The aim of this policy is to outline the framework of action for the administration and risk management of Team Foods Colombia S.A. and all the companies that are part of the business group of which it is the parent and controlling company (referred to hereafter as “Alianza Team” or the “Organization”). This document establishes and defines the principles, guidelines, roles, responsibilities, concepts, structure, communication, disclosure and training, as well as its objectives, strategies and procedures to be followed with regard to the Comprehensive Risk Management System, as defined in section four of this Policy. Its purpose is to guide actions towards the improvement, prevention, mitigation and assurance of risks, as well as the use of opportunities, in order to effectively and efficiently achieve the strategic objectives and growth of the Organization in the short, medium and long term.
This policy has been developed to be applied to all the companies that make up Alianza Team, as well as administrators, collaborators, contractors, suppliers and other stakeholders. This policy may be extended by Alianza Team to other activities in its value chain in which the need to develop risk management is established.
The lack of administration and risk management may affect the organization’s processes, generating consequences and effects in the short, medium and long term, causing deviations from the objectives set. Therefore, we seek to mitigate the following types of risks:
The following is a list of the main terms used in Risk Management and Administration.
Risk Appetite: Level tolerated by the organization on the identified risks.
Cause: The means, circumstances and agents that generate the risks.
Consequence: Result of an event that affects the objectives.
Control or Control Activity: Measure that maintains and/or modifies a risk.
Event: Occurrence or change of a particular set of circumstances.
Risk Factor: Risk-generating sources that may or may not generate loss. They can be internal or external to the organization.
Impact: Effect that can be generated in the event that a risk materializes.
Risk Management Leaders: These are the employees appointed by the Chairman’s Committee to perform the analysis, evaluation, assessment and execution of the actions proposed to manage risks, as well as any additional activities that may arise in the area of risk management and control.
Risk maps: A tool for making an inventory of risks in an orderly and systematic manner according to defined risk levels.
Risk Materialization/Loss Event: Incidents that may or may not generate loss due to the materialization of one or more risks.
Risk Treatment Measures: Avoiding, reducing, transferring, retaining and accepting the risk.
Risk Level: Measurement given by the risk qualification, according to a defined scale. The risk level can be Extreme, High, Moderate or Low.
Opportunity: It is understood as the benefits or possibilities that arise as a consequence of the occurrence of a certain event.
Action Plan: Treatment measure established for the mitigation of one or more risks, which is carried out to reduce the level of impact or probability of occurrence of the risk or to strengthen the controls or control activity associated with the risk.
Crisis Management Plan: Detailed set of activities to be carried out in order to resolve any unexpected event that may occur and that may have an impact on the image and reputation of the Organization.
Business Continuity Plan: Detailed set of actions that describe the procedures, resources, systems and roles necessary to partially or totally resume the operation and continue in the event of an interruption.
Probability: The likelihood of something happening.
Risk: Possibility that an event materializes and generates an impact or negative effect on the Organization.
Inherent Risk: Risk assessed without taking into account the existing control measures.
Residual Risk: Risk assessed after taking into account the Control measures implemented to mitigate each Risk.
Priority Risks: Risks whose residual level is Extreme or High, for which there is a higher priority in the generation and execution of action plans for their mitigation.
Comprehensive Risk Management System: Dynamic process containing several defined stages, which when handled in sequence support the proper administration and management of risks, providing a broad overview of the risks and their impact for decision making with the purpose of increasing the short, medium and long term value of the Organization.
This document has been developed taking into account the international standard on Risk Management ISO 31000:2018, the Internal Control Model COSO ERM:2017 and the Australian Risk Standard AS/NZS 4360:2004, which establish different guidelines for the risk administration and management process.
Through the application of the Integrated Risk Management System, Alianza Team will be able to:
As defined in the internal control standards, and in the good practices in administration and risk management, Alianza Team must preserve the effectiveness, efficiency and efficacy in management and operational capacity, as well as safeguard the resources that are managed. This means it must have an Integral Risk Management System that allows minimizing costs and damages caused, as well as the determination of methods for the treatment and monitoring of its Risks, with the purpose of preventing or avoiding the materialization of events that may affect the normal development of the processes and the fulfillment of the proposed objectives, or, in case it is not reasonably possible, to mitigate its impact.
Within the Risk Management System, responsibilities have been defined which must be carried out by the following areas:
Board of Directors / Audit Committee: Has knowledge of the main aspects related to the Organization’s Risks for adequate decision making. It monitors the periodic management and evolution of the relevant Risks of the business.
Chief Executive Officer: Approves the policies and guidelines related to the Comprehensive Risk Management System. Monitors the periodic management of the evolution of the relevant risks of the business.
Vice-Presidency of Corporate Affairs: Approves the procedures related to the Integral Risk Management System. Monitors the periodic management of the evolution of the relevant risks of the business.
Corporate Risk Management Coordination: As the second line of defense, its function is to coordinate the activities of identification, measurement, control, monitoring, consolidating, and reporting of the Comprehensive Risk Management System, while supporting Management (First line of defense). Designs and updates the system’s policy and procedures. Promotes effective compliance with the system’s policy and procedures, as well as the system’s operation and effectiveness.
Risk Management Leaders: In charge of overseeing the effective operation of the Comprehensive Risk Management System, managing risks tailored to individual processes or domains (risk mapping), and addressing novel risks arising from evolving business dynamics and emergent scenarios.
Risk Management Committee: Committees made up of the Risk Management Leaders and the Corporate Risk Management Coordination, with the purpose of monitoring the risk levels, the plans associated with risk mitigation, the treatment of materialized Risks and other activities that compose or will compose the Integral Risk Management System.
Alianza Team has established the following guidelines within the framework of risk management and administration.
The Integral Risk Management System consists of a dynamic process that contains several defined stages, which when managed in sequence support the appropriate decision-making process, providing a broad overview of risks and their impact.
The risk management methodology contemplates the following stages:
The development of each of these elements constitutes the fundamental stages of this methodology, and will result in the risk matrix of the process, area, program, project, headquarters, plant, country and/or corporate, providing the necessary information for the organization to make decisions regarding the management of risks that may generate deviations from its objectives.
The Comprehensive Risk Management System can be applied at different levels of the organization (strategic, operational, financial, project, process, programs or other activities). It is important to be clear about the scope, considering the objectives of each level, which must be aligned with the objectives of the Organization.
The context of the risk management process should be established from the understanding of the external and internal environments in which the organization operates and should reflect the specific environment of the activities in which the risk management process will be applied.
The management of internal factors is the responsibility of all the officers of the Organization.
The management of external factors is the responsibility of the Board of Directors, president, vice presidents, general managers, directors and managers.
The organization shall specify the amount and type of risk it may or may not take, in relation to its objectives. It shall also define the criteria for assessing the importance of Risk and for supporting decision-making processes. Risk criteria should be aligned with the risk management framework and adapted to the purpose and scope of the activity under consideration. The Risk criteria shall reflect the values, objectives and resources of the Organization and be consistent with the policies and statements about Risk management and administration. The criteria shall be defined taking into consideration the Organization’s obligations and the views of its stakeholders.
The Corporate Risk Management Coordination will carry out an annual risk updating process (risk maps) and, in the event that this cannot be done, it will proceed to update the risks based on the criteria defined in the Comprehensive Risk Management System procedure.
Risks are evaluated in two stages:
Once the risks have been identified, they will be qualified and quantified using three variables: Probability, Impact and Control.
Risk assessment can be qualitative, semi-qualitative or quantitative, depending on the data and information available.
The purpose of Risk analysis is to understand the nature of the Risk and its characteristics including, where appropriate, the level of Risk. Risk analysis involves a detailed consideration of uncertainties, sources of risk, consequences, probabilities, events, scenarios, controls and their effectiveness. An event may have multiple causes and consequences and may affect multiple objectives.
The Inherent Risk is the intrinsic risk of each activity, regardless of the controls that are made internally. This risk arises from the exposure to the particular activity and the probability that a negative shock will affect the objectives of the organization.
Once the Controls or Control Activities have been identified, they will be evaluated taking into account the design, implementation, execution, effectiveness and materialization of events.
The Residual Risk is the Risk that subsists or remains after having implemented the Controls. It is important to clarify that the level of Risk to which an organization is exposed can never be eliminated. Therefore, a balance must be sought between the level of resources and mechanisms to minimize or mitigate these Risks, and a certain level of confidence that can be considered sufficient for the Organization (Risk appetite).
The Organization must take measures to control the level of Residual Risk to which it is exposed, in order to mitigate those Risks that may have a significant impact on the objectives set, for which purpose it must generate action plans that will result in the mitigation or reduction of the levels of Risks detected.
The process of monitoring the action plans shall ensure that such plans comply with the proposed objectives in terms of risk mitigation, in terms of probability, impact and/or controls. Likewise, it shall ensure that the action plans are executed in accordance with the defined dates and with the agreed deliverables.
Monitoring and supervision are essential to ensure that actions are being carried out, to evaluate the efficiency of their implementation and to carry out on-the-fly reviews to highlight any situations or factors that may be influencing the application of corrective or preventive actions.
The communication process must ensure that the members of the Organization understand that Risk Management and Risk Prevention are a fundamental part of the Organization’s corporate culture, and therefore are a relevant input for decision making and for the achievement of objectives.
Information must be disclosed annually to the different levels within the Organization, maintaining the principles of confidentiality, integrity and availability.
The Integrated Risk Management System process and its results must be documented and reported through the risk map, in order to have traceability on risks, analysis and treatment.