As a global mining company, we have a risk profile that is inherently broad and evolving, and effectively managing these risks is crucial to delivering on our strategy and achieving our purpose.
Our global Risk Management Standard and supporting risk management system procedure (MSP) detail the minimum requirements for managing our material risks across the business.
All operating regions and functions use a common risk assessment framework throughout the mine lifecycle based on the International Standard for Risk Management (ISO 31000:2009). This six-step framework helps create informed decisions on risk treatment options that directly impact the bottom line.
Our Enterprise Risk Management (ERM) process provides Newmont’s senior leaders and Board of Directors updates on the top risks facing the Company along with details of the risk assessments and corresponding management plans. These risks and plans are reviewed quarterly, or as needed, by an internal disclosure committee and annually with the full Board.
Augmenting our ERM process is Newmont’s systematic country risk program, which allows us to make investment and business decisions based on a uniform understanding of geopolitical risks in existing and new jurisdictions. Country strategies provide a baseline from which to track and manage the identified risks. Each tier 1 country (defined as a country where we have operations) has an executive leadership team sponsor, who conducts country risk reviews on an annual basis with the respective regional senior vice president to ensure that the socio-political risks have been identified and that appropriate risk management strategies are in place. An internal cross-functional Country Risk Council is responsible for reviewing and implementing the proprietary model that assesses country risks.
Our Integrated Management System (IMS) has established a common framework to support tracking and reporting our risk information in a company-wide risk register. This approach minimizes duplication and greatly improves our ability to prioritize and holistically understand, analyze and manage risks across the business.
The IMS risk register documents identified risks in support of the six-step framework outlined in our Risk Management Standard, with risk ownership assigned to the region and/or function within Newmont that has the most knowledge and experience of the risk. Management periodically reviews all risks classified as “significant” (i.e., those with a consequence level of 4 or 5) to determine whether additional risk analysis is required.
An effective risk management program helps ensure that we have identified credible event scenarios that could occur. In the event of a crisis or significant incident, Newmont’s Rapid Response system ensures timely activation of the plans, people and resources required to respond and engage with all relevant stakeholders. Teams at site, region and corporate use the system to support an effective and coordinated response at the local, regional and global levels. Every team must conduct annual training, as well as drills and simulations, to ensure a state of readiness.
We conducted a number of ongoing and regular risk assessments and reviews during the year.
One focus area was maturing our approach to information security management. We completed a third-party business impact assessment to align business continuity and IT disaster recovery plans to the business processes being protected. To enhance our cyber security prevention and detection capabilities, we also launched our global cyber security program.
Other actions taken to improve our ability to effectively manage the risks in our business include:
- As part of the annual review of our Risk Management Standard and MSP, we updated the standard and modified the MSP to clarify requirements for risks requiring a greater level of analysis and to align common definitions of risk.
- We developed a common understanding with senior leadership around risk appetite (i.e., the level of risk we are willing to tolerate) and held a session with our Board of Directors that focused on risk appetite and Newmont’s specific risk tolerances. We began to integrate the concept into key business processes including projects, value assurance and business planning.
- We completed implementation of the second phase of our IMS, which focused on the standards – including those related to legal requirements and voluntary commitments, records and document management, monitoring and measurement, and leadership and management review – that support the overall management and governance of the system.
More detailed information about the sustainability risks considered most material to our stakeholders and our business is included throughout this report. In addition, a list of our significant risk factors can be found in our 2017 10-K report, beginning on page 13.
One of Newmont’s key priorities in 2018 will be the implementation of the Supplier Risk Management (SRM) program, which will greatly improve our ability to identify and manage the risks and opportunities throughout our supply chain.
We will continue to innovate and mature our cyber security prevention and detection capabilities to address the constantly changing cyber security threat environment. Our focus will be on ensuring all three core elements of cyber security – people, processes and technology – are in place and effectively working together to address our cyber security risks. This includes evaluating our cyber security personnel, continuously assessing risks, and updating our processes, standards and advanced technologies to address current and emerging threats.
Our IMS will be fully implemented in 2018. Activities include completing the final set of standards related to planning, competency and awareness, communication and emergency management; integrating the SRM program into the IMS; and achieving global ISO 14001 umbrella certification, which is expected to reduce costs and drive a risk- and performance-based focus.
Work will continue on expanding our view for identifying and defining emerging risks. For example, mine closure and climate change are two risks we have identified as emerging, but this view can differ by site depending on experiences and stages in the mine lifecycle. We also will continue to strengthen our intelligence capabilities to better understand, anticipate and prepare for factors driving risks, such as artisanal and small-scale mining, increased expectations for benefit sharing, resource nationalism, and corruption.