For Grupo SURA, the control structure is considered fundamental within the framework of Good Corporate Governance. It includes aspects related to the Internal Control System and Risk Management Process. Its purpose is to ensure a coherent governance structure, as well as internal policies and guidelines that align with the achievement of our strategic objectives and reflect our organizational culture.

Internal Control Structure
For Grupo SURA, the Internal Control System (ICS) is conceived as the set of governance, risk management, and control activities that, when executed systematically and coherently, provide the Company with reasonable assurance in its interactions with stakeholders, as well as in the legitimate and transparent fulfillment of its objectives. Therefore, the ICS is structured in line with the international reference framework COSO9, which is considered a benchmark by local and international regulators such as the Financial Superintendence of Colombia (SFC) and the U.S. Securities and Exchange Commission. To ensure its proper functioning, the ICS must be constantly monitored by the three lines of defense: its first line integrated by business areas; its second line integrated by Risk Management, IT Security, and Compliance areas, and the third line by Internal Audit.

Audit and Finance Committee
The results of periodic evaluations of the ICS are analyzed by the Audit and Finance Committee and presented to the Board of Directors. Based on the findings, respective improvement plans are defined with the purpose of strengthening risk management, corporate governance, and internal control, compliance with which is verified by Corporate Internal Audit. Additionally, the latter holds the International Certification of the Institute of Internal Auditors (IIA Global), confirming its adherence to international professional standards. In accordance with global standards, Internal Audit reports directly to the Audit and Finance Committee, fully integrated by independent members of the Board of Directors.

Risk Management Process
To establish the risk management standards for Grupo SURA and ensure that it is comprehensive and effective, a Risk Management Framework (RMF) has been implemented. Grupo SURA, in its capacity as Holding Company, is responsible for ensuring compliance with this policy throughout the Financial Conglomerate, considering the scope and variability in the capacity to control its subsidiaries and associates.  The RMF provides guidelines and mechanisms for strategic risk management in all subsidiaries and associates and defines the responsibility for the entities that make up the Financial Conglomerate to establish their own risk management systems, following the guidelines of the RMF. In addition, Grupo SURA may intervene to support risk management in situations that may affect the Financial Conglomerate. Likewise, all employees will be responsible for managing the risks arising from their functions, establishing the relevant control mechanisms and, together with the process leaders, keeping their risk matrices up to date. In addition, they must inform Corporate Risk Management in the event of significant changes in risks, controls or the materialization of events.

Corporate Risk Management
Grupo SURA’s Risk Management Area, headed by an independent executive, plays a crucial role in risk management. His responsibilities include developing and overseeing the Risk Management Framework (RMF) and the Risk Appetite Framework (RAF). This involves designing policies, procedures, controls, limits, and alert systems to manage the risks of the financial conglomerate and assess their impact on the risk appetite of the Financial Holding Company (FH). In addition, they are responsible for consolidating information on exposures and risks, reporting on matters that may affect the sustainability of the FH, and reporting deviations in the boundaries of the RAF. They are also tasked with informing and proposing solutions to problems identified in the RMF and designing procedures for their continuous updating.

Risk Committee
The Risk Committee is responsible for overseeing both the Risk Appetite Framework (RAF) and the Risk Management Framework (RMF). This includes early detection of risks, management of exceedances of risk limits, and communication to the Board of Directors. It is also responsible for ensuring that the RAF is consistent with the strategy and capital structure, proposing risk management policies, and annually evaluating the effectiveness of the RMF. In addition, it recommends procedures for the implementation and updating of the RMF and the RAF, ensures compliance, and notifies the Board of Directors of material changes in risk exposures and deviations from the risk appetite defined in the RAF.