Enterprise Risk Management (ERM)

The nature of our business and the competitive environment in which we operate requires some level of risk-taking to achieve our strategic objectives and create growth and shareholder value. A company-specific operating framework has been developed to better protect and enhance shareholder value.

The primary focus of the Enterprise Risk Management (ERM) process is the identification and assessment of significant risks and the implementation of suitable risk responses. The process includes top-down and bottom-up risk identification and assessments from operations, projects, subject matter experts, and management and functional leads; application of standardized risk assessment criteria in terms of likelihood and consequence and development of risk treatment strategies.

On a quarterly basis, significant risk information from these and other sources is consolidated and reviewed through Site/Regional Risk Calls, which involve an assessment and discussion of internal and external risks. Internal risks are identified primarily by operations management during the planning and forecasting process and also through other forums such as risk workshops and SEMS audits. External risks emerging from environmental, social, political and economic issues where we operate are identified primarily through a country-level risk assessment process. However, some external risk, such as cyber-security and workplace respect, are identified through other risk management activities. All risks are revisited and updated regularly to ensure that the previous risk assessment is still appropriate and risk impact and likelihoods are updated where applicable.

Significant risks are consolidated and reviewed with senior management and then reported to the Board on a quarterly basis.

The full Board is entrusted with the responsibility of overseeing the significant risks to which our business is exposed and ensuring that there are processes in place to effectively identify, monitor and manage them. A significant risk is one that, if it were to occur, could materially impact our ability to meet or support our business objectives.

The Board delegates responsibility for the execution of certain elements of risk oversight to Board committees to ensure appropriate expertise, attention and diligence. The committees oversee their relevant risk areas and report to the Board regularly. This oversight responsibility includes the procedures and programs implemented to mitigate risk and the allocation of adequate resources to address risk. Management is responsible for ensuring that the Board and its committees are kept well informed of changing risks.

In 2017, the Risk Integration Project was initiated to update the company-wide risk governance processes and implement a centralized online risk-management tool. This tool allows us to gather a more comprehensive list of risks from different participants of the Risk Management process. It also allows us to rank them according to their impact on Goldcorp, the stakeholder or the receiving environment (i.e., employees, environment and communities).

In 2018, the Risk Integration Project will continue with a focus on ensuring collaboration with internal functions, formalizing risk management standards and implementing target risks rankings. As well, an ERM Committee to oversee risk management governance and resourcing across the company will be implemented.

Several topic-specific risk assessments were carried out in 2017. These are discussed further in the table below.1

Risk Assessment # of sites assessed Purpose of Assessment Examples of Potential Risks Identified

Tailings Risk Assessment

5

Identify and analyze conditions or events associated with our tailings facilities that could impact communities, the environment and/or the safety and health of our workforce.

Uncontrolled process water discharge

Projects Risk Assessments

6

Identify and analyze risks associated with projects that could negatively affect the project’s success or our company.

Lack of properly skilled people

Safety Risk Assessments

All

Identify, analyze and build an inventory of risks and associated controls used to manage the potential consequences for all locations.

Equipment falling into open holes, resulting in a fatality

Assessments

All operating sites

Analyze existing risks under new Corporate Risk Matrix methodology for input into Centralized Risk Management Tool.

Various

The Precautionary Principle

The precautionary principle states that when an activity raises threats of harm to the environment or human health, precautionary measures should be taken, even if some cause-and-effect relationships are not fully established scientifically.

We adopt a risk-based approach to business development. Prior to their implementation, new projects (and upgrades, modifications or expansions of existing operations) undergo an assessment of potential environmental and social impact. For new projects, this is usually in the form of an impact assessment, in which the existing (baseline) conditions are described, the proposed project is outlined, potential impacts (both positive and negative) are pinpointed and modifications and controls are identified to minimize potentially adverse impacts.

Provision is made in the assessment process for public consultation and input. We are committed to engaging in consultations with potentially affected host communities prior to making significant development decisions, regardless of any legal requirement to do so. For upgrades, modifications or expansions of existing operations, the level of assessment is commensurate with the potential impacts of the proposed change.