Risk management

Risk management at GEB and its subsidiaries is framed in its strategic priorities and is consistent with the cultural attributes, capacities, roles and responsibilities, ensuring fulfillment of the Corporate Risk Management Policy.

The risk management of GEB and its subsidiaries is framed within strategic priorities and consistent with corporate values, capabilities, roles, and responsibilities, ensuring compliance with the Corporate Risk Management Policy.

 

The Risk Management Policy establishes the framework for action and commitments regarding risk management for GEB and its subsidiaries, as well as the understanding and application of the Integrated Risk Management methodology, which is based on the international standard NTC ISO 31000 and the COSO framework.

 

Please consult the GEB Risk Management Policy here:

Risk Management 2024.pdf

 

At GEB, risk management contributes to achieving its strategic objectives in terms of operational, financial, environmental, and social indicators.

 

GEB's risk management model allows the Company to identify potential threats, risks, and opportunities, assess and define the corresponding treatment, and proactively manage and mitigate risks. This increases the possibility of achieving the strategic and operational objectives that impact its stakeholders, which require contributing to the energy transition, the development of low-carbon economies, and an equitable society that reduces multidimensional poverty and social gaps in access to basic public services such as electricity and gas.

 

 

Risk management is a cross-cutting commitment across the entire Group to risk prevention and mitigation.

 

Risk Oversight at Board Level:

 

Oversight is led by the Audit and Risk Committee of the Board of Directors, whose main functions in relation to risk management are:

  • Recommend to the Board of Directors the risk matrix for the Company and its subsidiaries, as well as the Risk Policy and the methodology for calculating risk appetite.
  • Oversee and periodically report to the Board of Directors on the effective application of the risk matrix of the company and its subsidiaries so that the main financial and non-financial risks, including environmental, social and corporate governance risks arising from the sustainability strategy adopted by the Company, both on and off the balance sheet, are identified, managed and reported to the Board of Directors appropriately and in a timely manner.

 

The regulations of the Audit and Risk Committee of the GEB Board of Directors can be found here: https://www.grupoenergiabogota.com/en/corporate-governance/corporate-governance-bodies/board-of-directors/board-of-directors-committees/audit-and-risk-committee

 

The members of the Board of Directors' Audit and Risk Committee have the experience and knowledge to assist in the Group's risk management. Every two months, management reports to the management team, the Audit and Risk Committee, and the Board of Directors on strategic risks. This is done with the purpose of monitoring, adjusting, and strengthening treatment plans and taking action on relevant risks throughout the organization.

 

At the administrative level, GEB and its subsidiaries have specialized teams that monitor risks and their controls, and coordinate across different areas of their companies the necessary actions to prevent and mitigate risks.

The functions dedicated to operational risk management are framed within the Three Line Model defined in the Control Architecture Policy.

 

Through the application of the Comprehensive Risk Management Model, GEB identifies and manages strategic and process risks, conducting periodic monitoring and control in coordination with process leaders. Risk control is based on the three lines of defense model, according to the European Confederation of Institutes of Internal Audit (ECIIA) standard, which defines the responsibilities for the Internal Control System.

 

 

First Line (self-control, self-regulation, and self-management): This refers to the activities carried out by each of the Group's employees, including those responsible for processes and controls, by defining and executing controls by means of policies, procedures, and methodological frameworks, among others. The first line of defense of the Internal Control System is based on three key principles: self-control, self-regulation, and self-management.

 

Second line: This comprises the supervision and monitoring functions performed by the areas responsible for financial reporting controls, legal and regulatory compliance, quality management systems, information security, supervision and inspection, and risk management, which facilitate and supervise the execution of control activities to mitigate risks.


Third line: Corresponds to independent assurance through internal and external audit activities. This line of defense provides corporate governance bodies and senior management with reasonable assurances regarding the effectiveness of corporate governance, risk management and control, and the independence and objectivity of the Group's companies.



Based on this, through Internal Audit and the execution of the Annual Risk-Based Audit Plan, risks and the effectiveness of controls for their mitigation are assessed. In this process, risk controls are assessed, both in design and operation, and audit results reports are prepared, providing feedback to the risk management process for action and continuous improvement. This process is evaluated annually through internal and external audits of quality, management, risk, and the Integrated Management System.

Risk Management is part of the second line of responsibility, defining policies and guidelines for managing strategic risks and its processes, as well as promoting initiatives to strengthen GEB's risk management culture.

 

The GEB Risk Management team is comprised of the Manager, a strategic risk management specialist, an operational risk management specialist, and a risk professional.

Additionally, to support risk management in each subsidiary, there is the role of Risk Leader, who is in turn accompanied by a risk professional.

Through these teams, we contribute to the proper identification, assessment, and mitigation of potential risks. In this way, we ensure the protection of our assets and investments, improve decision-making, and guarantee long-term sustainability.

 

GEB's Risk Management ensures that risk management objectives are achieved by supervising, monitoring, supporting, and advising on processes for the proper management of risks identified within the company. Effective risk management demonstrates to stakeholders that the organization is committed to safety and sustainability.

 

*Alex Vladimir Garcés serves as Risk Manager, reporting to the Operational Excellence Directorate and the Vice Presidency of Business Management and Innovation. The Risk Management Office submits quarterly reports on GEB's and its subsidiaries' Risk Management performance to the Board of Directors' Audit and Risk Committee.

 

 

Objective:

To implement and deploy guidelines and methodologies that ensure adequate risk management, business continuity, and crisis management, contributing to the achievement of the Group's and its subsidiaries' objectives.

 

Sub-processes:

 


GEB has a robust structure for Comprehensive Risk Management. At the highest level of the organizational structure, the Vice Presidency of Business Management and Innovation leads risk management, facilitating direct engagement and reporting of risk information to the Group President and the Audit and Risk Committee of the GEB Board of Directors. This Vice Presidency promotes risk transformations and initiatives, as well as their coordination and alignment across GEB subsidiaries.

 

In 2024, the Operational Excellence Directorate was created as part of the Vice Presidency of Business Management and Innovation. Along with the Directorate, the Risk Management Department was created as one of its departments.

 

The Operational Excellence Directorate, through its Risk Management Department, designs strategies and defines objectives and goals for strategic risk management at GEB and its subsidiaries. It is also responsible for implementing various initiatives and for guiding and supporting the other risk areas in the subsidiaries in the implementation of guidelines, policies, and any decisions made regarding Corporate Risk Management.

 

GEB identifies, measures, and manages the strategic risks to which its companies are exposed, that is, events that can affect or impede the achievement of strategic objectives. The aim is to minimize the likelihood of potential financial and reputational impacts and to take advantage of any opportunities that may arise. Each subsidiary of the Group applies the Comprehensive Risk Management model and has a map that identifies and assesses risks and presents the measures and plans for addressing them in each business.

 

At GEB, we are committed to contributing to the achievement of our strategy, continuous operational improvement, investment protection, and the company's reputation by managing risks at all levels in a permanent and systematic manner through the implementation of Comprehensive Risk Management.

 

Risk assessment is estimated based on the most critical risk scenario and is underpinned by probability and impact analysis to determine exposure levels across the financial, reputational and people dimensions.

 

 

 

 

 

The following are some of the high-impact strategic risks for GEB:

Risk: Controlled and non-controlled subsidiaries failing to leverage value creation
Description: Portfolio company risks that limit value generation, achievement of strategic objectives, and/or group profitability.
Probability: Very Low
Impact (Magnitude): Very High
Mitigation Actions:
  • Deployment and monitoring of GEB strategy (long-term with subsidiary scope)
  • Quarterly monitoring of GEB annual strategy (subsidiary scope)
  • Creation of strategic dialogue environments between GEB and subsidiaries
  • Board member support in subsidiaries and participations to ensure strategic alignment
  • Monitoring of strategic risk management in subsidiaries
  • Updates to GEB and subsidiary strategy and risk matrices
  • Articulation of strategic components and monitoring of objective achievement through Board member engagement

Risk: Capital expenditure deviations in strategic projects
Description: Deviations in capex against business case and change controls that affect value generation and project profitability.
Probability: Low
Impact (Magnitude): Very High
Mitigation Actions:
  • Ensure adoption and monitoring of Portfolio and Project Management policy guidelines in controlled subsidiaries
  • Comprehensive monitoring of subsidiary project portfolio (Enlaza, TGI, Conecta) under key performance indicators and alert generation
  • Define project portfolio monitoring mechanisms for subsidiaries in Peru
  • Articulate investment policy and project policy to ensure monitoring of investment project profitability indicators
  • Implement cross-functional project risk management framework across all subsidiaries enabling anticipation of deviation scenarios and materialization

Risk: Social and environmental complexity affecting operations and project development
Description: Socio-environmental complexity factors generating risks of interference in operations and project development cycle.
Probability: Medium
Impact (Magnitude): Very High
Mitigation Actions:
  • Social and environmental investments, and infrastructure public-private partnerships
  • Human rights due diligence system
  • Complaints and claims mechanisms
  • Early warning system for physical security
  • Monitoring of ICLA indicator (Environmental Compliance Index)
  • Training for field managers in conflict resolution and community dialogue
  • Plans to close human rights gaps
  • Implementation of environmental compliance risk monitoring tool

Risk: Unfavorable regulatory and normative changes affecting GEB interests
Description: Modification of current regulations (laws, decrees, resolutions, circulars, court rulings, legal doctrine) negatively impacting GEB interests.
Probability: Low
Impact (Magnitude): Very High
Mitigation Actions:
  • Continuous monitoring of government entities and regulatory changes with jurisdiction over the energy sector (executive and legislative)
  • Strategic regulatory management, either directly or through proactive participation in industry associations
  • Definition and implementation of government relations strategy
  • Assessment of impact scenarios from potential regulatory changes in the short term and implementation of mitigation measures

 

Consult GEB's strategic risks in the Annexes of the 2024 Sustainability Report

 

Risk Appetite Framework:

 

Risk appetite is a reference amount established by the Board of Directors that allows for the financial evaluation of the impact of the company's risks, in order to prioritize risk management and define mechanisms to mitigate and control adverse situations that could affect the company's profitability and solvency.


GEB has a methodology for calculating the Risk Appetite Framework, which establishes the reference values for the Appetite, Capacity, and Tolerance of GEB and its Subsidiaries; it is represented below:

 

 

The risk appetite framework is reviewed at least once a year, and its calculation considers two main variables:

  • ROE: A fundamental indicator for measuring the group's strategic objectives, primarily because ROE assesses GEB's ability to generate value for its shareholders and therefore directly evaluates a component of those objectives.
  • Standard deviation of ROE: A measure that quantifies the dispersion of a data set with respect to its mean. Here it is a percentage value that estimates how much ROE varies from its average, given the volatilities of the periods evaluated. Multiplying the result by the average equity for the period evaluated gives the reference value for appetite, tolerance, and capacity.

 

During 2025, the risk appetite framework (appetite, tolerance, and capacity) was reviewed for all of the Group's controlled subsidiaries, and its results were presented to the Audit and Risk Committee of GEB's Board of Directors, whose recommendation was to maintain the current risk appetite framework.

 

Risk Management Indicators

 

1. RISK MATERIALIZATION INDICATOR

During 2025, 6 strategic risks materialized across the Group: 2 at Enlaza and 4 at Transportadora de Gas Internacional (TGI). These risks are detailed as follows:

Enlaza

  • Non-compliance with the Business Plan due to accumulated debt from AIR-E
  • Occupational accidents in operations and activities related to electrical hazards

TGI

  • Revenue impact due to tariff proceedings
  • Emergency on the Villavicencio – Usme pipeline (Estaqueca – Quetame) involving pipeline rupture caused by stress on the pipeline
  • Emergency on the Cusiana – Miraflores pipeline caused by gas leak
  • Emergency at Guayuriba River Crossing – Acacias Branch due to gas leak in the Natural Gas Transportation System (SNT)
 

2. EFFECTIVENESS OF RISK CONTROLS

GEB conducts bimonthly monitoring of the execution of actions and controls for addressing risks and opportunities. Risk Management monitors the implementation of controls, early warnings, and risk materialization events. The risk appetite framework, risk matrices, heat maps, and risk levels are reviewed, updated, and monitored periodically to maintain the company's accepted risk levels. In addition, necessary corrections are made to prevent and minimize impacts when deviations from expected results occur.
 

 The effectiveness of these actions is evaluated annually, determining the degree of implementation and the strength of controls. The results of risk management are presented to the President's Committee and the Audit and Risk Committee for feedback and recommendations for continuous improvement and appropriate risk-based decision-making.
 

Regarding GEB's Control Effectiveness indicator: during 2025, approximately 82 strategic risk controls and 605 process risk controls were monitored, yielding a control effectiveness indicator result of 85%, which falls within the established target of 80%.

Risk exposure analysis is conducted bimonthly for the electric power and gas businesses of GEB and its subsidiaries. The most relevant information is consolidated and presented to the GEB Audit and Risk Committee for feedback.

 Below are excerpts from the risk reports submitted to the Committee in which it analyses risk exposure:

 

Internal and External Audit Reports for the 2023 Process:

 

As part of the Integrated Management System (IMS) assessment, internal and external audits are conducted annually to verify that the management system implemented by the company has achieved the established objectives, meets the requirements, and is properly maintained. Likewise, through audits, opportunities for process improvement are identified.


The following reports show the results of the internal and external audits carried out in 2024, which evaluated the Comprehensive Risk Management process:
 


 

 

 

Strengthening the appropriation of risk management in GEB's culture and subsidiaries

During 2025, GEB consolidated Integrated Risk Management through methodological strengthening and synergy generation among corporate and subsidiary teams to drive strategic and process risk management, based on the development of key initiatives such as:
 

  • Creation of a GEB and Subsidiaries Risk Community, with the participation of risk teams from each subsidiary and across different risk types, seeking to share best practices, experiences and knowledge, as well as notify about relevant changes in risk management, promote synergies to strengthen capabilities and maintain active and participatory communication.
     
  • Definition of a new methodology, encompassing procedures and guides for strategic and process risk management covering risk identification, scenario analysis and quantitative assessment, control effectiveness evaluations, treatment plan formulation and implementation of key risk indicators – KRIs for the generation of early warnings.
     
  • Reformulation of the strategic risk map, with 13 risks approved at GEB by the Board of Directors and quantified under the new methodology.
     
  • Update of strategic risk matrices across Business Group subsidiaries.
     
  • Strengthening of risk management within GEB's cultural framework, through the development of the ITC (Cultural Transformation Initiative) for risk awareness and appropriation, encompassing workshops, training sessions, discussion forums and internal awareness campaigns.
     
  • Business continuity drill, in which a critical failure at a relevant substation was simulated, resulting in disconnection of the SIN (National Interconnected System) and impacting service delivery in Bogotá, Cundinamarca and the department of Meta (blackout). It involved active participation of more than 40 employees and enabled evaluation of emergency response, validation of business continuity protocols for critical processes, activation of the crisis committee and generation of lessons learned.

 

Implementation of the ITC for risk awareness and appropriation.
 

The three major objectives of the ITC to leverage adoption of risk management principles were framed as follows:
 

  • Develop mobilizing actions with GEB and subsidiary leaders and employees for integrated risk management, promoting desirable behaviors regarding individual responsibility, commitment, transparency and methodological adherence.
     
  • Integrate risk management practices in GEB and subsidiary employees, ensuring clarity is generated in roles and responsibilities.
     
  • Promote the identification and discussion of risks, controls, action plans and indicators.
     

These objectives were supported by activities across different levels of GEB and subsidiaries, achieving the following results:

January

  • Virtual course on cognitive biases
  • Risk podcast

 

March

  • GEB strategic risks workshop

 

April – May

  • Supply chain risks workshop
  • Emerging risks awareness session
  • Strategic Risks Workshops Contugas and ELD

 

June

  • Strategic risks workshops (Enlaza, TGI)
  • Training on project risk management

January – June

  • 120 meetings with process owners for 2025 Risk Matrix update
  • 6 sessions of GEB and Subsidiaries Risk Community

July

  • Generation of risk management infographics

September

  • Conecta strategic risks workshop (September 10)
  • Development of risk website (Intranet)
  • (7) Business Continuity training sessions
  • GEB_Enlaza Business Continuity and Crisis drill

December

  • Update of risk management and business continuity procedures
  • Emerging risks workshop

July – December

  • 6 sessions of GEB and Subsidiaries Risk Community

Financial incentives incorporating risk management metrics:

GEB has a variable compensation scheme that recognizes the achievement of company objectives and incentivizes superior performance. Incentives are paid to employees annually in accordance with the parameters established by the Board of Directors. For senior executives, the company objectives component carries a weight of: i) President: 100%; ii) Vice President and Director: 90% of their total variable compensation. For tactical and support positions, the company objectives component carries a weight of 80% of total variable compensation.

Payment of this incentive depends on the achievement of strategic objectives and indicators. For certain managers and risk leaders, specific initiatives and projects are defined within the framework of the specific objective "Design and implement the policies and methodologies that ensure adequate risk management, contributing to the fulfillment of the Strategy and the objectives of the Group and its subsidiaries." For these initiatives, compliance plans and targets are established, which are monitored through the performance evaluation process.
 


During 2025, performance objectives were measured in accordance with the strategic priorities defined by the company. Within the priorities "Improving lives by being competitive, reliable, and ethical" and "Sustainable company, leader in energy transition and innovation," objectives and metrics associated with risk management were defined, including the corporate emissions mitigation indicator, the institutionality targets portfolio — which encompassed Compliance Risk Management — and the Disabling Accident Frequency Rate indicator.

In 2025, GEB designed a methodology for emerging risk management that establishes the activities of identification, analysis, assessment, treatment, and monitoring. To strengthen this process, a training and capacity-building plan was implemented, targeting risk leaders across the Group and its subsidiaries, with a focus on understanding and applying said methodology. Within the framework of this initiative, risk leaders, senior management, and boards of directors were sensitized to the importance of aligning emerging risk management with business resilience and continuity.
 

In addition, a practical workshop was conducted to apply the methodology and evaluation criteria across the social, environmental, technological, geopolitical, and economic dimensions. As a result, GEB's emerging risks were identified and prioritized, ensuring appropriate follow-up to increase the probability of success in achieving the strategic objectives of the Group's companies.

 

Name: Demographic and migratory shifts affecting the availability of critical technical talent.
Category: Social
Description: Structural demographic trends at the global and regional level — including a sustained decline in birth rates, an aging workforce, the international migration of highly skilled talent, and growing urban concentration — are reducing the availability of specialized technical profiles. Compounding these trends are shifts in immigration policies and declining interest in traditional academic training.
Impact:
  1. Delays in construction schedules and the commissioning of strategic projects (missed commissioning dates and structural increases in labor costs).
  2. Decline in the technical quality of execution due to scarcity of specialized profiles.
  3. Increased dependence on international contractors and external suppliers.
  4. Cost overruns resulting from high turnover and low productivity.
  5. Loss of critical technical knowledge in the operation of existing infrastructure.
Mitigation actions:
  1. Implementation of a regional talent intelligence system integrated into investment planning.
  2. Inclusion of talent risk as a critical variable in project evaluation.
  3. Standardization and industrialization of technical knowledge (digital manuals, digital twins, automation).
  4. Development of regional hubs for operations and remote support.
  5. Global talent attraction strategies (international mobility and remote work).
  6. Accelerated critical technical knowledge transfer programs.

Name: Escalation of social conflict driven by inequitable access to energy.
Category: Social
Description: Widening social gaps in access to reliable energy, combined with increasing demands for territorial equity and community rights, are heightening the risk of social conflict across Latin America. This phenomenon is intensified by structural factors such as energy poverty, the perception of an unequal distribution of benefits, and a greater capacity for social mobilization.
Impact:
  1. Delays or suspension of environmental and social licensing processes.
  2. Prolonged blockades of projects under construction or in operation — significant increase in costs associated with security, logistics, and rescheduling.
  3. Loss of project viability in strategic territories.
  4. Restriction of infrastructure expansion corridors.
  5. Impaired access to international financing (green bonds, multilateral sources).
Mitigation actions:
  1. Implementation of predictive social risk models (territorial analytics and conflict mapping).
  2. Integration of social variables into investment evaluation (social viability criteria).
  3. Design of differentiated territorial strategies according to conflict level.
  4. Development of shared value schemes with tangible benefits for communities.
  5. Integration of communities into project value chains.


Information security/Cybersecurity

Information Security and Cybersecurity Governance Structure

GEB has established robust governance mechanisms to oversee information security and cybersecurity activities. The Audit and Risk Committee of the Board of Directors supervises the compliance and strategic implementation of information security and cybersecurity initiatives. The Committee monitors information security and cybersecurity strategy, identifies and evaluates relevant risks and issues, approves emerging risk mitigation measures and resource allocation, and ensures alignment with business objectives and cybersecurity goals. This Board-level responsibility ensures executive accountability and strategic alignment of information security with organizational priorities.

The Vice Presidency of Talent and Administrative Management is responsible for managing and ensuring all information security and cybersecurity activities that support the company's business strategy. This Vice Presidency exercises technical oversight of services provided by the Shared Services Center to the subsidiaries and corporate offices of Grupo GEB. The Vice Presidency of Talent and Administrative Management and its Information Security and Cybersecurity team report directly to the President and to the Audit and Risk Committee of the Board of Directors, establishing a direct line of accountability and ensuring regular communication regarding security status, risks and strategic initiatives to Board leadership.

Strategic Objectives and Implementation

The Information Security and Cybersecurity governance structure is designed to:

  1. Implement comprehensive information security and cybersecurity governance through the development and deployment of a formalized governance program that establishes policies, procedures, roles and responsibilities across all organizational levels and subsidiaries.
  2. Strengthen detection and response capabilities against advanced incidents and threats through the standardization and implementation of the CrowdStrike antimalware solution across GEB and its subsidiaries, ensuring consistent threat prevention, detection and response protocols.
  3. Enhance business continuity resilience through a comprehensive update of the Disaster Recovery Plan (DRP) documentation, encompassing Application Impact Analysis, Technological Continuity Risk Assessment, DRP governance framework, DRP testing protocols and DRP strategies to ensure operational resilience and rapid recovery capabilities.
     

The Audit and Risk Committee of the Board of Directors monitors the strategy and identifies the issues it deems relevant in terms of information security and cybersecurity. It identifies relevant emerging risks and approves measures and resources to manage them, in line with business and cybersecurity goals.

Likewise, GEB has a CISO with an extensive background in leading technology and cybersecurity areas. His objective is to implement the strategy and structure information security and cybersecurity governance through the implementation of a governance program, the strengthening of detection and response actions against advanced incidents and threats through the standardization of the CrowdStrike antimalware solution in GEB and its subsidiaries, and the update of GEB's Disaster Recovery Plan (DRP) documentation (Application Impact Analysis, Technological Continuity Risks, DRP governance, DRP Testing, and DRP strategies).

Role Description Security and Cyber Security Manager.pdf

Cybersecurity programme.pdf

 
