Risk management

The risk management of GEB and its subsidiaries is framed within strategic priorities and consistent with corporate values, capabilities, roles, and responsibilities, ensuring compliance with the Corporate Risk Management Policy.

 

The Risk Management Policy establishes the framework for action and commitments regarding risk management for GEB and its subsidiaries, as well as the understanding and application of the Integrated Risk Management methodology, which is based on the international standard NTC ISO 31000 and the COSO framework.

 

Please consult the GEB Risk Management Policy here:

Risk Management 2024.pdf

 

At GEB, risk management contributes to achieving its strategic objectives in terms of operational, financial, environmental, and social indicators.

 

GEB's risk management model allows the Company to identify potential threats, risks, and opportunities, assess and define the corresponding treatment, and proactively manage and mitigate risks. This increases the possibility of achieving the strategic and operational objectives that impact its stakeholders, which require contributing to the energy transition, the development of low-carbon economies, and an equitable society that reduces multidimensional poverty and social gaps in access to basic public services such as electricity and gas.

 

 

Risk management is a cross-cutting commitment across the entire Group to risk prevention and mitigation.

 

Risk Oversight at Board Level:

 

Oversight is led by the Audit and Risk Committee of the Board of Directors, whose main functions in relation to risk management are:

  • Recommend to the Board of Directors the risk matrix for the Company and its subsidiaries, as well as the Risk Policy and the methodology for calculating risk appetite.
  • Oversee and periodically report to the Board of Directors on the effective application of the risk matrix of the company and its subsidiaries so that the main financial and non-financial risks, including environmental, social and corporate governance risks arising from the sustainability strategy adopted by the Company, both on and off the balance sheet, are identified, managed and reported to the Board of Directors appropriately and in a timely manner.

 

The regulations of the Audit and Risk Committee of the GEB Board of Directors can be found here: https://www.grupoenergiabogota.com/en/corporate-governance/corporate-governance-bodies/board-of-directors/board-of-directors-committees/audit-and-risk-committee

 

The members of the Board of Directors' Audit and Risk Committee have the experience and knowledge to assist in the Group's risk management. Every two months, management reports to the management team, the Audit and Risk Committee, and the Board of Directors on strategic risks. This is done with the purpose of monitoring, adjusting, and strengthening treatment plans and taking action on relevant risks throughout the organization.

 

At the administrative level, GEB and its subsidiaries have specialized teams that monitor risks and their controls, and coordinate across different areas of their companies the necessary actions to prevent and mitigate risks.

The functions dedicated to operational risk management are framed within the Three Line Model defined in the Control Architecture Policy.

 

Through the application of the Comprehensive Risk Management Model, GEB identifies and manages strategic and process risks, conducting periodic monitoring and control in coordination with process leaders. Risk control is based on the three lines of defense model, according to the European Confederation of Institutes of Internal Audit (ECIIA) standard, which defines the responsibilities for the Internal Control System.

 

 

First Line (self-control, self-regulation, and self-management): This refers to the activities carried out by each of the Group's employees, including those responsible for processes and controls, through the definition and execution of controls through policies, procedures, methodological frameworks, among others. The first line of defense of the Internal Control System is based on three key principles: self-control, self-regulation, and self-management.

 

Second line: Comprises the supervision and monitoring functions performed by the areas that carry out financial reporting control activities, legal and regulatory compliance, quality management systems, information security, supervision and inspection, and risk management. These functions facilitate and supervise the execution of control activities to mitigate risks.


Third line: Corresponds to independent assurance through internal and external audit activities. This line of defense provides corporate governance bodies and senior management with reasonable assurances regarding the effectiveness of corporate governance, risk management and control, and the independence and objectivity of the Group's companies.



Based on this, through Internal Audit and the execution of the Annual Risk-Based Audit Plan, risks and the effectiveness of controls for their mitigation are assessed. In this process, risk controls are assessed, both in design and operation, and audit results reports are prepared, providing feedback to the risk management process for action and continuous improvement. This process is evaluated annually through internal and external audits of quality, management, risk, and the Integrated Management System.

Risk Management is part of the second line of responsibility, defining policies and guidelines for managing strategic risks and its processes, as well as promoting initiatives to strengthen GEB's risk management culture.

 

The GEB Risk Management team is comprised of the Manager, a strategic risk management specialist, an operational risk management specialist, and a risk professional.

Additionally, to support risk management in each subsidiary, there is the role of Risk Leader, who is in turn accompanied by a risk professional.

Through these teams, we contribute to the proper identification, assessment, and mitigation of potential risks. In this way, we ensure the protection of our assets and investments, improve decision-making, and guarantee long-term sustainability.

 

GEB's Risk Management ensures that risk management objectives are achieved by supervising, monitoring, supporting, and advising on processes for the proper management of risks identified within the company. Effective risk management demonstrates to stakeholders that the organization is committed to safety and sustainability.

 

*Alex Vladimir Garcés is the current Risk Manager, reporting to the Operational Excellence Direction and the Vice President of Business Management and Innovation. The Risk Manager also reports bimonthly on the Risk Management results of GEB and its subsidiaries to the Audit and Risk Committee of GEB's Board of Directors.

 

 

Objective:

The objective of the Comprehensive Risk Management process is to design and implement policies and methodologies that ensure adequate risk management, which contributes to the fulfillment of the objectives of the Group and its subsidiaries.

 

 

Sub-processes:

GEB has a robust structure for Comprehensive Risk Management. At the highest level of the organizational structure, the Vice Presidency of Business Management and Innovation leads risk management, facilitating direct engagement and reporting of risk information to the Group President and the Audit and Risk Committee of the GEB Board of Directors. This Vice Presidency promotes risk transformations and initiatives, as well as their coordination and alignment across GEB subsidiaries.

 

In 2024, the Operational Excellence Direction was created, as part of the Vice Presidency of Business Management and Innovation. Along with the Direction, the Risk Management Department was created as a department of the Direction.

 

The Operational Excellence Direction, through its Risk Management Department, designs strategies and defines objectives and goals for strategic risk management at GEB and its subsidiaries. They are also responsible for implementing various initiatives and guiding and supporting the other risk areas in its subsidiaries in the implementation of guidelines, policies, and any decisions made regarding Corporate Risk Management.

GEB identifies, measures, and manages the strategic risks to which companies are exposed. These are events that can affect or impede the achievement of strategic objectives, with the aim of minimizing the likelihood of potential financial and reputational impacts and taking advantage of any opportunities that may arise. Each subsidiary of the Group applies the Comprehensive Risk Management model and has a map that identifies and assesses risks and presents the measures and plans for addressing them in each business.

 

At GEB, we are committed to contributing to the achievement of our strategy, continuous operational improvement, investment protection, and the company's reputation by managing risks at all levels in a permanent and systematic manner through the implementation of Comprehensive Risk Management.

 

Heat maps allow us to represent and describe the company's specific risk exposure (considering probability and magnitude):

 

 

 

The following are some of the high impact strategic risks for the GEB:

Risk: Regulatory Changes Unfavorable to the Company's Interests

Description: Modification of current regulations (laws, decrees, resolutions, circulars, sentences, doctrine) that negatively impact the interests of the GEB

Probability: Very High

Impact (Magnitude): Very High (110M USD)

Mitigation Actions:

  • Recurring monitoring of government entities with jurisdiction over the energy sector (executive and legislative).
  • Strategic regulatory management that preserves the company's value, either directly or through proactive participation in associations.
  • Government Relations Strategy.
  • Proactive regulatory management, anticipating government measures with favorable regulatory proposals for regulated sectors.
  • Evaluate impact scenarios for potential regulatory changes in the short term and take measures to mitigate them.

Risk: Workplace accidents in the operations and activities carried out by GEB and its subsidiaries

Description: Workplace accidents in the operations and activities carried out by GEB and its subsidiaries by direct collaborators and third parties, which generate one or more injuries due to accident(s) with major consequences*, including fatal work accidents

Probability: Average

Impact (Magnitude): Very High. It can affect a group of more than 10 people and can cause injuries with disability lasting more than 1 month or fatal losses.

Mitigation Actions:

  • Implementation of the cultural transformation program in occupational safety and health.
  • Inspection and verification of compliance with Occupational Safety and Health (OSH) procedures, high-risk jobs, and social security affiliations.
  • Periodic verification of the competence and training of our own and contractor staff. Induction and periodic awareness-raising of the risks and hazards to which our employees and contractors are exposed.
  • Indicators for measuring competencies and performance in OSH at each organizational and contractor level – Implementation of proactive practices by operational leaders (proactive performance indicator).
  • Monitoring the implementation of action plans resulting from investigations into high-potential accidents and incidents and sharing of lessons learned

 

Consult GEB's strategic risks in the Annexes of the 2024 Sustainability Report

 

Risk Appetite Framework:

 

Risk appetite is a reference amount established by the Board of Directors that allows for the financial evaluation of the impact of the company's risks, in order to prioritize risk management and define mechanisms to mitigate and control adverse situations that could affect the company's profitability and solvency.


GEB has a methodology for calculating the Risk Appetite Framework, which establishes the reference values for the Appetite, Capacity, and Tolerance of GEB and its Subsidiaries; it is represented below:

 

 

The risk appetite framework is reviewed at least once a year, and its calculation considers two main variables:

  • ROE: A fundamental indicator for measuring the group's strategic objectives. This is primarily because the objective of ROE is to assess GEB's ability to generate value for its shareholders, directly evaluating a component of the group's strategic objectives.
  • Standard deviation of ROE: This measure is used to quantify the dispersion of a data set with respect to the mean. In this case, it indicates a percentage value that estimates the variation that occurs in ROE compared to its average, assuming the volatilities of the periods evaluated. The result allows us to calculate the reference value for appetite, tolerance, and capacity by multiplying it by the average equity for the period evaluated.

 

During 2024, the risk appetite framework (appetite, tolerance, and capacity) was reviewed for all of the Group's controlled subsidiaries, and its results were presented to the Audit and Risk Committee of GEB's Board of Directors, whose recommendation was to maintain the current risk appetite framework.

 

Risk Management Indicators

 

1. RISK MATERIALIZATION INDICATOR

During 2024, four (4) strategic risks materialized for the subsidiaries Enlaza (2) and Transportadora de Gas Internacional TGI (2). These risks corresponded to:

  • Enlaza: The risk of fatal occupational accidents and the risk of non-compliance with the business plan resulting from the intervention of the Superintendency of Residential Public Services in AIR-E led to systemic portfolio risk due to overdue obligations.
  • TGI: Regulatory risk arising from the negative impacts of the implementation of CREG Resolution 175 and its pesification effect and adjustment of the WACC to 11.88%; as well as the materialization of the risk of non-continuity of critical business functions due to the emergency at the Ballena-Barrancabermeja Gas Pipeline on July 4, 2024. (For details of the risks materialized during 2024, see the Integrated Report Supplements.)

 

2. EFFECTIVENESS OF RISK CONTROLS

The GEB conducts bimonthly monitoring of the execution of actions and controls for addressing risks and opportunities. Risk Management monitors the implementation of controls, early warnings, and risk materialization events. The risk appetite framework, risk matrices, heat maps, and risk levels are reviewed, updated, and monitored periodically to maintain the company's accepted risk levels. In addition, necessary corrections are made to prevent and minimize impacts when deviations from expected results occur.

 

The effectiveness of these actions is evaluated annually, determining the degree of implementation and the strength of controls. The results of risk management are presented to the President's Committee and the Audit and Risk Committee for feedback and recommendations for continuous improvement and appropriate risk-based decision-making.

 

Regarding the GEB Control Effectiveness indicator, approximately 200 strategic risk controls and 400 process risk controls were monitored in 2024, yielding an effectiveness indicator result of 85%, which meets the established target of 80%.

Risk exposure analysis is conducted bimonthly for the electric power and gas businesses of GEB and its subsidiaries. The most relevant information is consolidated and presented to the GEB Audit and Risk Committee for feedback.

 

Below are excerpts from the risk reports submitted to the Committee in which it analyses risk exposure:

 

Audit and Risk Committee Report – February 15, 2024

Audit and Risk Committee Report – June 20, 2024

Audit and Risk Committee Report – August 22, 2024

Audit and Risk Committee Report – October 24, 2024

Audit and Risk Committee Report – December 10, 2024

 

Internal and External Audit Reports for the 2023 Process:

 

As part of the Integrated Management System (IMS) assessment, internal and external audits are conducted annually to verify that the management system implemented by the company has achieved the established objectives, meets the requirements, and is properly maintained. Likewise, through audits, opportunities for process improvement are identified.


The following reports show the results of the internal and external audits carried out in 2024, which evaluated the Comprehensive Risk Management process:

 

Internal Audit IMS 2024

External Audit IMS 2024

Anti-Bribery Management System Audit 2024

Risk culture is supported by awareness, training, and capacity building plans led by the Risk Management Department and the GEB Academy of the Talent Management Department. Relevant risk topics are coordinated with various areas such as the Compliance Department, the Regulation Department, the Information Security and Cybersecurity Department, the Occupational Health and Safety Department, among others. These departments determine training and capacity building needs related to compliance, regulatory, information security, cybersecurity, and OSH risk management.

 

Through the GEB Academy, the Talent Department plans and executes these plans by scheduling forums, virtual and in-person courses, expert panels, and support from academic institutions, among others. The company also has the COURSERA platform, accessible to all employees, which offers a broad range of training courses covering strategic, operational, project, and climate change risk management, among others.

 

Regular risk management education for all non-executive directors.

 

During 2024, Risk Management planned and implemented an awareness and training plan on Risk Culture, Biases in Risk Management, and Strategic and Operational Risk Management.

To this end, the company enlisted the support of an international firm specializing in risk management, providing over 40 hours of awareness and training to the Board of Directors, management teams, and risk leaders at GEB and its electric power and gas subsidiaries in Colombia, Peru, and Guatemala.

 

As part of this plan, various awareness-raising sessions were held for members of the GEB Board of Directors and its subsidiaries, focusing on strengthening a risk-based culture and the importance of identifying and managing strategic risks.

 

Evidence: Extract from the Awareness Raising of the GEB Board of Directors

 

Organization-wide training on risk management principles.

 

Likewise, at least 45 employees of the Business Group's management team and more than 100 key employees were trained in risk management at GEB and its subsidiaries.

Through these spaces, we discuss how to continue strengthening the culture and ownership of corporate risks and how to properly manage risk at all organizational levels.

 

In 2024, virtual training programs, courses through Coursera, talks with experts, panels with experts, and others were developed to promote a culture of risk management.

 

Within the framework of the Asset Management System, the training initiative in Risk Management for more than 30 employees of the Enlaza subsidiary stands out. This was delivered by the National University through the course Risk Management: Guidelines for its implementation from NTC ISO 31000: 2018. Among the course objectives, the following were highlighted:

  • Understand the principles of Risk Management  
  • Understand the individual impact on risk
  • Ability to Assess Risks (identify, analyze and evaluate)
  • Ability to create risk treatment strategies

 

Evidence Risk Management Course (Asset Management):

 

Additionally, GEB periodically offers all its employees training on topics related to understanding and managing risk. This is done through various formats that allow for effective communication of these topics and active participation.

 

Through these tools and training channels, understanding, evaluation, analysis, and risk management have been promoted in topics such as information security and cybersecurity, compliance, occupational safety and health, climate change, human rights, among others.

 

Evidence of Risk Management Training Events 2024

 

 

 

 

Incorporating risk criteria into the development of products and services:

 

The company conducts risk analysis and assessments for each business opportunity that arises and for each energy infrastructure project it implements. These reviews provide relevant information for decision-making regarding the approval and/or execution of projects, as well as the acquisition of new assets. Risk assessments include criteria such as financial viability in terms of EBITDA and CAPEX, as applicable; a human rights approach regarding potential impacts on employee safety during project performance; and potential environmental, legal, technical, and reputational impacts, among others.

 

Through the implementation of the Project Management Office (PMO) value creation and maturation model, the company ensures that risk criteria are incorporated into all phases of its projects. Specific risk management criteria are applied to initiatives, project planning, and project performance and closure.

 

Some of the projects evaluated are presented below:

  • UPME 02 2024 Magangué 500 kV
  • Elecnor: Ariguaní Solar in Loma 500 kV
  • Zelestra: Solar Wimke in San Juan 220 kV
  • PROCME: Solar Villavieja in the Huila 230 kV SE
  • CEMAR Asset Acquisition UPME La Marina 110 kV – Cartagena

 

 

Financial incentives that incorporate risk management metrics:

 

GEB has a variable compensation scheme that recognizes the achievement of company objectives and incentivizes superior performance. Incentives are paid to employees annually in accordance with parameters established by the Board of Directors; for senior executives, the company objectives component has a weight of i) president: 100%; ii) vice president and director: 90% of their total variable compensation. For tactical and support positions, the company objectives component has a weight of 80% of the total variable compensation.

 

Payment of this incentive depends on the achievement of strategic objectives and indicators, and for some risk managers and leaders, specific initiatives and projects are defined within the framework of the specific objective: "Design and implement policies and methodologies that ensure adequate risk management, contributing to the fulfillment of the Strategy and objectives of the group and its subsidiaries." For these initiatives, compliance plans and targets are established, which are monitored in the performance evaluation process.

 

 

During 2024, performance objectives were measured according to the strategic focuses defined by the company. Within the focuses of "Improving lives by being competitive, reliable, and ethical" and "Sustainable company, leader in the energy transition and innovation", objectives and metrics associated with risk management were defined, such as the corporate emissions mitigation indicator, the portfolio of institutional goals that included Compliance Risk Management, and the Disabling Accident Frequency Indicator.

During the analysis of emerging risks carried out in 2024, the current emerging risks were confirmed as valid for the period 2023-2024.

 

To strengthen emerging risk management at GEB and its subsidiaries, a training plan on "Emerging Risk Management and Resilience with Business Continuity" will be implemented through Risk Management in 2025. This training will be aimed at Risk leaders at GEB and its subsidiaries. This course will train risk departments to define and implement an appropriate methodology and then apply it through a practical workshop. This will ensure that emerging risks are identified, analyzed, addressed, and monitored, increasing the likelihood of success in achieving the Group's strategies.

 

Check out the GEB's emerging risks here:

Name: Maturity of renewable energy technologies for self-generation and mass adoption of prosumers

Category: Economic

Description: As part of Colombia's climate objectives and SDG targets, it is expected to increase its installed capacity of non-conventional renewable energy to 25 GW by 2030. This represents significant growth, as the current capacity is around 3 GW. By 2050, the country's target is 50% renewable energy participation in its electricity generation mix.

Achieving these goals could lead to the accelerated development and consolidation of renewable energy technologies for self-generation and the widespread adoption of prosumers (producers and consumers), leading to a decrease in final consumer demand (residential and industrial) for energy in the retail energy market.

Impact:

1. Lower income due to decreased demand for electricity from residential and industrial consumers

2. Loss of competitiveness against new players in the energy chain that have the capacity to adopt these technologies more quickly and cost-efficiently.

3. Loss of competitiveness against market prices

Mitigation actions:

Implementation of a cross-cutting innovation strategy focused on:

1. Open innovation, ensuring articulation with the non-conventional renewable energy ecosystem

2. Technological surveillance to ensure the development of solutions and new businesses in GEB companies

3. Development of initiatives to identify and develop new business solutions around clean energy, renewable gases and other types of non-conventional energy

4. Activation of venture capital investment vehicles to access startups that lead technological development globally.

Name: Shortage of diversified supply of natural gas at efficient prices in the Colombian wholesale market

Category: Economic

Description: Medium-term shortage of natural gas (molecule) supply and significant increase in its price as a result mainly of: 1) the maturation and imminent decline of the large existing gas fields in Colombia (mainly Cusiana, Cupiagua and Ballena), 2) the late commercial entry of new offshore natural gas discoveries (in the best case scenario at the end of 2027), and 3) the non-development of the “Pacific Regasification Plant” project.

Impact:

1) Lack of availability of the gas necessary for the operation of the compression stations associated with the natural gas transportation business (TGI)

2) Loss of economic efficiency of natural gas compared to other energy substitutes.

3) Increased operating costs and decreased demand for natural gas, leading to a reduction in the volume transported and TGI's operating revenues.

Mitigation actions:

Participation in new business lines that incorporate renewable energy and circular economy technologies such as biogas, biomethane, and hydrogen, among others, to diversify the current limited supply of natural gas.

While this will require substantial changes to current business models, it will also ensure the sustainability of gas companies and the ability to meet demand over time, given the availability of sufficient transportation infrastructure (currently underutilized with natural gas in some sections of the National Transportation System) to move these molecules and their potential blending. This new energy model will guarantee:

1. Security of supply

2. Environmental sustainability

3. Economic efficiency

The Audit and Risk Committee of the Board of Directors monitors the strategy and identifies the issues it deems relevant in terms of information security and cybersecurity. It identifies relevant emerging risks and approves measures and resources to manage them, in line with business and cybersecurity goals.

Likewise, GEB has a CISO who has an extensive background in leading technology and cybersecurity areas. His objective is to implement the strategy and structure information security and cybersecurity governance through three lines of work: the implementation of a governance program; the strengthening of detection and response actions for advanced incidents and threats through the standardization of the CrowdStrike antimalware solution in GEB and its subsidiaries; and the update of GEB's Disaster Recovery Plan (DRP) documentation (Application Impact Analysis, Technological Continuity Risks, DRP governance, DRP Testing, and DRP strategies).

Role Description Security and Cyber Security Manager.pdf

Cybersecurity programme.pdf

 
