Risk management report

Primary responsibility for risk awareness and mitigation has been embedded across the Group’s business platforms. Given the scale and complexity of the Group, Murray & Roberts cannot comprehensively eliminate all risk from its internal and external business and commercial interfaces.

For this reason, management manages and maintains a planned, coordinated and structured approach to identify, assess, mitigate, monitor, communicate and report the Group’s risks, prioritising those that are complex and large. This includes governance structures (such as the Board risk management committee, the executive risk committee and the business platform committees), organisational leadership, strategic planning and effective management to ensure that the appropriate operational and functional capacities, as well as systems, controls and processes, are in place to manage and mitigate risk. Guiding this approach is the Group Risk Management Framework.

The Group Risk Management Framework constitutes one of three pillars on which the Group Integrated Assurance Framework stands, and aims to:

  • Align strategy with risk tolerance;
  • Improve and streamline decision-making which improves the Group’s risk profile;
  • Promote the strategic and coordinated procurement of a quality order book, which contains a known and planned level of risk and a commensurate level of reward;
  • Ensure equitable commercial terms and conditions are contracted based on a predetermined set of acceptable contracting principles, together with the rational pursuit of commercial entitlement;
  • Promote early and rigorous project reviews, and timeous responses to projects showing early signs of deviation from planned and tendered expectations;
  • Promote continuous improvement through the institutionalisation and application of key past lessons learnt;
  • Reduce operational surprises, improve predictability and build shareholder confidence;
  • Build robust organisational risk structures and facilitate timeous interventions, to promote long-term sustainable growth; and
  • Promote the efficient and proactive pursuit of opportunities.

The Group risk management framework

01 ORGANISATIONAL STRUCTURES

In addition to the various Group operating board responsibilities, organisational structures have been created and tasked with risk governance and include the business platform risk committees, the Murray & Roberts Limited risk committee and the Murray & Roberts Limited project oversight committee.

02 FUNCTIONAL SUPPORT

Dedicated risk management support has been created at Group level and within businesses. This includes enterprise-wide risk leadership, risk management monitoring, risk-based auditing and operational and risk committees.

03 STRATEGIC RISK MANAGEMENT

Strategic risk is evaluated as a hurdle to achieving the Group’s long-term strategy. Direction is set for organic and acquisitive growth to access new markets and create new capacity, and is also applied to acquisitions, disposals, new business development and timely and necessary leadership intervention.

04 OPERATIONAL RISK MANAGEMENT

Operational risk is a potential barrier to achieving planned profits within the Group’s business platforms. Methodologies for identifying, evaluating, mitigating, monitoring and communicating risk are applied in the operational business environment. Business plans with a three-year horizon are developed and performance against these is subject to quarterly review.

05 PROSPECT AND PROJECT LIFE CYCLE

Project risk is evaluated as a potential barrier to delivering contracted scopes against cost, time and technical performance targets, while maintaining health, safety and environmental performance at acceptable levels. A project management framework sets the minimum standard for project management required in the delivery of projects across the Group.

A project management development programme is in place to enhance and refresh project management skills across the Group. The framework also provides internal audit with a consistent set of processes and controls against which project performance is tested. Project risk management activities include the Group risk tolerance filters, lessons learnt and contracting principles schedules, project reviews and project dashboards.

06 CORPORATE RISK MANAGEMENT

Corporate risk management relates to a range of portfolios within the corporate office, which address various forms of risk including risk management standards and procedures, the Group Code of Conduct, the Statement of Business Principles, regulatory compliance, commercial and legal oversight, integrated assurance, business continuity and information technology disaster recovery, treasury, bonds and guarantees, tax, insurance, crisis communication and forensic investigations.


Regulatory compliance

Regulatory compliance constitutes the second pillar of the Group Integrated Assurance Framework. With the continued growth and expansion of the Group, especially in new geographies and disciplines, regulatory compliance is a large and complex area to understand. This in turn requires a structured approach to evaluate compliance failures and ensure adequate responses are initiated timeously to mitigate and avoid any negative impact on the Group's operations and/or performance. The regulatory compliance function provides specific focus on regulatory compliance risk within the context of the Group Integrated Assurance Framework.

The key imperative of regulatory compliance is to ensure compliance across the Group with every law, rule, code and standard where non-compliance could materially impact the Group's performance and/or continued existence, whether from a financial, legal or reputational perspective.

The implementation of the Group Regulatory Compliance Framework focuses on the seamless integration of regulatory compliance (with risk management and internal audit) into business planning, execution and management.

Internal audit

Internal audit is a key element of the Group's assurance structure, and constitutes the third pillar of the Group Integrated Assurance Framework. Internal audit has established a robust, risk-based approach to identify the critical risk management control environment which is relied on by management, and which is to be tested and evaluated for the purposes of providing the Board with the risk management and regulatory compliance assurance it requires to meet its governance objectives. Internal audit follows a planning and execution process through which its risk-based approach is delivered in a consistent manner, followed by detailed reporting and issue tracking.

It is through implementation of the Group Integrated Assurance Framework that the critical risk processes and responses to be included in the internal audit plan are developed. These include interactions with the Group risk executive and the Group legal executive, and with specific reference to their respective mitigation objectives, strategies and plans. The audit plan also encompasses the assessment of Group-wide corporate governance, internal financial controls and risk management procedures, as well as specific areas highlighted by the audit & sustainability committee, Group executive committee and by executive and operational management for separate and dedicated review.

Risk management practices

Corporate leaders, tasked with overall governance but who are not involved in the engine room of the business they govern, require line-of-sight to the mechanics for which they are ultimately accountable.

Likewise with risk management, the Board is responsible for the performance of the Group it governs, but is remote from the details that influence (positively or negatively) the outcomes of the Group. For this reason, leadership requires line-of-sight to the controls, procedures, processes and systems that deliver the outcomes to ensure that they are appropriate, complete, robust and timeously applied.

The Group considers a number of factors to determine its risk tolerance for each risk category. This Risk Appetite Statement characterises the Group's tolerance for each risk as low, moderate or high, according to the following definitions:

  • Low – The level of risk will not impede the ability of the Group to achieve its strategic objectives.
  • Moderate – The level of risk may delay or disrupt achievement by the Group of its strategic objectives.
  • High – The level of risk will impede the ability of the Group to achieve its strategic objectives.

Where applicable, controls are in place to reduce the likelihood, or alternatively the impact, of risk events.

Key risk categories:

HSE: The Group has a low appetite for health, safety and environment risk and strives for Zero Harm in the workplace. This is supported by the Group HSE Framework.

FINANCIAL: The Group has a moderate appetite for financial risk as it is willing to accept risk in order to achieve its financial objectives. The risks are managed and mitigated to an acceptable level through a number of controls, with oversight from Group executive leadership.

LEGAL AND COMPLIANCE: The Group strives to achieve the highest standards of business integrity, ethics and governance in the pursuit of its strategic and business objectives. It has zero tolerance for any unethical behaviour and has a Code of Conduct and a number of related procedures in place to address this risk.

PROJECT PERFORMANCE: The Group is prepared to accept a moderate level of risk in the pursuit of projects in order to be able to achieve its financial objectives. Projects are delivered within a Project Management Framework against a set of contracting principles and lessons learnt from previous projects.

TECHNOLOGY: The Group has a moderate appetite for innovative technology solutions and for exploring digital trends which could add value and assist in meeting strategic objectives. However, the Group has a low appetite for cyber risk and data breaches and has an IT Security Framework in place to manage this risk.

The Group has defined four discrete risk environments, being: Strategic, Corporate, Operational and Project. Each risk has a specific owner, be it a business platform, operating board or an executive manager.

In addition, the risk management and internal audit functions, located in the corporate office (and which advise on risk management approaches, methodologies and systems), monitor that risk management is diligently exercised at every level across the Group, and in turn separately report to various constituted boards and committees on both inherent and residual risks in each risk area across the Group. This reporting is on a materiality basis, so the higher the level of authority, the greater the level of risk filtration.

As a project-based group, the predominant source of risk for the Group is in the project area. Murray & Roberts is an international contractor that contracts on a variety of projects, which differ in contract terms, specification, scope and size, all of which introduce significant risk into the Group.

Critical to the preparation of tenders and successful project delivery is the application of two standards to each bid which have been formulated on the basis of the Group's past performance:

  • Group Schedule of Contracting Principles; and
  • Group Schedule of Lessons Learnt.

All bids submitted are tested against the above two standards to ensure that the identified risks are correctly addressed and failures of the past are not repeated.

The three business platforms, which comprise the Murray & Roberts Group's project businesses, are also the source of operational risk. Risk exposures typically relate to infringement of laws, including competition, health and safety, environment, commercial, technical and logistical aspects of a project, in the ordinary course of carrying out their business activities. Each business platform has its own risk committee or initiatives through which project and operational risks are regularly reviewed and assessed, together with responsible management's mitigation actions.

To reduce project risk as far as possible, the following procedures are followed:

  • Only competent and experienced executives prepare bids for submission.
  • All opportunities are logged on an Opportunity Management System, which tracks and processes opportunities, subjecting them to a series of risk filters in order to develop a risk profile. These filters are in turn extracted from the delegation of authority matrix, which is approved by the Board.
  • In preparing bids, based on first principles and on a bottom-up basis, the estimating tools used across the Group are proven and validated. The costing process is comprehensive, and subject to rigorous and independent internal reviews.
  • Risks are identified based on past experience and carved out of bids contractually or retained but priced and then managed within budget.
  • Critical bid requirements are:
    (i) the exclusion and/or pricing of known risks;
    (ii) projects must be cash positive;
    (iii) unacceptable risks and unusual contracting terms are prohibited; and
    (iv) limits of liability are always contracted.
  • Where a lump sum project is accepted, the design must be mature, the scope and/or specification clear and an efficient mechanism for change management and dispute resolution must form part of the contract.
  • An allowance for contingencies (unforeseen or unplanned risks) is added to the bid price to cater for possible risks (threats) that cannot be proactively priced and managed. These allowances are a hedge against risk, are utilised within the framework for which they are established and fall under the control of the project director. The use of a contingency allowance is ratified by the project review committee.
  • Generally known suites of contracts are preferred, such as FIDIC, NEC, JBCC, GCC, and specific attention is placed on the special conditions. Bespoke contracts are negotiated based on the detailed guidance of internal and external attorneys.
  • Large and complex project bids are subject to independent review and approval by the Murray & Roberts Limited risk committee, which issues a mandate that has to be followed by the project negotiation team. Projects above US$300 million are escalated to the Board for approval. Any deviation from a mandate is referred back to the relevant risk committee for a final decision.
  • The Murray & Roberts Limited project oversight committee reviews large and complex projects to ensure performance is in line with the tendered terms and prevailing circumstances (to recognise changes in market conditions). Projects showing early signs of deviation from planned and tendered expectations are also reviewed by this committee, with the objective of preventing, as far as possible, projects entering into distress by identifying early signs of difficulty and ensuring corrective actions and interventions are initiated.

Strategic and corporate risks are associated with the activities of the office of the Group chief executive and the executive committee members operating in the corporate office. Risks associated with macro factors, such as growth (organic and acquisitive), new markets, new products, accounting, taxation, banking/bonding, funds transfers and the like are managed within the corporate office, reviewed by the risk committee quarterly and reported to the boards of Murray & Roberts Limited and of Murray & Roberts Holdings Limited.

A Group business continuity standard and procedure has been developed and implemented within each business platform. The assurance required with regard to these business plans falls within the mandate of the internal audit function.

The discipline of risk management is embedded across the Group, and embedded risk management is overseen by executive management. As a final control over the management of risk across the Group, every Group area and activity is subject to audit, by both external auditors and internal auditors. The Murray & Roberts internal audit function is well resourced and qualified to carry out its mandated review and evaluation function, which includes assessment of risk management, and its findings are evaluated to corroborate the findings of the risk management function in its assessment of the adequacy of risk management across the Group.

The material Group risks, in no order of priority, are discussed below.

STRATEGIC RISKS

TREND KEY: Threat increasing | Threat stable | Threat decreasing

MACRO ECONOMIES
MITIGATION
  • Focus on client relationships to promote negotiated contracts with equitable terms, focusing on value rather than price.
  • Grow further in the natural resources sector, particularly water and complementary markets.
  • Cost reduction across all business platforms and geographies to enhance profitability.
  • JVs with empowered companies have been established for projects where empowerment or indigenisation is required.
  • Diversification across the project life cycle, which includes an emphasis on development, front-end engineering and operations and maintenance.

Global demand for commodities (metals & minerals) continues to improve.

Changes in the global economy have a direct impact on the markets in which Murray & Roberts operates, particularly underground mining and oil & gas. The South African economy has been impacted by past ratings downgrades and business confidence remains low.

The threatened global trade war could also lead to volatility in the markets within which the Group operates.


OIL AND GAS MARKETS
MITIGATION
  • Establish a presence in geographic areas where the oil and gas majors are located.
  • Establish JVs with other Murray & Roberts business platforms to explore East African oil and gas opportunities.
  • Diversification across the project life cycle, which includes an emphasis on operations and maintenance.
  • Diversify oil and gas capability in Australasia markets into complementary water, power and infrastructure markets.
  • International organisational restructure aligned to drive market diversification.

Oil and gas are needed to fuel growing global energy demands. However, the continued soft and volatile oil price and fluctuating supply impact the revenues of gas producers and have created a reduction in new capital projects and capital spend within the sector. Although oil and gas companies will have to start re-investing in the medium term, profit margins will be under pressure as these companies remain financially stressed.


GROUP LIQUIDITY
MITIGATION
  • Resolve outstanding claims, including Dubai Airport and other Middle East projects.
  • Continue to manage overheads and improve project and commercial performance.
  • Procure advance payments on projects and ensure that all projects remain cash positive or at least cash neutral.

While Murray & Roberts remains in a strong cash positive position, outstanding claims, project losses and working capital demands may constrain our ability to make additional acquisitions and meet growth targets.


TRANSFORMATION
MITIGATION
  • Continuous monitoring and responding to new developments in terms of new BBBEE legislation and other relevant laws.
  • Continue to focus on management control, employment equity, skills development and enterprise and supplier development within each South African business.

Lack of compliance with employment equity and BBBEE requirements could reduce the likelihood of Murray & Roberts being successful in winning South African public sector tenders and, in limited cases, private sector tenders.


OPERATIONAL RISKS

HEALTH, SAFETY & ENVIRONMENTAL EXPOSURES
MITIGATION
  • The Group HSE Framework guides operations in managing material health, safety and environment issues.
  • The Zero Harm Through Effective Leadership Programme, aimed at establishing a purpose-driven culture, ensures sustainable improvement in health and safety.
  • The VFL Programme implemented across the Group demonstrates leadership commitment to and encourages employee involvement in fostering a healthy and safe environment.
  • Fatal Risk Control Protocols and Life Saving Rules are in place across the Group and on every project site.
  • The MAP Programme has been rolled out across all the operations to proactively manage material HSE issues and prevent major incidents.
  • Health and Wellness Programmes aimed at improving employee health and wellness are in place across all operations.
  • The Environmental Framework, incorporating a number of critical standards, implemented to regulate important environmental issues such as energy efficiency, carbon emissions, waste and water, is in place across the Group’s operations.

Although the Group has made significant progress in managing safety risk, anything more than Zero Harm remains a concern and continues to receive diligent and proactive attention from the executive team across the Group.


INDUSTRIAL UNREST
MITIGATION
  • The Employee Relations Framework has been embedded across the Group’s South African operations.
  • Improved working relations with employee representatives, appointed on all sites, have mitigated the risk and the VFL safety initiative is addressing a broader range of issues that affect employees.
  • Strike mitigation plans are in place at each operation and project site.
  • Client engagement and contract and commercial management on projects ensure early and comprehensive pursuit of commercial entitlements.
  • The focus on growing our footprint in less risky markets and sectors continues.
  • Key areas of the business are under suitable insurance cover.

Ongoing industrial and community unrest in South Africa continues to cause project delays and disruptions, impacting on productivity, safety and profitability. It also adds a further hurdle to the decision-making process for new investment in capital projects.


PROJECT RISKS

PROJECT LOSSES
MITIGATION
  • Management, including at Group level, timeously reviews underperforming projects to revisit and revise recovery plans and programmes.
  • Clients are engaged to find common cause around recovery plans.
  • The oversight committee continues to review underperforming projects and provide timeous guidance aimed at driving improvements in project performance.
  • Comprehensive project assurance and performance management tools have been developed within the business platforms, based on the experience gained from past project losses. The focus is on obtaining assurance of compliance with project management systems.
  • Project Critical Control Executive Dashboards have been implemented across the Group to provide executives with early insight to key performance indicators of projects under their control.

Losses on projects, while substantially down, continued during the year under review.

The table below reflects the number of projects being executed across the Group, which are experiencing losses in excess of R13 million (US$1 million) during FY2018. These loss-making projects are subject to an additional layer of oversight by the Murray & Roberts oversight committee.

Middle East project losses were accounted for in previous years. The risk will close out when the projects are delivered.

CONTRACT VALUE                        ACTIVE PROJECTS AT 30 JUNE 2018   PROJECTS WITH LOSSES > R13 MILLION
≤ R100 million                        58
≥ R100 million and ≤ R500 million     26                                1
≥ R500 million and ≤ R1 billion       8
≥ R1 billion                          17

SOUTH AFRICAN POWER PROGRAMME
MITIGATION
  • Clients are being engaged to resolve outstanding matters.
  • Disputes are immediately referred to adjudication if they cannot be resolved amicably within reasonable time frames.
  • Consultation with employees and trade unions regarding demobilisation terms and conditions is initiated early on in the process.

The power programme remains a key focus for the Power & Water business platform. Past delays and current acceleration in the power programme have exacerbated the scarcity of industrial skills and experience.

As the programme is accelerated, unforeseen commercial disputes give rise to an increase in matters being independently adjudicated. These disputes in turn have an impact on cash flows and while a forum is in place to deal with such disputes, this aspect of the programme is not without undue risk.

The power programme is nearing completion and demobilisation of project personnel will introduce risk in terms of safety, productivity and industrial relations.


UNCERTIFIED REVENUES
MITIGATION
  • In the case of the Dubai Airport dispute, the arbitration has been finalised and the award is expected by 4 November 2018.
  • Other claims will be pursued through negotiation, mediation and/or arbitration to ensure the most effective outcome for the Group.

Uncertified revenues taken to book on Dubai Airport and other projects must still be realised through protracted claims processes. This creates the risk of a write-back of revenues accounted for in prior financial years if the outcomes are less favourable than the accounting position taken.

