk management process is reviewed annually in internal and external audits of the quality, environmental and asset management systems.
Assessment of the Magnitude and Potential Scope of Risks
TCFD: Risk Management – a. The risk management process is defined in the SGIR and aligned with international good practices such as ISO 31000 and the COSO ERM standard, which define similar components based on an understanding of the business, its objectives, environment and trends.
Subsequently, we identify and analyze the relevant risks, associate them with mitigation controls, evaluate them by qualifying their probability and impact and, according to the resulting level of exposure, define their treatment, record them and report them.
We apply this same process to manage risks and opportunities derived from climate change. The risk of climate change and resource scarcity is strategic for the company, which is why it is assessed qualitatively and quantitatively, from the physical impacts on our assets caused by climate threats to the implications associated with the transition, such as changes in the market, technology and regulation.
To manage it, we have mainly defined mitigation, compensation, adaptation, communication, and treatment plans focused on business continuity strategies, risk transfer through the insurance program and taking advantage of opportunities, such as diversification of the energy matrix with non-conventional renewable sources, energy efficiency, sustainable mobility, and others.
Risk Governance
GRI (2-12) (2-13) TCFD: Governance – b. We have the following governance structure, responsibilities and functions to ensure the implementation of the SGIR and the other actions defined in the risk policy:
Board of Directors
- Ensuring implementation of the SGIR.
- Approving the policy.
- Approving risk appetite.
CEO
- Responding to the Board of Directors and shareholders for the implementation of the SGIR.
- Reporting on the risk profile.
- Reporting on the status of risk mitigation plans.
Steering committee
- Reporting on the operation of the SGIR in processes.
- Warning of new identified risks.
Audit, Finance and Risk Committee
- Assisting the Board of Directors in all responsibilities related to supervising the SGIR.
- Monitoring strategic risks.
Risk Area
- Designing and leading the implementation of the risk policy, processes and methodology.
- Monitoring effective risk management.
- Supporting the different teams in carrying out risk assessments.
Internal Auditor
- Evaluating the efficiency and effectiveness of the SGIR.
- Issuing recommendations to improve the operation of the SGIR.
- Evaluating the effectiveness of risk mitigation plans.
- Validating the effectiveness of controls.
Risk Managers
- Building and updating risk and control maps of their processes.
- Providing support in training and the dissemination of the risk culture.
- Providing support to the risk area in implementing the SGIR in its process.
Employees
- Applying comprehensive risk management, in accordance with the policy and methodology.
- Warning of possible risks in their processes.
- Reporting risk materialization events.
In addition, we follow a management and control model based on the three lines of defense, as follows:
First line of defense
It is made up of the business areas and all the support functions that generate exposure to risks.
Second line of defense
It is made up of the Risk and Compliance areas.
Third line of defense
It is made up of the Internal Auditor and is responsible for supervision and control.
Organizational risk management structure
This risk governance covers the strategic risk of climate change; in addition, some specific topics are presented to the Sustainability Committee.
Structural Independence in the Risk Management Function
GRI (2-13) Risk management is cross-cutting across the organization and external to the lines of business: asset, home and company management (managed from the Generation, Transmission and Distribution areas, and from Sales).
The financial director maintains constant interaction with senior management and the Audit, Finance and Risk Committee of the Board of Directors. These bodies hold the greatest responsibility for risk management in the company.
In addition, the Risk Management Policy supports the SGIR. It establishes the elements and general framework for action against risks of all kinds that the organization faces, as well as the governance structure that indicates the instances, roles and responsibilities to manage and ensure the proper functioning of the SGIR.
Risk Management Training for Non-executive Directors in 2023
GRI (2-13) We promote the training of Board of Directors members on issues related to the business and risk management. During 2023, they received briefings on regulatory and cyber risk and on relevant climate issues, such as the El Niño phenomenon. Additionally, they were trained in environmental, social and governance (ESG) risks.
In addition, the risk module of the Board of Directors’ and Steering Committee’s application remained in use. In this tool, members can access updated information on strategic risks, the risk map and its characterization, as well as mitigation initiatives.
Risk Culture
In order to strengthen the risk management culture, in 2023:
- We held Risk Week, a space for talks and training in which we explored the different challenges, trends and opportunities.
- We reinforced the use of the risk, opportunity and event reporting tool, an intuitive and easy-to-use application.
- We carried out crisis management test exercises with a cyber risk scenario. We have the permanent support of risk specialists to share trends and best practices.
Additionally, we have online training for all employees of the organization:
- A findings management course, which explains how to manage risk action plans, from their creation through monitoring to closure and the assessment of their effectiveness.
- Adopting risk management, to raise awareness of risks.
- Guardian of Information, a preventive cyber risk management measure that raises awareness among employees of the importance of protecting information.
- The crisis management plan, for controlling and mitigating adverse events.
Strategic and Emerging Risks
We continually carry out interdisciplinary work to identify and evaluate the company’s strategic and emerging risks:
Strategic Risks
They are the internal and external events and trends that can generate a positive or negative deviation on the company’s expected growth trajectory, our strategy and the value for shareholders.
Emerging Risks
Risks that we have recently identified and that could affect both the organization and the industry in approximately three to five years, although some of their consequences may impact business performance today. Emerging risks may be new and unforeseen events, or they may be associated with the evolution of previously known risks whose characteristics and potential impacts are changing.
We identify these risks by studying and monitoring global and local trends in social, political, economic, technological and environmental aspects. These trends allow us to consider possible scenarios in which conditions could arise that imply changes in the operation of our business or affect its continuity and profitability.
From this perspective, we prepare ourselves through qualitative and quantitative impact assessments, evaluating possible risk mitigation and transfer mechanisms designed to meet the company’s needs and allow us to maintain the quality of our operating and commercial activities in the medium and long term.
Main Results
GRI (3-3) Our management in 2023 mainly focused on the following activities:
- In order to strengthen the risk management culture throughout the company, we held Risk Week, during which we explored the different challenges, trends and opportunities in our sector.
- We provided support to risk analysis in projects and new businesses.
- We updated the risk matrices in 25 value chain processes and the BIA (Business Impact Analysis) for critical processes in Colombia.
- Along with the Supply Area and our partner Sura, we carried out training for suppliers with high sustainability risk, mainly on the carbon footprint, impacts and environmental regulation.
- We continued to update the disaster risk management plans of our assets, in accordance with Decree 2157 of 2017.
- We carried out a test exercise with the Steering Committee in a cyber risk scenario.
- We carried out drills with five operation teams in a cyber risk scenario.
- We updated the Crisis Manual to our current environment and included a playbook for cyber crises.
- We updated the quantitative assessments of the strategic risks of climate change, cybersecurity and political risk.
- We implemented parametric climate solutions.
- We developed simplification initiatives to improve our process.
Lessons Learned
The 2015-2016 El Niño phenomenon allowed us to identify the financial risks to which we would be exposed if this climatic phenomenon were to occur again. For this purpose, and as a management strategy, we formulated and structured a mechanism to transfer this risk, in order to have an economic hedge that allows us to face critical market conditions derived from significant changes in the variables that affect our own and the country’s energy generation.
Relevant Fact
Celsia’s hydro and thermal plants prepare to mitigate possible effects of El Niño phenomenon
ESG: environmental, social and corporate governance.
BIA: Business Impact Analysis.
Comprehensive Risk Management System (CRMS): A systematic application of policies, procedures and practices for risk identification, analysis, evaluation, treatment, monitoring and review, communication and monitoring. It comprises four pillars: governance, processes, risk culture and technology.