Risk management

Risk management at GEB and its subsidiaries is framed in its strategic priorities and is consistent with the cultural attributes, capacities, roles and responsibilities, ensuring fulfillment of the Corporate Risk Management Policy.

In this manner, risk management contributes to the results of the main financial, operating, environmental and social indicators of the Company, which demonstrate fulfillment of the Group’s strategy and priorities, in general terms and within the expected ranges.

 

The Corporate Risk Management Policy establishes the framework for action and the commitments made in this regard, as well as the understanding and application of the Comprehensive Risk Management Model, which is based on international management standards (such as NTC ISO 31000) and the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission).

 

To learn more about risk policy please consult here

 

Comprehensive risk management methodology 


At GEB, risk management contributes to the achievement of its strategic goals in terms of operating, financial, environmental and social indicators. 

GEB’s risk management model enables the Company to identify possible threats, risks and opportunities, to assess them and define the corresponding treatment, and to manage and mitigate risks in a proactive manner. This increases the possibility of achieving the strategic and operating objectives that impact its stakeholders, who demand a contribution to the energy transition, the development of low-carbon economies and an equitable society that reduces multidimensional poverty and social gaps in access to basic public services such as electricity and gas.
 

 

 

 

Figure 1. Comprehensive Risk Management Methodology

Risk management is based on prevention and mitigation and is a commitment of all GEB employees.

The governance of risk management is led by the Audit and Risk Committee of the Board of Directors, whose functions include:

 

  • Recommend to the Board of Directors the risk matrix of the Company and its subsidiaries, as well as the Risk Policy and the risk appetite calculation methodology.

  • Regularly monitor and report to the Board of Directors on the effective implementation of the risk matrix of the Company and its subsidiaries, so that major financial and non-financial risks, on balance sheet and off balance sheet, including environmental, social and corporate governance risks derived from the sustainability strategy adopted by the Company, are identified, managed and disclosed to the Board of Directors appropriately and in a timely manner.
     

Members and the rules of the Audit and Risk Committee can be found here

The members of the Audit and Risk Committee of the Board of Directors have the experience and knowledge necessary to advise and guide GEB’s risk management strategy. Every two months, the Risk Department reports to Senior Management, the Audit and Risk Committee and the Board of Directors on strategic risks. The purpose is to monitor, adjust, and strengthen risk management plans and take action on relevant risks across the organization.

At the management level, GEB and its subsidiaries have specialized teams that monitor risks and their controls, and coordinate with the different areas of their companies the actions necessary to prevent and mitigate risks.

The functions dedicated to operational risk management are framed in the Three Lines Model defined in the Control Architecture Policy. 


The Control Architecture Policy can be found here

 

Through the application of the Comprehensive Risk Management Model, GEB identifies and manages strategic and process risks, carrying out periodic monitoring and control in coordination with the process leaders. Risk control is based on the three lines of defense model, according to the European Confederation of Institutes of Internal Auditing (ECIIA) standard, which defines the responsibilities towards the Internal Control System.

 

 

•    The first line (self-control, self-regulation and self-management): corresponds to the activities carried out by each of the Group’s collaborators, including those responsible for processes and controls, by defining and executing controls through policies, procedures, methodological frameworks, among others. The first line of defense of the Internal Control System is based on three key principles: self-control, self-regulation and self-management.

•    The second line comprises the different supervision and monitoring functions performed by the areas that carry out financial reporting control activities, legal and regulatory compliance, quality management systems, information security, supervision and inspection, and risk management. These functions facilitate and monitor the implementation of control activities to mitigate risks.

•    The third line corresponds to independent assurance through the activities of internal and external audit. This line of defense provides corporate governance bodies and Senior Management reasonable assurance on the effectiveness of corporate governance, risk management and control, and independence and objectivity for Group companies.


Based on this, through Internal Audit and the execution of the Risk-Based Annual Audit Plan, the risks and the effectiveness of the controls for their mitigation are evaluated. In this process, risk controls are rated, both in design and in operation, and reports of audit findings are prepared, which feed back into the risk management process to drive action and continuous improvement. Annually, this process is evaluated through internal and external quality, management, risk and Integrated Management System audits.
 

 

 

 

Objective: the objective of the Integrated Risk Management process is to design and implement policies and methodologies that ensure adequate risk management, contributing to the fulfilment of the objectives of the Group and its subsidiaries.

 


Figure 3. GEB Process Map

Sub-process: 

 

GEB identifies, measures and manages the strategic risks to which its companies are exposed, which correspond to those events that may affect or prevent the achievement of strategic objectives, in order to minimize the likelihood of potential financial and reputational impacts and to take advantage of opportunities that may arise. Each subsidiary of GEB applies the Comprehensive Risk Management model and has a map where risks are identified and evaluated, and where the measures and risk management plans for each of the businesses are presented.

At GEB we are committed to contributing to the achievement of strategy, continuous operational improvement, investment protection and company reputation, managing risks at all levels on a permanent and systematic basis through the implementation of Comprehensive Risk Management.

Heat maps allow GEB to represent and describe the specific risk exposure of the company (considering probability and magnitude):
 

 

Below are some strategic risks of high impact for GEB:

Risk: Regulatory changes unfavorable to the company’s interests

Description: Amendment of existing regulations (laws, decrees, resolutions, circulars, rulings, doctrinal changes) that negatively impact GEB’s interests.

Probability: Very high

Impact: Very high; 110M USD

Mitigation actions:

  • Monitor changes in legislation and regulations
  • Strategic Regulatory Management
  • Definition and implementation of government engagement strategies
  • Proactive regulatory management, anticipate government measures with proposals favorable for the regulated sectors
  • Assessment of impact scenarios from potential short-term regulatory changes and implementation of mitigation measures

Risk: Work accidents

Description: Work accidents during development, operation and maintenance activities of transmission projects affecting direct workers or third parties, involving serious injuries or deaths.

Probability: Medium

Impact: Very high; may affect a group greater than 10 people and may result in disability injuries greater than 1 month or fatal losses

Mitigation actions:

  • Cultural transformation program in occupational safety and health
  • Inspection and verification of adherence to procedures, competencies, and required training in Occupational Safety and Health (OSH)
  • Mandatory personal accident insurance for high-risk jobs
  • Continuous and on-site oversight or supervision of the Occupational Safety and Health components
  • Procedures for investigating high-potential accidents and incidents at GEB, including protocols for investigation and accountability
  • Safety and health performance assessment for all contractors
  • Requirement of personal accident insurance for high-risk field work, applicable to contractors and their sub-contractors
  • Commitment to Safety, Health, and Well-being from the Board of Directors to the rest of the organization
  • Establishment of the Corporate Occupational Safety and Health Management within the Talent Management process and the definition of the OSH Management Model, extending to subsidiaries.

 

All of GEB’s strategic risk mitigation actions and impacts can be found at 

Framework of Risk Appetite:

Risk appetite is a benchmark set by the Board of Directors that allows for financial assessment of the impact of company risks, in order to prioritize risk management and define mechanisms to mitigate and control adverse situations that may affect the profitability and solvency of the company. 

GEB has a methodology for calculating the Risk Appetite Framework, which establishes the reference values of Appetite, Capacity and Tolerance for GEB and its subsidiaries, and is represented below:

 

The risk appetite framework is revised at least once a year, and its calculation takes into account two main variables:

•    ROE: a fundamental indicator for measuring the Group’s strategic objectives. This is mainly because the purpose of the ROE is to evaluate GEB’s ability to generate value for its shareholders, which directly evaluates a component of the objectives of the corporate strategy.

•    Standard deviation of the ROE: this measure quantifies the dispersion of a set of data with respect to the mean. In this case it gives a percentage value that estimates the variation of the ROE around its average, given the volatilities of the evaluated periods. The result allows the reference values for appetite, tolerance and capacity to be calculated by multiplying it by the average equity of the period evaluated.

Indicators of Risk Management:

1.    Risk materialization indicator:

On a bimonthly basis, the Risk Materialization indicator is measured, which quantifies the ratio between materialized risks and identified risks.  The goal established for the materialization indicator is to have zero (0) materialized risks.

In 2023, three strategic risks were reported to have materialized in TGI and one in GEB. Root cause analyses were conducted for all materialized events, and action plans were defined to correct the materialized event and prevent the occurrence of new events. The strategic risks materialized in TGI correspond to: 
•    “Regulatory changes unfavorable to the Company's interests,” following the enactment of Resolution CREG 175 of 2021, effective from June 1, 2023. 
•    “Discontinuation of critical business functions” due to various emergency events caused by pipeline ruptures in specific sections of the gas pipeline. 
•    “Failure to meet the Company’s financial targets and the required return on capital,” resulting from shifts in the market behavior of fuel gas prices. 

At GEB, the materialization of the risk of “Loss of confidentiality, integrity, or availability of the Company’s information and/or cyber assets” was reported, triggered by two cybersecurity incidents that were addressed and resolved.

For all reported materialization events, root cause analyses were performed, and action plans were defined to correct the materialization event and to prevent its recurrence.

2.    Effectiveness of Risk Controls:

The Risk Controls Effectiveness indicator is measured annually. It evaluates the degree of risk reduction or mitigation achieved by the established control and the degree of implementation and operation of the control.

With respect to GEB's Control Effectiveness indicator, during 2023 around 203 strategic risk controls and 395 process risk controls were monitored, obtaining an effectiveness indicator result of 85.19%, which meets the established goal of 80%.

 

On a bimonthly basis, risk exposure analysis is performed for the electric power and gas businesses in GEB and its Subsidiaries. The most relevant information is consolidated and presented to the GEB Audit and Risk Committee for feedback.

The following are excerpts from the risk reports presented to the Committee in which it analyzes the risk exposure:

Audit and Risk Committee Report - February 16, 2023:
•    Debt risk exposure analysis. 
•    Exposure analysis of the risk of non-compliance with the date of entry into operation of the expansion projects. 
•    Analysis of cybersecurity risk exposure 
AandR Committee February 16, 2023.pdf

 

Audit and Risk Committee Report - April 20, 2023:
•    Analysis of the exposure to the risk of non-business continuity due to the Nevado del Ruiz Volcano alert for Enlaza and TGI businesses 
AandR Committee April 20, 2023.pdf
 

Audit and Risk Committee Report - June 22, 2023:
•    Process safety risk exposure analysis for the energy and gas businesses 
AandR Committee June 22, 2023.pdf
 

Audit and Risk Committee Report - August 24, 2023:
•    Exposure to risks of the Electric Power Transmission business - Enlaza.
•    Analysis of exposure to physical security risks and vulnerability map in projects in Colombia 
AandR Committee August 24, 2023
 

Audit and Risk Committee Report - October 19, 2023:
•    Cybersecurity risk exposure
•    Exposure to regulatory risk
•    Analysis of exposure to the risk of non-continuity of critical functions of the gas business in Colombia.
•    Analysis of exposure to the risk of vulnerabilities to cyber-attacks for the gas business in Colombia 
AandR Committee October 19, 2023.pdf
 

Audit and Risk Committee Report - December 12, 2023:
•    Assessment of climate change risks and opportunities for the electricity and gas businesses in Peru 
AandR Committee December 12, 2023.pdf
 

External and Internal Reports in 2023:

Annually, as part of the evaluation of the Integrated Management System, internal and external audits are carried out to verify that the management system implemented by the company has achieved the established objectives, meets the requirements and is correctly maintained. Likewise, through the execution of audits, improvement opportunities for the processes are identified.

Internal Audit 2023

•    Internal Audit Plan 2023: On February 28, 2023, ICONTEC conducted an internal audit of the integral risk management process, in which the following regulatory criteria were verified:
    ISO 45001: 5.2, 5.3, 5.4, 6.1.2, 6.1.3, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1.2, 8.1.3, 8.1.42, 8.1.4.3, 8.2, 10.1 and 10.3
    ISO 9001: 5.2, 6.1, 6.2, 6.3, 7.3, 8.1, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.6, 8.7, 9.1.9.1.3, 10, 7.1.3, 7.1.4, 7.1.5.
    ISO 14001: 5.2, 6.1, 6.1.2, 6.1.4, 6.2.1, 6.2.2, 8.1, 8.2, 7.3, 8.1, 8.2, 7.4, 10.
    ISO 55001: 6.1, 6.2.2, 7.3, 9.1, 10.1, 10.3
Audit Plan of the IMS.xlsx
           

•    Internal Audit Report on the Comprehensive Risk Management Process 2023: As a result of the internal audit, the methodology of the risk management system and the actions to address them, which incorporates a detailed analysis of their causes and effects, were identified as a strength. Likewise, an opportunity for improvement of the process was identified with respect to the assurance of the materialization report by the processes.

External Audit 2023

•    External Audit Plan 2023: On May 28, 2023, an external audit was conducted by the certifying entity BUREAU VERITAS with no nonconformity findings for the integrated risk management process.
Comprehensive Risk Management Report.xlsx  

          
 

•    IMS External Audit Report: The external audit report on the IMS (Integrated Management System) shows that there were no findings or opportunities for improvement in the integrated risk management process. 

The risk culture is supported by awareness, education and training plans that are led by the risk management area and the GEB Academy of the Talent Management Department. Relevant risk issues are articulated with different areas such as Compliance Management, Regulatory Management, Information Security and Cybersecurity Management, Occupational Safety and Health Management, among others; from which training and education needs are determined regarding compliance risk management, regulatory, information security and cybersecurity and OSH risks.

The Talent Management Department, through the GEB Academy, plans and executes these plans by scheduling forums, virtual and face-to-face courses, expert panels, support from academic institutions, among others. The Company also has the COURSERA platform, to which all employees have access and which offers a wide range of training that includes strategic, operational, project and climate change risk management, among others.

1.    Periodic risk management education for all non-executive directors.

The members of the Board of Directors and the President's Committee were trained on the most relevant aspects of the outlook for the electricity sector 2023 - 2028 and on the outlook for natural gas supply in Colombia. 
Prospects for Natural Gas Supply in Colombia.pdf
2023-2030 Electricity Balance
 

2.    Focused organization-wide training on risk management principles:

GEB periodically offers all its employees training on issues related to understanding and managing risk. This is done through different formats that allow effective communication of these topics and the active involvement of the participants.

In 2023, virtual training programs, courses through Coursera, talks with experts, panels with experts, among others, were developed to promote a culture of risk management.

Through these tools and training channels, we have promoted the understanding, evaluation, analysis and management of risks in areas such as information security and cybersecurity, compliance, occupational health and safety, climate change, human rights, among others.



3.    Communications of new risk management guidelines: 

During 2023, the Risk Management Policy and Business Continuity Policy were reviewed and updated. The risk policy was approved by the GEB Board of Directors in August 2023. To communicate these updates and encourage employees to consult them, communication pieces were produced and disseminated through the intranet:

•    https://comunicaciones.geb.com.co/informacion-de-tu-interes-12-dic/
•    https://comunicaciones.geb.com.co/riesgos-1/
•    https://www.youtube.com/watch?v=SEhn64GTH1I
•    https://www.youtube.com/watch?v=3r-OLqmU7bU

 

4.    Incorporation of risk criteria in the development of products and services:

The company performs risk analysis and assessment for each business opportunity that arises and for each energy infrastructure project it implements. Such reviews provide relevant information for decision-making regarding the approval and/or execution of projects, as well as in the acquisition of new assets. The risk assessments include criteria such as financial viability in terms of EBITDA and CAPEX, as appropriate, human rights approach in terms of possible effects on the integrity of employees in the performance of the project, and possible environmental, legal, technical and reputational impacts, among others.

Through the implementation of the maturity and value creation model of the Project Management Office - PMO, the company ensures that risk criteria are incorporated into all phases of its projects. Specific risk management criteria are applied to initiatives, project planning and project performance and closure. 

Some of the projects evaluated are presented below:
•    UPME 01 2022 Huila 230 kV
•    UPME 07 2021 Alcaraván 230 kV
•    UPME 06 2021 Carreto 500 kV
•    UPME 05 2023 3er TRF Bolívar 500/220 kV


5.    Financial incentives that incorporate risk management metrics:

GEB has a variable compensation scheme that recognizes the fulfillment of company objectives and incentivizes superior performance. Incentives are paid to employees annually in accordance with parameters established by the Board of Directors. For senior executives, the company objectives component has a weight of: i) president: 100%; ii) vice president and director: 90% of their total variable compensation. For tactical and support positions, the company objectives component has a weight of 80% of the total variable compensation.

The payment of this incentive depends on the achievement of strategic objectives and indicators, and for some risk managers and leaders, specific initiatives and projects are defined within the framework of the specific objective "To design and implement policies and methodologies that ensure adequate risk management, which contributes to the fulfillment of the strategy and objectives of the group and its subsidiaries". Compliance plans and goals are established for these initiatives, which are monitored in the performance evaluation process.
 

 


During 2023, performance objectives were measured according to the strategic focuses defined by the company. Within the "Improving lives by being competitive, reliable and ethical" and "Sustainable company, leader in energy transition and innovation" focuses, objectives and metrics associated with risk management were defined, such as the corporate emissions mitigation indicator, the portfolio of institutional goals that included Compliance Risk Management and the Lost Time Injury Frequency Indicator.
 

 

 

As part of its Comprehensive Risk Management Model, GEB identifies and monitors potential emerging risks that are new, external, and with significant and long-term impact. Two of the main emerging risks identified by GEB are listed below:

Name: Maturing of renewable energy technologies for self-generation and massification of prosumers

Category: Economic

Description: As part of Colombia's climate goals and SDG targets, the installed capacity of non-conventional renewable energies is expected to increase to 25 GW by 2030. This represents a significant growth, as the current capacity is around 3 GW. By 2050, a target of 50% share of renewable energies in the country's electricity generation matrix is expected.

The achievement of these objectives could lead to the accelerated maturation and consolidation of technologies associated with renewable energies for self-generation and the massification of prosumers (producers and consumers), representing a decrease in the final demand of consumers (residential and industrial) for energy in the retail energy market.

Impact:

1. Lower revenues due to lower demand for electricity from residential and industrial consumers.

2. Loss of competitiveness against new players in the energy chain that have the capacity to adopt these technologies in a faster and more cost-efficient manner.

3. Loss of competitiveness against market prices.

Mitigating actions:

Implementation of a cross-cutting innovation strategy focused on:

1. Open innovation: ensuring articulation with the ecosystem of non-conventional renewable energies.

2. Technology watch to ensure the development of solutions and new businesses in GEB companies.

3. Development of initiatives to identify and develop new business solutions around clean energies, renewable gases and other types of non-conventional energies.

4. Connection to venture capital investment vehicles to access startups that are leading technological development at a global level.

Name: Deficit of diversified natural gas supply at efficient prices in the Colombian wholesale market

Category: Economic

Description: Shortage in the medium term of natural gas supply and significant increase in its price as a consequence of: 1) the maturity and imminent decline of the large existing gas fields in Colombia (mainly Cusiana, Cupiagua and Ballena), 2) the late commercial entry of the new off-shore natural gas discoveries (in the best scenario by the end of 2027), and 3) the non-development of the "Pacific Regasification Plant" project.

Impact:

1. Non-availability of the gas necessary for the operation of the compressor stations associated with the natural gas transportation business (TGI).

2. Loss of the economic efficiency of natural gas compared to other energy substitutes.

3. Increase in operating costs and decrease in the demand for natural gas, which leads to a reduction in the volume transported and TGI's operating income.

Mitigating actions:

Participation in new business lines that incorporate renewable energy sources and circular economy technologies such as biogas, biomethane and hydrogen, among others, in order to diversify the current low supply of natural gas.

Although this will require substantial changes in the current business models, it will also ensure the sustainability of gas companies and meet demand over time, given that there is sufficient transportation infrastructure (currently underutilized with natural gas in some sections of the National Transportation System) to move these molecules and their potential mixtures (blending). With this, this new energy model will guarantee:

1. Security of supply

2. Environmental sustainability

3. Economic efficiency

 

 

The Audit and Risk Committee of the Board of Directors monitors the strategy and identifies the issues it deems relevant in terms of information security and cybersecurity. It identifies relevant emerging risks and approves measures and resources to manage them, in line with business and cybersecurity goals.

Likewise, GEB has a CISO with an extensive background in leading technology and cybersecurity areas, whose objective is to implement the strategy and structure information security and cybersecurity governance through: the implementation of a governance program; the strengthening of detection and response actions for advanced incidents and threats through the standardization of the CrowdStrike antimalware solution in GEB and its subsidiaries; and the update of GEB's Disaster Recovery Plan (DRP) documentation (Application Impact Analysis, Technological Continuity Risks, DRP governance, DRP Testing, and DRP strategies).
Role Description Security and Cyber Security Manager.pdf

 

 

 

 

 

 
