Ethics, Compliance, and Transparency
Corporate Responsibility and TESG

IV.1.2. Ethics, Compliance, and Transparency

(GRI 2-23)

Commitments and Policies

SDG 16

(GRI 2-23-a, 2-23-b) (ECP 019) (SFC 7.4.1.3.X) 

The Company’s Ethics and Compliance Strategy

The Ecopetrol Group has a comprehensive policy that frames its actions around the fundamental pillars of ethics and transparency; accordingly, there is zero tolerance for all acts of fraud, corruption, bribery, money laundering, financing of terrorism and the proliferation of weapons of mass destruction, and violations of the Foreign Corrupt Practices Act (FCPA), in compliance with the Political Constitution of Colombia and applicable national and international laws. The same principles are mentioned in Article 46 of Ecopetrol’s bylaws. In addition to the above, the principle of being “Ethical at All Times” was included as one of the pillars of Ecopetrol’s Declaration of Culture, which implies being upright in all actions and complying with the guidelines of the Code of Ethics and Conduct, among others.

Ecopetrol’s ethics and compliance strategy is based on the Compliance Program, which focuses on the ethical and encompassing behavior of senior management, workers, beneficiaries, contractors, suppliers, partners and other related parties, assuming special responsibility for the internal control of the Company. The Code of Ethics and Conduct is the pillar of the Compliance Program.

The Code contains an express rejection of acts of money laundering, financing of terrorism, financing of the proliferation of weapons of mass destruction, fraud, bribery, and corruption in all its forms (violations of the FCPA Law, transnational bribery, gifts, entertainment and hospitality, conflicts of interest, facilitation payments), lobbying, political contributions, monopolistic and anti-competitive practices, among others.

(SASB EM-EP-510a.2) (WEF 4) (SFC 7.4.1.3.XVI) 

In accordance with Colombian regulations and the FCPA adopted by Ecopetrol, the Company conducts due diligence before engaging with a counterpart. This obligation is contained in the Code of Ethics and Conduct. Additionally, the Manual for the Prevention of ML/FT/FPWMD risks establishes the procedure for becoming acquainted with counterparts, as well as the definition of due diligence actions and warning signs. In turn, the Guide for the prevention of compliance risks in the process of entering new businesses at Ecopetrol establishes the guidelines for conducting due diligence on the new businesses undertaken by the Company, such as mergers, acquisitions in any capacity, investments, operating agreements or joint bidding, divestments, and others.

On the other hand, Ecopetrol signs contractual clauses with its counterparts, with one of the ethics and transparency obligations being the right to conduct administrative, financial, operating, or compliance audits on the counterparts and on any third party providing services related to the object of the contract (suppliers or subcontractors), as well as to review the information that the Company deems pertinent to verify compliance with anti-bribery laws, the Ecopetrol Code of Ethics and Conduct, and the Company’s ethics and compliance guidelines. Similarly, the third parties entering into these commercial relations sign contractual clauses and formats agreeing to comply with applicable ethics and compliance regulations and related national and international references, and to learn and respect Ecopetrol’s Code of Ethics and Conduct.

Said Code of Ethics also contains superior guidelines of mandatory enforcement that specifically, and within the framework of social responsibility, include the rejection of any form of discrimination and sexual harassment in the workplace, and promote the respect for Human Rights.

Furthermore, the Compliance Program adheres to the laws, regulations, guidelines, and best practice manuals against corruption, fraud, bribery, money laundering, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction.

(WEF 19E)

Below are the objectives of this program:

  • Consolidate an ethical culture in the Company, under the principles set forth in the Code of Ethics and Conduct (integrity, responsibility, respect, and commitment to life).
  • Identify and manage the Company’s compliance risks and ensure relevant oversight to prevent the materialization thereof, with special emphasis on fraud, corruption, bribery, money laundering, the financing of terrorism and the proliferation of weapons of mass destruction (ML/FT/FPWMD), violations of the Code of Ethics and Conduct and anti-bribery regulations, such as the FCPA, Law 1778/2016, among others.
  • Promote the adequate execution of the necessary processes for the expansion of the business to avoid the manifestation of risks deriving from failures in the controls implemented.
  • Generate trust in the Company from investors, society, the Stakeholder Groups, and the general public.
  • Contribute to the fulfillment of the Ecopetrol Group’s strategic objectives and ensure the reasonableness of the financial statements.

To meet the objectives of the Compliance Program, four (4) pillars are considered with the following activities:

1. Prevention: management of the ethics hotline, regular and permanent training and education, communications, follow-up and monitoring, assurance of control processes and the risk management cycle, collective initiatives, among others.

2. Detection: ethical checks, disciplinary investigations, and cooperation with control bodies and other national and international authorities, such as the SEC – Securities and Exchange Commission, the DOJ – Department of Justice, the Office of the Inspector General of the Nation, the Office of the Attorney General of the Nation, the Office of the Comptroller General of the Republic, Superintendencies, the Financial Information and Analysis Unit – UIAF, and the Secretariat of Transparency under the Vice Presidency of the Republic.

3. Response: corrective actions and ethical and disciplinary sanctions.

4. Continuous improvement: adjustment of control processes, regulatory updates, and strengthening of skills and management tools, among others.

(GRI 2-23-c)
The links to all commitments and policies are available under Ecopetrol/Company/Ethics, Transparency and Compliance.
(GRI 2-23-d)

Leadership on ethics and compliance matters is exercised from the highest level (Tone at the Top); accordingly, the Board of Directors approves the Code of Ethics and Conduct and, through the Board of Directors’ Audit and Risk Committee, is informed of and monitors compliance with the Code and complaints of corruption, bribery, and accounting and financial fraud that impact Ecopetrol’s financial statements.

(GRI 2-23-e)

The commitments adopted in the Code of Conduct extend to the Ecopetrol Group, and also to: 

  • The staff members and boards of directors of Ecopetrol and all companies under the Business Group.
  • Natural or legal persons that have any relationship with the Group, including beneficiaries, shareholders, contractors, suppliers, agents, partners (also joint ventures), clients, partners, and suppliers, as well as security service contracts.
  • Personnel and firms engaged by the counterparts for the execution of activities with the Ecopetrol Group.

Every year, the workers at Ecopetrol and the Group ratify their pledge to ethics and transparency by means of the Commitment to Transparency.

The third parties that engage in commercial relations with Ecopetrol sign contractual clauses and forms, in which they agree to comply with national and international ethics and compliance regulations and benchmarks, and to learn and respect Ecopetrol’s Code of Ethics and Conduct.

Given the above, the Code is of mandatory knowledge and implementation for all its recipients, who must ensure that their actions are always framed within the rules contained therein.

(GRI 2-23-f, 2-24-a)

In 2022, Ecopetrol provided training to 100% of its employees, ethical mentors, Board of Directors and senior management, contractors, associates, suppliers, and partners (including joint ventures), by means of preventive activities, targeted training, and dissemination of communication pieces. The activities conducted included virtual courses, supplier and contractor events, recreational activities, higher ethics workshops, ethical moments, streaming, e+ Knowledge talks, newsletters, lessons learned, comics, radio soap operas, dilemmas, use of internal social media (Yammer), community of practice, and posting frequently asked questions, in order to generate awareness in our counterparts and ensure their commitment to the company’s ethical principles and guidelines, promote the use of the ethics hotline, and set up anti-corruption compliance programs. 10 workshops were also held with the community.

(GRI 2-19-a, 2-20)  (WEF 3E)  (SFC 7.4.1.3.I)

Mechanisms for Advising on the Implementation of the Compliance Program and its Guidelines

13 According to Ecopetrol’s Code of Ethics and Conduct, some of the doubts that may arise in the actions of its recipients, with respect to the principles of the Code and its guidelines on conflicts of interest or ethics, include gifts, acts of hospitality, corruption, bribery, fraud, money laundering, financing of terrorism, the FCPA, human rights, social responsibility, the use of assets, and information management, among others. Accordingly, the purpose is for them to receive guidance so as not to engage in improper acts in breach of the Company’s ethics.
14 These are due diligence requirements associated with the prevention of acts of fraud, corruption, bribery, money laundering, the financing of terrorism, and breaches of the FCPA. These consultations allow the review of possible signals pertaining to contractors, suppliers, partners or workers, among others, and recommendations are issued to mitigate the alert signals detected.
15 Survey included in the Compliance Program, taken annually by all Company workers, including senior management, which evaluates the awareness and implementation of ethical guidelines. This instrument ratifies the rejection of acts of corruption, local and transnational bribery, fraud, and violations of the provisions of the Code of Ethics and Compliance.
16 Ecopetrol created the Network of Ethical Mentors as a prevention tool to encourage outstanding ethical behavior and to turn the designation of Ethical Mentor into a recognition to the workers in each area who stand out for their spirit of leadership and ethical behavior. Currently, the Network of Ethical Mentors is made up of 68 workers who play an important role as ethics and compliance ambassadors in each of their areas.

Ecopetrol and its Group admit zero tolerance for retaliatory actions against whistleblowers, as indicated in the Code of Ethics and Conduct, for which the Company ensures the following: 

The reports received are analyzed in accordance with the Management Procedure for Ethics and Compliance Issues (VEI-P-001), based on the principles of the Code and other applicable regulations, as necessary.

In 2022, 401 concerns and 632 queries were addressed. None of the issues verified during 2022 were related to bribery, facilitation payments, violations of the FCPA, financial fraud, or events that affect the Company’s accounting records or reasonableness of financial statements.

Neither Ecopetrol nor the natural persons acting on its behalf and representation were sanctioned or investigated by external authorities in connection to acts of corruption, bribery, fraud, or violations of the FCPA.

 

(GRI 2-24)

The Corporate Vice Presidency of Compliance is an independent area, with functional reporting to the Board of Directors’ Audit and Risk Committee, responsible for the adoption and monitoring of the Compliance Program and assurance of the Risk Management and Internal Control Systems at Ecopetrol and its Group.

It is in charge of periodically reviewing and updating the activities deriving from the Group’s Compliance Program, generating actions for improvement according to its effectiveness results; conducting preventive and corrective monitoring of the counterparts, and also against potential compliance risks (corruption, facilitation payments, political contributions and donations, fraud, national and transnational bribery, ML/FT/FPWMD, violations of the Code of Ethics and Conduct and the FCPA).

It also issues guidelines for Group companies on matters within its competence and monitors the management thereof. Its different areas are responsible for the processing of ethical, compliance, and disciplinary complaints, among others.

Periodic reports are submitted to the Board of Directors’ Audit and Risk Committee pertaining to the activities conducted by the Vice Presidency and its work teams. This falls under the scope of work of the Ethics Committee, led by the President of the Company, whose purpose is to evaluate and issue recommendations to strengthen the ethical environment of the organization.

 

The Corporate Vice Presidency of Compliance assigns responsibilities through its different units: 

  • Coordination of Excellence in Transparency
  • Monitoring Coordination
  • Corporate Comprehensive Risk Management
  • Corporate Management of Internal Control Assurance
  • Corporate Management of Ethical Affairs and Compliance
  • Disciplinary Investigation Management
  • Disciplinary Judgment Management

(SFC 7.4.1.3.X)

Statutory Auditor

The General Shareholders’ Meeting appointed statutory auditing firm Ernst & Young Audit SAS for the period of 2021 on March 26, 2021, with the option of extending it to the period of 2022. The firm’s fees are indicated below:

Figures in COP (not including VAT)

| | 2021 | 2022 |
|---|---|---|
| Fee | 4,279,813,200 | 4,408,207,596 |

During 2021 and 2022, the firm executed the duties determined by law and the bylaws, including the evaluation and issuance of an independent opinion on the overall internal control system and in the scopes that have an impact on the preparation of financial information, in accordance with the provisions of the Sarbanes-Oxley Act and Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB), whose results have been periodically presented to the Board of Directors’ Audit and Risk Committee. Additionally, to ensure the best practices regarding the rotation of the external audit firm/statutory auditing firm, Ecopetrol’s bylaws provide for the appointment of said firm for periods of four (4) years, with the possibility of being reelected consecutively up to ten (10) years and rehired after being one (1) period away from office. The partner assigned to the Company must in any case rotate after completing five (5) years in practice.

(GRI 205-2)  (WEF 4)  (SASB EM-EP 510a.2)   (ECP 020) 

To prevent acts of corruption, bribery, fraud, money laundering, and the financing of terrorism, the following actions were adopted within the framework of the Compliance Program:

Training, education, and coaching:

1. 99.64% of the Company’s employees, including all the members of the steering committee, signed the annual Commitment to Transparency, which evaluates the awareness and implementation of the Code of Ethics and Conduct and the internal regulations, and ratifies the rejection of violations of said internal regulations.

2. 100% of the business partners (joint ventures) ratified their awareness of the principles and guidelines of the Code of Ethics and Conduct adopted by Ecopetrol and its Group.

3. 100% (68) of the ethical mentors were trained in 2022; they launched more than 2,700 replications of the information in their areas, in support of the preventive plan.

4. Regular training in risk management and anti-corruption practices was provided to the members of the Board of Directors, senior management, all work teams, the special risk areas, and their counterparts.

5. 2022 Prevention Strategy – Ethical Tour: gamification exercise [17] conducted throughout the business group (with more than a thousand pieces of evidence). It was based on issues such as conflicts of interest, the Code of Ethics and Conduct, respect for and rejection of discrimination, sexual harassment, information leakage, money laundering, bribery, and others. This tour was also conducted with suppliers (more than 2,500 pieces of evidence).

6. E+ knowledge streaming talks: 7,907 connections on the following topics: prevention of ML/FT/FPWMD, fraud, corruption, risks, conflicts of interest, sexual harassment, workplace harassment, bribery and the FCPA, ESG risks, domestic violence, and the prevention of discrimination, among other issues, with material published in the Community in Practice.

7. Targeted training: training and education was provided for specific recipients (population and the regions), selected based on the analysis of ethical reports and issues corroborated in previous periods, early warnings (mentors, reports on the ethics hotline, ethical leadership exercise, results arising from actions carried out by control entities), and regulatory requirements based on national and international standards, radars, and indicators. 13,139 participations were registered in 2022.

8. The members of the Board of Directors received training on the following topics:

  • i) Risks.
  • ii) Transparency.
  • iii) OFAC and FCPA sanctions.
  • iv) Induction to the Compliance Program adopted by Ecopetrol and its Group.

9. The Steering Committee received training on the following topics:

  • i) Labor disconnection law.
  • ii) Irregular management of contractor resumes.
  • iii) Disciplinary control reform at Ecopetrol.
  • iv) Right to petition.
  • v) Audits by the Comptroller General of the Republic.
  • vi) Ethical Leadership Tour results.
  • vii) Recognition of ethical mentors, with 320 participants.

10. Moreover, to promote ethical leadership in Senior Management, permanent training was given to all leaders in the organization on critical ethics and compliance issues, with emphasis on the prohibition of specific economic activities and conflicts of interest (main behavior confirmed at the organizational level).

11. Training for contractors, suppliers, partners: communication pieces and bulletins were distributed in 2022 to all Ecopetrol contractors, suppliers, associates, and partners on the following topics:

  • i) Code of Ethics and Conduct.
  • ii) ML/TF/FPWMD.
  • iii) Fraud.
  • iv) Ethics hotline.
  • v) Risks, among others.

Training and educational materials on issues related to the Code of Ethics and Conduct and the Compliance Program (including the issue of sexual harassment), conflicts of interest, ML/FT/FPWMD, and the rejection of discrimination and respect for human rights were also given to more than 3,500 suppliers and contractors, with more than 11,400 recipients in total.

 

12. Community: workshops on the Code of Ethics and Conduct and the Compliance Program were held in the municipalities impacted (Putumayo: Orito and Puerto Caicedo; Santander: San Miguel; Huila: Neiva and Aipe).

13. Ethical culture plan for risk prevention: this plan included the virtual course related to the Comprehensive Risk System, which was approved by 5,962 workers. Similarly, risk-based training was given to 381 people, and 358 work sessions were held with the personnel of each of the responsible areas to discuss Ecopetrol’s comprehensive risk management model.

14. Communication actions: more than 100 communication pieces were designed and distributed, with 1,014,466 electronic receptions on the following topics:

  • i) Code of Ethics and Conduct.
  • ii) Compliance Program.
  • iii) Prevention of ML/TF/FPWMD.
  • iv) Transparency.
  • v) Information security.
  • vi) Conflicts of interest.
  • vii) Disciplinary capsules.
  • viii) Discrimination and sexual harassment.
  • ix) Ethical hotline.
  • x) Fraud.
  • xi) The FCPA.
  • xii) Fight against corruption.
  • xiii) Labor exclusivity clause.
  • xiv) Ethics in the access and use of health services.
  • xv) Prevention of ML/TF/FPWMD.
  • xvi) Anti-bribery, and others.
17 Gamification is a learning technique that transfers the mechanics of games to the educational-professional field in order to achieve better results, either to better absorb specific insights, improve skills, or reward specific actions, among many other objectives.

Preventive Monitoring:

A data analysis routine plan was executed throughout the year, in order to mitigate ML/FT/FPWMD risks and identify breaches of the FCPA or the Code of Ethics and Conduct. New analysis routines were implemented in 2022 (depending on the risks and needs of the Company), while execution activities were systematized using tools developed in-house and with the adoption of new analysis methodologies.

(SFC 7.4.1.3.XII)

Internal Control System (SCI)

The Internal Control System is designed to provide reasonable assurance in the achievement of strategic, operational, reporting, and regulatory compliance objectives, through timely risk management and the effectiveness of the controls. Self-control is a fundamental pillar, understood as the attitude of undertaking daily work with self-criticism and self-management, promoting transparent and effective performance to streamline the achievement of organizational goals. Self-control is exercised permanently to confirm that the controls operate in accordance with their design and with the reality and context of the process in the Company.

As part of the self-control and supervision exercise, certifications and self-assessments are conducted periodically to corroborate the effectiveness of the controls, the existence of additional risks, relevant risk issues, and mitigation measures, and the monitoring of key risk indicators (KRIs).

This is a process involving the entire Company. It is supervised by the Board of Directors’ Audit and Risk Committee as the highest control body responsible for monitoring the management and effectiveness of the internal control system.

In 2022, the management of 426 risks and 1,113 process controls were monitored at Ecopetrol, as well as 2,491 risks and 4,915 process controls in the subordinate companies, which contributed to the Statutory Auditor issuing an independent opinion, rendering the Company’s internal control effective.

The SCI works under the following monitoring scheme:

Three Lines of Defense Model at Ecopetrol

First Line

The first level of the control environment is the business, which exerts risk management and controls on a daily basis.

Second Line

The internal control assurance division defines the guidelines and monitors the System.

Third Line

Internal and external audit are the third line of defense, challenging the definitions of the previous levels.

Source: Corporate Vice Presidency of Compliance.

The Corporate Management of Internal Control Assurance, in its role as second line of defense, defines the guidelines for risk management and process controls and implements prevention and continuous monitoring schemes by verifying the internal control elements implemented in Ecopetrol’s processes, including monitoring activities associated with the recommendations issued by external and internal control entities, together with the monitoring of risk management and process controls, which allow reasonable assurance in the achievement of the objectives, thereby guaranteeing the sustainability and continuous improvement thereof at Ecopetrol, as well as its affiliates and subsidiaries.

Regulatory Update:

The following documents were updated:

  • (i) Form for the prevention of money laundering, the financing of terrorism and financing for the proliferation of weapons of mass destruction.
  • (ii) Form for the commitment to contractual integrity (contracts and agreements).
  • (iii) Form for the declaration of related parties, conflicts of interest, and independence of members of the Board of Directors.
  • (iv) Annex – ethics, transparency, and compliance obligations applicable to contracts and agreements.
  • (v) The ethics, transparency, and compliance rules applicable to the methods of choice.

Table 41 Cases of Violations of the Code of Ethics and Conduct or Other Guidelines

| Conduct Category | Total reported incidents | Closed reports that did not result in breaches | Reports currently under investigation | Closed reports that resulted in breaches |
|---|---|---|---|---|
| Conflicts of interest, corruption, bribery, theft | 47 | 19 | 13 | 7 |
| Failure to comply with rules or procedures | 117 | 61 | 30 | 34* |
| Lack of respect, abuse, or hostile environment | 11 | 5 | 6 | 1** |
| Discrimination | 0 | 0 | 0 | 0 |
| Sexual harassment | 5 | 1 | 2 | 1 |
| Other reasons | 7 | 4 | 3 | 0 |

Note:

*Eight (8) of the 34 closed cases were reported as conflicts of interest, corruption, bribery, theft.

**This case was reported as sexual harassment.

(GRI 205-2)  (WEF 4)  

Anti-Corruption Policy

(GRI 205-1-a, 11-20-2)

Total Number of Operations Evaluated for Corruption-related Risks

Table 42 Operations Evaluated for Corruption-related Risks

| Categories | Unit of measurement | 2022 |
|---|---|---|
| Number of operations | # | 45 |
| Percentage of operations | % | 100 |

Source: Vice Presidency of Compliance.

(GRI 205-1-b, 11-20-2)

Within the framework of the 2022 process risk management cycle, significant compliance risks were identified and assessed (including those associated with: corruption, fraud, bribery) in the processes executed in the organization, considering all locations and physical facilities where Ecopetrol conducts its operations.

71 risks have been identified in the anti-corruption/anti-bribery category and 122 associated with fraud. Below are the main corruption risks detected in this exercise:

  • Irregularities in managing the procurement of goods and services.
  • Conflict of interest between the participants and/or with the outsourced support for contract management.
  • Inadequate management of trade negotiations with counterparts.
  • Gifts, considerations, or acts of hospitality that may be perceived as bribery.

The respective controls are defined to mitigate this type of risk. 

(SASB EM-EP-510a.1)

Table 43 Percentage of Proven and Probable Reserves in the 20 Lowest-ranking Countries According to the Corruption Perception Index Published by Transparency International

| Percentage of proven and probable reserves | Unit of measurement | 2022 |
|---|---|---|
| Proven reserves in the 20 lowest-ranking countries according to Transparency International’s Corruption Perception Index | Bbbls | 0 |
| Probable reserves in the 20 lowest-ranking countries according to Transparency International’s Corruption Perception Index | Bbbls | 0 |
| Total proven reserves | Bbbls | 1,291,954 |
| Total probable reserves | Bbbls | 387,182 |
| Percentage of proven reserves in the 20 lowest-ranking countries according to Transparency International’s Corruption Perception Index | % | 0 |
| Percentage of probable reserves in the 20 lowest-ranking countries according to Transparency International’s Corruption Perception Index | % | 0 |

Source: Corporate Vice Presidency of Compliance and Financial Vice Presidency.

(GRI 205-3, 206-1, 11-20-4, 11-19-2)  (WEF 4)  

Investigations Associated with Corruption Practices and Unfair Competition

There were no confirmed cases of corruption in 2022. Ecopetrol is not involved in cases of corruption, bribery, unfair competition, monopolistic practices, or practices against free competition, nor have any related cases, fines, or disputes been confirmed on these grounds in the last four (4) fiscal years. 

(GRI 405-1, 11-11-5)  (WEF 2, 11)  

Annual Monetary Contributions and Other Expenses for Political or Related Purposes

Ecopetrol did not make any type of donation to political parties in 2022 or in previous years. Similarly, due to its legal nature, Ecopetrol does not participate in any lobbying activity. In Colombia, the Company formalizes its observations in the different legislative and regulatory initiatives that may affect the hydrocarbon or energy sector with the Ministry of Mines and Energy, as the head of the sector, and its affiliated entities.

The Company has a procedure for engaging with Congress, in which it describes step-by-step guidelines for the following actions:

  • Attending meetings requested by members of the congress and following up on commitments to them.
  • Attending invitations to political control debates.
  • Responding to requests for information and questioning about invitations to political control debates presented by congressmen in due time and with high quality.
  • Following up and monitoring draft bills of interest to Ecopetrol.

However, Ecopetrol is part of several associations and institutions in which it makes membership or affiliation contributions that are equally monitored. The contributions made to such associations can be verified in Annex 12 of this report.

(WEF 6)

Risk Management System

Comprehensive risk management at Ecopetrol responds to the ISO 31000, COSO 2013, and COSO ERM 2017 standards, and it is governed by the internal regulations incorporated into the bylaws, as well as the comprehensive policy, the Code of Good Governance, manuals and internal guides and instructions defined for this purpose, all of which allow the Company to make informed decisions and contemplate possible events that positively or negatively impact the objectives of the Company and its Group.

The Comprehensive Risk Management System (SRI, as per its Spanish acronym) is led by the Corporate Vice Presidency of Compliance, as an independent area that ensures the design, implementation, administration, maintenance, and continuous improvement thereof, as well as its deployment to Group companies, and it is supervised by the Board of Directors’ Audit and Risk Committee, which verifies the establishment of the system, analyzes and formulates recommendations to the Board for the approval of business risks, and learns about the management efforts exerted and monitors them.

(WEF 2)

At Ecopetrol, the Corporate Vice President of Compliance, María Juliana Albán, is the person in the highest ranking position, after the President, with the responsibility for risk management at the operational level. Her reporting line on risk management issues is to the President of the Company and the Board of Directors’ Audit and Risk Committee. For his part, the President of Ecopetrol, Felipe Bayón, holds the highest-ranking position with risk management and auditing responsibilities at an operational level. In this position, the reporting line is directly to the Board of Directors’ Audit and Risk Committee.

Corporate Internal Audit Management is responsible for evaluating and proposing actions to improve the effectiveness of the Company’s SRI.

Employees are responsible for understanding and identifying the risks to which they are exposed in the exercise of their duties and within the processes in which they participate, and for adequately handling the risks that are manageable within the exercise of their duties, in compliance with the principles, framework, and processes under the SRI, and also with the Code of Ethics and Conduct.

In relation to the Ecopetrol Group companies, the Vice Presidency of Compliance exercises governance, steers, issues guidelines, defines practices, and monitors risk management, in order to unify guidelines, promote synergies, improve, and ensure oversight, and contribute to timely and appropriate decision-making. The management exerted in the subsidiaries is evidenced through periodic compliance reports to the Vice Presidency, which reports to Ecopetrol’s Audit and Risk Committee.

The SRI allows the Company to manage the effects of uncertainty over the fulfillment of its objectives, in order to maximize opportunities, define strategies, and make informed decisions.

Figure 34 Comprehensive Risk Management System
Source: Vice Presidency of Compliance.

The risk levels at Ecopetrol, managed under the SRI, are specified below:

Figure 35 Risk Levels
Related to the risks directly associated with the Company's strategy, strategic objectives, and/or balanced management board, represented in the corporate risk map.
Associated with the risks that respond to the objectives of the processes and/or management systems, according to the Company's process map.
Associated with the risks that are at a technical level of detail.
Source: Vice Presidency of Compliance.

The SRI works by executing the risk management cycle, which analyzes the objectives (strategic or process-related) to identify risks and define the appropriate controls to mitigate them or restrain their impacts. This cycle comprises the following stages:

Figure 36 Risk Management Cycle
  • Plan: define the scope of the activities and analyze internal and external context.
  • Identify: identify risks based on the perspectives of the people involved and the analysis of the information.
  • Evaluate: analyze the causes and consequences. Assess according to probability and impact.
  • Address: selection and implementation of options to address the risk.
  • Communication, follow-up, and registration: information exchange, feedback, and continuous monitoring.
Source: Vice Presidency of Compliance.

The construction and updating of the business risk map is a collective process based on the analysis of the internal and external environment, considering market trends and the specific risks and management standards applicable to the Group companies and the industry, which are normally subject to analysis and review by sustainability indices and radars.

The monitoring of business and process risks serves to identify alerts, verify the execution of the mitigants, and ensure actions against the materializations reported by the persons in charge, in order to maintain the risks within defined tolerance and acceptance levels. The relevant results of this follow-up were periodically reported to the Executive and Audit and Risk Committees according to occurrence or criticality thereof, by means of management reports in the monthly sessions. 

(SFC 7.4.1.3.VII)

Market Risks and Procedure to Assess and Measure the Degree of Exposure to Relevant Risks

Relevant Risks Pressing on the Issuer and Mitigation Mechanisms Implemented

The risks that may affect the advancement of the corporate purpose, the strategy, the financial situation, the investment plan, the operating results, the cash flow, and the growth prospects are identified in the business risk map (18). To appraise and measure the degree of risk exposure, Ecopetrol and its subsidiaries (19) conduct a quantitative and qualitative evaluation considering the probability of occurrence (20) and the possible impact (21) on the people, the environment, the economic resources, reputation, and on customers. The risk levels are assessed using an established appraisal matrix (22). The resulting assessment derives from the combination of probability and impact, as follows: Very High, High, Medium, Low, and Very Low.

Below are the probability estimates and level of economic impact (quantitative) for business risks: 

| No. | Business Risk | Probability | Level of economic impact ** |
|---|---|---|---|
| 1 | Unsuccessful protection and incorporation of resources and reserves | Unlikely | Level 5 |
| 2 | Asset competitiveness in light of the energy transition | Unlikely | Level 5 |
| 3 | Impact on financial sustainability and value generation | Possible | Level 4 |
| 4 | Subordinates that do not fulfill the value promise | Possible | Level 5 |
| 5 | Operational interruption incidents due to environmental causes | Likely | Level 3 |
| 6 | Unsuccessful transition and incorporation of ISA to the Ecopetrol Group | Unlikely | Level 5 |
| 7 | Spread of epidemics that affect the operation | Likely | Level 3 |
| 8 | HSE events due to operating causes | Possible | * |
| 9 | Projects that do not meet their value expectation | Unlikely | Level 4 |
| 10 | Ethics and compliance breaches | Likely | * |
| 11 | Cyberattacks, leakage or loss of information | Likely | Level 3 |
| 12 | Organizational culture that does not leverage the strategy | Possible | * |
| 13 | Breach of commitments by third parties | Possible | Level 3 |
| 14 | Impact on the operation or on corporate governance due to geopolitical or regulatory changes, or provisions set forth by control entities and the state | Unlikely | Level 5 |
| 15 | Inadequate climate change and water management | Unlikely | Level 4 |
Source: Vice Presidency of Compliance.

**1 being the lowest level and 5 being the highest level.

*Its level of impact is given by qualitative estimates (e.g., people, environment, reputation).

18 For more information on business risks, visit https://www.ecopetrol.com.co/wps/portal/Home/es/NuestraEmpresa/QuienesSomos/GestionDeRiesgos
19 The Ecopetrol Group is made up of all subordinate companies and those in which it holds some shareholding, as well as the financial and investment vehicles in Colombia and abroad.
20 The probability of occurrence is defined using the following levels: most certainly, likely, possible, unlikely, and rare.
21 The dimensions of the impact are: catastrophic, major, moderate, minor, insignificant.
22 RAM-Risk Assessment Matrix.

Below is a description of the nature of the business risks identified, the corresponding monitoring and mitigation mechanisms, as well as a brief explanation of the materializations presented and the measures adopted for the reporting period:

Unsuccessful protection and incorporation of resources and reserves | Asset competitiveness in light of the energy transition | Impact on financial sustainability and value generation
Risk description

Unsuccessful protection and incorporation of resources and reserves: Inability to protect and incorporate resources and/or reserves (crude oil and gas) that impact the advancement of the exploratory and production portfolio and the management of new opportunities and resources associated with project management, thereby failing to meet the goal of incorporating resources and reserves for the term and causing an adverse variation in the reserve replacement rate compared with the previous year.

Asset competitiveness in light of the energy transition: Failing to achieve competitiveness and resilience for the Oil & Gas business and for Company assets in light of the energy transition, thus generating possible entrapments due to non-compliance with the required fuel quality and outside the parameters established by regulation, as well as non-compliance with environmental regulations that interrupt the development or operation of the asset.

Impact on financial sustainability and value generation: Impact on Ecopetrol’s financial sustainability and on the fulfillment of value generation due to illiquidity, access restrictions to bank debt or capital markets, financial ratios outside acceptable limits, significant breaches of EBITDA, lack of key coverage in the insurance market.

Management, monitoring, and mitigation mechanisms
  • Creation of the Exploration Tactical Control Committee.
  • Creation of Exploration Planning Portfolio Committee.
  • Monitoring and quarterly reporting of reserves to the Audit and Risk Committee.
  • Implementation of Ecopetrol’s stake in Micro LNG (Liquefied Natural Gas) to supply a low-emission fuel.
  • Implementation of the chapters associated with the development strategy that impact the risk of entrapment and affect the competitiveness of the assets.
  • Definition and implementation of the methodology for identifying assets at risk of losing value prematurely.
  • Implementation of a digital tool to strengthen the management of upstream assets to avoid loss of value.
  • Execution of the Fuel Quality project at the Barrancabermeja refinery.
  • Implementation of price forecasting methodologies, both TRM and capex.
  • Monitoring activities on the accounts receivable of the Fuel Price Stabilization Fund.
  • Design of hedging strategies.
Materializations
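Unsuccessful protection and incorporation of resources and reserves: No materializations were reported in the year.
Asset competitiveness in light of the energy transition: No materializations were reported in the year.
Impact on financial sustainability and value generation: No materializations were reported in the year.
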
Subordinates that do not fulfill the value promise | Operational interruption incidents due to environmental causes | Unsuccessful transition and incorporation of ISA into the Ecopetrol Group
Risk description

Subordinates that do not fulfill the value promise: Non-compliance by the subsidiaries that affects the financial performance of the Ecopetrol Group (operating profit, refining margin, EBITDA, and illiquidity), as well as the operating performance (negative deviation from the target for the incorporation of resources and reserves and unfavorable ruling in litigation against the subsidiaries).

Operational interruption incidents due to environmental causes: Incidents of low manageability in the environment that make it impossible to maintain the Company’s operation and cause deferred production, attacks, de facto actions, sabotage, seizure, and violent takeover of stations.

Unsuccessful transition and incorporation of ISA into the Ecopetrol Group: Unsuccessful transition of ISA to the Ecopetrol Group’s control, consolidation, and reporting scheme, and incorporation of new business lines unrelated to ECP’s traditional activity, thereby generating results that differ from those expected, due to causes attributable to management, as well as sanctions, operating interruptions, and reputational impacts.

Management, monitoring, and mitigation mechanisms
  • Follow-up on the progress of the strategy and analysis of business performance by comprehensively monitoring the objectives and performance indicators of the Ecopetrol Group.
  • Quarterly monitoring of compliance with EBITDA and financial debt ratios.
  • Identification and implementation of preventive actions deriving from the analysis of materialized events.
  • Social investment promotion plan.
  • Implementation of the Human Rights Risk Management Cycle under the annual human rights plan.
  • Strengthening the relationship with stakeholder groups.
  • Design and implementation of the Corporate Governance model for ISA.
  • Promote the strategic management of change and culture at Ecopetrol – ISA.
  • Implementation and readiness for ISA’s alignment to Ecopetrol’s Compliance Program.
Materializations
Subordinates that do not fulfill the value promise: No materializations were reported in the year.

Operational interruption incidents due to environmental causes: During the year, the Group reported 36 blockades, 24 attacks, and 759 illegal connections (1).

Response measures
  • Inter-institutional approach led by Ecopetrol, with the involvement of the Police, the Army, the Navy, the Prosecutor’s Office, the Ombudsman, and representatives to review joint actions.
  • Application of transportation system inspection technologies.
  • Permanent scanning of illegal connections in the transport assets of the Ecopetrol Group in the most affected areas.
  • Monitoring together with community leaders, community actions, and the regional government.

(1) The blockades are attributed as follows: 21 to Ecopetrol, two (2) to Hocol, six (6) to OBC, and seven (7) to Ocensa. As for the attacks, four (4) correspond to Ecopetrol and 20 to Cenit. The 759 illegal connections are related to Cenit.

Unsuccessful transition and incorporation of ISA into the Ecopetrol Group: No materializations were reported in the year.

Spread of epidemics that affect the operation | HSE events due to operational causes | Projects that do not fulfill their value promise
Risk description

Spread of epidemics that affect the operation: Possible massive spread of infectious, epidemic diseases that compromise the health of employees, contractors, third parties, and other stakeholder groups, which can lead to the suspension of critical operations, delays, or non-availability of equipment or supplies required for the operation, as well as impacts on trade agreements with suppliers and customers, and on the supply chain due to lower demand for crude oil and products.

HSE events due to operational causes: Undesired and foreseeable events originating from the operation (industrial safety, process safety, or environmental events regarded as severity level 5 in terms of the impact on the people, property and infrastructure, the environment, the reputation and/or relationship with customers, and/or process safety events regarded as level 1) that may have an impact on people, assets and infrastructure, the environment, the reputation of the company and/or the relationship with the client.

Projects that do not fulfill their value promise: Negative deviations in the value expectation (VPN and negative ENPV) of the projects, in the terms committed in the strategy.

Management, monitoring, and mitigation mechanisms
  • Incorporation of lessons learned from real activation scenarios in COVID-19 business continuity plans.
  • Evaluation of the response capacity of Ecopetrol S.A.’s critical facilities.
  • Communications plan associated with COVID-19.
  • Comprehensive management of high consequence scenarios.
  • Environmental risk assessment, aligned with the environmental studies methodology under Resolution 1402 of 2018, Decree 2127 of 2017, and with Resolution 40411 of 2021.
  • Implementation of HSE Committees in the boards of directors of the subsidiaries / HSE Agenda in current Boards of Directors.
  • Definition of alerts for changes in the variables that affect the VPN.
  • Determining value expectation (VPN) as a variable for assessing the risk impact of the projects.
  • Training in monitoring the value expectation of investments to improve their adoption.
Materializations
Spread of epidemics that affect the operation: No materializations were reported in the year.

HSE events due to operational causes: Ecopetrol recorded two (2) containment losses and ISA one fatality in 2022.

Response measures

  • Root cause analysis identifying the basic and immediate reasons that caused the event.
  • Training in reporting materialized events and root causes.
  • Staff training and qualification plan – training in working at heights with certified entities.

Projects that do not fulfill their value promise: Project with a forecast lower than previous reserve estimates.

Response measures

  • Analysis by the Board of Directors on the continuity of the project.

Ethics and compliance breaches | Cyberattacks, leakage or loss of information | Organizational culture that does not leverage the strategy
Risk description

Ethics and compliance breaches: Occurrence of inappropriate behaviors associated with breaches of the Code of Ethics and Conduct, fraud, corruption, bribery, money laundering, financing of terrorism, financing of the proliferation of weapons of mass destruction, and violations of the FCPA, which cause a reputational impact that affects the strategy.

Cyberattacks, leakage or loss of information: Cyber-attacks (phishing, malicious code, brand theft, viruses, seizure of assets or data, service denial, cyber espionage, among others) that affect the Company’s operations or critical infrastructure, as well as unauthorized access or extraction of classified or reserved information through information systems, technological devices, or unsafe cybersecurity behaviors by employees, contractors, or third parties.

Organizational culture that does not leverage the strategy: Behaviors and competencies that are not governed by cultural principles or the business strategy, which must be leveraged in agile processes and technology, affecting the goals of cultural transformation, people retooling, and culture in terms of processes.

Management, monitoring, and mitigation mechanisms
  • Approval of preventive and corrective actions deriving from the monitoring of ethical performance, behavior management, and the organization’s ethics and compliance program.
  • Supervising the efficiency and outcomes of the activities under the Compliance Program (prevention, detection, response, and continuous improvement), by following up on the management report presented by the Corporate Vice President of Compliance.
  • Supply Chain Protection (governance of third-party cybersecurity risks).
  • Cybersecurity program to incorporate capabilities that reduce the probability of occurrence.
  • Upgrading and preparing the infrastructure for Industry 4.0 or for digital transformation and mitigating the risk of technological obsolescence in IT and OT.
  • Cross-cutting Cultural Transformation and People Retooling Plan.
  • Verifying the quality of the performance management process in planning, monitoring, and evaluation.
  • Verifying compliance with the parameters for the alignment of individual performance objectives and Ecopetrol’s strategic objectives.
Materializations
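Ethics and compliance breaches: No materializations were reported in the year.
Cyberattacks, leakage or loss of information: No materializations were reported in the year.
Organizational culture that does not leverage the strategy: No materializations were reported in the year.
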
Third party breaches | Impact on the operation or on corporate governance due to geopolitical and regulatory changes or provisions set forth by control entities and the state | Inadequate climate change and water management
Risk description

Third party breaches: Breach of contractual commitments by an associate in the course of a joint venture (activation of clauses for Ecopetrol to contribute the corresponding partner/associate resources, to request the removal of the partner/associate-operator, or for breaches in the execution of the exploratory or exploitation program, or of abandonments), as well as non-compliance by third parties (client/supplier) with the supply of required goods and services.

Impact on the operation or on corporate governance due to geopolitical and regulatory changes or provisions set forth by control entities and the state: Events or situations that influence the Company’s corporate governance and its actions or decisions, due to:

  • Geopolitical instability.
  • Possible difficulty in the signing of civil liability policies.
  • Changes in regulations or the jurisprudence, or in the national or international regulatory environment.

Inadequate climate change and water management: The Company’s exposure to negative impacts in its value chain (operating continuity, environment, reputation, regulatory, financial), as well as its ability to implement measures to reduce and offset carbon and methane emissions, adapt to climate change and variability, to the country’s normal weather conditions that affect the availability and security of water in the regions, and to other climate-related transition risks, leading to non-compliance with the goal of reducing greenhouse gas emissions, restrictions on discharges, and catchment of water volumes for the execution of projects and the continuity of operations.

Management, monitoring, and mitigation mechanisms
  • Identification of potential improvements related to non-compliance in collaboration contracts.
  • Approving the negotiation conditions of commercial portfolio clients with trustworthy credit, confirming that they have the credit risk profile analysis.
  • Management of findings and recommendations deriving from audits for the joint operation of the exploratory asset.
  • Strategy to reduce recurrences in matters identified by the Comptroller General of the Republic (CGR).
  • Implementation of project deliverables with the update of Governance elements: Senior Management Committees and Engagement Model.
  • Review of roles and responsibilities in the regulatory management of issues contemplated within the scope of the Regulatory Strategy Procedure.
  • Monitoring and implementation of projects, actions, and initiatives to reduce greenhouse gas emissions and availability of resources.
  • Implementation of projects and nature-based solutions (SBN, as per its Spanish acronym) to contribute to the emission reduction goal.
  • Structuring and updating decarbonization and integrated water management portfolios. Execution of plans for conversion to clean technologies and management of discharges at the refineries.
Materializations
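Third party breaches: No materializations were reported in the year.
Impact on the operation or on corporate governance due to geopolitical and regulatory changes or provisions set forth by control entities and the state: No materializations were reported in the year.
Inadequate climate change and water management: No materializations were reported in the year.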

Risk culture

HSE: Fatalities or environmental incidents (5% to 10%).

Internal control failures reported by the external auditor (2.5% to 100%).

Ethical events or disciplinary judgments (100%).

The Company has also implemented a self-assessment exercise and a quarterly report by process owners through the Internal Control System.

Furthermore, in 2022:

  i) The Risk Community of Practice was launched.
  ii) Communication pieces alluding to comprehensive risk management were produced.
  iii) A virtual Risk Management course was made available to all staff members.

Figure 37 Business Risks and their Relationship with Environmental, Social, and Governance Issues
Source: Vice Presidency of Compliance.

The previous correspondence gave rise to the relationship of business risks with the 28 material elements identified by the Company in 2020.

Table 44 Business Risks and their Relationship with TESG
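| Category | Material element | Business Risk |
|---|---|---|
| Exceptional material elements | Climate change | 2, 15 |
| Exceptional material elements | Integrated water management | 15 |
| Exceptional material elements | Territorial development | 5 |
| Notable material elements | Biodiversity and ecosystem services | 15 |
| Notable material elements | Circular economy | 2 |
| Notable material elements | Use of energy and alternative sources | 6, 9, 15 |
| Notable material elements | Fuel quality | 2 |
| Notable material elements | Talent attraction, development, and retention | 12 |
| Notable material elements | Air quality | 2, 15 |
| Notable material elements | Health and security | 5, 7, 8 |
| Notable material elements | Prevention and management of operating incidents | 5, 8 |
| Differentiated material elements | Corporate governance | 4, 14 |
| Differentiated material elements | Diversity/inclusion | 12 |
| Differentiated material elements | Business ethics and risk culture | 10 |
| Differentiated material elements | Operational continuity system | 5, 8 |
| Compliance with material elements | Transparency and prevention of compliance risks | 10 |
| Compliance with material elements | Publicity of information | 11 |
| Compliance with material elements | Disincorporation of wells and facilities | 1 |
| Compliance with material elements | Supply chain management | 3, 13 |
| Compliance with material elements | Cultural heritage (ethnic – archaeological) | 5 |
| Compliance with material elements | Labor standards | 12 |
| Compliance with material elements | Management of real estate rights | 5 |
| Compliance with material elements | Land use | 5 |
| Compliance with material elements | Conservation and environmental protection areas | 15 |
| Compliance with material elements | Public policy | 3, 14 |
| Compliance with material elements | Comprehensive Management System | 12 |
| Compliance with material elements | Access to information and citizen participation | 5 |
| Compliance with material elements | Prevention and management of incidents caused by third parties | 5, 8 |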
Source: Vice Presidency of Compliance.