Managing operational risk - Suncor's 2013 Report on Sustainability

Managing operational risk - Suncor's 2013 Report on Sustainability

Managing operational risk - Suncor's 2013 Report on Sustainability

Managing operational risk - Suncor's 2013 Report on Sustainability

View the latest Report on Sustainability

Managing operational risk

Like any responsible business, Suncor must constantly identify, assess, monitor and manage risks inherent to our assets, activities and operations.

We do so through a rigorous Enterprise Risk Management (ERM) process that engages all levels of the corporation — from the board of directors, which is responsible for oversight and disclosure of Suncor's principal risks, to our individual business units, which regularly identify, review and report on risks in their areas of business.

Once identified, risks are assessed and evaluated in terms of likelihood and magnitude of impact by using an internal risk matrix tool. A risk owner is assigned and that owner is responsible for developing a plan for addressing the risk. The options include eliminating, reducing, sharing or accepting the risk.

Follow-up measures are in place to ensure risk management decisions are properly and effectively implemented.

Principal risks

Suncor defines principal risks as ones that have "the potential to materially impact one of our businesses or functions to meet or support a Suncor objective."

In 2012, we focused on 12 principal risks. They were:

  • Commodity price (i.e., fluctuations due to market dynamics that affect Suncor's profitability)
  • Government policy impact (i.e., changes relating to air, water, land or health regulations or to tax and royalty structures that materially affect Suncor and its competitive position)
  • Operational outages (i.e., a significant or catastrophic asset failure affecting profitability and/or stakeholder confidence)
  • Major environmental safety incidents (i.e., ones causing harm to people or the environment or posing a threat to our operations)
  • Environment, health & safety (EHS) regulation non-compliance (i.e., being materially offside with EHS regulations, resulting in financial penalties or lost production)
  • Project execution (i.e., the inability of a project to meet business requirements or achieve expected benefits or optimal life cycle costs)
  • Corporate reputation (i.e., an inability to meet corporate social responsibilities or a significant event that jeopardizes company goodwill)
  • Permit approvals (i.e., any delay, denial and/or additional conditions that could affect project execution or disrupt core operations)
  • Skills and resource shortages (i.e., the inability to recruit, retain and logistically position skilled and qualified employees or contractors)
  • Change capacity (i.e., the concurrent demand to deliver operational excellence and growth activities poses potential risk in that these objectives may exceed Suncor's capacity to adopt and implement change)
  • Operating cost management (i.e., escalating operating costs and/or major project capital costs could reduce cash flow and profitability)
  • Partnership management (i.e., ineffective management of key partner relationships could lead to significant erosion in value to Suncor)

All principal risks must be reported up to the board of directors. Reporting includes details on what's being done to address these risks, how the risks are being monitored and any changes in the risk profile.

Evolving risks

In the constantly evolving energy business, new risks can emerge while established risks can take on new forms or orders of magnitude. For example, commodity price volatility (including price differentials between North American and global oil markets) has long been an acknowledged risk in our business. But over the past year, price differentials have been amplified, primarily due to pipeline constraints and the inability to efficiently bring products to market. As a result, Suncor has added market access to its list of principal risks.

Suncor's risk matrix tool was approved by the board of directors and is used to support Suncor employees in assessing risks and evaluating the likelihood and consequence of a risk event. The consequence of a risk is based on the following six receptors on the risk matrix:

  • health and safety (to the public and employees)
  • reputation (legal requirements and commitments)
  • regulatory
  • environmental consequences
  • economic consequences
  • project costs

Khurram Sheikh, manager, enterprise risk management, notes that the impact of social media focused the company's attention on the need to do more to factor in social risks.

Adds Sheikh: "If you look at our current risk matrix, there isn't a really good category for capturing social risks. As a result, guidance was provided to the organization on how to use the existing reputation receptors, which are based more on traditional media, to evaluate social risks. This is an example of Suncor recognizing that we may need to update or refine our tools and processes to analyze new risks as they emerge."