Risk Management and Business Continuity

Almaviva S.A., aware of the importance of being prepared to respond appropriately to events that interrupt the provision of services and business processes, has adopted a business continuity management system that, based on the detection of risks and vulnerabilities, allows the establishment of the necessary measures to ensure compliance with the promise of services, regulations, expectations of partners and suppliers, as well as the protection of people, information and infrastructure.

The Board of Directors and Senior Management of Almaviva and Almaviva Global Cargo recognize the strategic, operational and financial potential of risk management as a management system that ensures the fulfillment of their organizational objectives. They also consider the Business Continuity Management Model an essential part of the risk management system, associated with service interruptions and with the importance of maintaining a viable capacity to continue business and processes with minimal impact in the event of an emergency. Its practice is the responsibility of each and every member of the organization and is framed within the company's self-control culture.

The strategy used by Almaviva is based on business requirements and international best practices and consists of an established methodological structure to follow a series of steps that promote the protection of employees, information, critical services, infrastructure and processes, against events that may interrupt the normal course of operations.

Continuity Management is the structural basis of the Comprehensive Risk Management System of Almaviva S.A. and its subsidiaries, so this management is based on an adequate identification, assessment and monitoring of risk, as well as the determination of action plans to control the materialization of risk and to deal with any emergency that may arise.

Almaviva’s Comprehensive Risk Management is based on world-renowned methodologies and principles such as those of the Basel Committee and ISO 31000, and on national regulation issued by different bodies such as the Colombian Financial Superintendence. Comprehensive Risk Management is part of the company’s strategic model, and it is made up of stages of identification, measurement, and risk control and monitoring. It is founded on institutional policies and culture creation processes that effectively ensure that each and every employee becomes a risk administrator linked to the activity they perform.

In line with the company's corporate vision and strategic objectives for Growth, Profitability, Technology Improvement and Development of Human Talent, guidelines and policies are developed and communicated at every level of the company, so that, through proper activity and risk management, day-to-day work is directed at achieving those objectives.

By using methodologies with known technical value, the risks of processes and company activities are identified to locate those most relevant to achieving objectives. These are then analyzed in order to determine, improve and implement controls that reduce their likelihood or their impact on the organization.

With constant monitoring of the surroundings, processes and the results of audits, inspections and change controls, we can assess changes to the identified risks and analyze the need for specific risk treatment activities, in order to ensure that the residual risk is within the limits established and accepted by the Board of Directors.

Almaviva’s Comprehensive Risk System is made up of:

  • The Code of Ethics and the Asset Laundering and Financing of Terrorism Risk Administration System “SARLAFT”.
  • The Operational Risk Administration System “SARO”.
  • The Quality Management System, according to ISO 9001:2008.
  • The Financial Consumer Service System “SAC”.
  • The Occupational Health and Safety Management System, according to ISO 18001:2007.
  • The Information Security Management System.
  • The Environmental Management System, according to ISO 14001:2004.
  • The Security System, according to BASC.

Asset Laundering and Financing of Terrorism (AL/FT) risks are the possibility of losses or damages that a company can suffer because of its tendency to be used directly, or through one of its operations, as an instrument to launder assets and/or channel resources to carry out terrorist activities, or the intent to hide assets that are the result of said activities. The AL/FT risks materialize through the so-called associated risks to which the company is exposed: Legal, Reputational, Operational, and Spillover. SARLAFT is managed by using the aforementioned Risk Management methodology, and it has a defined organizational structure, control bodies, policies, procedures, documents, and technological support which, along with training and constant disclosure of information, enable compliance with the requirements established by control bodies and enable risk management.

Operational risk is the possibility of incurring losses due to failures or inadequacies in human resources, processes, technology, infrastructure, or due to external events. This definition includes the Legal and Reputational Risk that is associated with these factors. Just like SARLAFT, the operational risk management system, “SARO”, is developed with risk management methodologies and is made up of the minimum elements required by current legislation (policies, procedures, documentation, organizational structure, record of operational risk events, control bodies, technology platform, disclosure of information and training), through which operational risk management is carried out.