Like any responsible business, we must constantly identify, assess, treat and monitor risks inherent to our assets, activities and operations. Suncor’s Risk Management Policy drives a culture of being:
- Proactive – we do the right thing by identifying and managing risks in advance.
- Transparent – we foster a culture that is open and honest about our risks. We actively provide and seek out information so we can make better decisions.
- Consistent – we take a disciplined approach to achieve excellence in risk management. We do the right thing the right way.
Our rigorous enterprise risk management process engages all levels of the corporation — from the Board of Directors and Audit Committee, which are responsible for oversight of our principal risks and ensuring there are systems in place to manage their impact, to individual business units and functions, which regularly identify, review and report on critical risks in their areas of business.
Risk matrix tool
Once identified, risks are assessed and evaluated in terms of magnitude of impact and likelihood by using an internal risk matrix tool. Each risk is assigned a risk owner, who develops a plan to treat and monitor the risk. The risk owner also reports up the organization to the people accountable and responsible for the risk, to ensure decisions are being made at the appropriate leadership level. Follow-up measures are in place to ensure risk management decisions are properly and effectively implemented.
Identifying principal risks
We define principal risks as those that have the potential to materially impact our ability to meet or support Suncor’s business strategy.
In 2015, we focused on 11 principal risks:
- Commodity price: fluctuations due to market dynamics that affect our profitability
- Government policy impact: changes relating to air, water, land, climate change or health regulations or to tax and royalty structures that materially affect us and our competitive position
- Reliability: significant or catastrophic asset failure affecting profitability and/or stakeholder confidence
- Environmental/safety: one that causes potential harm to people or the environment or a threat to our operations
- Regulatory approval and compliance: delays or denials of approvals or non-compliance that could disrupt or stop core operations, projects and Suncor’s growth strategy, resulting in financial penalties or lost opportunity
- Project execution: inability of a project to meet business requirements, achieve expected benefits or realize optimal life cycle costs
- Fossil fuel industry reputation: inability to meet corporate social responsibilities or a significant event that jeopardizes company goodwill that ultimately impacts our ability to execute our business strategy
- Change capacity: concurrent demand to deliver operational excellence and growth activities exceeds our capacity to adopt and implement change
- Cost pressure: escalating operating costs and/or major project capital costs as well as impact from commodity price could reduce cash flow and profitability
- Market access: macro-economic and political conditions that affect the ability to maintain or increase access to markets
- Information security: pace of technology advancement and sophistication could place us in a vulnerable position to cyberattack and penetration of our information systems that could lead to economic loss and brand damage
All principal risks must be reported annually to the Board of Directors and Audit Committee. Reporting includes details on what’s being done to address these risks, how the risks are being monitored and any changes in the risk profile.
In the constantly evolving energy business, new risks can emerge and established risks can take on new forms or orders of magnitude. In late 2015, we consolidated two of our principal risks: Government Policy – Impact and Regulatory Approval and Compliance were combined into the Government/Regulatory Policy and Effectiveness principal risk.
In 2015, our risk matrix was revised to help prioritize our top critical risks, clarify descriptions and provide clear and consistent accountability of risk ownership. The approved risk matrix is being rolled out across the company in 2016 and is used to support employees in consistently assessing risks and evaluating the consequence and likelihood of risk events. The consequence is based on the following five receptors on the risk matrix:
- health and safety (to the public and employees)
- financial impact
Colin Foley, vice-president enterprise risk and audit, notes that proactive risk conversations, at all levels of the organization, have been driving a culture of risk transparency and clear accountability. “These important conversations are leading to informed, risk-based decision-making across the company.”