At Banco Popular, safeguarding customer trust and maintaining operational resilience are strategic imperatives.
In order to safeguard clients’ assets and protect the integrity of information, we have established a Risk Management System, with the Internal Control System as a core pillar and a fundamental component of the Bank’s strategy. We manage risks comprehensively, in compliance with the requirements set forth by the Colombian Financial Superintendence and in alignment with international best practices, including:
The COSO framework.
ISO 31000 standards.
The Basel Accords.
The following outlines the operational structure of the Bank’s Risk Management System, which adopts a comprehensive and preventive approach tailored to the institution’s nature, scale, and complexity, as well as the dynamics of the economic environment and the markets in which it operates.
Objective of Risk Management
To establish a comprehensive, integrated, and forward-looking risk management framework that enables Banco Popular to execute its strategy, protect its reputation, ensure sustainability, and strengthen stakeholder trust, in alignment with the Comprehensive Risk Methodology, through:
1. Identifying, assessing, and mitigating risks in a timely manner.
2. Implementation of effective controls aligned with the inherent nature of the risks and designed to remain responsive to evolving environmental conditions.
3. Conducting rigorous monitoring of risk indicators, environmental alerts, and critical processes, as well as the implementation of preventive and corrective measures.
4. Ongoing oversight and monitoring through internal governance structures aligned with the type of risk, and through independent assessments of risk management effectiveness.
Governance and Organizational Structure
Risk management at Banco Popular is supported by a solid governance framework, led by the Board of Directors, which oversees the Bank’s comprehensive risk management system and approves the Risk Appetite Framework. This framework guides strategic decision-making and defines the levels of risk exposure the institution is willing to assume.
The Bank has established a Risk Vice Presidency with technical autonomy and specialized teams by risk type. This unit leads the implementation of the risk management framework, ensuring the identification, measurement, control, and monitoring of the various risks to which the institution is exposed, in accordance with the guidelines approved by the Board of Directors.
The Board relies on specialized committees for the oversight and review of policies, structures, and decisions related to the integrated management of risks. These include the Financial Risk Committee, the Non-Financial Risk Committee, and the Credit Risk Committee, which enable technical, cross-functional, and risk-specific oversight according to the nature of each risk.
The risk management function is carried out in a structured manner and aligned with the Bank’s business strategy, under regulatory and legal frameworks that ensure the protection of both the institution and its clients. This is supported by clearly defined risk governance structures, with assigned roles for the Board of Directors, risk committees, and operational areas.
To support this approach, the Bank has implemented the Integrated Risk Management System (SIAR), which provides a holistic view of risk and serves as a foundation for strategic decision-making. It also delivers clear insights into assumed risks, facilitates adaptability to changing environments, fosters accountability and organizational integration, and ensures the sustainability and resilience of the institution, all supported by a strong risk management culture.
The Integrated Risk Management System (SIAR) is subject to continuous evaluation to ensure its alignment with the Bank’s corporate strategy, changes in the regulatory and external environment, and industry best practices.
Risk Culture
Banco Popular fosters an organizational culture grounded in ethics, transparency, and cross-functional alignment through a comprehensive training and awareness program targeting all employees, suppliers, and third-party workers. This program aims to strengthen understanding, ownership, and commitment to risk management through capacity-building, communication, and active participation initiatives. In doing so, the Bank promotes timely identification, reporting, and mitigation of risks, while ensuring adherence to the ethical, legal, and regulatory principles that govern its operations.
Continuous Improvement
The risk management system is reviewed and adjusted on an ongoing basis, incorporating lessons learned, recommendations from oversight bodies, regulatory changes, best practices, and evolving external conditions. This approach ensures the system’s effectiveness, relevance, and contribution to the Bank’s sustainability.
Internal Control System
The Bank's Internal Control System (ICS) is made up of policies, principles, standards, procedures and verification and evaluation mechanisms, defined by the Board of Directors and Senior Management, in order to provide a reasonable degree of security in the fulfillment of the strategic objectives.
The Internal Control System (ICS) incorporates the principles of self-control, self-regulation and self-management, and is structured based on the components of the COSO 2013 model: control environment, risk assessment, control activities, information, communication and supervision. This system is articulated through the three lines of defense model and involves all areas of the Bank in its operation, follow-up and continuous improvement.
Integrated Risk Management System (SIAR)
To manage risks, the Bank has implemented an Integrated Risk Management System (SIAR), which aims to optimize the processes of identifying, measuring, controlling, and monitoring risks. SIAR enables timely and integrated management of risks inherent to the business and is based on internationally recognized frameworks such as COSO, the Basel Committee, and the regulations of the Colombian Financial Superintendence (SFC).
Risk Appetite Framework
Banco Popular has a Risk Appetite Framework (RAF), approved by the Board of Directors, which consists of a set of policies, methodologies, procedures, controls, and limits through which the Bank establishes, communicates, and monitors its risk appetite. The risk appetite defines the level of risk the Bank is willing to assume in the normal course of its operations and in pursuit of its strategic objectives.
The RAF includes the formalization of the Risk Appetite Statement (RAS), which defines the indicators in terms of aggregate variables, metrics, and thresholds, as well as the Bank’s overall risk appetite and tolerance scheme. This framework is periodically reviewed and adjusted in response to changes in the external environment, the Bank’s risk profile, and strategic direction.
Monitoring the indicators defined in the framework enables the identification of early warnings, management of deviations, and timely decision-making. Additionally, the RAF is integrated with the Bank’s planning, financial management, and internal control processes.
The RAF includes:
Policies and methodologies.
The Risk Appetite Statement (RAS), which sets out the general and specific levels of risk the Bank is willing to assume.
Risk-specific limits by risk type.
Dashboards for decision-making.
Periodic reviews approved by the Board of Directors.
The RAF enables more assertive decision-making by balancing opportunities with the Bank’s capacity to assume risk exposure within normal operational parameters, while avoiding breaches of tolerance thresholds. Its implementation and monitoring are supported by technological tools, organizational culture, key processes, and risk dashboards.
Integrated Risk Management
Below are the stages of risk management and the risk types applicable to Banco Popular:
SOX – Assurance of Financial Reporting Information Policy: Risk Management for Financial Reporting
Principles of the Risk Management System
The Bank’s core principles for optimizing its risk management are:
Governance and Oversight
Clearly defined roles and effective structures.
Transparency and Perspective
Alignment with institutional policies and processes.
Adaptability
Periodic evaluation of methodologies and adjustments in response to environmental changes.
Security
Consistency with regulatory requirements, risk appetite, and business objectives.
Zero Tolerance for Bribery and Corruption
Strict adherence to ethical standards.
Priority
Protection of institutional reputation as a cross-cutting principle.
Types of Risks Managed
Emerging Risks: Unknown or Previously Unconsidered Threats
At Banco Popular, we understand that comprehensive risk management not only requires control over known risks but also the ability to anticipate what lies ahead. Emerging risks are new or evolving threats that are not yet fully understood or integrated into traditional risk management frameworks. These may arise from technological, social, environmental, or geopolitical transformations and can significantly impact the Bank’s operations, reputation, or long-term sustainability.
Aligned with ISO 31050, we adopt a prospective and adaptive approach that allows us to identify these risks in a timely manner and to prepare ourselves to act swiftly in the face of uncertain scenarios, considering the speed with which these risks may occur.
Material Risks: Strategic Threats Under Control
For Banco Popular, material risks are significant threats that could divert or prevent the achievement of strategic objectives. These are risks with the potential to substantially impact our viability, reputation, or financial performance.
We derive these risks from an in-depth analysis of both the global and local environment, and classify them into key categories to enable effective management. Proper identification and control of these risks allow us to anticipate potential impacts, make informed decisions, and ensure the achievement of our strategic objectives.
Financial Risks: The Backbone of Our Strength
Financial risks are at the core of banking management and refer to the possibility of economic losses resulting from market movements or the failure of third parties to meet their obligations. At Banco Popular, we actively manage these risks to protect your investment:
Credit Risk: This is the possibility that the Bank may incur losses and a decrease in asset value due to a debtor or counterparty failing to fulfill their obligations. We manage this risk through rigorous analysis of repayment capacity, portfolio diversification, and ongoing monitoring of the target market.
Liquidity Risk: Refers to the possibility that the Bank may be unable to meet its short-term payment obligations—such as deposit withdrawals—due to a lack of cash or liquid assets. We maintain adequate reserves and prudently manage our funding sources to ensure the availability of your funds at all times.
Market Risk: Arises from the fluctuation in prices of financial assets—such as interest rates, exchange rates, or equity values—which can affect the value of our investments. We continuously monitor the markets to mitigate the impact of such fluctuations.
Interest Rate Risk in the Banking Book (IRRBB): This is the risk that changes in interest rates may affect the income and economic value of banking book positions that are not held for trading purposes. We actively manage this risk to safeguard our profitability and capital from market interest rate volatility.
Country Risk: Understanding Our Environment: Country risk refers to the possibility that the Bank may incur losses from financial operations abroad, as a result of deteriorating economic and/or sociopolitical conditions in the host country. This may include foreign exchange transfer restrictions or other factors unrelated to the country’s specific commercial and financial situation. This definition encompasses, among others, Sovereign Risk (SR) and Transfer Risk (TR), both associated with such external factors.
Non-Financial Risks
Non-financial risks refer to the potential occurrence of events that may impact the Bank's operations, reputation, or regulatory compliance. At Banco Popular, we address these risks through a preventive and structured approach that ensures business continuity, safeguards our clients’ rights, and preserves trust in our institution.
This scope includes operational risk, compliance risk, and the risk associated with money laundering and terrorist financing (AML/CFT), as well as ABAC (Anti-Bribery and Anti-Corruption). Additionally, it encompasses cybersecurity risk, conduct risk, and country risk.
We maintain robust policies and controls that enable us to anticipate threats and respond with integrity and effectiveness.
Operational Risk: Ensuring Continuity and Efficiency: Operational risk is the possibility of suffering losses due to failures in our internal processes, human error, issues with our technological systems, infrastructure failure or unforeseen external events. At Banco Popular, we are committed to operational excellence. That is why we manage this risk with rigorous controls that minimize the probability of errors in transactions, failures in our ATMs or digital platforms, and any event that may affect the fluidity of our services. Your peace of mind is our priority.
Business Continuity: This refers to the possibility that unexpected events—such as natural disasters, large-scale technological failures, or health crises—may disrupt our normal operations. At Banco Popular, we have robust Business Continuity and Disaster Recovery Plans in place. This means we are prepared to rapidly activate alternate systems, ensure the availability of essential services, and protect client information, so we can continue operating and serving you even under adverse circumstances.
Money Laundering and Terrorism Financing Risk (ML/TF): Your Security, Our Priority: This refers to the possibility that the Bank may be used to legitimize funds originating from illicit activities or to finance terrorism. At Banco Popular, we implement strict Know Your Customer (KYC) protocols, continuous transaction monitoring, and ongoing training for all staff. These measures allow us to detect and report any suspicious activity, protecting your funds and contributing to national security.
Applying the risk management framework, the following additional risk types have also been incorporated:
Anti-Bribery and Anti-Corruption Risk (ABAC): Our Commitment to Integrity: This refers to the possibility that the Bank or its associates may be involved in acts of bribery or corruption. At Banco Popular, ethics and transparency are core values; therefore, we maintain a zero-tolerance policy towards such activities. We have a robust compliance program that includes clear policies, strict internal controls, thorough due diligence in third-party relationships, and secure channels for reporting any irregularities. We uphold a culture of integrity, ensuring that all our operations are conducted under the highest ethical and legal standards.
SOX – Assurance of Financial Reporting Information: As part of Grupo Aval — a company listed on the New York Stock Exchange (NYSE) — Banco Popular strictly complies with the requirements established under the Sarbanes-Oxley Act (SOX), a U.S. regulation that demands high standards of internal control over financial reporting. In this context, the Bank continuously reviews the risks and controls associated with processes that affect financial reporting, covering everything from data generation and processing to recording, preparation, and disclosure.
Conduct Risk: Ethics in Every Interaction: This refers to the possibility that decisions, actions, or omissions by employees—whether intentional or not—may cause harm to clients, the market, or the Bank’s reputation. These risks may arise from errors or deficiencies in the information provided, unfair treatment, or inappropriate commercial practices, among others.
At Banco Popular, we promote an ethical and transparent culture centered on respect for and protection of financial consumers. We have a Code of Ethics that sets out the principles and guidelines that must govern the conduct of all our employees, supported by continuous training programs and oversight mechanisms aimed at ensuring that all our interactions are clear, responsible, and aligned with the best interests of the client. Our goal is to build trust-based relationships, where every action reflects our commitment to an honest, fair, and people-centered banking model.
Cybersecurity and Information Security: Ensuring a Secure Environment for Information: This involves managing the risk of security or cybersecurity incidents that may compromise the confidentiality, integrity, availability, and privacy of data. These risks may stem from data breaches, unauthorized access, or cyberattacks such as malware, phishing, or ransomware, potentially leading to service disruptions, financial losses, and reputational damage.
To mitigate this risk, we implement robust policies, frameworks, and continuous monitoring, both internally and across third-party service providers. We also deploy defense-in-depth strategies, leveraging specialized internal and external expertise to reinforce our protection mechanisms.
Our security measures include data encryption, multi-factor authentication, and real-time detection and response systems, all of which support a secure and reliable banking experience, aligned with the highest standards of the financial industry.
Environmental and Social Risk (SARAS): A Commitment to a Sustainable Future: This refers to threats stemming from environmental factors (such as climate change, natural disasters, or resource scarcity) and social factors (such as inequality, community impacts, or human rights concerns). These risks can directly affect our operations. At Banco Popular, we acknowledge our responsibility toward sustainability. We assess how these factors may influence our financing and investment decisions, promoting practices that contribute to sustainable development and mitigate negative environmental and social impacts.
At Banco Popular,
We manage risks rigorously and proactively.
With a firm commitment to protecting your resources.
Ensuring the Bank’s sustainability.
Contributing to the achievement of our strategic objectives.
The trust of our clients is our most valuable asset and the driving force behind each of our decisions.
In this way, we help ensure that Banco Popular is present during the best moments of your life.