Read more about Suncor's rigorous enterprise risk management program

Suncor is helping create well-paying jobs, promote economic growth in Canada and provide governments and suppliers with valuable revenues.

Managing enterprise risk

To drive consistent outcomes that are expected by our stakeholders, we must constantly identify, assess, treat and monitor risks inherent to our assets, activities and operations. Some of these risks are common to operations in the oil and gas industry as a whole, while some are unique to Suncor. Suncor’s Risk Management Policy drives a culture of being:

  • Proactive: we do the right thing by identifying and managing risks in advance.
  • Transparent: we foster a culture that is open and honest about our risks. We actively provide and seek out information so we can make better decisions.
  • Consistent: we take a disciplined approach to achieve excellence in risk management. We do the right thing the right way.

Our rigorous enterprise risk management program engages all levels of the corporation – from the Board of Directors and Audit Committee, which are responsible for oversight of our principal risks and ensuring there are systems in place to manage their impact, to individual business units and functions, which regularly identify, mitigate and report on critical risks in their areas of business.

Colin Foley, vice-president, enterprise risk and audit, notes that proactive risk conversations, at all levels of the organization, have been driving a culture of risk transparency and clear accountability. “These important conversations are leading to informed, risk-based decision-making across the company, helping us to achieve more predictable outcomes.”

Risk matrix tool

Once identified, risks are assessed and evaluated in terms of magnitude of impact and likelihood by using an internal risk matrix tool. A single risk matrix tool allows employees to consistently assess risks and evaluate the consequence and likelihood of risk events. The consequence is based on the following five receptors on the risk matrix:

  1. health and safety (to the public and employees)
  2. environmental
  3. regulatory
  4. reputation
  5. financial impact

Each risk is assigned a risk owner, who develops a plan to treat and monitor it. Risk owners also report up the organization to the people accountable and responsible for the risks to ensure decisions are being made at the appropriate leadership level. Follow-up measures are in place to ensure risk management decisions are properly and effectively implemented and monitored.

Identifying principal risks

We define principal risks as those that have the potential to materially impact our ability to meet or support Suncor’s business strategy.

In 2016, we focused on eight principal risks:

  1. Commodity price: fluctuations due to market dynamics that affect our profitability.
  2. Government/Regulatory Policy and Effectiveness: changes relating to air, water, land, climate change or health regulations or to tax and royalty structures that materially affect us and our competitive position, or delays or denials of approvals that could disrupt or stop core operations, projects and Suncor’s growth strategy – ultimately resulting in financial penalties or lost opportunity.
  3. Major Operational Incident (Safety, Environmental and Reliability): significant or catastrophic incident that causes potential harm to people or the environment or threat to our operations, or an asset failure affecting profitability and/or stakeholder confidence.
  4. Carbon Risk: broad shifts in public policy, breakthrough technology and societal attitudes have led to governments in Canada and around the world adopting ambitious emissions reductions targets and supporting legislation. This includes measures relating to carbon pricing, clean energy and fuels standards, and alternative energy incentives and mandates, which could impact profitability and/or Suncor’s reputation.
  5. Market access: macro-economic and political conditions that affect the ability to maintain or increase access to markets.
  6. Information security: the pace of technology advancement and sophistication could leave us vulnerable to cyberattack and penetration of our information systems, which could lead to economic loss and brand damage.
  7. Project execution: inability of a project to meet business requirements, achieve expected benefits or realize optimal life-cycle costs.
  8. Change capacity: concurrent demand to deliver operational excellence and growth activities exceeds our capacity to adopt and implement change.

All principal risks must be reported annually to the Board of Directors and Audit Committee. Reporting includes details on what’s being done to address these risks, how the risks are being monitored and any changes in the risk profile.

Evolving risks

In the constantly evolving energy business, new risks can emerge and established risks can take on new forms or orders of magnitude. In late 2016, we changed the Fossil Fuel Industry Reputation principal risk to the Carbon Risk principal risk. We also consolidated two of our principal risks: Cost Pressure was consolidated into the Commodity Price principal risk, and the Operational Outage and Major Safety Environmental Incident principal risks were consolidated into the Major Operational Incident (Safety, Environmental and Reliability) principal risk.