In brief
In a recent decision, the Superintendence of Companies determined that an Excel-based risk matrix of the Self-Control and Integral Management System of Money Laundering, Terrorism Financing and Financing of the Proliferation of mass-destruction weapons risks (SAGRILAFT) and of the Business Transparency and Ethics Program (PTEE) was insufficient because it did not allow to individualize, measure, assess and mitigate the risks identified.
Comments
Considering the decision of the Superintendence of Companies, it is important that companies, when preparing a risk matrix, ensure that it allows:
- Assess, monitor and mitigate the identified risks.
- Measure the likelihood of the inherent and residual risk of each identified risk factor and the impact in case of materialization.
- Mitigate risks; to do so, the company must describe the controls applicable to the management of each risk.
In depth
The Superintendence of Companies imposed a fine to an e-commerce platform for, among other conducts, not having a risk matrix that would allow it to identify, measure, assess, mitigate and monitor the identified risks, in accordance with the provisions of Chapter X (SAGRILAFT) and XIII (PTEE) of the Basic Legal Circular of the Superintendence of Companies.
In accordance with the provisions of the Superintendence:
- The platform had an Excel file with the label “Risk Matrix” that did not allow, under a practical use, to show the individualization, measurement, assessment and mitigation of the identified risks.
- The Excel file submitted by the platform was not sufficient to be considered as a risk matrix, in accordance with the provisions of Chapters X and XIII.
- Risk matrices are considered the backbone of compliance programs because they include risk identification and management. For the structuring the SAGRILAFT and PTEE it is relevant to analyze how risky or exceptional situations affect corporate strategies and objectives .
Two fines, each one for COP 353,997,972 (c. USD 90,000), were imposed for failure to comply with obligations applicable to SAGRILAFT and PTEE, of which COP 200,000,000 (c. USD 51,000) were related to the lack of an adequate risk matrix.