Business Continuity & Risk Management

Almaviva S.A., understanding how important it is to be prepared to properly respond to events that interrupt the delivery of services and business processes, has adopted a business continuity management system that, starting from the detection of risks and vulnerabilities, enables us to implement the necessary measures aimed at ensuring compliance with the service promise, regulations, expectations of partners and suppliers, as well as the protection of people, information and infrastructure.

The Board of Directors and Senior Management at Almaviva and Almaviva Global Cargo, understand the strategic, operational and financial potential of managing risks with a management system that ensures compliance of organizational objectives. Moreover, it considers the Business Continuity Model as an essential part of the risk management, related to service interruptions and the importance of keeping viable ability for the continuity of business and processes with minimum impact in the event of an emergency. Using this model is the responsibility of each and every one of the members of the organization, and it falls within the company’s culture of self-regulation.

The strategy used by Almaviva is based on business requirements and best international practices, and it is made up of a methodological structure established to follow a series of steps that are aimed toward protecting employees, information, critical services, infrastructure and processes against events that could interrupt the normal course of the operations.

Continuity Management is the structural base of the Comprehensive Risk Management System used by Almaviva S.A.. and its affiliates; consequently, said management is fed by proper risk identification, assessment and monitoring, as well as establishing action plans to control the materialization of risk and to face any emergency that may arise.

Almaviva’s Comprehensive Risk Management is based on world renown methodologies and principles such as the Basilea Committee, ISO 31000 and national regulation issued by different bodies such as the Colombian Financial Superintendence. Comprehensive Risk Management is part of the company’s strategic model, and it is made up of stages of identification, measurement, and risk control and monitoring. It is founded on institutional policies and culture creation processes that effectively ensures that each and every employee becomes a risk administrator linked to the activity they perform.

According to its corporate vision and strategic objectives for Growth, Profitability, Technology Improvement and Development of Human Talent, guidelines and policies are developed and communicated at every level of the company, so that by using proper activity and risk management, they work day-to-day to achieve said objectives.

By using methodologies with known technical value, process risks and company activities are identified to locate the most relevant ones to achieve objectives, which are then analyzed in order to determine, improve and implement controls that reduce the possibility or impact on the organization.

With constant monitoring of the surroundings, processes and the results of audits, inspections and change controls, we can assess changes to the risks identified that enable us to analyze needs to carry out specific risk treatment activities, in order to ensure that the residual risk is within the limits established and accepted by the Board of Directors.

Almaviva’s Comprehensive Risk System is made up of:

  • The Code of Ethics and the Asset Laundering and Financing of Terrorism Risk Administration System “SARLAFT”.
  • The Operational Risk Administration System “SARO”.
  • The Quality Management System, according to ISO 9001:2008.
  • The Financial Consumer Service System “SAC”.
  • The Occupational Health and Safety Management System, according to ISO 18001:2007.
  • The Information Security Management System.
  • The Environmental Management System, according to ISO 14001:2004.
  • The Security System, according to BASC.

Asset Laundering and Financing of Terrorism (AL/FT) risks are the possibility of losses or damages that a company can suffer because of its tendency to be used directly, or through one of its operations, as an instrument to launder assets and/or channel resources to carry out terrorist activities, or the intent to hide assets that are the result of said activities. The AL/FT risks materialize through risks called associated: Legal, Reputational, Operational, and Spillover to which the company is exposed. SARLAFT is managed by using the aforementioned Risk Management methodology, and it has a defined organizational structure, control organisms, policies, procedures, documents, and technological support which, along with training and constant disclosure of information, enable compliance with the requirements established by control bodies and enable risk management.

Operational risk is the possibility of incurring losses due to failures or inadequacies in human resources, processes, technology, infrastructure, or due to external events. This definition includes the Legal and Reputational Risk that is associated with these factors. Just like SARLAFT, the operational risk management system, “SARO”, is developed with risk management methodologies and is made up of minimal elements that are required by current legislation (policies, procedures, documentation, organizational structure, record of operational risk events, control organisms, technology platform, disclosure of information and training) through which operational risk management is developed.