For Celsia, Risk Management is decisive in the fulfillment of its Strategy and is reflected in the daily work of our employees.
GRI (3-3) Risk management is a differentiating, essential factor to achieve business sustainability. In addition, it is a priority principle for our employees and an aspect that allows us to plan for events that may significantly affect our Mission and to prepare the mitigation of their impacts, in order to reduce the perception of uncertainty related to decision making and safely ensure the achievement of our goals. Likewise, at Celsia, we identify opportunities to promote them and manage them correctly.
Our Management
GRI (3-3) At Celsia, we manage risks under the guidelines of the Comprehensive Risk-Management System (CRMS) Policy and the Manual. Our methodology includes the permanent identification, measurement, treatment and monitoring of the risks to which we are exposed, and its purpose is to quickly and proactively evaluate those impacts, both favorable and unfavorable, that may affect the achievement of Strategic Objectives and the business performance. Additionally, we have a technological tool that is managed by each of the teams and that supports us in the management and monitoring of risks and opportunities in each of our processes.
The Risk-Management Tool allows us to integrate risks in one place with their level of exposure, causes, controls, responsible parties and action plans, among others.
The CRMS focuses on identifying the most-relevant risks in the Strategy to address the incidence and criticality of the impacts on our objectives in:
- Processes;
- Projects;
- New business or products; and
- Facilities.
Evaluation of the Magnitude and Potential Scope of Risks
TCFD (Risk Management – a) The Risk-Management Process at Celsia is defined in the CRMS and aligned with good international practices, such as the ISO 31000 Standard and the COSO Enterprise Risk-Management (ERM) Standard, which define similar components, based on an understanding of the business, objectives, environment and trends.
Subsequently, the relevant risks are identified and analyzed, the mitigation controls are associated, the risk is evaluated, its treatment is defined, and the risks are recorded and reported. We apply this same process to manage risks and opportunities derived from climate change. Our risk of climate change and scarcity of resources is strategic for the Company and is assessed qualitatively and quantitatively, from the physical impacts to our assets caused by climate threats to the implications associated with the transition, such as changes in the market, technology and regulation.
We have Mitigation, Compensation, Adaptation, Communication and Treatment Plans defined and focused on Business-Continuity Strategies, risk transfer through the insurance program and taking advantage of opportunities, such as the diversification of the energy matrix with unconventional renewable sources, energy efficiency and sustainable mobility, among others.
Risk Governance
Board of Directors
- Oversee the implementation of the CRMS;
- Approve the Policy; and
- Approve the Risk Appetite.
CEO
- Respond to the Board of Directors and Shareholders for the implementation of the CRMS;
- Report on the Risk Profile; and
- Report on the status of Risk-Mitigation Plans.
Steering Committee
- Report on the operation of the CRMS in the processes; and
- Warn about new identified risks.
Audit, Finance and Risk Committee
- Support the Board of Directors in all responsibilities related to the supervision of the CRMS; and
- Monitor Strategic Risks.
Risk Area
- Design and lead the implementation of the Risk Policy, Processes and Methodology;
- Monitor effective Risk Management; and
- Support the different teams in carrying out risk assessments.
Internal Audit
- Evaluate the efficiency and effectiveness of the CRMS;
- Issue recommendations to improve the operation of the CRMS;
- Evaluate the effectiveness of Risk-Mitigation Plans; and
- Validate the effectiveness of controls.
Risk Managers
- Build and update the Risk and Control Maps of their processes;
- Provide support in training and dissemination of the Risk Culture; and
- Support the Risk Area in the implementation of the CRMS in its process.
Employees
- Apply comprehensive risk management in accordance with the policy and methodology;
- Warn about possible risks in their processes; and
- Report risk-materialization events.
This work methodology covers the risk of climate change; additionally, some specific issues are presented to the Sustainability Committee.
Structural Independence in the Risk-Management Function
GRI (2-13) Risk Management is transversal to the Organization and external to the Business Lines: Asset Management, Homes and Companies (managed from the Generation, Transmission and Distribution; and Marketing Areas).
The Financial Leader maintains constant interaction with Senior Management and the Board of Directors’ Audit, Finance and Risk Committee, bodies that have the greatest responsibility for risk management in the Company.
In addition, our CRMS is supported by the Risk Management Policy, which establishes the elements and the general framework for action against risks of all kinds that the Organization faces, as well as the Governance Structure, which indicates the instances, roles and responsibilities to manage and ensure the proper functioning of the CRMS.
Risk-Management Training for Non-Executive Directors in 2022
The Company promotes the training of the members of the Board of Directors on issues related to the Business and Risk Management. During 2022, training was provided on cyber risk and on the current trends on which the new strategic risks were based, such as world news and the country’s political-economic variables.
Additionally, they were sensitized to environmental, social and governance (ESG) risks and the quantification of the climate-variability risk.
The Risk Module also continued to be used in the application of the Board and the Steering Committee. This tool provides access to updated information on strategic risks, a risk map and its characterization, as well as the initiatives that are being executed as mitigation measures.
Risk Culture
In order to strengthen the culture of risk management, we have online training for all employees of the organization:
- Adopting Risk Management, the purpose of which is to raise awareness of risks.
- Guardian of Information, as a preventive cyber risk-management measure, which helps to raise awareness among employees about the importance of protecting information.
- The Crisis-Management Plan, to control and mitigate adverse events.
Likewise, during the reporting year, we carried out testing exercises of our Business Continuity Plan and Crisis Management in a cyber-crisis scenario.
With our principal businesses, we carry out Operational-Risk Workshops and implement a more-intuitive application for Risk and Opportunity Management.
We have the permanent accompaniment of risk specialists to share trends and best practices.
Strategic and Emerging Risks
This is how we advance in interdisciplinary work to identify and assess Strategic and Emerging Risks:
Strategic Risks
These are the internal and external events and trends that can generate a positive or negative deviation from the Company’s expected growth trajectory, our Strategy and value for Shareholders.
- Have the human talent that enables the Company’s Strategy;
- Regulatory;
- Changes in the political environment and macroeconomic variables;
- Climate change and scarcity of resources;
- Cybersecurity;
- Changes in the dynamics of energy-market supply and demand; and
- Relations with Stakeholders.
Emerging Risks
These are risks and opportunities generated by changes in society and in the environment, which are characterized by being new, increasing and about which there is little information, which makes it difficult to measure the impact.
Extreme Climatic Events
In recent years there has been an increase in the frequency and severity of climatic events, such as floods, droughts, landslides and cyclones, affecting the continuity of the Company’s operations.
Possible Commercial Impact
Decrease in income due to loss of generation capacity, due to drought, in hydraulic plants and possible material damage to equipment, which prevents the operation of the plants.
Mitigation Actions
- Maintain financial mechanisms to cover the risk of commercial default.
- Continue with the Insurance Program with material damage and loss of profit coverage.
- Strengthen our Business Continuity Plans and Disaster Risk Management.
Scarcity of natural resources to produce solar panels and wind turbines
The manufacture of solar panels and wind turbines requires rare metals, such as neodymium (used in wind turbine magnets) or germanium (used as a conductor in solar panels); they are limited resources, and their demand continues to grow.
Possible Commercial Impact
- Cost overruns in the construction of unconventional renewable energy sources (FNCER) projects.
- Failure to comply with the Company’s regulatory commitments in the entry of wind and solar projects.
Mitigation Actions
- Study alternative low-emission technologies (hydrogen, batteries, biofuels, etc.).
- Evaluate possibilities to use and reuse the materials used in the manufacture of these pieces.
- Support research projects on new substitute minerals.
Principal Results in 2022
GRI (3-3) During 2022, we identified global trends with an influence on our businesses and we created value based on them:
- We updated our strategic risks after carrying out the Trend and Risk Management (T&RM) exercise.
- We implemented a new application for Risk and Opportunity Management. This allows us to integrate the risks, their level of exposure, the causes, controls, responsible parties and action plans, among others, in a single place.
- We carried out Risk-Management Workshops in processes, projects and new businesses with the different teams.
- We made progress in the implementation of Business-Continuity Plans in Central America and in the Internet business.
- We continued to update the Disaster Risk-Management Plans for our assets in accordance with current regulations.
- We carried out test exercises in a cyber-risk scenario with the Crisis Committee.
- We implemented an Organizational Cyber-Risk Protocol.
- We updated the quantification of climate-change risk, including the Representative Concentration Pathway (RCP) scenarios, and we advanced in the exercise of vulnerabilities within the framework of climate resilience.
- We advanced the analysis of climatic parametric solutions.
- We applied diagnostic tools in ESG Risk Management to identify the aspects that need to be strengthened.
- With the Compliance Team, progress was made in the identification and assessment of compliance risks with Central American processes.
- We implemented simplification initiatives to improve our process and the interrelationship with our Stakeholders.
GRI (3-3) Short-, Medium- and Long-Term Objectives:
Short Term (0 to 2 years)
- Manage trends as a mechanism to mitigate risks and develop opportunities.
- Continue analyzing alternative risk transfer.
- Carry out test exercises in the Business Continuity Plans for Colombia, Central America and the Crisis Management Plan, as well as strengthen cyber-risk test scenarios.
- Continue implementing the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) in relation to climate change.
- Continue with the implementation of data analytics and business intelligence to facilitate the reporting of information and contribute to decision making.
- Advance in the quantitative analysis of the assessment of relevant strategic and operational risks.
- Continue to establish correlations between strategic and operational risks.
- Accompany business teams in the implementation of plans that contribute to climate resilience.
Medium Term (3 to 5 years)
- Strengthen strategic-risk assessment and correlation exercises by implementing risk-measurement and quantification mathematical models for the adoption of appropriate mitigation strategies.
- Optimize the Risk-Management Model with the appropriate transfer and retention mechanisms.
Long Term (6 or more years)
- Lead the Organization towards a Trend and Risk-Management Approach, strengthened in valuation methodologies, by implementing a model of correlations between strategic and operational risks.
ESG: Environmental, Social and Corporate Governance
Comprehensive Risk Management System (CRMS) (SGIR, in Spanish): A systematic application of policies, procedures and practices for the identification, analysis, evaluation, treatment, monitoring and review of risk, communication and monitoring. It comprises four Pillars: Governance, Process, Risk Culture, and Technology.