
In line with our policies, we adopted the Comprehensive Risk Management model of our parent company, which provides a focus for continuous improvement and effective risk management in a systematic and transversal manner for TGI. Based on the ISO 31000:2018 standard, this model establishes the reference frameworks to identify and assess the risks related to the activities of our business and to be able to implement the necessary actions to mitigate them.
We have an Information Security Model
This Information Security Model (MSPI) seeks to protect the Confidentiality, Integrity and Availability of information assets for the Administrative Headquarters located at Carrera 9 No. 73-44 in Bogotá and for all other headquarters nationwide. It has the support of Senior Management to guarantee the necessary resources for the continuous improvement of the model and to demand compliance with the guidelines, policies and other security directives that are defined, which must be known, understood and accepted by all interested parties of the Information Security and Privacy Model (MSPI).
As a fundamental part of the Information Security and Privacy Model (MSPI), there is an internal regulation that provides TGI S.A. ESP with the guidelines and guidance regarding information security and the proper use of information assets, seeking to preserve the confidentiality, integrity, availability and privacy of information.
For any anomalous event that may occur, TGI S.A. ESP has its management of information security incidents duly documented and communicated to the organization for awareness.
M-ADI-006 Modelo de Seguridad y Privacidad de la Información (MSPI).pdf
At TGI, we have a robust system in place to monitor and control our information systems and cybersecurity management. We conduct internal audits at least once a year, following a risk-based approach aligned with international best practices such as the ISO/IEC 27001 and NIST standards. These assessments cover key areas including access control, data protection, incident management, and network security. Findings are reported to the technology committee and addressed through corrective action plans.
In addition, we undergo at least one external audit per year conducted by Grupo Energía Bogotá, as part of the group-wide cybersecurity management system assessments. Our statutory auditor also performs periodic reviews that include the verification of IT controls, and additional audits may be conducted based on emerging risks or regulatory requirements. Both internal and external audits are carried out in accordance with recognized standards such as ISO/IEC 27001, NIST and frameworks such as COBIT.
We have also established internal procedures that enable our employees to report and escalate any incidents or suspicious activities detected in our information systems, thereby strengthening our ability to respond effectively to potential threats.
Information Security and Cybersecurity Training: Commitment to Organizational Awareness
As part of the institutional commitment to information protection and in compliance with the guidelines on information security training and awareness, the company has established a School of Information Security and Cybersecurity, as part of its training strategy and endorsed by the Human Talent area. The main purpose of this school is to implement a comprehensive training and awareness program aimed at strengthening the culture of information security and cybersecurity at all levels of TGI S.A.ESP.
Throughout the year, various activities are carried out to promote employees’ knowledge and responsibility regarding the protection of information assets, both in physical and digital environments. These activities include training sessions, interactive modules, educational videos, and simulated attacks such as phishing and ransomware, among other training resources.
This program not only aims to ensure regulatory compliance but also seeks to raise awareness of the risks associated with the use of emerging technologies and the constant evolution of threats. Through knowledge and active participation, employees are expected to understand the importance of their role in protecting the confidentiality, integrity, and availability of TGI S.A.ESP's information.
Below are some statistics that demonstrate the program’s reach and the level of employee participation during 2024.
Training statistics.pdf
Item | Emerging Risk | Description | Potential Impacts | Mitigation Measures |
1 | Loss of Competitiveness Due to Signals of an Accelerated and Misaligned Energy Transition | The global trend toward accelerated decarbonization and the adoption of clean energy sources could generate unexpected regulatory, financial, and operational pressure and fragmentation—particularly if Colombia’s regulatory frameworks change rapidly or remain undefined, becoming inconsistent with the strategy for expanding local and imported natural gas infrastructure. This misalignment could affect project planning, the availability of long-term contracts, and natural gas demand, directly impacting business stability. To ensure its sustainability, the company may also face the need to make additional investments to diversify its revenue portfolio at an accelerated pace, resulting in unforeseen costs associated with the transition toward more sustainable energy sources. | - Loss of competitiveness compared to alternative energy sources in the short term - Structural demand loss - Revenue loss - Reduced investment capacity | Monitor and actively participate in regulatory and policy definition scenarios to ensure natural gas is recognized as a necessary energy source for the transition |
2 | Regulatory Instability Due to Political, Social, and Legislative Changes in the Context of the Energy Transition | Global and domestic pressure for a faster energy transition with lower carbon emissions—combined with potential political and social instability stemming from Colombia’s 2026 government change—could trigger unexpected regulatory shifts. These may include new fees, environmental taxes, or operational restrictions, as well as increased social mobilization and media scrutiny regarding service delivery and the development of traditional energy projects. This combination of factors could disrupt expansion planning, the operation of existing infrastructure, and relationships with communities and key stakeholders across the value chain. A lack of anticipation of these changes may result in additional costs, project delays, significant reputational risks, and increased pressure on business sustainability. | - Reduced recognition of investments - Revenue loss - Reduced investment capacity - Declining public trust in natural gas as an energy source - Demand loss | Ongoing monitoring of government plans and political proposals related to the development of the energy sector, particularly natural gas in Colombia |
Oversight of the risk management system is led by the Audit, Risk, Talent, and Corporate Governance Committee of the Board of Directors. Its core responsibilities regarding risk management include:
- Recommending to the Board of Directors the risk matrix, the Risk Policy, and the methodology for calculating risk appetite.
- Monitoring and periodically reporting to the Board on the effective implementation of the company’s risk matrix, ensuring that key financial and non-financial risks—including environmental, social, and corporate governance risks arising from the company’s sustainability strategy, both on- and off-balance sheet—are identified, managed, and disclosed to the Board in a timely and appropriate manner.
The Committee members possess the expertise and knowledge required to support the Group’s risk management. Every two months, management reports to the executive team, the Audit, Risk, Talent, and Corporate Governance Committee, and the Board of Directors on strategic risks. This process enables ongoing monitoring, adjustment, and strengthening of treatment plans, as well as the implementation of actions to address relevant risks across the organization.
Operational risk management functions are framed within the Three Lines Model defined in the Control Architecture Policy.
Through the application of the Comprehensive Risk Management Model, TGI identifies and manages strategic and process-related risks, conducting periodic monitoring and control in coordination with process leaders. Risk control is based on the three lines of defense model, in accordance with the standards of the European Confederation of Institutes of Internal Auditing (ECIIA), which outlines responsibilities within the Internal Control System.
First Line (Self-control, Self-regulation, and Self-management): This line comprises activities carried out by all employees, including process and control owners, through the definition and execution of controls via policies, procedures, methodological frameworks, and more. The first line of defense in the Internal Control System is grounded in three key principles: self-control, self-regulation, and self-management.
Second Line: This includes various oversight and monitoring functions performed by departments responsible for financial reporting controls, legal and regulatory compliance, quality management systems, information security, supervision and inspection, and risk management. These functions facilitate and supervise the execution of control activities to mitigate risks.
Third Line: This refers to independent assurance provided through internal and external audit activities. This line of defense offers corporate governance bodies and senior management reasonable assurance regarding the effectiveness of governance, risk management, and control systems, as well as the company’s independence and objectivity.