At Banco Popular, safeguarding customer trust and maintaining operational resilience are strategic imperatives.
To ensure the protection of client assets and the integrity of institutional information, the Bank has established a robust Risk Management System as a core component of its Internal Control System. This framework adheres to international best practices, including:
The COSO framework.
ISO 31000 standards.
The regulatory guidelines issued by the Colombian Financial Superintendency (SFC).
The following outlines the operational structure of the Bank’s Risk Management System, which adopts a comprehensive and preventive approach tailored to the institution’s nature, scale, and complexity, as well as the dynamics of the economic environment and the markets in which it operates.
Objective of Risk Management
To establish a comprehensive, integrated, and forward-looking risk management framework that enables Banco Popular to execute its strategic objectives, preserve its corporate reputation, ensure business sustainability, and reinforce stakeholder confidence by:
1. Identifying, assessing, and mitigating risks in a timely manner.
2. Implementing effective controls, process improvements, and automation of controls to streamline and secure operations.
3. Conducting rigorous monitoring of risk indicators, environmental alerts, and critical processes, as well as implementing preventive and corrective measures.
4. Maintaining ongoing oversight and monitoring through internal governance structures based on the type of risk, and independent verification of risk management practices.
Governance and Organizational Structure
Risk management at Banco Popular is supported by a robust governance framework, beginning with the strategic oversight of the Board of Directors, which fulfills its role through the Board Risk Committee. The Board defines the general guidelines through the Risk Appetite Framework, which guides decision-making and determines the level of risk the Bank is willing to assume.
At the management level, responsibility for leading risk management has been assigned to the Risk Vice Presidency, which is responsible for issuing policies and guidelines related to the identification, measurement, control, and monitoring of risks.
This function is supported by specialized committees that enable technical and segmented risk management, including the Financial Risk Committee, the Non-Financial Risk Committee, and the Credit Risk Committee.
The Integrated Risk Management System (SIAR) is subject to continuous evaluation to ensure its alignment with the business strategy, environmental changes, and market best practices.
Risk Culture
Banco Popular promotes a solid, cross-cutting risk management culture through a comprehensive training and awareness program aimed at all employees, suppliers and third-party workers. This program seeks to strengthen understanding of, ownership of and commitment to risk management through training, dissemination and participation activities. In this way, it encourages the identification, reporting and timely treatment of risks, as well as compliance with the ethical, normative and regulatory principles that govern the Bank's operations.
Continuous Improvement
The risk management system is reviewed and adjusted on an ongoing basis, incorporating lessons learned, recommendations from oversight bodies, regulatory changes, best practices, and evolving external conditions. This approach ensures the system’s effectiveness, relevance, and contribution to the Bank’s sustainability.
Internal Control System
The Bank's Internal Control System (ICS) is made up of policies, principles, standards, procedures and verification and evaluation mechanisms, defined by the Board of Directors and Senior Management, in order to provide a reasonable degree of security in the fulfillment of the strategic objectives.
The Internal Control System (ICS) incorporates the principles of self-control, self-regulation and self-management, and is structured based on the components of the COSO 2013 model: control environment, risk assessment, control activities, information, communication and supervision. This system is articulated through the three lines of defense model and involves all areas of the Bank in its operation, follow-up and continuous improvement.
Integrated Risk Management System (SIAR)
To manage risks, the Bank has implemented an Integrated Risk Management System (SIAR), which aims to optimize the processes of identifying, measuring, controlling, and monitoring risks. SIAR enables timely and integrated management of risks inherent to the business and is based on internationally recognized frameworks such as COSO, the Basel Committee, and the regulations of the Colombian Financial Superintendence (SFC).
Risk Appetite Framework
The Bank has a Risk Appetite Framework approved by the Board of Directors, which establishes the levels of risk exposure the organization is willing to accept in pursuing its strategic objectives. This framework is reviewed and adjusted periodically based on changes in the external environment, the Bank’s risk profile, and its strategic direction.
Monitoring the indicators defined within the framework enables early warning detection, management of deviations, and timely decision-making. It is also integrated with the Bank’s planning, financial management, and internal control processes.
The Risk Appetite Framework includes:
The Risk Appetite Statement, which outlines the general and specific levels of risk the Bank is willing to assume.
Defined limits by risk type.
Dashboards to support decision-making.
Periodic review approved by the Board of Directors.
The Risk Appetite Framework enables more assertive decision-making by balancing opportunities with the Bank’s risk-taking capacity and avoiding breaches of tolerance thresholds. Its implementation and monitoring are supported by technological tools, organizational culture, key processes, and risk dashboards.
Integrated Risk Management
Below are the stages of risk management and the risk types applicable to Banco Popular:
SOX – Assurance of Financial Reporting Information Policy: Risk Management for Financial Reporting
Principles of the Risk Management System
The Bank’s core principles for optimizing its risk management are:
Governance and Oversight
Clearly defined roles and effective structures.
Transparency and Perspective
Alignment with institutional policies and processes.
Adaptability
Periodic evaluation of methodologies and adjustments in response to environmental changes.
Security
Consistency with regulatory requirements, risk appetite, and business objectives.
Zero Tolerance for Bribery and Corruption
Strict adherence to ethical standards.
Priority
Protection of institutional reputation as a cross-cutting principle.
Types of Risks Managed
Emerging Risks: Unknown or Previously Unconsidered Threats
At Banco Popular, we understand that comprehensive risk management not only requires control over known risks but also the ability to anticipate what lies ahead. Emerging risks are new or evolving threats that are not yet fully understood or integrated into traditional risk management frameworks. These may arise from technological, social, environmental, or geopolitical transformations and can significantly impact the Bank’s operations, reputation, or long-term sustainability.
Aligned with ISO 31050, we adopt a prospective and adaptive approach that allows us to identify these risks in a timely manner and to prepare ourselves to act swiftly in the face of uncertain scenarios, taking into account the speed with which each risk may occur.
Material Risks: Strategic Threats Under Control
For Banco Popular, material risks are significant threats that could divert or prevent the achievement of strategic objectives. These are risks with the potential to substantially impact our viability, reputation, or financial performance.
We derive these risks from an in-depth analysis of both the global and local environment, and classify them into key categories to enable effective management. Proper identification and control of these risks allow us to anticipate potential impacts, make informed decisions, and ensure the achievement of our strategic objectives.
Financial Risks: The Backbone of Our Strength
Financial risks are at the core of banking management and refer to the possibility of economic losses resulting from market movements or the failure of third parties to meet their obligations. At Banco Popular, we actively manage these risks to protect your investment:
Credit Risk: This is the possibility that the Bank may incur losses and a decrease in asset value due to a debtor or counterparty failing to fulfill their obligations. We manage this risk through rigorous analysis of repayment capacity, portfolio diversification, and ongoing monitoring of the target market.
Liquidity Risk: Refers to the possibility that the Bank may be unable to meet its short-term payment obligations—such as deposit withdrawals—due to a lack of cash or liquid assets. We maintain adequate reserves and prudently manage our funding sources to ensure the availability of your funds at all times.
Market Risk: Arises from the fluctuation in prices of financial assets—such as interest rates, exchange rates, or equity values—which can affect the value of our investments. We continuously monitor the markets to mitigate the impact of such fluctuations.
Interest Rate Risk in the Banking Book (IRRBB): This is the risk that changes in interest rates may affect the income and economic value of banking book positions that are not held for trading purposes. We actively manage this risk to safeguard our profitability and capital from market interest rate volatility.
Country Risk: Understanding Our Environment: Country risk refers to the possibility that the Bank may incur losses from financial operations abroad, as a result of deteriorating economic and/or sociopolitical conditions in the host country. This may include foreign exchange transfer restrictions or other factors unrelated to the country’s specific commercial and financial situation. This definition encompasses, among others, Sovereign Risk (SR) and Transfer Risk (TR), both associated with such external factors.
Non-Financial Risks
Non-financial risks refer to the potential occurrence of events that may impact the Bank's operations, reputation, or regulatory compliance. At Banco Popular, we address these risks through a preventive and structured approach that ensures business continuity, safeguards our clients’ rights, and preserves trust in our institution.
This scope includes operational risk, compliance risk, and the risk associated with money laundering and terrorist financing (AML/CFT), as well as ABAC (Anti-Bribery and Anti-Corruption). Additionally, it encompasses cybersecurity risk, conduct risk, and country risk.
We maintain robust policies and controls that enable us to anticipate threats and respond with integrity and effectiveness.
Operational Risk: Ensuring Continuity and Efficiency: Operational risk is the possibility of suffering losses due to failures in our internal processes, human error, issues with our technological systems, infrastructure failure or unforeseen external events. At Banco Popular, we are committed to operational excellence. That is why we manage this risk with rigorous controls that minimize the probability of errors in transactions, failures in our ATMs or digital platforms, and any event that may affect the fluidity of our services. Your peace of mind is our priority.
Business Continuity: This refers to the possibility that unexpected events—such as natural disasters, large-scale technological failures, or health crises—may disrupt our normal operations. At Banco Popular, we have robust Business Continuity and Disaster Recovery Plans in place. This means we are prepared to rapidly activate alternate systems, ensure the availability of essential services, and protect client information, so we can continue operating and serving you even under adverse circumstances.
Money Laundering and Terrorism Financing Risk (ML/TF): Your Security, Our Priority: This refers to the possibility that the Bank may be used to legitimize funds originating from illicit activities or to finance terrorism. At Banco Popular, we implement strict Know Your Customer (KYC) protocols, continuous transaction monitoring, and ongoing training for all staff. These measures allow us to detect and report any suspicious activity, protecting your funds and contributing to national security.
Applying the risk management framework, the following additional risk types have also been incorporated:
Anti-Bribery and Anti-Corruption Risk (ABAC): Our Commitment to Integrity: This refers to the possibility that the Bank or its associates may be involved in acts of bribery or corruption. At Banco Popular, ethics and transparency are core values; therefore, we maintain a zero-tolerance policy towards such activities. We have a robust compliance program that includes clear policies, strict internal controls, thorough due diligence in third-party relationships, and secure channels for reporting any irregularities. We uphold a culture of integrity, ensuring that all our operations are conducted under the highest ethical and legal standards.
SOX – Assurance of Financial Reporting Information: As part of Grupo Aval — a company listed on the New York Stock Exchange (NYSE) — Banco Popular strictly complies with the requirements established under the Sarbanes-Oxley Act (SOX), a U.S. regulation that demands high standards of internal control over financial reporting. In this context, the Bank continuously reviews the risks and controls associated with processes that affect financial reporting, covering everything from data generation and processing to recording, preparation, and disclosure.
Conduct Risk: Ethics in Every Interaction: This refers to the possibility that decisions, actions, or omissions by employees—whether intentional or not—may cause harm to clients, the market, or the Bank’s reputation. These risks may arise from errors or deficiencies in the information provided, unfair treatment, or inappropriate commercial practices, among others.
At Banco Popular, we promote an ethical and transparent culture centered on respect for and protection of financial consumers. We have a Code of Ethics that sets out the principles and guidelines that must govern the conduct of all our employees, supported by continuous training programs and oversight mechanisms aimed at ensuring that all our interactions are clear, responsible, and aligned with the best interests of the client. Our goal is to build trust-based relationships, where every action reflects our commitment to an honest, fair, and people-centered banking model.
Cybersecurity and Information Security: Ensuring a Secure Environment for Information: This involves managing the risk of security or cybersecurity incidents that may compromise the confidentiality, integrity, availability, and privacy of data. These risks may stem from data breaches, unauthorized access, or cyberattacks such as malware, phishing, or ransomware, potentially leading to service disruptions, financial losses, and reputational damage.
To mitigate this risk, we implement robust policies, frameworks, and continuous monitoring, both internally and across third-party service providers. We also deploy defense-in-depth strategies, leveraging specialized internal and external expertise to reinforce our protection mechanisms.
Our security measures include data encryption, multi-factor authentication, and real-time detection and response systems, all of which support a secure and reliable banking experience, aligned with the highest standards of the financial industry.
Environmental and Social Risk (SARAS): A Commitment to a Sustainable Future: This refers to threats stemming from environmental factors (such as climate change, natural disasters, or resource scarcity) and social factors (such as inequality, community impacts, or human rights concerns). These risks can directly affect our operations. At Banco Popular, we acknowledge our responsibility toward sustainability. We assess how these factors may influence our financing and investment decisions, promoting practices that contribute to sustainable development and mitigate negative environmental and social impacts.
At Banco Popular, we manage risks rigorously and proactively, with a firm commitment to protecting your resources, ensuring the Bank’s sustainability, and contributing to the achievement of our strategic objectives.
The trust of our clients is our most valuable asset and the driving force behind each of our decisions.
In this way, we help ensure that Banco Popular is present during the best moments of your life.