INTEGRAL RISK MANAGEMENT

Post on 29-Dec-2019


  • INTEGRAL RISK MANAGEMENT

  • STRUCTURE

    Risk management

    Business continuity management

    Challenges

    Carmen Rosa Ángel Cotes Professional Integral Risk Management

    "Our Integral Management of Risks is aimed at creating value for ISAGEN and it is a key element in organizational decision making, loss reduction, and optimization opportunities. This enables us to protect corporate soundness and sustainability, through an effective management of risks at all levels of the organization, the administration of all risk transferring mechanisms, and the issuance of effective responses to events that could jeopardize our business continuity. Our business continuity methodology is aimed at identifying potential impacts, establishing the context of the situation, developing recovery strategies, and building effective responses in preparation for said impacts".

  • 2016 MILESTONES

    We carried out the exercise of identifying business risks associated with our Senior Management strategy, including two new analysis elements: risk appetite as a function of EBITDA and inherent risk.

    We trained 100% of management to highlight the importance of integral risk management and strengthen their roles and responsibilities.

    We carried out a more complex drill that consisted of the simultaneous activation of the crisis management, emergency management and business continuity plans. We obtained a comprehensive response, addressing operational and strategic aspects.

    We tested 39 business continuity plans to confirm their functionality and to generate learning among the persons involved.

  • The current environment requires companies to go beyond mitigation of day-to-day risks, with an approach of adapting to global risk and developing the organizational capacity to overcome complex situations. We used these aspects to create business initiatives to secure our business sustainability, ensure its continuity, preserve business resources, and adequately manage the impact of relations with stakeholders.

    Our Integral Risk Management comprises risk management and business continuity management. Both practices have different scopes, but are mutually complementary. The first one is responsible for the comprehensive mitigation of all business risks, acting more forcefully prior to the occurrence of an event. The second one is responsible for establishing an anticipated, comprehensive response to minimize the potential impact on critical activities, operating more forcefully after the events that gave rise to the interruption of operations and reducing their consequences.

    In this chapter, we will share the main results and challenges of 2016:

    RISK MANAGEMENT

    Risk management is a logical, systematic process that establishes the context, and identifies, analyzes, assesses, addresses, monitors and communicates risks associated with Company processes and strategies. This administration is performed based on a methodology aligned with business strategy and with best practices and regulations such as ISO 31000 and NTC 5254.

    In 2016 we identified corporate risks associated with our strategy together with Senior Management (Management Team). The exercise covers the analysis of our business objectives and Superior Purpose, emerging events, and the trends and risks identified by the World Economic Forum. We also included the analysis of two elements: risk appetite as a function of EBITDA, that is, the maximum amount that we are willing to accept in case of risk materialization, and inherent risk, that is, the risk rating without taking controls into account.

    The corporate risk inventory is approved by the Audit and Risk Committee and the Board of Directors. For each risk, we identify and analyze the respective causes and controls, as well as situations that could materialize it. Similarly, we implemented a monthly follow-up of corporate risk situations and the respective mitigation actions in the Management Committee. The result of this follow-up is analyzed by the Audit and Risk Committee and the Board of Directors.

    Included below are the 15 corporate risks with their description, level of inherent risk (before controls) and residual (after controls), as well as their association with the trends and risks emerging from the World Economic Forum, the relevant management issues and the Sustainable Development Goals (SDG):

  • Business Risk | Description of Risk | Level of inherent risk | Level of residual risk | Trends and risks emerging from the World Economic Forum | Material or relevant management issues* | SDGs prioritized by ISAGEN

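    Occupational Safety and Health Risk

    Description: Inadequate management of activities leading to undermining the protection, safety, health and well-being of personnel.

    Level of inherent risk: Extreme. Level of residual risk: High.

    Trends and risks emerging from the World Economic Forum: Appearance of chronic diseases; Aging of the population; Propagation of infectious diseases.

    Material or relevant management issues: Occupational health and safety.

    SDGs prioritized by ISAGEN: DECENT WORK AND ECONOMIC GROWTH.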

    Physical security of people and facilities risk

    Description: Social conditions or malicious actions by third parties that threaten the security of ISAGEN's people (personnel, contractors or community members) or assets and/or affect the business operations.

    Level of inherent risk: Extreme. Level of residual risk: High.

    Trends and risks emerging from the World Economic Forum: Urbanism; Increase of geographical mobility; Changes in power; Deep social instability; Inter-state conflict; Failure in national governance; Terrorist attacks.

    Material or relevant management issues: Occupational health and safety; Human rights and peace.

    SDGs prioritized by ISAGEN: DECENT WORK AND ECONOMIC GROWTH.

    Environmental and Social Risk

    Description: Inadequate social and biophysical management for contributing to environmental sustainability of ISAGEN and its influence areas during the construction or operation of power generation plants.

    Level of inherent risk: Extreme. Level of residual risk: Moderate.

    Trends and risks emerging from the World Economic Forum: Environmental degradation; Climate change; Increased revenues and disparity of wealth; Failures in mitigation and adaptation to climate changes; Extreme climate events; Collapsing at ecosystem level and reduction of biodiversity; Environmental catastrophes caused by men; Water crisis; Food crisis; Large scale involuntary migration.

    Material or relevant management issues: Comprehensive water management; Climate change; Biodiversity Management; Transformation role in the regions; Human rights and peace; Development of new business opportunities; Energy production and commercialization.

    SDGs prioritized by ISAGEN: PEACE, JUSTICE AND STRONG INSTITUTIONS; CLIMATE ACTION; LIFE ON LAND; CLEAN WATER AND SANITATION; AFFORDABLE AND CLEAN ENERGY; DECENT WORK AND ECONOMIC GROWTH.

    * We recognize that the good quality of relations is the basis for preventing any risk from materializing and, therefore, all corporate risks are connected to this material or relevant aspect of management. Our human-being-based conception of the company is in turn related to the material issues.


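    Commercial Management Risk

    Description: Inadequate commercial management that prevents or hinders the achievement of the EBITDA target.

    Level of inherent risk: Extreme. Level of residual risk: High.

    Trends and risks emerging from the World Economic Forum: Effects of energy price; Failure in management of inflation.

    Material or relevant management issues: Energy production and commercialization.

    SDGs prioritized by ISAGEN: CLIMATE ACTION; CLEAN WATER AND SANITATION; AFFORDABLE AND CLEAN ENERGY.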

    National disaster risk

    Description: Natural phenomenon of certain extent, intensity and duration, with the potential to cause damage on people, assets or the environment, which affect operations.

    Level of inherent risk: Extreme. Level of residual risk: High.

    Trends and risks emerging from the World Economic Forum: Environmental degradation; Climate change; Failures in mitigation and adaptation to climate changes; Extreme climate events; Environmental catastrophes caused by men; Natural catastrophe.

    Material or relevant management issues: Climate change.

    SDGs prioritized by ISAGEN: CLIMATE ACTION; AFFORDABLE AND CLEAN ENERGY.

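    Risk of Unavailability at Power Generating Plants

    Description: Internal or external events that affect the operations of the electric power plants and impact their availability.

    Level of inherent risk: Extreme. Level of residual risk: High.

    Trends and risks emerging from the World Economic Forum: Natural catastrophe; Critical drop in technological infrastructure; Failure in physical infrastructure.

    Material or relevant management issues: Energy production and commercialization.

    SDGs prioritized by ISAGEN: CLIMATE ACTION; CLEAN WATER AND SANITATION; AFFORDABLE AND CLEAN ENERGY.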

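    Fuel Shortage Risk

    Description: Fuel shortage (supply and transport) to ensure back up and/or generation of ISAGEN's electric power plant.

    Level of inherent risk: High. Level of residual risk: Moderate.

    Trends and risks emerging from the World Economic Forum: Effects of energy price; Collapsing at ecosystem level and reduction of biodiversity.

    Material or relevant management issues: Energy production and commercialization; Supply.

    SDGs prioritized by ISAGEN: CLIMATE ACTION; AFFORDABLE AND CLEAN ENERGY.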


    ICT Management and Cyber-Security Risk

    Description: Inadequate management of information technology and communications that prevents or limits the achievement of business goals, and vulnerability of information caused by internal or external cyber-attacks.

    Level of inherent risk: Extreme. Level of residual risk: Moderate.

    Trends and risks emerging from the World Economic Forum: Cyber attacks; Adverse consequences due to technological progress; Critical drop in technological infrastructure; Fraud or data theft; Increased cyber dependency.

    Material or relevant management issues: Innovation and development of competences for management of characteristic technologies.

    SDGs prioritized by ISAGEN: AFFORDABLE AND CLEAN ENERGY.

    Legal Management Risk

    Description: Errors or omissions in the legal representation or legal advisory of the company.

    Level of inherent risk: Extreme. Level of residual risk: Moderate.

    Trends and risks emerging from the World Economic Forum: Inter-state conflict; Failure in national governance; Crisis or state collapse; Changes in power; Changes in international governance perspective.

    Material or relevant management issues: All.

    SDGs prioritized by ISAGEN: PEACE, JUSTICE AND STRONG INSTITUTIONS; CLIMATE ACTION; LIFE ON LAND; CLEAN WATER AND SANITATION; AFFORDABLE AND CLEAN ENERGY; DECENT WORK AND ECONOMIC GROWTH.

    Human Talent Management Risk

    Description: Inadequate management of human talent that hinders the integral development of employees and prevents the company from upholding competent workers, with efficient succession plans.

    Level of inherent risk: High. Level of residual risk: Low.

    Trends and risks emerging from the World Economic Forum: Large scale involuntary migration; Unemployment or sub-employment.

    Material or relevant management issues: Employees' comprehensive development.

    SDGs prioritized by ISAGEN: PEACE, JUSTICE AND STRONG INSTITUTIONS; DECENT WORK AND ECONOMIC GROWTH.


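    Macroeconomic Changes Risk

    Description: Macroeconomic changes that negatively affect the Company's operational results and the creation of value therein.

    Level of inherent risk: Extreme. Level of residual risk: Moderate.

    Trends and risks emerging from the World Economic Forum: Deflation; Failure in management of inflation.

    Material or relevant management issues: Company value; Development of new business opportunities.

    SDGs prioritized by ISAGEN: DECENT WORK AND ECONOMIC GROWTH.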

    Fraud, bribery and corruption risk

    Description: Fraud, bribery and corruption acts by company workers or stakeholders.

    Level of inherent risk: Extreme. Level of residual risk: Low.

    Trends and risks emerging from the World Economic Forum: Increased cyber dependency; Changes in power; Changes in international governance perspective; Increased revenues and disparity of wealth; Fraud or data theft; Adverse consequences due to technological progress; Failure in national governance; Crisis or state collapse.

    Material or relevant management issues: Business Ethics.

    SDGs prioritized by ISAGEN: PEACE, JUSTICE AND STRONG INSTITUTIONS; DECENT WORK AND ECONOMIC GROWTH.

    Regulatory and Compliance Risk

    Description: Non-compliance with, or ignorance of, laws, norms and/or regulations.

    Level of inherent risk: Extreme. Level of residual risk: High.

    Trends and risks emerging from the World Economic Forum: Inter-state conflict; Failure in national governance; Crisis or state collapse; Changes in power; Changes in international governance perspective.

    Material or relevant management issues: Energy production and commercialization; Biodiversity Management; Transformation role in the regions; Development of new business opportunities; Comprehensive water management; Climate change; Company value.

    SDGs prioritized by ISAGEN: PEACE, JUSTICE AND STRONG INSTITUTIONS; CLIMATE ACTION; LIFE ON LAND; CLEAN WATER AND SANITATION; DECENT WORK AND ECONOMIC GROWTH.


    Financial Management Risk

    Description: Inadequate financial management that negatively affects the business operational results and the creation of value therein.

    Level of inherent risk: Extreme. Level of residual risk: Low.

    Trends and risks emerging from the World Economic Forum: Fiscal crisis; Deflation; Failure in management of inflation; Failure in financing mechanisms or their implementation; Inter-state conflict; Crisis or state collapse; Changes in power; Changes in international governance perspective; Effects of energy price; Natural catastrophe; Climate change.

    Material or relevant management issues: Company value.

    SDGs prioritized by ISAGEN: DECENT WORK AND ECONOMIC GROWTH.

    Hydrological and climate variability risk

    Description: Climate and hydrological variability that affects negatively the production of electric energy at the Company's hydroelectric power plants.

    Level of inherent risk: Extreme. Level of residual risk: Moderate.

    Trends and risks emerging from the World Economic Forum: Climate change.

    Material or relevant management issues: Comprehensive water management; Biodiversity Management; Development of new business opportunities; Energy production and commercialization.

    SDGs prioritized by ISAGEN: CLIMATE ACTION; CLEAN WATER AND SANITATION; AFFORDABLE AND CLEAN ENERGY.

  • We trained 100% of management to highlight the importance of integral risk management and strengthen their roles and responsibilities. Similarly, we highlight two encounters:

    Annual Encounter of Risk Managers: an opportunity to strengthen knowledge and to provide an update on the progress of integral risk management. It was attended by 34 Risk Managers, corresponding to 63% of the 54 Organization managers. Duration of the encounter: 8 hours.

    Encounter of Business Continuity Managers: an opportunity to identify the accountability of teams and priority work issues, and also to provide guidelines that strengthen the integral planning of training and tests. It was attended by 38 business continuity managers, corresponding to 68% of the 56 Organization continuity managers. Duration of the encounter: 8 hours.

    Risk Managers’ Annual Event.

    Find out more:

    Policy for Integral Risk Management and controls

    https://www.isagen.com.co/comunicados/integral-risk-management-policy.pdf

    https://www.isagen.com.co/our-company/management-practices/enterprise-risk-management/

  • BUSINESS CONTINUITY MANAGEMENT

    Our business continuity management is based on national and international reference standards such as ISO 22301 and NTC 5722. It includes response to emergencies, crisis management and operations continuity, aspects that guide our preparation to address potential impact on people, environment, reputation and operations. We have a management system for its implementation, maintenance and sustainability within a continuous improvement process. To this end, we identify potential threats and impacts that could affect us and, based on such information, we establish response strategies and build guidelines and procedures in advance to strengthen the organizational reaction capability in adverse situations, thus protecting the interests of the parties involved, their reputation, and their value generating activities.

    We carried out 39 tests of the plans in order to simulate normal operating conditions in the event of an interruption, confirm functionality of the existing plans, and evaluate results to generate learning and establish improvement actions. The performance of tests corresponded to 75% of plans for responsible processes, mostly due to the fact that some plans were being updated based on changes in regulations or methodology for the plans' preparation and sustainability. These results were used as a baseline to determine improvement goals in subsequent years.

    In 2016, we contributed to the strengthening of culture, skills and knowledge relative to business continuity management, through the following activities:

    Training of business continuity managers, who coordinate the activities required for the sustainability of each of the plans.

    Implementation and startup of the Information System for Business Continuity Management, which enables integrating information from various plans and management systems with increased levels of security, integrity and availability of information.

    Planning and performance of tests on the plans. We highlight the drill conducted, which was based on a hypothetical event at the Termocentro power plant. This test implied a coordinated action of several business continuity plans, which enabled us to strengthen the organizational response capacity for greater complexity events.

    Finally, we contracted insurance policies, managed the claims received, and assessed some risks that were not covered by the current insurance program and the possibility of transferring them to the insurance market.

    Training for Business Continuity Managers.

  • Strengthening appropriation of integral risk management and implementation of the methodology at all organizational levels, coordinating risk management and business continuity as a natural element of process design and work performance.

    Strengthen the planning, execution, monitoring and reporting of individual tests, coordinated with the Business Continuity Management System to generate an adequate organizational culture to face complex situations.

    Identify and assess risks associated with contracting to properly transfer them by means of a specific compliance assurance program that must include tailored conditions to facilitate administrative management and minimize associated risks.

    Compliance

    Continue strengthening the risk management culture through training of employees, risk managers and executives.

    Conduct comprehensive tests of business continuity plans, taking into account several system components, which will allow strengthening organizational response capacity in greater complexity events that imply a coordinated action of several plans and, at the same time, contribute to greater efficiency of resources available for performance of these tests.

    Manage the Insurance Program and analyze the viability of implementing alternative risk transfer schemes, other than traditional insurance.

    2016 CHALLENGES

    2017 CHALLENGES