To preserve and maintain excellent management of its business resources, and to ensure business continuity, ISA has a comprehensive management approach to possible risks and opportunities.
To this end, ISA has implemented a process for identifying, analyzing, evaluating, monitoring, and communicating the risks to which it is exposed. The aim is to minimize the impact on financial resources and reputation, as well as to take advantage of the opportunities that may arise.
Find out how these actions are incorporated into ISA’s risk policy.
They allow risks to be associated with common issues and are applicable to all companies. Both the typology and the categories make it possible to conduct specific analyses and to produce executive reports and correlations.
When locating a risk, it is associated with its relevant causes rather than with its consequences.
The board of directors and senior management have a strong commitment to comprehensive risk management (CRM) through the Audit and Risk Committee, which regularly monitors the most relevant events and signals throughout the organization. The role of the Audit and Risk Committee is framed within the following functions:
Notable among them are the approval and periodic review of the policy, manual, prioritization criteria (appetite and tolerance), and monitoring indicators, as well as the review and evaluation of the integrity and adequacy of the risk management operation.
Risk-based decision making is encouraged in the organization; workshops, forums, training, and the use of new tools are promoted with senior management, leaders, and collaborators to strengthen the culture of risk management and reporting.
The main risks, their current and future management measures, the information reported to the different stakeholders, and work plans associated with the recommendations of the supervisory authorities and control entities are monitored.
The Committee also promotes the model for and review of emerging risks, as well as the most critical business risks and their management measures, work plans, the business continuity plan, analysis of materialized risks, crisis management and compliance risks, insurable risks, cybersecurity, and risks associated with nature.
The risk management cycle is based on the ISO 31000 standard and aligned with best practices. Its implementation is supported by values and standards that guide the comprehensive risk management cycle at all levels and enable the organization to manage the effects of uncertainty on its objectives. They are:
ISA has implemented a mechanism for identifying, analyzing, and minimizing risks that keeps it up to date on any changes, impacts, or gains detected in this process.
Sensitivity analyses during this year were performed mainly for:
The identification, analysis, assessment, and treatment of risks associated with climate change is integrated holistically into the enterprise risk management system in the short and medium term. In the long term, it is included in the analysis of emerging risks.
In 2022, reporting on the risks and opportunities associated with climate change was prepared for the seventh consecutive year, in accordance with the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD). A more in-depth analysis of the risks associated with adapting infrastructure to climate change was carried out for Colombia in 2022.
Cyber risk management at ISA and its companies is integrated with the comprehensive risk management model and is analyzed from both the IT and OT perspectives, following good practices based on the ISO 27001 and NIST frameworks to structure control mechanisms and to monitor cyber threats and vulnerabilities. Because it is a relevant risk, categorized as a priority in its assessment, its management is driven by senior management at all levels of the Company and its business units, and collaborators share responsibility for its proper identification and treatment.
Given the criticality of this risk for operational continuity and information security, it is managed in the short and medium term at the business and process risk level, and in the long term at the emerging risk level. This allows a holistic analysis that strengthens the cybersecurity strategy, secures each stage of the asset life cycle, and supports the transfer of the risk to the insurance market.
At ISA, the transfer of risks to the insurance market is based on an objective and quantitative understanding of the impacts of the risks to which the operation is exposed, such as those affecting human resources, the environment, reputation, assets, and technology. This understanding originates in comprehensive risk management, through the synergistic coordination of the risk and insurance teams, and advances towards the application of total cost of risk techniques for critical scenarios, risk quantification, and loss distribution analysis of historical events, which support decision making for an optimal negotiation of the ratio between risk coverage and insurance cost.
To strengthen monitoring, the compliance dimension (CO) was created, and the categories were expanded to include money laundering, financing of terrorism, and financing of the proliferation of weapons of mass destruction (ML/FT/FPWMD); privacy of information (PI); and fraud, corruption, and bribery (FC). The scope of compliance risk management is associated with the "Zero illegal, or unethical actions" statement made in the risk appetite and tolerance exercise of ISA and its companies.