Integrated Risk Management

Organizational structure associated with risk management


Board of Directors

The Board of Directors assumes the primary responsibility regarding the company's risk management system. Its key functions include the approval of the Financial Conglomerate's Risk Management Framework Policy, the approval of the Risk Appetite Framework, the supervision of indicator thresholds, and the supervision of the implementation of the company's risk management systems. In addition, the Board of Directors evaluates the reports and recommendations submitted by the Financial Holding (FH) Risk Committee and the Legal Representatives on the comprehensive functioning of the risk management system, including the timely identification of risk situations and the management of breaches in the defined risk limits. It is also responsible for evaluating the recommendations of the Risk Committee on the annual effectiveness of the risk management system and approving any recommendations provided by it.

Risk Committee

The Risk Committee is responsible for overseeing both the Risk Appetite Framework (RAF) and the Risk Management Framework (RMF). This includes early detection of risks, management of exceedances of risk limits, and communication to the Board of Directors. It is also responsible for ensuring that the RAF is consistent with the strategy and capital structure, proposing risk management policies, and annually evaluating the effectiveness of the RMF. In addition, it recommends procedures for the implementation and updating of the RMF and the RAF, ensures compliance, and notifies the Board of Directors of material changes in risk exposures and deviations from the risk appetite defined in the RAF.

Audit Committee

The Audit Committee assists the Board of Directors through the preparation of specific recommendations related to the evaluations made of the functioning of the Company's general risk management process, as well as those made on the level of compliance and implementation of the risk policies and the evolution of the work plans required to adjust the Company's risk exposure in accordance with the previously established limits.

Internal Audit

The Financial Holding (FH) Internal Audit conducts an annual review and evaluation of the effectiveness and compliance with the Risk Management Framework (RMF). In addition, it reports to the Audit Committee in a timely manner on the results of this assessment and closely monitors the recommendations and deficiencies identified in risk management. If certain corrective measures and actions are not addressed by the FH, the Internal Audit will report to the Financial Superintendence of Colombia (SFC), with a copy to the Board of Directors, along with proposals for improvement. This entire audit process will be carried out under a risk-based approach.

Corporate Risk Management

Grupo SURA's Risk Management Area, headed by an independent executive, plays a crucial role in risk management. Its responsibilities include developing and overseeing the Risk Management Framework (RMF) and the Risk Appetite Framework (RAF). This involves designing policies, procedures, controls, limits, and alert systems to manage the risks of the financial conglomerate and assess their impact on the risk appetite of the Financial Holding Company (FH). In addition, it is responsible for consolidating information on exposures and risks, reporting on matters that may affect the sustainability of the FH, and reporting deviations in the boundaries of the RAF. It is also tasked with informing and proposing solutions to problems identified in the RMF and designing procedures for their continuous updating.


Presidency

Grupo SURA's Presidency assumes several key responsibilities, including the comprehensive supervision of the operation of the Risk Management Framework (RMF) and the Risk Appetite Framework (RAF). This involves the early identification of risk situations within the Financial Conglomerate (FC) and management, as well as the escalation of exceedances of risk appetite limits to the Risk Committee. In addition, it is responsible for presenting the policies of the RMF, the RAF and the strategic plan of the Financial Holding Company (FH) to the Risk Committee and, subsequently, to the Board of Directors for approval, in addition to supervising compliance with them. It must also ensure the adequacy of the RMF in the face of significant changes in the financial structure and the risks of the environment in the markets where the FC operates, report in a timely manner to the Risk Committee on situations that require modifications in the RAF and the strategy of the FH, as well as notify the Financial Superintendence of Colombia about situations that may affect the viability of the FH and propose improvements to the RMF if necessary. In addition, they oversee proposing procedures

Lines of defense

The company's risk management objective is to achieve effective treatment of exposures and their severity level, considering the financial goals of the business, overall risk appetite, and external legal constraints. The company follows a "Three Lines of Assurance" model, where each line has a clearly defined organization, responsibilities, and functions to ensure the effective implementation of risk management mechanisms. These three lines include the operational areas that execute processes, the Risk and Compliance areas responsible for prevention and monitoring, and the Internal Audit department, which independently evaluates risk management.

1st line of defense

It is composed of the areas that carry out processes in the Company. Its performance is based on self-control, and its responsibilities include identifying and managing risks, as well as reporting them if necessary.

2nd line of defense

It is composed of the Risk and Compliance areas. Its responsibilities relate to prevention, supporting the first line, and defining guidelines.

3rd line of defense

It is the Internal Audit department, which independently assesses risk

Risk Management Process

To establish the risk management standards for Grupo SURA and ensure that it is comprehensive and effective, a Risk Management Framework (RMF) has been implemented. Grupo SURA, in its capacity as Holding Company, is responsible for ensuring compliance with this policy throughout the Financial Conglomerate, considering the scope and variability in the capacity to control its subsidiaries and associates. The RMF provides guidelines and mechanisms for strategic risk management in all subsidiaries and associates and defines the responsibility for the entities that make up the Financial Conglomerate to establish their own risk management systems, following the guidelines of the RMF. In addition, Grupo SURA may intervene to support risk management in situations that may affect the Financial Conglomerate.

Likewise, all employees will be responsible for managing the risks arising from their functions, establishing the relevant control mechanisms and, together with the process leaders, keeping their risk matrices up to date. In addition, they must inform Corporate Risk Management in the event of significant changes in risks, controls or the materialization of events.

Risk management at Grupo SURA is focused on two fundamental objectives:

Generate timely information that reveals the degree of exposure of the company to factors that may represent both significant opportunities and threats to its sustainability and that of the Financial Conglomerate.
Measure and model the phenomena associated with each identified factor to anticipate impacts in Grupo SURA’s search for sustainable profitability as an investment manager.

This process focuses on both the internal risks inherent to its business model, including those linked to people, systems and processes, as well as the risks related to the financial conglomerate. For the management of internal risks, there is a system that includes policies, own methodologies, the management of senior management and the collaboration of process leaders. In addition, in its role as a holding company, Grupo SURA assumes responsibility for managing the risks affecting the Financial Conglomerate, paying special attention to systemic factors and their influence on the overall sustainability of the portfolio. The company is also actively involved in overseeing its investments by serving on Boards of Directors and Committees, as well as providing regular reports on investment performance and playing a key role in the corporate arena.

To carry out the process, Grupo SURA has a generic methodology for managing risks. Because the different types of risk vary, these stages may also vary; the variations are specified in the previously mentioned Risk Management Manual.

Contextualization: Analysis of the issue to be evaluated, identification of possible risks and their evolution in the Company.

Identification: A list of possible risks and their causes, regardless of whether they are under the Company’s control.

Analysis and evaluation: Assess the likelihood and impact of risk, considering causes and consequences.

Management: Define the treatment of risk, including acceptance, transfer, treatment, prioritization or avoidance, with action plans and responsible parties.

Monitoring and reporting: Regularly monitor risk and adjust action plans as needed.

Given that each type of risk has its own definitions, nature and scope, Grupo SURA has developed specific manuals detailing the methodologies adopted for its management. The following sections describe each type of risk. These risks are evaluated at least annually, and the results are presented internally to senior management on the Board of Directors and publicly through the Quarterly Report and the Annual Report on the Company’s website.

Systemic risks

Systemic risk refers to the probability that an event or series of events may compromise the proper functioning and stability of a system; in the case of Grupo SURA, the system or systems in question are those related to the financial system. This risk is usually associated with participants who have a high degree of interconnectedness or share material exposures to common risk factors, derived from their economic activities or external sources, such as the economic, political, social, regulatory, environmental and technological environment of the territories where they operate.


This is the one that arises from exposures whose potential for loss is borne by the Companies of the SURA Business Group, and which is significant enough to compromise the solvency or general sustainability of the entities that make it up. Such exposures may be caused by risk factors associated with counterparty events, credit, investment, insurance, market, other risks, or a combination or interaction thereof. This type of risk arises when its source is the same and, therefore, its effect is immediately manifest in the Company(s) sharing such exposure. 


It is the result of the concatenation of situations generated by the materialization of a specific event (financial, operational, reputational, business, or a combination of these) that occurs in any of the Companies of the SURA Business Group, or in the economic sector or territory where they operate; through the existing interconnections, the risk propagates in different forms, leading to an effect that involves a material portion of the set of Companies.


Threats and opportunities that may manifest themselves on Grupo SURA’s investment portfolio because of the effects generated by sources external to its operation from the different dimensions that make up the environment of the territories where it operates.

Strategic risks

These are derived from internal and external events and trends that may generate a deviation from the trajectory of value generation and impact the sustainability of the Company.


Refers to the external opportunities and threats that originate in the dimensions of the environment in which the Company operates, specifically, the economic, social, political, regulatory and environmental dimensions.

Human Talent

Associated with the need to have people who have the knowledge and skills required to comply with the strategy, with the ability to adapt and react in a timely manner to changes in the environment, and with an adequate level of understanding and commitment to the Company’s strategic definitions.


The perception of the various stakeholders with whom the Company interacts represents a fundamental asset for the fulfillment of strategic objectives. A situation of disrepute, bad image, negative publicity, among others, whether true or not, with respect to the Company and its business practices, could have effects on relations with stakeholders. 

Corporate Governance

Possible situations or challenges that may arise due to the Company’s governance structure. By properly managing these risks, Grupo SURA can promote greater investor confidence, ensure fairness and accountability, strengthen its reputation in the market, and generate a more solid and sustainable environment for its success and growth.

Capital Markets

Refers to the challenges associated with investing and financing through capital markets. They relate to external factors, such as changes in economic, political, and regulatory conditions. By properly managing these risks, the Company can protect its investments and expand its financing alternatives in the capital markets environment.

Financial risks

It refers to variations that affect the Company's results, derived from changes in market conditions, asset prices or non-compliance with its own obligations or those that third parties have with the Company.


Refers to the Company’s ability to generate the resources that allow it to meet its obligations to stakeholders and to properly operate its businesses.


The management of this risk seeks to reduce the probability of incurring losses derived from the non-compliance of financial obligations contracted by third parties with the Company.


The management of this risk seeks to mitigate the impact of market price variations on the value of the portfolios managed and the Company’s revenues.


This refers to the financial and capital capacity of an entity to cover its unexpected risks, based on its ownership structure and the exposures that arise from its business.

Operational risks

These are those that, due to internal or external events, directly affect the Company's operation and, with it, its results. In the case of internal events, they correspond to those that derive from the operation of the Organization and that are associated with people, technology, processes and information. External events are those beyond the Company's control, such as the materialization of natural hazards or cyberattacks, among others.

Financial Reporting (SOX)

These refer to events that prevent the Company’s economic reality from being adequately reflected in the financial statements that are disclosed to its different stakeholders.


These are defined as the set of individual and/or collective behaviors of employees and other stakeholders that are not aligned with the frameworks of action declared or promoted by the Company and with current regulations.

Business Continuity

These are those that may generate an interruption of business functions due to the unavailability of key personnel, critical technology services and/or impossibility of access to the Company’s physical facilities.

Information Security and Cybersecurity

These are related to the effects derived from the uncertainty associated with having information, processes or devices exposed in cyberspace and the interactions that are generated there.


Emerging Risks and Trends

Risk management in the financial industry is undergoing significant changes due to increasing regulatory requirements globally, the rapid advancement of emerging technologies, and the growing threat of climate change. In anticipation of this trend, the Company constantly monitors emerging risks and establishes plans and actions to further improve the efficiency and effectiveness of risk control. Grupo SURA has been monitoring risks such as climate change, erosion of social cohesion, extra-longevity, growth of the middle class and the evolution of FinTech as a priority. Any significant changes related to these risks will be communicated in the annual report, and should a material threat be identified at any time, this update will be included in the corresponding quarterly report.

