Mining activities have the potential to adversely impact people, host communities and the environment, which in turn impacts our reputation and license to operate. Effectively identifying and managing our material risks and capitalizing on opportunities are central to our strategy and our ability to deliver shared value to all our stakeholders.
We developed a Risk Management Standard to guide and manage our broad risk profile in order to minimize exposures across the organization and optimize activities to protect stakeholder value. This standard requires all operating regions and functions – during all phases of the mine lifecycle – to use a common risk assessment framework based on the International Standard for Risk Management (ISO 31000). This six-step framework helps create informed decisions on risk treatment options that directly impact the bottom line.
- Establish the context – Identify factors to be assessed and understand the scope, schedule, stakeholders and deliverables that must be completed ahead of assessing the risk.
- Identify the risk – Define the source of potential exposure.
- Analyze the risk – Capture all pertinent details to ensure the potential impacts of each risk are accurately understood and prioritized.
- Evaluate and treat the risk – Determine which risks are potentially most impactful; rank and develop plans to avoid, transfer, mitigate or accept risks.
- Monitor and review – Effectively monitor plans and make course adjustments as necessary.
- Communicate and consult – Flow significant information through each level of the Company horizontally (e.g., across and within regions and sites) and vertically (e.g., from regional function to corporate function) to drive well-informed decision making.
Management reports are completed for all formal risk assessments, and each region and corporate function must maintain corresponding risk registers. Risk reviews, including layered audits of critical control management plans (CCMP), are conducted at least annually, with significant risks reviewed with the executive leadership team and Board of Directors quarterly, or more frequently as required depending on potential internal and external influences upon the risk.
A key element of risk identification is our country risk program, which guides our approach to understanding and managing the top economic, political – including risks related to corruption – social, environmental, infrastructure and security risks in the countries that are important to our business. After countries are identified and ranked, country strategies are developed to provide a baseline from which to track and manage the identified risks.
When significant events or issues require a crisis or emergency response, Newmont’s Rapid Response system ensures quick activation of the plans, people and resources required to respond, and engagement with all relevant stakeholders such as communities and first responders. The system features common language, processes and clear accountabilities to support an effective and coordinated response at the local, regional and global levels. Every team must conduct annual training as well as drills and simulations to ensure a state of readiness in the event of a major incident.
Our Enterprise Risk Management (ERM) process provides Newmont’s executive leadership team (ELT) and Board of Directors quarterly updates on the top risks facing the Company, as well as details of the corresponding management plans. Top risks are categorized as either Tactical (anticipated risk horizon of one to three years) or Strategic (anticipated risk horizon of three-plus years), with risk ownership assigned to the appropriate region and/or function within the Company.
In 2015, we updated our Risk Management Standard to further improve data integrity, communication of risk information and the effectiveness of our risk analysis techniques. Implementation of the standard, and the associated global standard operating procedures (SOP) describing the process by which risk, associated control strategies and actions are managed, is expected in 2016.
The updated standard and SOPs are part of the overall Integrated Management System (IMS) project. The IMS aims to improve risk management and drive consistent risk management communications by streamlining information related to employee health and safety, security, environment and community relations, based upon risk analysis within these functions. Human rights considerations are integrated into the global risk management process as well as our tools for stakeholder relationship management.
In 2015, we updated our country risk model to better evaluate mining sector risk for ongoing operations and potential investments, and implemented a new Country Entry Standard to establish minimum requirements prior to initiating exploration or merger and acquisition (M&A) activity in countries where we have not had a presence in the past three years.
For health and safety risks, we developed critical control management plans (CCMP) during the year and initiated a catastrophic risk review process that will identify fatality risks in the business.
With cyber security risks growing – among the top 10 according to EY’s latest report on business risks facing the mining industry – Newmont commissioned a comprehensive security assessment to benchmark our program against best practice. Based on findings, we developed an action plan to better prepare people and the business for potential breaches, and continue to enhance our security controls across the entire Company.
More detailed information about risks considered most material to our business is included throughout this report. In addition, a list of our significant risks can be found in our 2015 10-K report beginning on page 12.
Implementation of the IMS is a multi-year, multi-phased project. Phase one – which is focused on the development and implementation of standards, SOPs and guidance documents – is expected to be complete by mid-2016. The remaining phases will focus on transitioning regions and functions to the IMS platform and continuous improvement.
Other priorities include conducting a review of catastrophic health and safety risks in early 2016, and monitoring and managing escalating or evolving risks through our enterprise risk management (ERM) process. These include environmental risks at legacy sites; expropriation; community support of operational expansions; long-term human capital requirements; security vulnerability assessments; and cyber security threats.
In 2016, our efforts to mitigate and manage cyber security risks will include:
- Governance – improving responsibility and accountability through a new security steering committee and updated standards and procedures;
- Security awareness and training – increasing awareness company-wide and conducting specialized training for key roles;
- Security engineering – enhancing our technical security infrastructure with additional controls and features to improve our effectiveness; and
- Vulnerability and threat management – improving our ability to identify cyber security risks and effectively respond to and recover from significant cyber security events.