Jul 23, 2025
Ecopetrol’s Corporate Governance Code identifies risk management as one of the best practices in transparency, governance, and control, as follows:
“ECOPETROL operates in a highly dynamic and uncertain industry. Therefore, it must manage risks and internal control comprehensively to seize opportunities and mitigate adverse effects on the Company’s interests. Integrated risk management at Ecopetrol seeks to establish general guidelines for risk administration and to foster a culture that enables informed decision-making, considering potential events that may positively or negatively impact the Company’s objectives.”
To learn more, please consult:
https://www.ecopetrol.com.co/.../Anexo+2+C%C3%B3digo+de+Buen+Gobierno+de+Ecopetrol.pdf
The Integrated Risk Management System (IRS) is based on the ISO 31000:2009 standard. Through this system, a set of principles, a reference framework, and a process (Single Risk Management Cycle) are established, enabling the organization to manage the effects of uncertainty on the achievement of objectives. The aim is to maximize opportunities and support the development of strategies, the achievement of objectives, and informed decision-making, as shown below:
This system is led by the Corporate Compliance Office through the Risk Management Office and is overseen by the Board of Directors through its Audit and Risk Committee, in accordance with the roles and responsibilities detailed below.
According to Ecopetrol S.A.’s Corporate Governance Code, “ECOPETROL has established an organizational structure that supports risk management and the Internal Control System, assigning specific responsibilities to the Board of Directors, the Audit and Risk Committee, the President, and the Risk Management and Internal Control areas under the Compliance Vice Presidency.”
Indeed, Ecopetrol S.A. defines oversight, execution, and reporting responsibilities within the framework of the Integrated Risk Management System, as follows:
Board of Directors:
Audit and Risk Committee of the Board of Directors:
Chief Executive Officer:
Vice presidencies, Offices and Management Areas:
Corporate Compliance Office:
Risk Management Office:
All Ecopetrol S.A. employees:
Internal Audit Office:
Risk appetite refers to the level of risk the company is willing to assume in the pursuit of its objectives, and it guides risk-based decision-making.
Ecopetrol’s expression of risk appetite is framed within the company’s strategy and its Corporate Governance Code.
Risk tolerance refers to the acceptable outcomes or variations in relation to the achievement of objectives. Some zero-tolerance risks at Ecopetrol include:
In addition, there are certain parameters that complement the company’s risk appetite:
Within the framework of the Integrated Risk Management System, risks are classified as strategic, tactical, or operational, depending on the level at which they are managed.
At each of these levels, risks are managed in accordance with the specific regulations and standards adopted by the company.
Examples of risks managed at the operational level include:
The risk management process is grounded in the systematic application of Ecopetrol’s Unified Risk Management Cycle, which applies to all types of risks across the strategic, tactical, and operational levels.
This cycle must be executed for all risk categories, consistently oriented toward the achievement of objectives, taking into account both internal and external contexts, while also incorporating the specific methodological frameworks relevant to each risk type.
RISK MANAGEMENT CYCLE
The Unified Risk Management Cycle is executed based on the following stages, which guide the systematic activities to be carried out.
Ecopetrol applies a risk assessment matrix that includes descriptive scales for the likelihood of occurrence and the impact across various dimensions such as people, environment, economic resources, reputation, and customers.
Based on the combination of likelihood and impact, risk levels are categorized as Very High, High, Medium, Low, and Very Low.
The matrix defines:
Risk assessment considers the magnitude of consequences and the likelihood of occurrence, providing essential input for prioritizing risks and making informed decisions regarding their treatment.
This risk assessment includes the calculation of both inherent and residual risk levels, based on the defined probability and impact scales, as well as the tolerance and acceptance thresholds established in the Risk Assessment Matrix.
The Corporate Risk Map reflects the events that, in the judgment of Ecopetrol S.A.’s Board of Directors and Senior Management, could potentially divert the company from achieving its strategic objectives and/or its balanced scorecard goals.
Ecopetrol periodically reviews and updates the risk map.
Below is the current Corporate Risk Map of Ecopetrol S.A.:
Ecopetrol defines emerging risks as those that could have a long-term impact on the company (3–5 years or more), or in some cases, may have already begun to affect the organization.
Based on the analysis conducted, emerging trends for Ecopetrol were identified and classified into the following categories: Social, Environmental, Economic, Technological, and Geopolitical.
From these trends, emerging risks were identified and assessed, as shown below:
Ecopetrol’s Emerging Risk Radar