Canadian Natural Resources Ltd. - Annual Report CV2425-006

Canadian Natural Resources Ltd - Annual Report CV2425-006 [PDF 449 KB]

Executive Summary

The Canada Energy Regulator (CER) expects pipelines and associated facilities within the Government of Canada’s jurisdiction to be constructed, operated, and abandoned in a safe and secure manner that protects people, property, and the environment. To this end, the CER conducts a variety of compliance oversight activities, such as audits.

Section 103 of the Canadian Energy Regulator Act (S.C. 2019, c.28, s.10) (CER Act) authorizes inspection officers to conduct audits of regulated companies. The purpose of these audits is to assess compliance with the CER Act and its associated Regulations.

The purpose of operational audits is to ensure that regulated companies have established and implemented both a management system and its associated programs, as specified in the Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) (OPR).

The CER conducted an Annual Report operational audit of Canadian Natural Resources Ltd.
(CNRL or the company or the auditee) between 12 April 2024 and 4 July 2024. The annual report requirements within section 6 of the OPR support fundamental components of a management system, such as continual improvement and leadership. The annual report must be signed by the accountable officer, and it must describe: the adequacy and effectiveness of the management system and programs; any deficiencies identified through the company’s quality assurance measures; and the status of the actions being taken to rectify any deficiencies.

The objective of this audit was to verify that CNRL’s 2023 Annual Report, “The CER Annual Report (2023)”, meets the requirements of the OPR and that the company has the necessary processes, procedures, and work instructions in place to fulfil the requirements of section 6 of the OPR.

The Annual Report audit was based on five audit protocols (APs) and all five were deemed non-compliant. For AP-01, CNRL was unable to demonstrate they had performance measures to meet company goals, objectives, and targets. For AP-02, “The CER Annual Report (2023) (the Annual Report)” did not link performance to goals or objectives and it did not provide an evaluation of how the company achieved its goals, objectives, and targets, additionally, it did not contain goals and objectives for all program areas and it did not contain any targets. For AP-03, CNRL did not demonstrate it has a process in place to evaluate the adequacy and effectiveness of its management system. For AP-04, the content required by paragraph 6.6(1)(b) of the OPR, the adequacy and effectiveness of the management system, was missing in the Annual Report. Lastly, for AP-05, there were deficiencies related to the content of the 2023 Annual Report for the Environmental Protection, Emergency Management, and Safety Management program areas. Corrective actions taken were not described with enough detail about the actions or fixes that were implemented and could not be linked with the deficiencies identified. In addition, corrective actions taken for Damage Prevention were not described. The findings from the audit are summarized in Table 2 and explained in detail in Appendix 1 of this report.

Within 30 calendar days of receiving the Final Audit Report, the company shall file with the CER a Corrective and Preventive Action (CAPA) Plan that outlines how the non-compliant findings will be resolved. The CER will monitor and assess the implementation of this CAPA Plan to confirm that it is completed in a timely manner.

Note that all findings are specific to the information assessed at the time of the audit as related to the audit scope.

While non-compliant findings exist, the CER is of the view that the company can still construct, operate, and abandon pipelines in a manner that will preserve the safety of persons, the environment, and property.

The Final Audit Report will be made public on the CER website.

Top of Page

Table of Contents

• Executive Summary
• 1.0 Background
  • 1.1 Introduction
  • 1.2 Description of Audit Topic
  • 1.3 Company Overview
• 2.0 Objectives and Scope
• 3.0 Methodology
• 4.0 Summary of Findings
• 5.0 Discussion
• 6.0 Next Steps
• 7.0 Conclusion
• Appendix 1: Audit Assessment
  • AP-01 - Performance measures to meet company goals, objectives, and targets
  • AP-02 - Performance in achieving company goals, objectives, and targets
  • AP-03 - Process to evaluate adequacy and effectiveness of the management system
  • AP-04 - Adequacy and effectiveness of the management system
  • AP-05 - Actions taken to correct deficiencies
• Appendix 2: Terms and Abbreviations

List of Tables and Figures

• Table 1. Audit Scope
• Table 2. Summary of Findings

Top of Page

1.0 Background

1.1 Introduction

The Canada Energy Regulator (CER) expects pipelines and associated facilities within the Government of Canada’s jurisdiction to be constructed, operated, and abandoned in a safe and secure manner that protects people, property, and the environment.

Section 103 of the Canadian Energy Regulator Act (S.C. 2019, c.28, s.10) (CER Act) authorizes inspection officers to conduct audits of regulated companies. The purpose of these audits is to assess compliance with the CER Act and its associated Regulations.

The purpose of operational audits is to ensure that regulated companies have established and implemented both a management system and its associated programs, as specified in the Canadian Energy Regulator Onshore Pipeline Regulation (SOR/99-294) (OPR).

The CER conducted an annual report operational audit of Canadian Natural Resources Ltd. (CNRL or the company) between 12 April 2024 and 4 July 2024.

1.2 Description of Audit Topic

The OPR requires that the company generate an annual report that is reviewed and signed by the accountable officer. This annual report must describe the company’s performance in achieving its goals, objectives, and targets during the previous year, as evaluated by the company’s performance measures. In addition, the report must describe the adequacy and effectiveness of the company’s management system in achieving the company’s policies, goals, and objectives; and the actions taken during the year to correct any deficiencies identified by the company’s quality assurance program.

Once the company has prepared its annual report and it has been reviewed and signed by the accountable officer, the company must advise the CER of this in writing. This written advisory is to be signed by the accountable officer and delivered to the CER no later than 30 April of each year.

The receipt of this notification each year serves to advise the CER that the accountable officer is aware of and has signed off on an annual report which details:

• The adequacy and effectiveness of the management system and programs;
• Any deficiencies identified through the company’s quality assurance measures; and
• The status of the actions being taken to rectify any deficiencies.

The CER does not normally ask companies to provide a copy of this annual report, but simply to verify that it has completed it and that it has been reviewed and signed by the accountable officer. However, the CER can ask companies to produce the report, as it did during this audit.

More detailed explanations of the CER’s expectations for this audit are explained in Appendix 1.

1.3 Company Overview

CNRL has ~165 kilometres (km) of CER-regulated pipelines (66 pipelines), mostly gas (five of those 66 pipelines contain oil and have a length of 1.56 km).

The map below depicts the company’s CER-regulated assets.

This map is a graphical representation intended for general informational purposes only. Map produced by the CER, June, 2024. Last updated on June 14, 2024.

2.0 Objectives and Scope

The objective of this audit was to verify that the CNRL’s annual report meets the requirements of the OPR; and that the auditee has the necessary processes, procedures, and work instructions in place to fulfil the requirements of section 6 of the OPR.

The table below outlines the scope selected for this audit.

Table 1. Audit Scope

Table 1. Audit Scope

Audit Scope	Details
Audit Topic	Annual Report
Lifecycle Phases	x  Construction  x  Operations  x  Abandonment
Section 55 Programs	x  Emergency Management  x  Integrity Management  x  Safety Management  x  Security Management  x  Environmental Protection  x  Damage Prevention
Time Frame	Annual Report and supporting processes that assess the 2023 calendar year

3.0 Methodology

The auditors assessed compliance through:

• document reviews;
• record sampling; and
• interviews.

The list of documents reviewed, records sampled, and the list of interviewees are retained on file with the CER.

An audit notification letter was sent to the company on 12 April 2024 advising the company of the CER’s plans to conduct an operational audit. The lead auditor provided both the audit protocol and initial information request and held a meeting with the company staff to discuss the plans and schedule for the audit on 15 April 2024. The audit protocol and initial information request (IR) is a detailed document that outlines the OPR requirements for each AP as well as all of the expected outcomes required for that AP. Companies have 30 days to complete this information request and are asked to describe how they meet the expected outcomes and provide specific documents and references to their program that demonstrate they are meeting these requirements. This process allows companies to illustrate how they are complying with the regulations. CNRL met its original document submission deadline and auditors began the document review on 20 May 2024. The audit team recognized gaps in what was presented in the initial audit request and sent CNRL a second IR on 4 June 2024 prior to the interviews. The second IR was a repeat of the initial IR and contained the same regulatory requirements as the initial IR however it pointed out the gaps with what was initially submitted by CNRL. The purpose of the second request was to allow CNRL additional time to answer the questions being asked and provide appropriate support documentation. Interviews were conducted between 17 June 2024 and 28 June 2024. No inspections were conducted for this audit.

In accordance with the established CER audit process, the lead auditor shared a pre-closeout summary of the audit results on 4 July 2024. At that time, the company was given five business days to provide any additional documents or records to help resolve the identified gaps in information or compliance. Although CNRL provided a written response regarding AP-01, the response did not contain any new documentation or records and therefore the findings from the pre-closeout meeting remained the same and the pre-closeout meeting became the closeout meeting.

4.0 Summary of Findings

The lead auditor has assigned a finding to each audit protocol. A finding can be either:

• No Issues Identified – No non-compliances were identified during the audit, based on the information provided by the company, and reviewed by the auditor within the context of the audit scope; or
• Non-compliant – The company has not demonstrated that it has met the legal requirements. A CAPA plan shall be developed and implemented to resolve the deficiency.

All findings are specific to the information assessed at the time of the audit, as related to the audit scope.

The table below summarizes the findings. See Appendix 1: Audit Assessment for more information.

Table 2. Summary of Findings

Table 2. Summary of Findings

Audit Protocol (AP) Number	Regulation or Other Requirement	Regulatory Reference	Topic	Finding Status	Finding Summary
AP-01	OPR	6.5(1)(b)	Performance measures to meet company goals, objectives, and targets	Non-compliant	The records provided by CNRL and the results of the interviews did not serve as sufficient evidence that CNRL has performance measures to meet company goals, objectives, and targets. CNRL did not demonstrate that it has established goals and objectives for all of the section 55 program areas and where goals and objectives did exist, CNRL did not demonstrate how these were linked to performance measures and targets.
AP-02	OPR	6.6(1)(a)	Performance in achieving company goals, objectives, and targets	Non-compliant	The CER Annual Report (2023) did not link performance to goals or objectives, it did not provide an evaluation of how the company achieved its goals, objectives. and targets, it did not contain goals and objectives for all program areas and it did not contain any targets.
AP-03	OPR	6.5(1)(v)	Process to evaluate adequacy and effectiveness of the management system	Non-compliant	The documents provided by CNRL and the results of the interviews did not serve as evidence that CNRL has a process in place to evaluate the adequacy and effectiveness of its management system.
AP-04	OPR	6.6(1)(b)	Adequacy and effectiveness of the management system	Non-compliant	The content required by the OPR was missing in the Annual Report. The Annual Report does not describe the adequacy and effectiveness of the company’s management system.
AP-05	OPR	6.6(1)(c)	Actions taken to correct deficiencies	Non-compliant	CER auditors noted deficiencies related to the content of the 2023 Annual Report for the Environmental Protection, Emergency Management and Safety Management program areas. Corrective actions taken were not described with enough detail about the actions or fixes that were implemented and could not be linked with the deficiencies identified. In addition, corrective actions taken for Damage Prevention were not described. Therefore, CNRL did not fully satisfy the expected outcomes of paragraph 6.6(1)(c) of the OPR.

5.0 Discussion

The annual report requirements within section 6 of the OPR support fundamental components of a management system, such as continual improvement and leadership.

Management systems follow a plan-do-check-act framework, with an aim to continually improve. The annual report requirement within the OPR supports the check and act portions of the framework. It requires companies to assess and describe the performance of their management system, as it relates to achieving goals, objectives, and targets over the previous year. The annual report also requires the company to describe the adequacy and effectiveness of its management system, and the actions taken to address deficiencies.

Leadership is another important component of management systems, which is why the OPR requires regulated companies to assign an accountable officer to oversee the management system. The accountable officer must sign the annual report and submit a statement to the CER that the report has been completed.

There were several gaps that were identified during this audit. The auditors noted that much of the information that was provided related to the Certificate of Recognition (COR) audit standard, which is a non-regulatory audit protocol that is administered by a Certifying Partner provincially. There is a distinct difference between the requirements of the COR management system and the OPR management system requirements. Companies who work under multiple jurisdictions should be aware that the completion of one set of requirements for one jurisdiction does not automatically ensure they meet the requirements of another jurisdiction. Companies should complete a gap assessment of the tools they are using to evaluate their management system to ensure they are meeting all of their regulatory requirements.

6.0 Next Steps

The company is required to resolve all non-compliant findings through the implementation of a CAPA plan. The next steps of the audit process are as follows:

• Within 30 calendar days of receiving the Final Audit Report, the company shall file with the CER, a CAPA plan that outlines how the non-compliant findings will be resolved.
• The CER will monitor and assess the implementation of the CAPA plan to confirm that it is completed:
  • on a timely basis; and
  • in a safe and secure manner that protects people, property, and the environment;
• Once implementation is completed, the CER will issue an audit closeout letter.

7.0 Conclusion

In summary, the CER conducted an operational audit of CNRL related to the 2023 Annual Report. Out of a total of five audit protocols, zero were classified as no issues identified, resulting in an audit score of zero percent.

The non-compliant findings are a result of the requirements of, and to the level of detail required by, the OPR. The findings from the audit are summarized in Table 1 and explained in detail in Appendix 1 of this report.

CNRL is expected to resolve these deficiencies through the implementation of a CAPA Plan. The CER will monitor and assess the implementation of this CAPA Plan, and issue an audit close out letter upon its completion.

Top of Page

Appendix 1: Audit Assessment

AP-01 Performance measures to meet company goals, objectives, and targets

AP-01 Performance measures to meet company goals, objectives, and targets

Finding Status	Non-compliant
Regulation	OPR
Regulatory Reference	6.5(1)(b)
Regulatory Requirement	A company shall, as part of its management system and the programs referred to in section 55, develop performance measures for evaluating the company’s success in achieving its goals, objectives, and targets.
Expected Outcome	The expected outcomes are as follows: The company has developed performance measures that are relevant to its documented goals, objectives, and targets. The following two items will be confirmed in connection with the company’s annual report per paragraph 6.6(1)(b) of the OPR: The performance measures support the ability to assess the achievement of the company’s goals, objectives, and targets; and The company applies the performance measures to assess its success in achieving its goals, objectives, and targets.
Relevant Information Provided by the auditee	The following key documents and records are related to this finding: 2024 KPI Targets Stewardship Final_CER SMS Element 1 Leadership Commitment SMS Element 5 - Emergency Management SMS Element 7 - Incident Analysis SMS Element 11 - Safety Meetings SMS Element 14 - Evaluation of Management System Safety Management System Supporting Processes 2023 Scorecard Analysis_Final 2022 Stewardship Report to Stakeholders Emergency Management an(EM) Exercises (2023 Completed) Safety News Emergency Management System (EMS) Element 1 Leadership Commitment EMS Core Manual Audit List 2024 Audit File Folder Path Tech Deliverable Matrix - KPI Summary (Tableau Link) Pipeline Management System Framework Pipeline Project Process Enterprise Security Plan The following interviews are related to this finding: Interviews for this audit were arranged by program areas, with each area providing responses to all APs (1-5). The following program areas were interviewed (these program names represent CNRL’s organizational structure and naming convention): Safety Management and Emergency Response, Environmental Management, Asset Integrity, Corporate Security and Damage Prevention/Safety. Additionally, the accountable officer was interviewed and, like the other interviewees, was asked questions about multiple APs. A list of people interviewed is kept on file with the CER.
Finding Summary	The records provided by CNRL and the results of the interviews did not serve as sufficient evidence that CNRL has performance measures to meet company goals, objectives, and targets. CNRL did not demonstrate that it has established goals and objectives for all of the section 55 program areas and where goals and objectives did exist, CNRL did not demonstrate how these were linked to performance measures and targets.

Detailed Assessment

For this assessment, the CER was looking for CNRL to demonstrate that it had developed performance measures or key performance indicators (KPIs) to evaluate the company’s success in achieving its goals, objectives, and targets, including the specific goals in paragraph 6.3(1)(b) of the OPR which includes: goals for the prevention of ruptures, liquid and gas releases, fatalities and injuries and for the response to incidents and emergency situations.

There are several gaps that were identified for AP-01 which will be detailed below. Each of the bullets below represents a specific gap that will need to be addressed in the CAPA Plan:

1. CNRL did not demonstrate how performance measures are linked to goals and objectives. One of the key documents provided by CNRL as evidence was the “2024 KPI Targets Stewardship Final CER document”. This document contained tables that were labeled KPI, 2021 Actual, 2022 Actual, 2023 Actual, and 2024 Target range.
   • Under the columns there were rows under the following headers: Health & Safety, Asset Integrity and Environment. The other section 55 program areas, namely security management, damage prevention and emergency management, were not listed. The OPR requires performance measures be developed for each of the section 55 program areas.
   • Additionally, this document did not contain any goals or objectives. CNRL could not demonstrate how the company’s performance measures are linked to goals or objectives. In the absence of this linkage, it could not be determined how the performance measures were being applied and what they were measuring.
   • In the second IR sent on 4 June 2024, the CER explicitly asked CNRL to, “provide documented goals, objectives, and targets and match them to the KPIs that were provided”. In response to this second request, CNRL referred the auditors back to the following documents: TC-OVR-PRG-INT-000500 Pipeline Management System Framework, C-OVR-PRG-LM-000006 Ground Disturbance Code of Practice, Ground Disturbance Steering Committee (GDSC) minutes, Enterprise Security Plan v26, CNRL-OVR-MAN-RE-000001 EMS Core Manual, Safety Management System Supporting Processes and Corporate Emergency Response Plan.
     
     The CER notes that none of the documents that were provided answered the question that was asked. As the document titles imply, these documents are program related documents that outlined program requirements. For example, with the, “Pipeline Management System Framework”, CNRL directed the CER staff to section “8.1 Setting Objectives and Targets”, which outlined some guidance for setting pipeline objectives and specific performance targets, however it did not contain any actual goals, objectives, targets or performance measures within the document which was what was required.
2. CNRL did not demonstrate they had developed goals and objectives for all program areas. The expected outcomes require that performance measures are linked to goals and objectives. In the absence of goals and objectives, CNRL cannot provide this link, nor do they have the ability to assess the achievement of the company’s goals, objectives, and targets. This assessment allows companies to clearly understand how well they are performing and identify areas for improvement. It aims to facilitate decision-making and resource allocation by providing data-driven insights into what is working and what is not.
   
   The CER noted that, within the Annual Report, there were objectives for the Integrity program and the draft - 2024 Goals – Corporate Security included goals, however these were not linked to performance measures.
3. Company must demonstrate how its performance measures are linked to its goals developed under paragraph 6.3(1)(b) of the OPR.
   
   Paragraph 6.3(1)(b) of the OPR outlines specific goals that every company must establish, which include: goals for the prevention of ruptures, liquid and gas releases, fatalities and injuries, and for the response to incidents and emergency situations. In its IR response on 10 July 2024, CNRL provided the following information as evidence that it had met these goals:
   
   CNRL provided the following corporate statement for Asset Integrity:
   1. Asset Integrity

      “The corporate statement for Asset Integrity highlights the following: Canadian Natural Resources Limited (Canadian Natural) is committed to high levels of asset integrity to ensure safe, reliable, efficient and effective operations. We conduct our operations in a manner that will evaluate and mitigate impacts to the integrity of our assets.

      - Provide strong leadership to the identification, assessment and management of asset integrity risks at all levels of the organization and promote a participative culture;

      The above statements may not explicitly state, “prevent ruptures or liquid and gas releases”, however the statement is clearly aimed at the safe, reliable, efficient and effective operation of Canadian Natural’s pipelines and managing risks to pipeline infrastructure. Inherently, this operationalizes a proactive approach at preventing pipeline ruptures, liquid and gas releases”.

      The CER agrees with CNRL’s assessment that its statements are not explicit. The goals for the prevention of ruptures and liquid and gas releases need to be clear and explicit.

   2. Prevention of Fatalities and Injuries:
      

      CNRL provided the following statement from its “Emergency Management Program Process” as evidence of its goals for the prevention of fatalities and injuries:

      “Within the “Emergency Management Program Process” the following statement is made and references the corporate statement provided for Health & Safety:

      Canadian Natural adheres to the following Statements to achieve safety excellence and the goal of “No Harm to People – No Safety Incidents.”

      • Corporate Statement on Health & Safety
      • Corporate Statement on Environmental Management
      • Corporate Statement on Asset Integrity Management

      Canadian Natural monitors our success with the Total Recordable Injury Frequency and Reducing Recordable Injury Incidents metrics found in Stewardship KPI’s provided to the CER. In addition, our Emergency Management Program Process outlines additional goals related to prevention of injuries and fatalities”.

      The CER requires that goals for the prevention of fatalities and incidents be written explicitly. The language provided by CNRL, “No Harm to People – No safety Incidents” is too vague to be considered as a goal for the prevention of fatalities.

      It is also noted that CNRL states that its Emergency Management Program Process outlines goals for the prevention of injuries and fatalities, however there is no mention of fatalities or goals to prevent fatalities within the document.

      Further, the CER notes that CNRL’s “2024 KPI Targets Stewardship_Final_CER, does not contain any tracking for fatalities. The absence of tracking for fatalities would align with the absence of explicit goals for the prevention of fatalities. As was observed with the other goals, those outside of paragraph 6.3(1)(b) of the OPR, there was no link between the goal and any existing performance measures.

      In its response to the pre-close out meeting findings regarding paragraph 6.3(1)(b) of the OPR, CNRL provided the following response, “Canadian Natural strongly believes that we fully comply with the spirit and intent of the regulation through our culture of safety as a core value, and our robust systems and practices, despite the difference from the CER’s prescribed language”. The CER does not assess the spirit or intent of its regulated companies and companies are required to have a management system and goals that are explicit and comprehensive.

      The CER expects the management system to be explicit such that it doesn’t take further explanation to understand how it works and how it is applied to the company’s activities. Comprehensive means the management system addresses each of the requirements for a management system and the associated processes, programs and other supporting materials required by the OPR for the management system. It also must apply to all of a company’s regulated assets and activities and must address the entire lifecycle of the company’s pipelines and facilities. In addition to the expectations outlined within the OPR and the audit protocols, see, “CER Management System Requirements and CER Management System Audit Guide”.

4. The auditors identified a gap regarding how the company’s performance measures are linked to its specific objectives and targets developed under paragraph 6.5.(1)(a) of the OPR.

   CNRL did not demonstrate they had developed objectives for all program areas. The CER noted that the Annual Report contained objectives for the Integrity program only, however there was no evidence of objectives for the other section 55 program areas.

5. The auditors noted that in some instances, goals did not meet the definitions of a goal. The CER’s published definition of a goal is as follows: A broad statement of what is aimed to be accomplished within a certain timeframe. They represent the overarching aspirations or desired outcomes that guide actions and decision-making. Goals provide direction and purpose, helping to focus efforts and resources toward achieving specific results. For example, here are the goals taken from the Safety Management System Supporting Process sec. 2.3.1 – “Canadian Natural’s Safety Management System (SMS) establishes goals using leading and lagging data including but not limited to; AER Compliance Tracking, Total Recordable Injury Frequency (TRIF), Total Lost Time Incident (LTI) Frequency, Worksite Safety Observations (WSO), Recordable Injury Incidents, facility audits, root cause analysis, safety meetings, Key Performance Indicator’s (KPIs)”. The CER would not consider these to be goals as, by definition, a goal needs to “provide direction and purpose, helping to focus efforts and resources toward achieving specific results”.
6. Lastly, the CER noted that both documents and interviews indicated that goals, objectives, performance measures, KPIs, policies, and corrective actions are used interchangeably. Specifically, it was noted in one of CNRL’s responses that an item labeled as a corrective action was concurrently being referred to as either a goal or an objective (or both). For example, the signed Annual Report that listed items as corrective actions within the report were then categorized as goals in the IR response provided on 2 July 2024. The CER requires goals, objectives, targets, performance measures, and corrective actions to be clearly defined. Each of these is a distinct item with a specific definition. The CER does not accept CNRL’s view that a corrective action is also a goal or that a performance measure is also a goal and an objective. CNRL needs to be explicit regarding each of the items listed in this OPR requirement.

In summary, CNRL did not demonstrate that it has established goals and objectives for all of the section 55 program areas and, where goals and objectives did exist, CNRL did not demonstrate how these were linked to performance measures and targets.

Top of Page

AP-02 Performance in achieving company goals, objectives, and targets

AP-02 Performance in achieving company goals, objectives, and targets

Finding Status	Non-compliant
Regulation	OPR
Regulatory Reference	6.6(1)(a)
Regulatory Requirement	A company shall complete an annual report for the previous calendar year, signed by the accountable officer, that describes the company’s performance in achieving its goals, objectives, and targets during that year, as evaluated by the performance measures developed under paragraph 6.5(1)(b) of the OPR.
Expected Outcome	The company has completed an annual report for the previous calendar year that is signed by the accountable officer. The annual report describes the company’s performance in achieving its goals, objectives, and targets. The company utilizes the performance measures developed as part of paragraph 6.5(1)(b) of the OPR as part of its evaluation.
Relevant Information Provided by the auditee	The following key documents and records are related to this finding: Safety Management System Supporting Processes 2022 Stewardship Report to Stakeholders Safety News CER Annual Reports (2022, 2023) Pipeline Management System Framework The following interviews are related to this finding: Interviews for this audit were arranged by program areas, with each area providing responses to all APs (1-5). The following program areas were interviewed (these program names represent CNRL’s organizational structure and naming convention): Safety Management and Emergency Response, Environmental Management, Asset Integrity, Corporate Security, and Damage Prevention /Safety. Additionally, the accountable officer was interviewed and, like the other interviewees, was asked questions about multiple APs. A list of people interviewed is kept on file with the CER.
Finding Summary	The CER Annual Report (2023) did not link performance to goals or objectives, it did not provide an evaluation of how the company achieved its goals, objectives, and targets, it did not contain goals and objectives for all program areas and it did not contain any targets.

Detailed Assessment

Although CNRL provided its 2023 Annual Report that was signed by the accountable officer, the Annual Report did not fulfill the requirements of paragraph 6.6(1)(a) of the OPR. The following deficiencies exist:

• The Annual Report only contained goals and objectives for the Integrity program and none of the other section 55 programs.
• The Annual Report did not contain any targets and therefore performance was not evaluated.
• The KPIs within the report were not linked to any goals or objectives; and as such, the Annual Report did not describe the company’s performance in achieving its goals, objectives, and targets. As discussed in AP-01, when goals and objectives are missing or when performance measures are not linked to goals and objectives, there is limited ability to determine if the company is performing as expected or whether changes need to be made. The Annual Report is developed for and signed by the accountable office who has authority over the human and financial resources, and it does not contain an assessment of whether or not CNRL has met its goals, objectives, and targets.
• Several KPIs within the report appeared to be topic areas or themes rather than a measure, for example Emergency Response Plan (ERP) training exercises. A performance measure or KPI should be used to measure progress towards goals. These metrics measure progress towards a particular goal, objective, and target.

In summary, CNRL’s Annual Report did not describe the company’s performance in achieving its goals, objectives, and targets in 2023.

Top of Page

AP-03 - Process to evaluate adequacy and effectiveness of the management system

AP-03 - Process to evaluate adequacy and effectiveness of the management system

Finding Status	Non-compliant
Regulation	OPR
Regulatory Reference	6.5(1)(v)
Regulatory Requirement	A company shall, as part of its management system and the programs referred to in section 55, establish and implement a process for evaluating the adequacy and effectiveness of the company’s management system and for monitoring, measuring, and documenting the company’s performance in meeting its obligations under these Regulations.
Expected Outcome	The company has a compliant process that is established and implemented. The company has developed methods for evaluating the adequacy and effectiveness of its management system. The company’s management system has been evaluated for adequacy and effectiveness. The company’s performance in meeting its obligations under these Regulations has been monitored, measured, and is documented. The company has implemented corrective actions based on the results of its monitoring and measuring the adequacy and performance of its management system.
Relevant Information Provided by the auditee	The following key documents and records are related to this finding: 2024 KPI Targets Stewardship Final_CER SMS Element 5 - Emergency Management SMS Element 7 - Incident Analysis SMS Element 8 - Inspections and/or audits SMS Element 14 - Evaluation of Management System Safety Management System Supporting Processes 2023 CNRL COR Audit Certificate 2022 Stewardship Report to Stakeholders Master SMS Audit Action Plan Tracker Master COR Audit Action Plan Tracker EMS Core Manual Risk Management Handbook Weekly Leadership Meetings (Example) Integrity Weekly Report (Example) Corporate Statement on Document Management Controlled Document Numbering Standard Governing Document FAQs Enterprise Security Plan The following interviews are related to this finding: Interviews for this audit were arranged by program areas, with each area providing responses to all APs (1-5). The following program areas were interviewed (these program names represent CNRL’s organizational structure and naming convention): Safety Management and Emergency Response, Environmental Management, Asset Integrity, Corporate Security, and Damage Prevention / Safety. Additionally, the accountable officer was interviewed and, like the other interviewees, was asked questions about multiple APs. A list of people interviewed is kept on file with the CER.
Finding Summary	The documents provided by CNRL and the results of the interviews did not serve as evidence that CNRL has a process in place to evaluate the adequacy and effectiveness of its managment system.

Detailed Assessment

For this assessment, the CER was looking for CNRL to demonstrate that it had established and implemented a process for evaluating the adequacy and effectiveness of the company’s management system and for monitoring, measuring, and documenting the company’s performance in meeting its obligations under the OPR.

For companies under the CER’s jurisdiction, the management system must be designed to include all of the elements that are outlined in the OPR and similarly, any evaluation to determine the effectiveness of the management system must be designed to include all of the elements outlined in the OPR and not those from a different jurisdiction. If a company is using another jurisdiction’s requirements, then the company must be able to demonstrate equivalency of the other jurisdiction with the requirement of the OPR.

At a minimum, the management system and its evaluation must address the requirements of a system as set out in sections 6.1 to 6.6 of the OPR and must be assessed in accordance with the CER’s terminology and definitions. The management system must include the necessary organizational structures, resources, accountabilities, policies, processes and procedures for an organization to fulfil all tasks related to safety, security and environmental protection. The management system and its protection programs, listed in section 55 of the OPR, must take into consideration all applicable requirements of the CER Act, its applicable regulations, standards referenced in the regulations as well as company-specific standards, and company-specific CER orders and certificates.

CNRL provided its “Pipeline Management Framework, Section 8.17” document and its “Enterprise Security Plan”, Element 8: Audits & Inspections and Element 9: Management System Review, as evidence of its process for evaluating the adequacy and effectiveness of the management system.

The CER has published a list of definitions which includes a definition for process. The documents that were provided by CNRL do not meet the CER requirements for a process based on the following:

• The documents are not integrated with each of the section 55 programs or each other, and they do not cover an evaluation of the other section 55 programs (security looks at security only and Integrity looks at the Integrity framework only). Therefore, the other section 55 programs do not have a process that ensures they are being evaluated.
• These documents do not consider the specific technical requirements associated with each section 55 program nor do they describe the overall purpose, scope, objective, and specific results that the process is intended to achieve.
• These documents do not adequately describe the series of interacting actions or steps that take place in an established order.

As evidence of implementation of this process, CNRL provided a record of its Certificate of Recognition issued by the Alberta Association for Safety Partnerships. The COR audit is based on the COR audit standard, which is not related to or approved as an auditing tool by the CER and does not meet the management system requirements of the OPR. As outlined above, a company’s performance must be based on meeting its obligations under the CER’s regulations and not a provincial standard.

Interviews indicated that CNRL’s Workplace Safety Observations were another tool used to evaluate the adequacy and effectiveness of the management system. When asked if these observations evaluated the management system or looked at behaviours, interviewees stated they focused solely on worker behaviour and therefore do not provide an evaluation of CNRL’s management system.

Additionally, CNRL provided documents representing its internal audits for Safety, Security and Environment. However, these documents did not include what was audited, what was assessed or the audit protocols used. Instead, the documents only summarized the audit findings. Therefore the CER auditors could not determine if these management system element audits included the requirements of the OPR. As these audits are conducted on select elements only, there was no evidence provided to demonstrate that CNRL completed an evaluation of the adequacy and effectiveness of its entire management system as required by the OPR.

In summary, CNRL does not have a compliant process that is established and implemented. Some of the activities that are being conducted are not responsive to the OPR requirements. Other activities do not evaluate the adequacy and effectiveness of the management system wholistically.

Top of Page

AP-04 - Adequacy and effectiveness of the management system

AP-04 - Adequacy and effectiveness of the management system

Finding Status	Non-compliant
Regulation	OPR
Regulatory Reference	6.6(1)(b)
Regulatory Requirement	A company shall complete an annual report for the previous calendar year, signed by the accountable officer, that describes the adequacy and effectiveness of the company’s management system, as evaluated by the process established and implemented under paragraph 6.5(1)(v) of the OPR.
Expected Outcome	The company has completed an annual report for the previous calendar year that is signed by the accountable officer. The annual report describes the adequacy and effectiveness of the company’s management system for the previous calendar year. The process established and implemented in paragraph 6.5(1)(v) of the OPR is appropriately used to evaluate the company’s management system.
Relevant Information Provided by the auditee	The following key documents and records are related to this finding: CER Annual Reports (2022, 2023) Internal audit reports for Safety, Emergency Management, Security, and Environmental Protection The following interviews are related to this finding: Interviews for this audit were arranged by program areas, with each area providing responses to all APs (1-5). The following program areas were interviewed (these program names represent CNRL’s organizational structure and naming convention): Safety Management and Emergency Response, Environmental Management, Asset Integrity, Corporate Security, and Damage Prevention / Safety. Additionally, the accountable officer was interviewed and, like the other interviewees, was asked questions about multiple APs. A list of people interviewed is kept on file with the CER.
Finding Summary	Content required by the OPR was missing in the annual report. The annual report does not describe the adequacy and effectiveness of the company’s management system.

Detailed Assessment

CNRL did not satisfy all the expected outcomes listed above.

The company has developed an annual report for the 2023 year that is signed by the accountable officer. However, content required by the OPR was missing; the Annual Report did not describe the adequacy and effectiveness of the company’s management system. CNRL also acknowledged that a title block related to describing the adequacy and effectiveness of the management systems was not included in its 2023 Annual Report. CNRL indicated that several activities are taking place to assess the adequacy and effectiveness of its management system but, as discussed in AP-03, the company has not established the required process. Therefore, CNRL was unable to describe the adequacy and effectiveness of the company’s management system and CER auditors could not assess whether the process required by paragraph 6.5(1)(v) of the OPR was appropriately used.

CER auditors expect that the CAPA plan required to address the AP-03 deficiency will also address the deficiency noted in AP-04. As such, the CER will monitor the CAPA plans for AP-03 and their effect on AP-04 to ensure compliance.

Top of Page

AP-05 - Actions taken to correct deficiencies

AP-05 - Actions taken to correct deficiencies

Finding Status	Non-compliant
Regulation	OPR
Regulatory Reference	6.6(1)(c)
Regulatory Requirement	A company shall complete an annual report for the previous calendar year, signed by the accountable officer, that describes the actions taken during that year to correct any deficiencies identified by the quality assurance program established under paragraph 6.5(1)(w) of the OPR.
Expected Outcome	The company has completed an annual report for the previous calendar year that is signed by the accountable officer. The annual report identifies the actions taken to correct identified deficiencies. A description of the actions taken to correct deficiencies for each program referred to in section 55 in annual report is in accordance with the requirements of paragraph 6.5(1)(w) of the OPR.
Relevant Information Provided by the auditee	The following key documents and records are related to this finding: CER Annual Reports (2022, 2023) Emergency Management Program (Thermal Conventional) Enterprise Security Plan Safety Management System Supporting Processes Safety Management System Element 8 Pipeline Management System Framework EMS Core Manual Ground Disturbance Steering Committee meeting materials Internal audits reports for Safety, Emergency Management, Security, and Environmental Protection The following interviews are related to this finding: Interviews for this audit were arranged by program areas, with each area providing responses to all APs (1-5). The following program areas were interviewed (these program names represent CNRL’s organizational structure and naming convention): Safety Management and Emergency Response, Environmental Management, Asset Integrity, Corporate Security, and Damage Prevention / Safety. Additionally, the accountable officer was interviewed and, like the other interviewees, was asked questions about multiple APs. A list of people interviewed is kept on file with the CER.
Finding Summary	The content in the 2023 Annual Report for the Safety Management, Environmental Protection and Emergency Management program areas did not describe corrective actions taken to address identified deficiencies. Also, CNRL could not demonstrate how information labelled as “corrective action” was linked to, or the result of deficiencies identified by quality assurance activities. Corrective actions taken specific to the Damage Prevention program area were missing.

Detailed Assessment

CNRL has developed an annual report for the 2023 year that is signed by the accountable officer, with a section dedicated to lessons learned and corrective actions.

The Annual Report features a section titled “Pipeline Failure Lookback” that provides information about pipeline incidents. For 2023, there was one incident on a CER-regulated pipeline which was summarized and the corrective actions taken in relation to that incident were described.

Under the “Corrective Actions” section of the CNRL Annual Report, there are five separate tables for the different program areas. While all six protection programs required by the OPR were listed in the 2023 Annual Report, CER auditors noted several deficiencies.

To demonstrate compliance with paragraph 6.6(1)(c) of the OPR, the Annual Report had to describe corrective actions taken with sufficient details about the actions or fixes that were implemented. CER auditors also verified whether those actions were related to, or the result of deficiencies identified by quality assurance activities. CNRL had to provide evidence that those activities were performed and demonstrate their linkage to the quality assurance program required by paragraph 6.5(1)(w) of the OPR. It should be noted, however, that CER auditors did not assess the implementation and adequacy of the quality assurance program pursuant to paragraph 6.5(1)(w) of the OPR as it was outside the scope of this audit.

CER auditors found deficiencies in the following program areas:

Damage Prevention

CNRL indicated that Damage Prevention and Ground Disturbance (GD) are components of several programs and integrated within the Safety Management System, Integrity Management System, and numerous business processes. During interviews, CNRL representatives explained how the company conducted several GD audits to identify deficiencies. They also elaborated on compliance issues with employees and contractors involved in ground disturbance activities identified by GD audits, and how CNRL instituted face-to-face presentations to resolve those issues.

The Annual Report groups the information about corrective actions for Damage Prevention together with Integrity Management (i.e., one table for both program areas). CER auditors noted, however, that the Annual Report did not contain information about corrective actions for Damage Prevention even though CNRL shared that deficiencies were identified by its quality assurance activities (i.e., GD audits). Therefore, the absence of the required content in the Annual Report for the Damage Prevention program area is a non-compliance with paragraph 6.6(1)(c) of the OPR.

Emergency Management

To demonstrate the link between paragraph 6.6(1)(c) of the OPR and the quality assurance program required by paragraph 6.5(1)(w) of the OPR, CNRL provided its Emergency Management Program document. Quality assurance activities described in this document included COR and Internal audits as well as Site Specific ERP audits and ERP Exercise audits. This document also described that program evaluation reviews must be conducted annually by the Program Coordinator, Manager of Corporate Safety and Senior Management.

CNRL was able to demonstrate that quality assurance activities were performed. Evidence provided included the 2021 internal audit report for the Emergency Management System - E&P Operations and copies of emergency response exercise evaluation reports.

While CNRL demonstrated that quality assurance activities were completed for the Emergency Management program area, CER auditors noted that content in the Annual Report labelled as “corrective action” did not describe corrective actions taken to address deficiencies that would have been identified by those activities. More specifically:

• Corrective action #1 outlined that ERPs are reviewed and evaluated annually for updates as required. This information does not describe any corrective actions taken, but rather summarized the annual ERPs review process in a general way; and
• Corrective action #2 identified that, “company ICS processes may be impacted in the future by new provincial emergency management legislation”, thus pertaining to future corrective actions that may be necessary to comply with new legislative requirements.

In both cases, CNRL was also unable to demonstrate how these were linked to, or the result of deficiencies identified by quality assurance activities.

Therefore, CER auditors determined that CNRL has not satisfied the expected outcomes for paragraph 6.6(1)(c) of the OPR for the Emergency Management program area.

CNRL has developed an annual report for the 2023 year that is signed by the accountable officer, with a section dedicated to lessons learned and corrective actions.

The Annual Report features a section titled “Pipeline Failure Lookback” that provides information about pipeline incidents. For 2023, there was one incident on a CER-regulated pipeline which was summarized and the corrective actions taken in relation to that incident were described.

Under the “Corrective Actions” section of the CNRL Annual Report, there are five separate tables for the different program areas. While all six protection programs required by the OPR were listed in the 2023 Annual Report, CER auditors noted several deficiencies.

To demonstrate compliance with paragraph 6.6(1)(c) of the OPR, the Annual Report had to describe corrective actions taken with sufficient details about the actions or fixes that were implemented. CER auditors also verified whether those actions were related to, or the result of deficiencies identified by quality assurance activities. CNRL had to provide evidence that those activities were performed and demonstrate their linkage to the quality assurance program required by paragraph 6.5(1)(w) of the OPR. It should be noted, however, that CER auditors did not assess the implementation and adequacy of the quality assurance program pursuant to paragraph 6.5(1)(w) of the OPR as it was outside the scope of this audit.

CER auditors found deficiencies in the following program areas:

Damage Prevention

CNRL indicated that Damage Prevention and Ground Disturbance (GD) are components of several programs and integrated within the Safety Management System, Integrity Management System, and numerous business processes. During interviews, CNRL representatives explained how the company conducted several GD audits to identify deficiencies. They also elaborated on compliance issues with employees and contractors involved in ground disturbance activities identified by GD audits, and how CNRL instituted face-to-face presentations to resolve those issues.

The Annual Report groups the information about corrective actions for Damage Prevention together with Integrity Management (i.e., one table for both program areas). CER auditors noted, however, that the Annual Report did not contain information about corrective actions for Damage Prevention even though CNRL shared that deficiencies were identified by its quality assurance activities (i.e., GD audits). Therefore, the absence of the required content in the Annual Report for the Damage Prevention program area is a non-compliance with paragraph 6.6(1)(c) of the OPR.  Emergency Management

To demonstrate the link between paragraph 6.6(1)(c) of the OPR and the quality assurance program required by paragraph 6.5(1)(w) of the OPR, CNRL provided its Emergency Management Program document. Quality assurance activities described in this document included COR and Internal audits as well as Site Specific ERP audits and ERP Exercise audits. This document also described that program evaluation reviews must be conducted annually by the Program Coordinator, Manager of Corporate Safety and Senior Management.

CNRL was able to demonstrate that quality assurance activities were performed. Evidence provided included the 2021 internal audit report for the Emergency Management System - E&P Operations and copies of emergency response exercise evaluation reports.

While CNRL demonstrated that quality assurance activities were completed for the Emergency Management program area, CER auditors noted that content in the Annual Report labelled as “corrective action” did not describe corrective actions taken to address deficiencies that would have been identified by those activities. More specifically: • Corrective action #1 outlined that ERPs are reviewed and evaluated annually for updates as required. This information does not describe any corrective actions taken, but rather summarized the annual ERPs review process in a general way; and • Corrective action #2 identified that, “company ICS processes may be impacted in the future by new provincial emergency management legislation”, thus pertaining to future corrective actions that may be necessary to comply with new legislative requirements.

In both cases, CNRL was also unable to demonstrate how these were linked to, or the result of deficiencies identified by quality assurance activities.

Therefore, CER auditors determined that CNRL has not satisfied the expected outcomes for paragraph 6.6(1)(c) of the OPR for the Emergency Management program area.

Safety Management

To demonstrate the link between paragraph 6.6(1)(c) of the OPR and the quality assurance program required by paragraph 6.5(1)(w) of the OPR, CNRL provided the document titled “Safety Management System supporting processes”. Quality assurance activities described in this document included Safety Management System and COR audits, corporate internal audits, and external audits. Element 8 of the Safety Management System was also submitted for review, which described the different types of inspections that are conducted (e.g., worksite safety observations).

CNRL was able to demonstrate that quality assurance activities were performed and tracked to completion. Evidence provided included the 2021 internal audit report for E&P Safety Management System Oversight and audit plan update screenshots that showed when audit findings were closed.

However, upon review of the 2023 Annual Report, CER auditors noted that the content labelled as “corrective action” did not represent corrective actions taken to address deficiencies, but rather general themes or focus areas for improvement. CNRL was also unable to demonstrate how those items listed were linked to or the result of deficiencies identified. CER auditors are of the view that outlining topics for continuous improvement is not sufficient to meet the requirement of describing corrective actions under paragraph 6.6(1)(c) of the OPR.

Therefore, CER auditors determined that CNRL has not satisfied the expected outcomes for paragraph 6.6(1)(c) of the OPR for the Safety Management program area.

Environmental Protection

To demonstrate the link between paragraph 6.6(1)(c) of the OPR and the quality assurance program required by paragraph 6.5(1)(w) of the OPR, CNRL provided its Environmental Management System Core Manual which described environmental inspections and audits. CNRL submitted the 2021 internal audit report to demonstrate that quality assurance activities were performed.

However, CER auditors noted concerns with the content in the company’s 2023 Annual Report. More specifically, the information labelled as “corrective action” did not represent corrective actions taken to address deficiencies, but rather general themes or headings which could not be linked to deficiencies that would have been identified by the quality assurance activities.

Therefore, CER auditors determined that CNRL has not satisfied the expected outcomes for paragraph 6.6(1)(c) of the OPR for the Environmental Protection program area.

CER auditors did not find non-compliance issues with the Security Management and Integrity Management program areas. Key observations are detailed below.

Integrity Management

To demonstrate the link between paragraph 6.6(1)(c) of the OPR and the quality assurance program required by paragraph 6.5(1)(w) of the OPR, CNRL provided the document titled “Pipeline Management System Framework”. Ongoing monitoring and periodic audits were listed as quality assurance activities. CNRL representatives clarified during the interviews that ongoing monitoring includes activities such as risk assessments and failure investigations, among other things.

Upon review of the 2023 Annual Report, CER auditors noted that corrective actions for the Integrity Management program area were present and sufficiently detailed. During interviews, CNRL representatives were able to explain the deficiencies that required those corrective actions and how they were identified by the various quality assurance activities.

Therefore, CER auditors determined that the required content was present in the 2023 Annual Report for the Integrity Management program area.

Security Management

To demonstrate the link between paragraph 6.6(1)(c) of the OPR and the quality assurance program required by paragraph 6.5(1)(w) of the OPR, CNRL provided a document titled “Enterprise Security Plan”. CNRL specified that its quality assurance program is outlined under Element 8 which included inspections to identify threats, non-conformance and risk as well as audits.

CNRL was able to demonstrate that activities were performed and tracked to completion. Evidence provided included the 2021 internal audit report for Corporate Security Management and audit plan update screenshots that showed when audit findings were closed. During interviews, CNRL representatives also explained security vulnerability assessments conducted throughout the year.

CER auditors noted that the content labelled as “corrective action” described corrective actions taken with sufficient detail as to what was implemented. A description of the related deficiencies was also provided during interviews to demonstrate that the corrective actions listed resulted from and were meant to address deficiencies identified by the quality assurance activities. Therefore, CER auditors determined that the required content was present in the 2023 Annual Report for the Security Management program area.

In summary, CER auditors noted deficiencies related to the content of the 2023 Annual Report for the Environmental Protection, Emergency Management and Safety Management program areas as corrective actions taken were not described with sufficient details about the actions or fixes that were implemented and could not be linked with the deficiencies identified. In addition, corrective actions taken for Damage Prevention were not described. Therefore, CNRL did not fully satisfy the expected outcomes of paragraph 6.6(1)(c) of the OPR.

Top of Page

Appendix 2: Terms and Abbreviations

For a set of general definitions applicable to all operational audits, please see Appendix I of the CER Management System Requirements and CER Management System Audit Guide found on the CER website.

Appendix 2: Terms and Abbreviations

Term or Abbreviation	Definition
Annual Report	An annual report for the previous calendar year, signed by the accountable officer, that describes: (a) the company’s performance in achieving its goals, objectives and targets during that year, as evaluated by the performance measures developed under paragraph 6.5(1)(b) of the OPR; (b) the adequacy and effectiveness of the company’s management system, as evaluated by the process established and implemented under paragraph 6.5(1)(v) of the OPR; and (c) the actions taken during that year to correct any deficiencies identified by the quality assurance program established under paragraph 6.5(1)(w) of the OPR.
CER	Canada Energy Regulator
CER Act	Canadian Energy Regulator Act (S.C. 2019, c.28, s.10)
OPR	Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294)
The company	Canadian Natural Resources Ltd. (CNRL)
CAPA	Corrective and preventive action

Top of Page