The entity's comprehensive risk management is carried out in compliance with current regulations and the internal standards defined by the Board of Directors, in relation to credit and/or counterparty risk, market, liquidity, bank book interest rate, operational, business continuity, technological and cybersecurity risk, country risk, among others. Click to see information about the Risk Manual (CRMS) here >>>

ERM

Comprehensive risk management in the Bancolombia Group is framed in three main components: (I) Risk organization and governance, (II) Risk Appetite Framework (RAF) and (III) Risk management tools and information, and is developed according to the size of the entity, the local systemic importance and the nature and complexity of the operation. In addition, megatrends are considered as inputs for such management, as global axes of transformation of societies, organizations and the environment, strategic business planning and the consideration of belonging to a regional economic conglomerate.

Information on the three main components in which Enterprise Risk Management (ERM) is framed is detailed below:

I. Risk organization and governance

Components of integrated risk management, organization chart, structure, governance, boards and committees.

II. Risk Appetite Framework (RAF)

Definitions, indicators, limits, SVA model - Profitability and price, management report, capital allocation.

III. Risk management tools and information

Dashboard and risk maps, risk position tracking and maturity models.

I. Risk organization and governance

a. Organizational Structure

The Board of Directors is composed of 5 members. Under the Dow Jones criteria, all 5 members of the Board of Directors are considered independent.

As part of the corporate governance model, the Board of Directors, as the highest body, knows and approves the resources, structure and processes of the entity associated with risk management, which implies appointments and assignment of responsibilities and attributions to the areas and/or instances in charge of such management. For the development of its supervisory functions, the Board of Directors has the support of the Risk Committee, the entity in charge of accompanying it in the approval, monitoring and control of policies, methodologies, tools, guidelines and strategies for risk management. In addition, the Board of Directors is also supported by other legal and internal committees, including the Non-Financial Risk Committee and the Technology and Cybersecurity Committee.

Both the Board of Directors and the Risk Committee, in the performance of their functions, evaluate through periodic management reports, in monthly sessions, the levels of exposure of the risks to which the organization is exposed, their impact and mitigation strategies; additionally, they provide guidelines for setting the limits of tolerance and risk appetite; and carry out monthly monitoring of capital, provisions and main indicators of market risks (e.g., VaR), credit (e.g., the behavior of the loan portfolio, non-performing loans, cost of credit, portfolio concentration, coverage, among others), liquidity (e.g., survival horizon, liquidity indicator, NSFR/CFEN, among others), operational risk (evolution of materialized losses, exposure and materiality indicator), interest rate (VaR LB and margin sensitivity), solvency, among others.

Three-line model

b. Three-line model

As part of the corporate governance framework for risk management, the organization has adopted the Three Lines Model, aligned with internationally recognized best practices. This model provides a clear, consistent, and comprehensive definition of the roles and responsibilities assigned to each line of defense in risk management, with the objective of ensuring effective and efficient coordination among risk owners and enhancing the internal control function, as outlined below:

The first line is responsible for the identification, assessment, control, and mitigation of risks. This line is supported by the second line, which provides advisory and support functions in risk identification and the design of controls.

The third line role is exclusively fulfilled by Internal Audit function, which strengthens Grupo Bancolombia ability to create, protect, and sustain value by providing the Board of Directors, the Audit Committee, and Senior Management with independent, objective, and risk-based assurance and advisory services. This role reports functionally to the Audit Committee and administratively to the President, and it does not engage in any operational activities in order to maintain its objectivity and avoid conflicts of interest.

Learn about the audit process, and the results of the Internal and External Audit evaluations

II. Risk Appetite Framework (RAF)

It is a tool for the general definition of risk appetite, which includes policies, methodologies, procedures and controls from which the organization (i) identifies the risks associated with the business plan, (ii) evaluates whether such risks are assumed, mitigated, avoided or transferred, and (iii) monitors and controls that such risks are within the limits defined by Senior Management and approved by the Board of Directors here.

III. Risk Management Tools and Information >>>

Organizational Culture

Aligned with the culture model of the Bancolombia Group (Movement B), the Vice Presidency of Risks, by virtue of the guidelines granted by the Board of Directors and the Risk Committee, carries out internal corporate communication programs as part of the strategies to generate a culture around risk management in all employees, having as a premise that the banking business is a risk business and managing it is the responsibility of everyone in the organization. These strategies are created for different audiences and have been focused on understanding and raising awareness of the risks to which the organization is exposed (traditional, non-traditional and/or emerging), on the three-line model, on the adequate management of credit risk (emphasizing the complete cycle) and the importance of internal control in the Bank. Additionally, spaces are generated for the knowledge of trends and best practices in work methodologies, use of technologies and risk tools, with peer companies, competitors, industry leaders, and consultants, among others, as part of the risk management evolution strategy.

Learn about the training programs and training strategies, defined and implemented for the organization's employees, including Senior Management and the Board of Directors, to strengthen the organization's commitment to risk management >>>