Enterprise Risk Management

The nature of our business and the competitive environment in which we operate require some level of risk-taking in order to achieve our strategic objectives and create growth and shareholder value. The corporate Enterprise Risk Management (ERM) team has developed and implemented a company-specific operating framework in order to better protect and enhance shareholder value.

The primary focus of the ERM process is the identification and assessment of significant risks and the implementation of suitable risk responses. The process includes top-down and bottom-up risk identification and assessment from operations, projects, subject matter experts, management and functional leads; application of standardized risk assessment criteria in terms of likelihood and consequence; as well as development of risk treatment strategies.

On a quarterly basis, significant risk information from these and other sources is consolidated and reviewed by the Canada and Latin America Risk Committees, which involves an assessment and discussion of internal and external risks. Internal risks are identified primarily by operations management during the planning and forecasting process and also through risk workshops and SEMS audits. External risks emerging from environmental, social, political and economic issues where we operate are identified primarily through a country-level risk assessment process. However, some external risks, such as cyber-security, are identified through the ERM process. All risks are revisited and updated regularly to ensure that the previous risk assessment is still appropriate and the risk impact and likelihoods have not changed.

Significant risks are consolidated and reviewed with senior management and then reported to the Board on a quarterly basis.

The full Board is entrusted with the responsibility for overseeing the significant risks to which our business is exposed and ensuring that there are processes in place to effectively identify, monitor and manage them. A significant risk is one that, if it were to occur, could materially impact our ability to meet or support our business objectives.

The Board delegates responsibility for the execution of certain elements of risk oversight to Board committees to ensure appropriate expertise, attention and diligence. The committees oversee their relevant risk areas and report to the Board regularly. This oversight responsibility includes the procedures and programs implemented to mitigate risk, and the allocation of adequate resources to address risk. Management is responsible for ensuring that the Board and its committees are kept well informed of changing risks.

Several topic-specific risk initiatives were carried out in 2016, including:

  • Social risk assessments
  • Tailings risk assessments
  • Project risk assessments
  • Closed-site risk assessments
  • Information Technology risk assessment

Moving forward, we will streamline the collection and review of risks by restructuring the current quarterly review process and designing a new centralized risk-management tool. This new tool will provide sites with the ability to better manage their controls, monitor action items and reduce the time required to consolidate risk information.

| Risk Assessment | Number of sites assessed | Purpose of Assessment | Examples of Risk Identified |
| --- | --- | --- | --- |
| Social Risk Assessments | 4 | Identify and analyze potential events involving external stakeholders which could negatively impact us | Loss of enjoyment of property due to water quantity issues generates formal complaints/negative publicity, resulting in potential risks to community members |
| Tailings Risk Assessments | 10 | Identify and analyze conditions or events associated with our tailings facilities that could impact communities, the environment and/or the safety and health of our workforce | Uncontrolled process water discharge |
| Project Risk Assessments | 2 | Identify and analyze risks associated with projects that could negatively affect the project’s success or Goldcorp | Project will not fulfill the local expectation for employment opportunities |
| IT Risk Assessment | 1 | Identify and analyze IT and cyber security–related risks that could negatively affect us | Inappropriate or unauthorized access to critical technology assets and data |
| Closed-Site Risk Assessments | 37 | Identify, analyze and build an inventory of existing controls used to manage the potential consequences associated with uncertain events or conditions at our closed sites | Public accessing hazardous areas, resulting in security or safety issues on site |

The Precautionary Principle

The precautionary principle states that when an activity raises threats of harm to the environment or human health, precautionary measures should be taken, even if some cause-and-effect relationships are not fully established scientifically.

We adopt a risk-based approach to business development. New projects (and upgrades, modifications or expansions of existing operations) undergo an assessment of potential environmental and social impact prior to implementation. For new projects, this is usually in the form of an impact assessment, in which the existing (baseline) conditions are described, the proposed project is outlined, potential impacts (both positive and negative) are identified, and modifications and controls are identified to minimize potentially adverse impacts.

Provision is made in the assessment process for public consultation and input. We are committed to engaging in consultations with potentially affected host communities prior to making significant development decisions, regardless of any legal requirement to do so. For upgrades, modifications or expansions of existing operations, the level of assessment is commensurate with the potential impacts of the proposed change.