
Risks are inherent in our business operations, including, among others, health, safety and operational risks, human capital risks, regulatory and compliance risks, cybersecurity risks, climate and other environmental risks, business and financial risks and reputational risks. Sempra’s management has developed an integrated risk management framework to assess and monitor risks across the company’s operations. Sempra’s board has ultimate responsibility for risk oversight under this framework. Consistent with this approach, the corporate governance guidelines adopted by Sempra’s board that set forth various policies for the company’s governance provide that the specific functions of the board of directors include assessing and monitoring risks and risk management strategies.

The board believes that risk oversight stretches beyond any one committee. As a result, the board has diversified its risk oversight responsibilities across its membership, housing categories of risk oversight within standing board committees by topic and forming ad hoc committees to manage and oversee certain specific risks as needed. For example, the responsibilities of the SS&T committee include oversight of a variety of sustainability matters, including climate change, diversity and inclusion, human rights developments and other environmental and social issues affecting the company’s business. This committee, the members of which are all independent directors, also oversees the company’s overall health and safety policies, reinforcing our company’s strong commitment to robust safety practices. Additionally, this committee oversees cybersecurity and other information technology risks and keeps abreast of technology advancements important to our business and other current events or developments that could impact our cyber risk. Any risk oversight that does not fall within the responsibility of a particular committee remains with the full board. The committee chairs periodically report to the full board regarding their respective committees’ risk oversight roles.

The board and its appropriate committees periodically review and evaluate the material risks we face. In addition, a review of what are believed to be Sempra’s most material risks and mitigation strategies for these risks is presented by senior management to the full board annually. The board also reviews and monitors strategic, financial and operating plans and goals intended to support sustainable long-term growth and each of our principal operating companies is responsible for identifying and moderating risk in a manner consistent with these plans and goals. The board fulfills its risk oversight function by, among other things, reviewing reports provided to the board and to appropriate board committees, discussing material risks and opportunities with management, appointing outside experts, selecting director candidates with diverse experience and qualifications, forming ad hoc committees to manage and oversee certain specific risks as needed, and staying informed about developments in our industry and other current events that may impact the company. Based on the foregoing, the board and its committees establish new or monitor and, as needed, amend existing risk oversight and control mechanisms, policies and practices. In addition, the company has a robust internal audit function that reports directly to the Audit committee.

The board and its committees seek to manage risk by establishing policies and practices that apply to various aspects of our business, including, among others:

  • Utility investment plans consistent with state policy objectives and regulatory review and approval of significant investments
  • Non-utility investment policies, including requiring contractual commitments from third parties to purchase a substantial portion of the capacity or output of major non-utility projects before commencing construction on the projects, subject to exceptions
  • The appropriate capital structure for our businesses
  • An employee compensation program that encourages and rewards sustainable growth in our business and is within an acceptable risk profile
  • Commitment policies that require board review and/or approval above certain dollar thresholds
  • Reviews of the company’s high-performance culture with a focus on key areas of our operations, such as safety, sustainability, diversity and inclusion of our workforce and customer service
  • With respect to investments in which we do not operate or control the applicable entity, careful selection of business partners and representation on the entity’s board or equivalent governing body when possible

Sempra’s management team implements policies and processes at the Sempra level and provides policy guidance, governance and oversight of our operating companies. Each operating company is responsible for implementing these policies and managing risk, safety and compliance.

More information on identified risks may be found in our 2021 Annual Report on Form 10-K.

Each operating company is responsible for managing its risks with support from the Sempra Compliance and Enterprise Risk Committee. Sempra’s chief sustainability officer serves on this committee, helping to link the company’s sustainability strategies and practices to each enterprise risk area.

Management systems and processes help us manage risk and operate efficiently and effectively. Our compliance program is based on five elements:

  • Leadership oversight and accountability
    Through their words and actions, we expect our leaders to demonstrate integrity, honesty and respect.
  • Codes of conduct, policies and procedures
    Our Code of Business Conduct is the foundation of our compliance program and our guide for maintaining a workplace that follows legal and ethical standards in compliance with federal, state and local laws and regulations and is in line with our company’s values and ethical standards. Corporate policies provide additional details. Our Supplier Code of Conduct is based on the same standards that apply to all employees of the Sempra companies. We expect our suppliers to embrace our commitment to do the right thing and conduct their businesses in compliance with all laws, rules and regulations. For any cases of suppliers found to be out of compliance with our supplier code of conduct, we reevaluate our business relationship with these suppliers, which could include the creation of corrective action plans or termination of contracts.
  • Education, communication and awareness
    All employees complete three mandatory ethics and compliance training courses each year. An additional 16 compliance-related courses may be assigned based on an employee’s work location and responsibilities. This training covers a wide range of topics including, but not limited to, safety; discrimination and harassment-free workplace; information management; privacy; environmental protection; charitable activities; political participation; anti-trust and unfair competition; anti-bribery and anti-corruption; conflicts of interest; and securities trading. Pulse surveys, videos and other communications build and maintain awareness. All employees who are directly or indirectly involved in activities that could involve contact with a government official, and/or who have access to, or control of, funds or accounts relating to such activities are required to complete anti-corruption and anti-bribery training and certifications, which are provided on a periodic basis.
  • Risk assessments, auditing and monitoring
    We periodically assess compliance risks based on the potential impact and frequency of a hypothetical occurrence of noncompliance. Compliance programs are informed by the results of our compliance risk assessment and are regularly monitored. Compliance program owners collaborate and interact with internal and external auditors.
  • Reporting processes and procedures
    Sempra maintains an ethics and compliance helpline through which employees and third parties can report suspected violations of our code of conduct, including any cases of corruption or anti-competitive behavior as well as other concerns. There were 409 reports made to the helpline in 2021, representing a case volume per 100 employees of 2.2%. 53% of reports were made anonymously and 107 were substantiated as of January 2022.¹ Every report is investigated.

Ethics & Compliance Helpline

Reports related to discrimination and harassment 16%
Reports related to employee relations 40%
Reports related to other matters 44%
Total reports received 409

1. Includes calls received through Sempra’s Ethics and Compliance Helpline and Mexico’s Contigo line.

Management systems and processes help us track our performance and protect the company from exposure to unnecessary risk. Representative systems and processes include:

  • Sempra’s audit services department reports its key findings directly to the Audit Committee of Sempra’s board of directors. In 2021, 68% of its 91 audits were linked to Sempra’s top ten identified enterprise risks.
  • Environmental management systems are in place across our operations. The Environmental and Safety Compliance Management Program, used at Sempra California, helps ensure compliance with environmental and safety laws and regulations and company standards. ISO-14001 is utilized at Sempra Infrastructure’s primary facilities in Mexico.
  • Business resumption plans outline how to recover and resume operations following a natural or human-caused disaster or other unforeseen disruption.
  • A lobbying activity tracking system helps us manage political activity and meet local, state and federal political reporting requirements.
  • A Continuous Monitoring System supplements our anti-corruption and anti-bribery training and policies and tracks our third parties with government interaction. No incidents of corruption or bribery were identified in 2021.


As an energy infrastructure company responsible for the delivery of energy to millions of customers, Sempra understands the important role that robust cybersecurity practices play in delivering that energy in a safe and reliable manner. In addition to the nearly 40 million consumers we serve, our companies’ service territories include one of the nation’s busiest ports, some of the largest cities and critical military bases, as well as countless defense contractors and small businesses.

Over the past several years, adversaries have deployed an increasingly sophisticated set of tools and strategies to conduct cybersecurity attacks on the energy sector. These include advanced malware, complex phishing attacks, identification of non-public vulnerabilities and ransomware, among others. Sempra has robust management systems in place to help protect company and customer information from cyberattacks. Our board of directors maintains oversight over cybersecurity issues, while our director of cybersecurity risk and compliance is responsible for overseeing implementation of cybersecurity policies and programs across Sempra and its companies. A dedicated cybersecurity team leads the development, delivery and maintenance of a cybersecurity program designed to prevent or reduce the impact to the company from unauthorized use, disclosure, modification, damage or loss of Sempra’s information, assets and supporting infrastructure.

Cybersecurity risks can impact the company in a number of ways:

  • Disruption of energy flow systems
  • Data corruption or unavailability
  • Theft or destruction of systems/data
  • Exposure of sensitive company and/or customer data
  • Compliance and regulatory impact
  • Reputational impact
  • Loss of revenue

To mitigate these risks, we utilize an extensive system of rigorous security protocols, including perimeter defenses, internal defenses, sensitive data protections, operational technology cybersecurity protections and obsolete information technology infrastructure and application replacement.

We rely on federal, state and local government partnerships for intelligence feeds, along with peer utility industry relationships and private services for industrial control systems cybersecurity threat intelligence. We also obtain cybersecurity threat intelligence from sources such as Information Sharing and Analysis Centers, the Federal Bureau of Investigation, the Federal Energy Regulatory Commission, the Department of Energy, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, the Transportation Security Administration and various U.S. intelligence community agencies.

Sempra’s dedicated cybersecurity team offers cybersecurity-focused communications and town hall meetings, an advocacy program, anti-phishing campaigns and other monitoring and reporting tools to help protect the company’s information assets. The team also participates in department staff meetings, safety stand-downs and safety congresses to provide training on cybersecurity issues. Our employees know they have a major role to play in protecting company information and pledge annually to be aware of cybersecurity issues and abide by the company’s cybersecurity guidelines. Security events identified by employees are escalated through notification to Sempra’s information security operations center. This process is advertised and communicated through internal cybersecurity communications and events.
