
Risk Management at Ecopetrol

Apr 16, 2026

The Integrated Risk Management System (IRS) is based on the ISO 31000:2009 standard. Through this system, a set of principles, a reference framework, and a process (Single Risk Management Cycle) are established, enabling the organization to manage the effects of uncertainty on the achievement of objectives. The aim is to maximize opportunities and support the development of strategies, the achievement of objectives, and informed decision-making, as shown below:

This system is led by the Corporate Compliance Office through the Risk Management Office and is overseen by the Board of Directors through its Audit and Risk Committee, in accordance with the roles and responsibilities detailed below.

Within the framework of the Integrated Risk Management System, risks are classified as strategic, tactical, or operational, depending on the level at which they are managed.

At each of these levels, risks are managed in accordance with the specific regulations and standards adopted by the company.

Examples of risks managed at the operational level include:

  • Risks associated with new business opportunities, including the management of investment and divestment initiatives.
  • Commercial risks related to domestic and international markets.
  • Project-related risks.
  • Exploration activity risks.
  • Financial risks – including credit, liquidity, and market risks.
  • Cybersecurity and information leakage risks.
  • HSE risks – encompassing occupational health, environmental, industrial safety, and process safety risks.
  • Compliance risks – including fraud, money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction.

The risk management process is grounded in the systematic application of Ecopetrol’s Unified Risk Management Cycle, which applies to all types of risks across the strategic, tactical, and operational levels.

This cycle must be executed for all risk categories, consistently oriented toward the achievement of objectives, taking into account both internal and external contexts, while also incorporating the specific methodological frameworks relevant to each risk type.

RISK MANAGEMENT CYCLE

The Unified Risk Management Cycle is executed based on the following stages, which guide the systematic activities to be carried out.

  • Plan: Define the scope of activities and analyze both internal and external contexts.
  • Identify: Identify risks based on stakeholder perspectives and information analysis.
  • Assess: Analyze causes and consequences. Evaluate risks based on likelihood and impact.
  • Treat: Select and implement the appropriate risk response options.
  • Communicate, Monitor, and Record: Ensure continuous information exchange, feedback, and periodic review of risk exposure. This includes identifying alerts, verifying the implementation of mitigation measures, and ensuring actions are taken in response to materialized risks, with the goal of keeping risks within defined tolerance and acceptance levels.

Risk appetite refers to the level of risk the company is willing to assume in the pursuit of its objectives, and it guides risk-based decision-making.

Ecopetrol’s expression of risk appetite is framed within the company’s strategy and its Corporate Governance Code.

Risk tolerance refers to the acceptable outcomes or variations in relation to the achievement of objectives. Some zero-tolerance risks at Ecopetrol include:

  • Fatalities occurring during the execution of company operations.
  • Practices that breach the Ecopetrol Group’s Code of Ethics and Business Conduct.
  • Actions that breach regulations related to environmental protection, personal safety, community well-being, and other stakeholder interests.

In addition, there are certain parameters that complement the company’s risk appetite:

  • Strategic risk parameters: For example, new products to be introduced, products to be avoided, and capital expenditure investment focus.
  • Financial risk parameters: For example, the maximum acceptable level of loss or performance variation, including variability in earnings per share, free cash flow growth/margin, earnings before interest and taxes (EBIT)/margin, return on assets, and EBITDA return percentage.
  • Operational risk parameters: For example, expected sustainability response, existing/projected environmental requirements, safety targets, quality objectives, and customer criteria and concentrations.

Ecopetrol applies a risk assessment matrix that includes descriptive scales for the likelihood of occurrence and the impact across various dimensions such as people, environment, economic resources, reputation, and customers.

Based on the combination of likelihood and impact, risk levels are categorized as Very High, High, Medium, Low, and Very Low.

The matrix defines:

  • Non-tolerance zone, where the risk must be actively managed.
  • Tolerance zone with controls, where the risk is managed through mitigation measures.
  • Acceptance zone, where the risk is assumed by the company.

Risk assessment considers the magnitude of consequences and the likelihood of occurrence, providing essential input for prioritizing risks and making informed decisions regarding their treatment.

This risk assessment includes the calculation of both inherent and residual risk levels, based on the defined probability and impact scales, as well as the tolerance and acceptance thresholds established in the Risk Assessment Matrix.

According to Ecopetrol S.A.’s Corporate Governance Code, “ECOPETROL has established an organizational structure that supports risk management and the Internal Control System, assigning specific responsibilities to the Board of Directors, the Audit and Risk Committee, the President, and the Risk Management and Internal Control areas under the Compliance Vice Presidency.”

Indeed, Ecopetrol S.A. defines oversight, execution, and reporting responsibilities within the framework of the Integrated Risk Management System, as follows:

Board of Directors:

  • Approve the Code of Ethics and Conduct and the guidelines of the “Compliance Program System,” which includes the Integrated Risk Management System, the Internal Control System, and the Compliance Management System.
  • Ensure the effectiveness of the internal control and risk management systems.

Audit and Risk Committee of the Board of Directors:

  • Verify the establishment of the Risk Management System, which must include the identification, assessment, treatment, and monitoring of the Company’s risks, their materialization, and the corresponding analysis of the impacts of potential risk events.
  • Analyze and recommend to the Board of Directors the approval of Ecopetrol S.A.’s Corporate Risk Map, in alignment with strategic objectives, and monitor the status of its management.
  • Recommend to the Board of Directors the approval of guidelines for the retention, transfer, and mitigation of financial risks, including insurance for the Ecopetrol S.A. Group.
  • Approve the General Audit Plan (GAP) based on the corporate risk map, ensuring the adoption of standards and the application of internationally accepted auditing practices, and monitor its implementation.

Chief Executive Officer:

  • Establish, maintain, and evaluate the effectiveness of the Company’s Internal Control and Integrated Risk Management Systems. Present, together with the Compliance Officer, the guidelines of the “Compliance Program System” and reports on its effectiveness for approval by the Board of Directors.

Vice Presidencies, Offices, and Management Areas:

  • Provide the necessary resources for the implementation of methodologies for managing the types of risks under their responsibility.
  • Review and monitor the measures implemented for risk management.
  • Report the required information for monitoring the Integrated Risk Management System.

Corporate Compliance Office:

  • Lead the Integrated Risk Management System (IRS) as an independent function (second line of defense), through the Risk Management Office (RMO), ensuring the design, implementation, administration, sustainability, and continuous improvement of the IRS.
  • Additionally, with respect to the Group companies, exercise governance, provide guidance, issue standards, define practices, and monitor risk management activities to unify guidelines and promote synergies, with the objective of enabling timely and well-informed decision-making.

Risk Management Office:

  • Design, implement, manage, and maintain the Integrated Risk Management System for the Ecopetrol Group, as well as define the system’s guidelines and the risk management cycles at the strategic and tactical levels.

All Ecopetrol S.A. employees:

  • Responsible for executing daily tasks with commitment, rigor, and attention to detail. They must also identify, assess, address, control, and communicate the risks to which the company is exposed, in alignment with the principles, framework, and processes of the Integrated Risk Management System (IRS), and in adherence to the Code of Ethics and Conduct.

Internal Audit Office:

  • Responsible for carrying out their daily tasks with commitment, rigor, and attention to detail. They are also expected to identify, assess, treat, control, and communicate the risks to which the organization is exposed, in compliance with the principles, framework, and process of the Integrated Risk Management System (IRS), and in observance of the Code of Ethics and Conduct.

The Corporate Risk Map reflects the events that, in the judgment of Ecopetrol S.A.’s Board of Directors and Senior Management, could potentially divert the company from achieving its strategic objectives and/or its balanced scorecard goals.

Ecopetrol periodically reviews and updates the risk map.

Below is the current Corporate Risk Map of Ecopetrol S.A.:

See further information on current business

Ecopetrol defines emerging risks as those that could have a long-term impact on the company (3–5 years or more), or in some cases, may have already begun to affect the organization.

Based on the analysis conducted, emerging trends for Ecopetrol were identified and classified into the following categories: Social, Environmental, Economic, Technological, and Geopolitical.

From these trends, emerging risks were identified and assessed, as shown below:

Ecopetrol’s Emerging Risk Radar

See further information for current emerging risks

The integrated risk management culture is grounded in informed decision-making and shared accountability for managing risks across all levels of the organization, to reasonably ensure that risks are managed in a preventive manner.

The Company promotes a culture that:

  • Recognizes risks as an inherent part of business activities and manages them in a timely manner.
  • Encourages transparent communication and reporting, enabling the generation of early warnings.
  • Integrates knowledge and strengthens capabilities through continuous learning as a systematic risk management practice.
  • Establishes clear expectations regarding conduct and risk-based decision-making.
  • Encourages behaviors aligned with the approved risk appetite.
  • Promotes the perception of risk management as a value-generating practice.
  • Fosters co-responsibility, recognizing that risk management is an organization-wide responsibility.

Risk management culture is reinforced through continuous training, cross-functional and ongoing communication, leadership, and the monitoring of best practices.


Training, development and continuous learning

Board of Directors: To strengthen a risk-based culture, all members of the Board of Directors receive periodic risk management training through expert-led sessions and internally developed content. Topics include the relationship between risk, corporate governance, and strategic decision-making, as well as external trends and risks associated with emerging technologies, including artificial intelligence, among others.

Workforce: Throughout the year, the Company promotes awareness and training initiatives aimed at strengthening integrated risk management capabilities, including enterprise and emerging risk management cycles, opportunity management, and the adoption of risk management practices across the Group. This approach is complemented by an institutional virtual learning pathway aligned with ISO 31000, reinforcing common criteria and shared responsibilities, and forming part of the onboarding and continuous development process for both current employees and new hires.


Incentives aligned with Risk Appetite

To foster a strong risk culture across the Company, financial incentives have been designed to support the achievement of objectives directly related to enterprise risks.

Variable compensation is a key component of the overall remuneration package and is designed to align employees with the Company’s annual strategic objectives, measured through the Corporate Management Balanced Scorecard (CMBS). This framework considers financial, operational, ethical, and critical risk management factors.

In this regard, incentives are linked to risks identified by the Company as strategic, such as “Major incidents with human, environmental, and operational consequences” or “Conduct inconsistent with ethical and compliance standards”. Accordingly, Ecopetrol S.A. incorporates specific performance indicators into the annual variable compensation assessment across all organizational levels, including:

  1. HSE (Health, Safety, and Environment): fatalities or environmental incidents;
  2. Ethical events or disciplinary breaches; and
  3. Internal control deficiencies reported by the external auditor.

This approach supports the direct linkage between preventive management, individual and collective accountability, strategic objectives and risk mitigation efforts.


What is Risk

For Ecopetrol S.A., risk is the effect of uncertainty on the achievement of the Company’s objectives, where that effect is a positive, negative, or combined deviation – threats and opportunities – from what is expected. Risk may be expressed in terms of risk sources, potential events, and their probability and/or impact.

Likewise, opportunities are positive deviations from objectives, identified and managed through the risk management cycle at the strategic, tactical, and operational levels.

Risk Management Across the Value Chain

At Ecopetrol S.A., risk management is inherently embedded in the execution of business activities. The Company integrates risk management as a key element of its decision-making process, ensuring that decisions are based on a clear understanding of uncertainty, potential impacts, and alignment with approved risk appetite levels.

This approach supports more informed, consistent, and sustainable decisions aligned with the Company’s strategy and corporate objectives.
