Risk Management at Ecopetrol

May 18, 2022

At Ecopetrol, risk is understood as the effect of uncertainty on the fulfillment of the company's objectives, considering the effect as the positive, negative or both (threats and opportunities) deviation from forecasts.

Integrated risk management allows Ecopetrol to adequately support risk-based decision-making, using a common language and tools that allow it to act in a timely and effective manner under the uncertainty associated with the achievement of objectives.

Integrated risk management is part of the Integrated Risk Management System based on the ISO 31000 standard, the Code of Good Governance, the Code of Ethics and Conduct, the Comprehensive Policy and the Compendium of Good Practices for Comprehensive Management and Control. Processes, among others. In turn, there are other regulatory references applicable to the specific management of the risks managed in the company, all of them in alignment with the Integrated Risk Management System.

Integrated Risk Management System

The Integrated Risk Management System (IRS) is defined as the set of principles, reference framework and process that allow the organization to manage the effects of uncertainty on the fulfillment of its objectives, to maximize opportunities and assist in setting strategies and making informed decisions. This system is led by the Corporate Vice Presidency of Compliance through the Corporate Integrated Risk Office and is supervised by the Board of Directors through the Audit and Risk Committee of the Board of Directors.

The principles of IRS provide guidance on the characteristics of risk management in the Ecopetrol Group.

The reference framework contains the provisions to integrate risk management in the activities and functions of the company.

The risk management cycle contains five stages that guide the systematic activities to be carried out:

  • Plan: Definition of scope of activities and analysis of internal and external context.
  • Identify: Identification of risks based on the points of view of the people involved and on the analysis of information.
  • Evaluate: Analysis of causes and consequences. Asessment according to probability and impact.
  • Treat: Selection and implementation of options to address the risk.
  • Communication and consultation, Monitoring and review Reporting and reporting: Exchange of information, feedback, continuous monitoring, documentation and reporting of the results of each stage of the cycle, Example: new or modified risks, materialization of risks, potential risks.



Risk levels in Ecopetrol

In Ecopetrol risks are managed at the strategic, tactical, and operational layer:

For the tactical layer, see risks of the Anticorruption and Citizen Service Plan.




Ecopetrol´s Business Risk Map

Emerging Risks

Ecopetrol defined emerging risks as those that are expected to have a long-term future impact on the company (3-5 years and beyond) or in some instances, they have already begun to impact Ecopetrol. Emerging risks are considered those that meet some of the following characteristics:

  • 1. The risk is new, developing, or significantly increasing in importance.
  • 2. A familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)
  • 3. The potential material financial or reputational impact of the risk is long-term and significant.
  • 4. It is an external risk that arises from events external to the company which are beyond its influence or control.
  • 5. The risk and its impact on the company are specific.
  • 6. Has a high potential impact to Ecopetrol and may require Ecopetrol to adapt its strategy and/or business model

Click on the next links for more details about the emerging risks of Ecopetrol:

Complementary Content
Tu navegador no es compatible con la versión actual del portal Ecopetrol. Para una mejor experiencia, te recomendamos usar uno de los siguientes navegadores: