CORPORATE MANAGEMENT

COMPREHENSIVE RISK MANAGEMENT

To preserve and maintain excellent management of our business resources and to ensure business continuity, ISA takes a comprehensive management approach to possible risks and opportunities.

To this end, ISA has implemented a process for the identification, analysis, evaluation, monitoring, and communication of the risks to which it is exposed. The aim is to minimize the impact on financial resources and reputation, as well as to take advantage of the opportunities that may arise.

Find out how these actions are incorporated into ISA’s risk policy.

RISK MANAGEMENT AS A KEY ELEMENT IN BUSINESS DISCUSSIONS

High degree of risk coverage in the organization

Allows future scenarios to be observed instead of waiting for things to happen

When applying the risk management model: policy and controls for proper exposure to the defined risk appetite

TYPOLOGY AND CATEGORIES OF RISKS

They allow risks to be associated with common issues and are applicable to all companies. Both the typology and the categories make it possible to conduct specific analyses and to produce executive reports and correlations.

For the location of the risks, an association is made with the relevant causes of the risks, rather than with the consequences.

 

  • Governance 
  • Regulatory
  • Legal
  • Political
  • Market, liquidity, and credit
  • Market, competition, mergers, and acquisitions

 

  • Business operation 
  • Design and construction
  • Supply chain
  • Cybersecurity and information technologies
  • Human capital and labor relations
  • Occupational Safety and Health
  • Fraud and corruption (FCPA)
  • Data and information
  • Money Laundering (ML), Terrorism Financing (TF) and Financing of the Proliferation of Weapons of Mass Destruction (FPWMD) 
  • Environmental 
  • Natural phenomena and extreme climate changes
  • Property
  • Social
  • Public order and citizen security

RISK MANAGEMENT GOVERNANCE

The board of directors and senior management have a strong commitment to comprehensive risk management (CRM), exercised through the Audit and Risk Committee, which regularly monitors the most relevant events and signals throughout the organization. The role of the Audit and Risk Committee is framed within the following functions:

Noteworthy among these are the approval and periodic review of the policy, manual, prioritization criteria (appetite and tolerance) and monitoring indicators, in addition to the review and evaluation of the integrity and adequacy of the risk management operation.

Risk-based decision making is encouraged in the organization; workshops, forums, training, and the use of new tools are promoted with senior management, leaders, and collaborators to strengthen the culture of risk management and reporting.

This is how we experienced the first LATAM risk management forum at ISA and its companies

Business continuity and crisis training for ISA and companies

The main risks, their current and future management measures, the information reported to the different stakeholders, and work plans associated with the recommendations of the supervisory authorities and control entities are monitored.

The model and review of emerging risks, as well as the most critical business risks and their management measures, work plans, the business continuity plan, analysis of materialized risks, crisis management and compliance risks, insurable risks, cybersecurity, and those associated with nature are promoted.

REPORT TO THE AUDIT AND RISK COMMITTEE

RISK MAPS FOR ISA AND ITS COMPANIES

COMPREHENSIVE RISK MANAGEMENT PROCESS

The risk management cycle is based on the ISO 31000 standard and aligned with best practices. Its implementation is supported by values and standards that guide the comprehensive risk management cycle at all levels and enable the organization to manage the effects of uncertainty on objectives. They are:

  • Integrated
  • Structured and exhaustive
  • Adapted
  • Inclusive
  • Dynamic
  • Best information available
  • Human and cultural factors
  • Continuous improvement

Risks map

COMPREHENSIVE RISK MANAGEMENT INCLUDES:

Relevant risks by business

Risks relevant to the reputation resource

COMPREHENSIVE RISK MANAGEMENT MODEL

ISA has implemented a mechanism for identifying, analyzing, and minimizing risks that allows us to be updated on any changes, impacts, or gains we may detect in this process.

Sensitivity analyses during this year were performed mainly for:

  • Regulatory risks associated with changes in tariff formulas in Brazil, using decision tree modeling. 
  • Financial risks, through stress analysis with earnings at risk (EaR) in accordance with the prioritization criteria (appetite and tolerance) defined in the organization. 
  • Climate change risks, through qualitative analysis of RCP 2.6, 4.5, 6 and 8.5 scenarios affecting transmission infrastructure in Colombia.

The identification, analysis, assessment, and treatment of risks associated with climate change are integrated holistically into the enterprise risk management system in the short and medium term. In the long term, they are included in the analysis of emerging risks.

In 2022, reporting was prepared for the seventh consecutive year on the risks and opportunities associated with climate change in accordance with the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD). A more in-depth analysis of the risks associated with infrastructure adaptation to climate change was carried out for Colombia in 2022.

Cyber risk management at ISA and its companies is tied to the comprehensive risk management model and is analyzed from both the IT and OT perspectives, following good practices based on the ISO 27001 and NIST frameworks for structuring control mechanisms and monitoring cyber threats and vulnerabilities. Because it is a relevant risk categorized as a priority in its assessment, its management is driven by senior management at all levels of the Company and its business units, and collaborators share responsibility for its proper identification and treatment.

Given the criticality of this risk for operational continuity and information security, it is managed in the short and medium term at the business and process risk level and in the long term at the emerging risk level. This allows a holistic analysis that strengthens the cybersecurity strategy, both in securing the stages of the asset life cycle and in transferring the risk to the insurance market.

At ISA, the transfer of risks to the insurance market is based on an objective and quantitative understanding of the impacts of the risks to which the operation is exposed, such as impacts on human resources, the environment, reputation, assets, and technology. This understanding originates in comprehensive risk management, through close coordination between the risk and insurance teams, and is advancing towards the application of total cost of risk techniques for critical scenarios, risk quantification, and loss distribution analysis of historical events. These techniques support decision making for optimal negotiation of the ratio between risk coverage and insurance cost.

To strengthen monitoring, the compliance dimension (CO) was created, and the categories were expanded to include money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction (ML/FT/FPWMD); privacy of information (PI) and fraud, corruption, and bribery (FC). The scope of compliance risk management is associated with the "Zero illegal, or unethical actions" statement made in the risk appetite and tolerance exercise of ISA and its companies.