The document discusses risk management, critical controls, and auditing. It shares perspectives on how these elements play an essential role in operational excellence. Specifically: - Risk management and auditing critical controls help organizations understand their risks and opportunities, processes, compliance status, and focus on continual learning and improvement. - Many operational losses are preventable but organizations often see repeat issues because they don't adequately learn from history or identify and address risks. - Successful organizations go beyond compliance to understand their full risk profile, empower employees, and focus on eliminating waste and improving quality, energy efficiency, and safety through robust management systems and frequent auditing.

1. THE LINK BETWEEN RISK MANAGEMENT,
CRITICAL CONTROLS & AUDITING

2. John Wolfe
Partner
Kim Chanel Vallée-Séguin
Communications Manager

3. Webinar Objectives
✓ To share knowledge and perspectives about
operationally excellent management systems and the
essential role that risk management and auditing
critical controls play in operational excellence
✓ To share the Nimonik passion for developing a
compliance plus culture

4. 60% of all operational losses result
from preventable causes
80%of incidences are repeat issues
25-30%of an organization’s costs this year
will be wasted fixing the same issues
*Source: Peter Merrill – Do it Right the Second Time
Operational Risk Management and Audit – A Safety Moment

5. 5
“Those who don't know history are destined to repeat it.”
- Edmund Burke
“You cannot find what you do not seek”
- St. Paul
A Few Wise Words

6. In my experience the organizations with robust integrated ISO
9001, ISO 14001 – OHSAS 18000 HSEQ management programs
that also employ Six Sigma Lean management programs
are the most successful. Why?
They go beyond simple regulatory compliance
✓ They understand their risks and opportunities
✓ They understand their processes
✓ They have simple up-to-date procedures that they follow,
they have competent staff and contractors, the right metrics
✓ They empower their people
✓ They focus initially on HSE bad actors, waste, first time quality,
energy efficiency – building a base for continual learning and
improvement
✓ They audit – a lot

7. Management System Framework
1. Leadership, Integrity & Accountability
2. Risk Identification, Assessment &
Management
3. Legal Requirements & Commitments
4. Objectives, Targets and Planning
5. Management of Change
6. Structure, Responsibility & Resources
7. Training & Competence
8. Facilities Design & Construction
9. Operations & Maintenance Controls
10.Contractor Management & Third Party
Services
11.Data & Document Management
12.Emergency Preparedness & Response
13.Information & Communication Management
14. Quality Assurance
15. Incident Reporting, Investigation & Learning
16. Operations Integrity Monitoring, Audit & Assessment
17. Corrective & Preventative Action
18. Stewardship &
Management Review
PLAN
ACT
CHECK
DO

8. Regulatory Compliance
• Create a Legal Registry that identifies all your legal and
other requirements
• Create processes (including audits) to verify compliance
status
• At a minimum - operate within compliance requirements
• Have a compliance plus philosophy where it adds value
and a robust risk management process

9. Sample – Legal Registry
Tracking Location Permit Description Dates Documents & Filing Compliance Turnover
Approval
Registry
Number
Approval
Type
Priori
ty /
Tier
Project
Area Plant
Sub-
Plant
System /
Tag Number
Legal Land
Description
Approval
Issuer
Approval
Name / Title Description
Person
Responsible
to Obtain
Approval
Activity
for which
Approval
is
Required
Forecast /
Actual
Date to
Submit
Appl'n
Appova
l Turn
Around
Time
(days)
Forecast
Date
Approval
Required
Actual
Date
Approval
Received
Permanent
/
Temporary
(expiry
date)
Renewa
l
Require
d (Y/N)
Operating
Controls
(reference
documents)
Oil Sands
Legal
Registry
(hyperlink)
Approval
Application
(hyperlink
to Livelink)
Approval
Number and
Hyperlink to
Livelink
Compliance
Document
(descriptor, or
hyperlink to
Livelink)
MPG Compliance
Status
Ultimate
Approval
Owner Notes
At a minimum:
✓ What is the requirement?
✓ How, why and where is it applicable in your operations?
✓ Who is responsible for demonstrating compliance?
✓ What evidence do you have?
✓ If monitoring and reporting are required - who looks after it and
at what frequency
Lots of good examples – Suncor had 30 plus data fields

10. The Risk Management Framework
Communicate & Train
Communication
Reporting
Training
Communicate & Train
Communication
Reporting
Training
Risk Structure &
Accountability
Risk Roles & Responsibilities:
Executive Leadership Team
Chief Risk Officer
Business & Function Leaders &
Management
Risk Structure &
Accountability
Risk Roles & Responsibilities:
Executive Leadership Team
Chief Risk Officer
Business & Function Leaders &
Management
Mandate & Commitment
Policy
Standards
Procedures/Guidelines
Mandate & Commitment
Policy
Standards
Procedures/Guidelines
Measure, Review & Improve
Control Assurance
Policy
Standards & Guidelines
KPI’s
KRI’s
Measure, Review & Improve
Control Assurance
Policy
Standards & Guidelines
KPI’s
KRI’s
CommunicateandconsultCommunicateandconsult
Establish the contextEstablish the context
Identify risksIdentify risks
Analyze risksAnalyze risks
Evaluate risksEvaluate risks
Treat risksTreat risks
Risk management information to action
- Risk Assurance - Risk Registers
- Treatment Plan - Reporting Templates
MonitorandreviewMonitorandreviewStrategic Process
(Framework continuous
improvement cycle)
Strategic Process
(Framework Implementation)
Strategic Process
(Framework Implementation)
Strategic Process
(Framework continuous
improvement cycle)
Tactical Process
Risk assessment
Process for Managing Risk
1.
2.
2a.
2b.
2c.
3.
4.
5.
Figure 1. Risk Management Framework
IV.
I. II.
V. III.
Risk Management Framework --Adapted from CAN/CSA –ISO 31000–Q31001-11

11. Risk and Decision Making
The concept of risk includes five components:
1. Hazard inherent in an activity otherwise deemed
beneficial
2. An undesirable event, which brings out the hazard
3. Adverse consequence of the undesirable event
4. Uncertainty of whether the undesirable event will
happen or not (likelihood/ probability/ frequency)
5. Perception about the combination of the above

12. Definition of Risk
Issues/
“Hazards”
Undesirable
event
Consequences
Risk
Likelihood of
Consequences
Layers of
Protection -
Prevention
Layers of
Protection -
Mitigation
Causes

13. 13
L ik e lih o o d C a te g o ry - F re q u e nc y
G u id e lin e s (B u sin e ss U n it B a sis)
D e sc rip tio n
f > = 1 /y r
O c c u rs o n c e o r m o re p e r y e a r in B U /
fa c ility / p ro je c t, a n d is lik e ly to re c c u r
w ith in o n e y e a r
6 III II I I I I
0 .1 = < f < 1 /y r
(b e tw e e n 1 /y r a n d 1 /1 0 y e a rs )
E x p e c te d to o c c u r s e ve ra l tim e s in th e
B U /fa c ility /p ro je c t life tim e 5 III III II I I I
0 .0 1 = < f < 0 .1 /y e a r
(b e tw e e n 1 /1 0 a n d 1 /1 0 0 y e a rs )
E x p e c te d to o c c u r in th e B U /fa c ility /p ro je c t
life tim e 4 IV III III II I I
0 .0 0 1 = < f < 0 .0 1 /y e a r
(b e tw e e n 1 /1 0 0 a n d 1 /1 ,0 0 0 y e a rs )
M a y h a p p e n le s s th a n o n c e d u rin g th e
B U /fa c ility /p ro je c t life tim e 3 IV IV III III II I
0 .0 0 0 1 = < f < 0 .0 0 1 /y e a r
(b e tw e e n 1 /1 ,0 0 0 a n d 1 /1 0 ,0 0 0 y e ars )
*R e m o te c h a n c e o f h a p p e n in g *2 IV IV IV III III II
f < 0 .0 0 0 1 /y e a r
(le s s th a n 1 /1 0 ,0 0 0 y e a rs )
*E x tre m e ly re m o te c h a n c e o f h a p p e n in g *1 IV IV IV IV III III
*N o te : L ik e lih o o d c a te g o rie s 1 & 2 a re
ty p ic a lly fo r fa c ility d e s ig n p u rp o s e s C 1 C 2 C 3 C 4 C 5 C 6
Social
In c id e n t - n o
Tre a tm e n t
F irs t a id / m in o r
illn e s s
M e d ic a l a id , in ju ry
o r illn e s s /
re s tric te d w o rk /
N u is a n c e p u b lic
im p a c t
T e m p o ra ry
d is ab ility/ lo s t tim e /
P e rm a n e n t
d is a b ility/ fa ta lity/
M u ltip le o n -
s ite fa ta litie s /
Environmental
R e le a s e to o n -s ite
e n viro n m e n t,
c o n ta in e d
im m e d ia te ly
S m a ll u n c o n ta in e d
re le a s e b e lo w le g a l
lim it o r w ith m in o r
im p a c ts / p o s s ib le
c u m u la tive im p a c t
o n -s ite
M in o r
e n viro n m e n ta l
im p a c t, b u t re s u lt in
p e rm it vio la tio n o r
a d m in is tra tive
p e n a ltie s
S ig nific a n t a d ve rs e
im p ac t, s ig n ific a n t
lo n g-te rm lia b ility,
e n forc e m e n t a c tio n
C a ta s tro p h ic
im p a c t, m a te ria l
(c o rp o ra te ) lo n g -
te rm lia b ility
Economic
C < $ 1 0 k $ 1 0 k = < C < $ 1 0 0 k $ 1 0 0 k = < C < $ 1 M $ 1 M = < C < $ 1 0 M $ 1 0 M = < C <
$ 1 0 0 M
C > $ 1 0 0 M
Social
In d ivid u a l c o n c e rn /
lo c a l m e d ia
a tte n tio n / n o im p a c t
o n S u n c o r's
re p u ta tio n
C o m m u n ity
c o n c e rn / re g io n a l
n e w s / a d ve rs e
im p a c t o n S u n c o r's
re p u ta tio n a t
re g io n a l le ve l
P ro vin c ia l n e w s /
a d ve rs e im p a c t o n
S u n c o r's re p u ta tio n
a t p ro vin c ia l/ s ta te
le ve l
N a tion a l n e w s /
p u b lic o u tra g e /
s h o rt-te rm d ro p in
m a rke t s h a re a n d
s h a re p ric e
R e c u rrin g n a tio n a l
a tte n tio n / p u n itive
a c tio n b y
g o ve rn m e n t
a g a in s t c o m p a n y/
lo n g -te rm m a jo r
im p a c t o n m a rk e t
s h a re a n d s h a re
p ric e
F in a n c ia l /
D a m a g e
(E q u ip m e n t +
B u sin e ss
In te rru p tio n )
(B u sin e ss U n it/
C lie n ts)
H e a lth & S a fe ty
(P u b lic a n d
E m p lo y e e s)
In c r e a s in g C o n s e q ue n c e
LikelihoodCategory
R e p u ta tio n
(P o litic a l/
R e g u la to ry )
IncreasingLikelihood
C o n s e q u e n c e C ate g o ry
E n v iro n m e n ta l
Action Priorities
Residual Risk Level Action Priority
I
II
III
IV Employees and contractors are aware of the risk, and follow established procedures
Responsible EVP & CEO to be made aware of risk, along with mitigation and risk reduction plans
Business Unit EVP is responsible to obtain approval from CEO for continued operation
Responsible VP ensures preventive controls and mitigation plans are established and maintained, and risks are re-assessed at appropriate intervals
Operations management monitors the risk, ensures preventive controls and mitigation plans are functioning and procedures are followed
Suncor Risk Matrix

14. • A Risk Map thus provides a means of ranking the risk of events
relative to each other and also providing guidance for action levels
III II I I I I
III III II I I I
IV III III II I I
IV IV III III II I
IV IV IV III III II
IV IV IV IV III III
Consequence C
LikelihoodL
Individual Event Types
• For different events that we identify through a risk analysis, once
we also know their consequence C and likelihood L, we can
plot them on a graph
Presentation of Risk - Risk Maps

15. Integrated Risk Analysis Methods
Hazard Identification Methods
• Brainstorming
• Field Level Risk Assessment
• Job Safety Analysis/ Task Analysis
• What-if
• HAZOP
• FMEA

16. Bow-Tie Risk Analysis
RISK
EVENT
Preventive
controls
Reactive
controls
Causes
Causes
Causes
Consequence
Helping to ensure that risks are managed rather
than just analyzed
Consequence
Consequence
Preventive
controls
Reactive
controls

17. THREATS
PREVENTIVE CONTROLS
Governance and Oversight
•Policies and procedures
•Delegation of authorities
•Functional segregation of duties
•Continuous Improvement
mindset
Approval of Vessels
•Marine technical expertise and
experience
•Marine Risk Management System
(IT tool)
•Consistent vetting process and
rules
•Vessel Acceptance Report
issuance
•Document administration
Tools and Processes
•AQUARIUS IT tool data
management
•Cargo handling instructions
•Loss Control
•IT general controls (disaster
recovery, backup of AQUARIUS,
internally hosted)
•vessel tracking
-Capturing of contract terms
Compliance and Benchmarking
•Meet applicable legal
requirements
•Consistent with best industry
practice
•Compliance with company X
Vessel Selection Criteria
Information Technology
Management
•Marine Risk Management
System (MRMS) IT tool
•MRMS data and
documentation retention
Financial Management
•Volume actualization
•Logistic settlement
•Counter-party / broker
settlement
•Exchange settlement
•Invoice management
(include netting)
•A/R and A/P management
•Demurrage and cargo claims
•Loss control
•Tariff validation
CONSEQUENCES
RECOVERY CONTROLS
MARINE TRANSPORTATION
Reputational
• Public outcry from Oil Spill
• Investor confidence/Share price
(shareholders)
Operational
• Crude supply to refineries affected
Financial
• Cost of Cleanup
• Insurance Deficiency
• Impact from Refinery shut- down
Legal and Regulatory
• Fines and sanctions
• Lawsuits
• Prosecution of Executives
Strategic
• SEMI Growth Objectives
• Impact on other major initiatives
due to residual reputational
damage
Strategic
-Misalignment with current and future
company strategy and risk tolerance
People
•Skills/experience of staff
•Workforce demographics
Roles & Responsibilities
•Marine accountability for
transportation vs. contractual
agreement made by operating groups
Environmental and Reputational
•Operating business units non-
compliance
•Employment of sub-standard
vessels
•Engagement of unapproved vendors
•Geographic operating environment
•Inadequate insurance coverage
•Public Perception –
•Readiness to respond to a major
event
•Increasing Environmental
consciousness
Assets
•Use of Aging Fleets/infrastructure
Commercial
•Commercial needs are not aligned
with company’s risk tolerance
•Inadequate insurance coverage
•Structured deals
•High cargo volumes
•High dollar values
•Freight market volatility
•Cargo quality and Loss Control
Unsafe (release of
Petroleum Product
in Waterway) or
non-compliant
transportation
activity
Core Business Objectives:
1.Safe, efficient, regulatory compliant movement of crude and products
transportation on water)
Who is the Client:
Marine Transportation, other stakeholders involved in or supporting
marine transportation activities.Risk Analysis
Financial
•Commercial and market expertise
• competitive commercial
advantage
•Centralized market knowledge
•Cost controls (GOA/CA limits)
Risk Management
•Major Emergency Team
process
•Marine Dept people and
processes
•Corporate Public Relations
process
•Internal and External Legal
support
•Corporate Charterers
Liability Insurance
▲No material findingsGrayed out: excluded from scope
based on planning meetings
◄ Process improvement or
increased formalization
▼ Gap or control failure
warranting attention
Key:
II
II
II
III
III
III
III
III
I
I
I
Current State Future State Current State Future State
Governance and Oversight
•Marine policy should be a
company X PG&S
•Identify all stakeholders
•Marine policy improved by
appropriate level of company
X executive management
•Appropriate individual
responsible for updating and
maintenance of policy
•Formalized process for
communicating Marine policy
Marine Department
Procedures
•Formalized procedures
should be documented
Tools and Processes
•AQUARIUS / MRMS systems
should be documented
•Formal documented
guidance provided to users
East Coast
•Formalized communication
channels with Marine
department
•Update East Coast Marine
procedures
•Compliance to policy
•SCM Logistics group
interaction with marine group
BC Terminal
•Formalized communication
channels with Marine
department
•Use of TSW
RR
RL= Risk Level
RR= Residual Risk
RL
I
I
II
I
I
II
II
II
I
II
II
Emergency Response
Procedures
•EH&S and Terminal spill
procedures
•Spill reporting/control
procedures

18. SIGNIFICANTRISK
RECOVERY MEASURES
Unplanned
Event
Emergency
Condition
CONSEQUENCES
RiskAssessmentElement2ProcessHazardAnalysis
Managementof
Changes
CompetencyProgram
EngineeringControlsStandard,Procedure,
Guideline
ContractorSelectionContractorPerformance
StakeholderConcerns
ComplianceTasks
LessonsLearned
EmergencyResponse
IncidentInvestigationRootCauseAnalysis
GoalsandTargets
ManagementofChange
RiskAssessment
DecisionMakingAuthority
PMPrograms
HazardReportingNearMisses
Trending&Analysis
Element3
Element4
BusinessPlans
Element5
Element6
Element7
Element9
Element10
Element12
Element13
EmergencyPlans
Element15
Element12
Element15
Element17
Element5
Element12
PREVENTIVE BARRIERS
OEMS
Risk and Control based audits will audit both preventative and recovery
control adequacy and effectiveness using OEMS criteria

19. End Result of a Risk Assessment
• “Risk Inventory” or “Risk Registry”
• Risk assessments are “integrated” risk
assessment
• Risk assessment worksheet to record the
results in summary form.

20. HAZOP worksheet in Stature

21. 21

22. Hazard Controls
Last resort
Personal Protective Equipment (PPE):
the least effective way to protect workers.
If the PPE fails, the workers are exposed
to the hazard.
Engineering Controls:
Separate: Isolate the hazard by guarding or enclosing
Redesign: Change a process or reconfigure equipment
Substitute: Replace materials or processes
Administrative:
changing the way workers do their jobs,
changing policies and procedures for safe
work practices, training, etc.
M
osteffective
to
leasteffective
The Hierarchy of Hazard Controls
Control of hazards starts at the top and works down with PPE being the last line of defense.
Figure 1: The Hierarchy of Controls: a method for determining appropriate Operational Controls.
Eliminate the hazard:
Completely remove the hazard

23. Cost/Benefit Analysis

25. Dynamics of an Incident
System 1
System 2
System 3
System 4
System 5
System 6
System 7
“Hardware” Defenses
- Process design
- Plant layout
- Protection systems
“Software” Defenses
- Procedures
- Audits
- Management systems
“Liveware” Defenses
- Safety culture
- Motivation
- Alertness
Unusual conditions
Latent failures in systems
Incident

26. Deepwater Horizon

27. Incident and KPI Analysis
Major Operational Risks
and Control Review
Strategy and Values -
Emerging EHS and PS Risks
OEMS Self Assessments &
Audits
Coverage - Prior Audits &
Assessments
Audit and Assessment Planning
Audit Scope Value Proposition

28. Management
Consultations
Principal Risks
Suncor Strategy &
Value Drivers
Audit Plan
Idea Generation
& Project Scoping
Coverage Over Time
Resourcing
Risk, Value, OEMS Alignment
Prioritization
& Selection
Prior Audit Insights External Risks
• 5 Year Audit Plan Established
• Process Audit Approach
OEMS Audits – Non Hazardous
Operations / Functions
• Embedded into OEMS Process
Audits
• Process Hazard Analysis
• Mechanical Integrity
• Quality Assurance
OEMS Audits – Hazardous
Operations • Annual Determination of Targets
• Significant Risks / Key Controls
• Environmental
• Safety (Personnel and Process)
• Emerging Risks
• Business Process Effectiveness
• Compliance
Risk- Based Audits
Planning Process
In-Year High Risk
Requests
Process Improvement Project
GRC implementation
Continuous Improvement

29. Audit Area Description
Proposed
Timing
ENTERPRISE ASSESSMENTS (Potential impact based on Scope of Audit)
Facility Siting Organizational assessment of conformance to the company X 2110 Standard on Facility Siting requirements.
Review of status of studies, API and SU 2110 requirements, reporting, risk management, mitigative actions
and budgeting
TBD
Risk Transparency Risk Transparency / Efficacy of Ranking & Reporting
RRI and RRII identification, assessment, monitoring and reporting requirements. company X Standards and
Process support effective risk transparency and governance of high risk exposures identified by the
organization. (Including and internal review of past incidents and risk ranking/reporting)
TBD
Pipeline Integrity
Non-Regulated Lines
Process Pipelines Compliance, Conformance to Standards and Risk Management
Assessment of compliance against regulatory requirements and conformance against related corporate
standards.
TBD
(Western Canada)
Decommissioned
Equipment
Operational excellence; policies, standards, procedure review of decommissioned equipment processes
utilized throughout the organization.
TBD
Contaminated Sites
Liability
Compliance, Conformance and Risk Management
Assessment of compliance against regulatory requirements and conformance against related corporate
standards.
TBD
Capital Allocation Process
(Joint with IA)
Capital Allocation and Risk Management
Assessment of current capital allocation process and risk management/mitigation of projects identified by
the business to mitigate RRI and RRII items.
TBD
Critical Equipment Back-
up
Critical Equipment and Exposure to Significant Operational Outages
Targeting of assets that if taken offline (e.g. external threat / incident) could lead to a significant operational
outage. How exposed are we on certain systems and what security exists to protect identified critical assets.
TBD
Contractor Management
TBD
Risk Management
Process design effectiveness review to mitigate company X Contractor Management risks. Scope to be
determine with IA.
TBD
Audit Plan - Summary

30. Auditing of Critical Controls
• Minimize impact on operations because of limited resources
• Focus on efficacy
• Start with Level 1 inherent risk

31. Auditing of Critical Controls
• All audit programs have limited resources, and need to
minimize their impact on operations
• It is therefore important to focus efforts on providing
assurance that the controls used to prevent incidents
with the highest consequences are operating with
efficacy
• I suggest you start with your level I inherent risk
controls and work your way down the food chain –
recognizing that the front line risk and control owner
have the ultimate responsibility and in an ideal world
should already have said data and you are simply
confirming it
31