Annual Integrated Report

2019

Gathering
Momentum

Menu

Underground Mining + Oil & Gas + Power & Water

Risk management
report

Risk Management, Regulatory Compliance and Independent Assurance (internal and external audits) are the three pillars of the Group Integrated Assurance Framework.

THE GROUP RISK MANAGEMENT FRAMEWORK AIMS TO:

  • Align strategy with risk tolerance;
  • Improve and streamline decision-making, which improves the Group’s risk profile;
  • Promote the strategic and coordinated procurement of a quality order book, which contains a known and planned level of risk and an appropriate level of reward;
  • Ensure reasonable commercial terms and conditions are contracted based on a predetermined set of acceptable contracting principles, together with the rational pursuit of commercial entitlement;
  • Promote rigorous project reviews, and early responses to projects deviating from planned and tendered expectations;
  • Promote continuous improvement through the institutionalisation and application of lessons learnt;
  • Reduce operational surprises, improve predictability and build shareholder confidence;
  • Build robust organisational risk structures and facilitate timeous interventions, to promote long-term sustainable growth; and
  • Promote the efficient and proactive pursuit of opportunities.

RISK MANAGEMENT IS INTEGRAL TO GOVERNANCE AND OUR VALUE CREATION STRATEGY. SIGNIFICANT EFFORT IS MADE TO EMBED RISK AWARENESS, PREVENTION AND MITIGATION MEASURES ACROSS GROUP OPERATIONS.

The appropriate governance structures, including the Board risk committee, executive risk committee, project oversight committee and business platform risk committees, ensure that the appropriate operational and functional procedures, systems and controls are in place to mitigate risks and harness opportunities in pursuit of our strategic objectives.

Given the Group’s scale and complexity, it is not possible to completely eliminate all risks arising from internal and external business and commercial interfaces. Our experienced management teams manage and maintain a planned, coordinated and structured approach to identify, assess, address, monitor, communicate and report the Group’s risks. The mitigation of those risks, most likely to prevent the Group from achieving its strategic objectives are prioritised. Guiding this approach is the Group Risk Management Framework, which promotes a consistent risk management culture across the Group.

THE GROUP RISK FRAMEWORK

THE GROUP RISK FRAMEWORK
01

ORGANISATIONAL STRUCTURES

In addition to the various Group operating board responsibilities, organisational structures have been created and tasked with risk governance, including the business platform risk committees, the Murray & Roberts Limited risk committee and the Murray & Roberts Limited project oversight committee.

02

FUNCTIONAL SUPPORT

Dedicated risk management support has been created at Group level and within businesses. This includes enterprise-wide risk leadership, risk management monitoring, risk-based auditing and operational and risk committees.

03

STRATEGIC RISK MANAGEMENT

Strategic risk is evaluated as a hurdle to achieving the Group’s long-term strategy. Direction is set for organic and acquisitive growth to access new markets and create new capacity, and is also applied to acquisitions, disposals, new business development, timely and necessary leadership intervention.

04

OPERATIONAL RISK MANAGEMENT

Operational risk is a potential barrier to achieving planned profits within the Group’s business platforms. Methodologies for identifying, evaluating, mitigating, monitoring and communicating risk are applied in the operational business environment. Business plans with a three-year horizon are developed and performance against these is subject to quarterly review.

05

PROSPECT AND PROJECT LIFE CYCLE

Project risk is evaluated as a potential barrier to delivering contracted scope against cost, time and technical performance targets, while maintaining HSE performance. A Project Management Framework sets the minimum standard for project management required in the delivery of projects across the Group. A Project Management Development programme is in place to enhance and refresh project management skills across the Group. The framework also provides internal audit with a consistent set of processes and controls against which project performance is tested. Project risk management activities include the Group risk tolerance filters, lessons learnt and contracting principles schedules, project reviews and project dashboards.

06

CORPORATE RISK MANAGEMENT

Corporate risk management relates to a range of portfolios within the corporate office, which address various forms of risk including risk management standards and procedures, the Group Code of Conduct, the Statement of Business Principles, regulatory compliance, commercial & legal oversight, integrated assurance, business continuity & IT disaster recovery, treasury, bonds & guarantees, tax, insurance, crisis communication and forensic investigations.

RISK MANAGEMENT PRACTICES

The Board approves the risk appetite for the Group at several levels and has established a clear line of sight and responsibility to ensure effective risk management across the organisation. Several factors are considered in determining the risk appetite in each risk category. This Risk Appetite Statement categorises the Group’s appetite for each risk as low, moderate or high, according to the following definitions:

LOW – The level of risk will not impede the Group’s ability to achieve its strategic objectives.

MODERATE – The level of risk may delay or disrupt the achievement of its strategic objectives.

HIGH – The level of risk will significantly impede its ability to achieve its strategic objectives.

Where applicable, controls are in place to reduce the likelihood or alternatively mitigate the impact of risk events.

Key risk categories

Key risks are those that have a financial, operational and reputational impact and include:

  • HEALTH, SAFETY & ENVIRONMENT: The Group has a low appetite for health, safety and environment risk and strives for Zero Harm in the workplace. This is supported by the Group HSE Framework.
  • FINANCIAL: The Group has a moderate appetite for financial risk and is willing to accept risk in order to achieve its financial objectives. The risks are managed and mitigated to an acceptable level through several controls, with oversight from Group executive leadership.
  • LEGAL & COMPLIANCE: The Group strives for the highest standards of business integrity, ethics and governance. It has zero tolerance for unethical behaviour and has a Code of Conduct and a number of related procedures in place to address this risk.
  • PROJECT PERFORMANCE: The Group is prepared to accept a moderate level of risk in the projects it undertakes, to achieve its financial targets. A Project Management Framework, as well as contracting principles and past project lessons learnt schedules are in place and enforced to mitigate project delivery risk.
  • TECHNOLOGY: The Group has a moderate appetite for innovative technology and digitalisation solutions that could add value in meeting its strategic objectives. As the Group formalises and advances its digital strategy, an IT Security Framework is in place to manage the risk of cybercrime and data breaches.

The Group has defined four discrete risk environments: strategic, corporate, operational and project. Each risk has a specific owner, be it a business platform CEO, operating board or an individual executive.

The primary responsibility for managing risk lies with business line management. The risk management, regulatory compliance and internal audit functions in the corporate office advise on risk management approaches, methodologies and systems. They also monitor the diligent execution of risk management at every level of the Group, reporting to various boards and committees on inherent and residual risks in each risk area.

Murray & Roberts is a specialised multinational contractor that contracts on projects which differ in complexity, scope and size. Project risk is therefore the predominant source of risk for the Group. Critical to the preparation of tenders and effective project delivery is the application of three standards, which have been formulated and are regularly updated on the basis of past performance:

  • Group Schedule of Contracting Principles;
  • Group Schedule of Lessons Learnt; and
  • Minimum Requirements for Contracts.

All bids submitted are tested against these standards to ensure that the identified risks are correctly addressed and past failures are not repeated.

Operational risk exposures typically relate to the infringement of laws, including competition, company, labour, health and safety and environment, as well as commercial, technical and logistical aspects of a project. Each business platform has its own risk committee ensuring that these risks are regularly reviewed and assessed, and effectively mitigated.

To reduce project risk as far as possible, the following procedures are followed:

  • Competent and experienced executives oversee the preparation and submission of bids.
  • An Opportunity Management System tracks and processes all opportunities, subjecting them to a series of risk filters to develop a risk profile. These filters are extracted from the Risk Appetite Matrix, which is approved by the Board.
  • Estimating tools used across the Group to prepare bids are proven and validated. The costing process is comprehensive, and subject to rigorous internal reviews, including independent and peer reviews where necessary.
  • Risks are identified based on past experience and mitigated either through contractual terms or priced for and managed within budget.
  • Critical bid requirements are (i) the exclusion and/or pricing of known risks, (ii) that projects must be cash positive, (iii) the prohibition of unacceptable risks and unusual contracting terms, and (iv) the inclusion of limits of liability in contracts.
  • Where a fixed-price project is accepted, the design must be mature, the scope and/or specification clear and an efficient mechanism for change management and dispute resolution must form part of the contract.
  • An allowance for contingencies (unforeseen or unplanned risks) is added to the bid price to cater for potential risks that cannot be priced and mitigated at bidding stage. These allowances are a hedge against risk, are utilised within the framework for which they are established and fall under the control of the project director. The project review committee plays an oversight role on the use of the contingency allowances.
  • Generally known types of contracts such as FIDIC, NEC, JBCC, GCC, are preferred, and specific attention is placed on special conditions. Bespoke contracts are negotiated based on the detailed guidance of internal and external legal counsel.
  • Large and complex project bids are subject to independent review and approval by the Murray & Roberts Limited Board risk committee, which issues a mandate to the project negotiation team. Projects above US$300 million are escalated to the Board for approval. Any deviation from a mandate is referred back to the relevant risk committee for a final decision.
  • The Murray & Roberts Limited Board project oversight committee reviews large and complex projects to ensure performance is in line with the tendered terms and prevailing market conditions. The committee also reviews projects showing early signs of deviation from planned and tendered expectations. This helps to prevent distressed projects by identifying early signs of difficulty and ensuring that corrective actions and interventions are initiated.

Strategic and corporate risks are associated with the activities of the Group chief executive and executive committee and include risks associated with:

  • Organic and acquisitive growth;
  • New markets and new capabilities; and
  • Accounting, taxation, banking/bonding and funds transfers etc.

The corporate office manages these risks which are reviewed by the executive risk committee quarterly and reported to the boards of Murray & Roberts Limited and Murray & Roberts Holdings Limited.

A Group business continuity standard and associated procedures are in place within each business platform. Internal audit provides assurance on these business continuity plans.

REGULATORY COMPLIANCE

Regulatory compliance is the second pillar of the Group Integrated Assurance Framework. The implementation of the Group Regulatory Compliance Framework focuses on the seamless integration of regulatory compliance (with risk management and internal audit) into business planning, execution and management. The regulatory compliance function provides focus on these risks in line with the Group Integrated Assurance Framework.

As a multinational organisation, regulatory compliance is complex. It is therefore imperative to ensure that the Group complies, across all jurisdictions, with legal and other requirements that could materially impact its performance and sustainability, whether from a financial, legal or reputational perspective. The Group employs a structured approach to evaluate potential compliance failures and ensures adequate responses to prevent and, where necessary, to mitigate any negative impact.

INDEPENDENT ASSURANCE

Independent assurance, the third pillar of the Group Integrated Assurance Framework, consists of two complementary parts i.e. internal and external audit. This function provides an independent and objective challenge to the levels of assurance provided by business operations, risk management and regulatory compliance.

The internal audit function is well resourced and qualified to carry out its mandate. In executing its mandate, internal audit applies a robust, risk-based approach to identify critical risk management controls that management relies on, and which must be tested and evaluated to provide the Board with the risk management and regulatory compliance assurance it requires to meet its governance objectives.

The development of the internal audit plan includes interactions with the Group risk and legal functions, with specific reference to their respective risk and compliance mitigation objectives, strategies and plans. The audit plan also encompasses the assessment of Group-wide corporate governance, financial controls and risk management procedures, as well as specific areas highlighted by the audit & sustainability committee, Group executive committee and by executive and operational management for dedicated review.

External audit provides assurance on the Group’s financial statements.

TOP RISKS

The Group’s material risks, in no order of priority, are outlined below.

TREND KEY:

Opportunity

Threat increasing

Threat stable

Threat decreasing

Closed out


STRATEGIC RISKS

VULNERABILITY TO MACROECONOMIC FACTORS

Changes in the global economy have a direct impact on the markets in which the Group operates, particularly Underground Mining and Oil & Gas. Global demand for commodities (metals and minerals) has continued to improve in step with global economic recovery. However, the sustainability of rising commodity prices remains uncertain. Downside risks to the global economy, and therefore to growth prospects in the Group’s markets, include escalation in trade tensions between the USA and China, a no-deal Brexit, impacts of climate change and geopolitical volatility. In South Africa, economic growth remains subdued despite various economic measures introduced by the new administration.

MITIGATION

  • Continue to focus on growth in the natural resources sector, underpinned by positive long-term demand drivers.
  • Position businesses in selected high-growth complementary markets to mitigate the impact of adverse cycles in core markets.
  • Focus on client relationships and maintain competitive advantages to secure negotiated contracts with reasonable terms and opportunities for early contractor involvement.
  • Continue to diversify services across the project life cycle, which includes an emphasis on front-end engineering and operations and maintenance.
  • Invest in long-term investment opportunities that generate constant income at attractive rates of return, either as a project co-developer or operator.
  • Establish JVs with local contractors to win work in geographies where this is a requirement.

OIL & GAS MARKETS

Oil and gas are needed to fuel growing global energy demands. However, the continued soft and volatile oil price and fluctuating supply continues to impact revenues of producers resulting in subdued growth in new capital projects in the sector. A recovery in the global LNG sector is expected from 2022, as global energy producers move to meet demand.

MITIGATION

  • Leverage established capability in Australasia to win work in infrastructure and mining markets.
  • Leverage new capacity in North America to secure additional work in petrochemicals and gas projects, as these are expected to show the greatest capital expenditure growth.
  • Target international LNG projects in geographic areas where the oil and gas majors are located.
  • Diversify across the project life cycle, including an emphasis on operations and maintenance.

GROUP LIQUIDITY

The Group remains in a strong cash positive position, outstanding claims, project losses and working capital demands may constrain our ability to make additional acquisitions and meet growth targets.

MITIGATION

  • Resolve outstanding claims, specifically on the Dubai Airport project.
  • Expedite claims resolution and commercial close-out on the Medupi and Kusile power projects.
  • Continue to manage overheads, with all platforms targeting overhead costs of about 5% of revenue through the cycle, and continually improve project performance.
  • Procure advance payments on projects and ensure that all projects remain cash positive or at least cash neutral.
  • Vigorously drive the philosophy of Engineered Excellence to ensure excellent project delivery.
  • Continue to ensure high quality earnings through a diversified order book.

OPERATIONAL RISKS

HEALTH, SAFETY AND ENVIRONMENTAL EXPOSURES

Although the Group has made significant progress in managing safety risk, anything more than Zero Harm remains a concern and continues to receive diligent and proactive attention from the executive team across the Group.

MITIGATION

  • The Group HSE Framework guides operations in managing material health, safety and environment issues.
  • The Zero Harm Through Effective Leadership programme, aimed at establishing a purpose-driven culture, ensures sustainable improvement in health and safety.
  • The MAP/CRM programme has been rolled out across all operations to proactively manage material HSE issues and prevent major incidents.
  • Programmes aimed at improving employee health and wellness are in place across all operations.
  • The Environmental Framework, which incorporates a number of critical standards and is implemented to regulate important environmental issues such as energy efficiency, carbon emissions, waste and water, is in place across the Group’s operations.

COMMUNITY AND INDUSTRIAL UNREST

Community and industrial unrest have an impact on productivity, safety and profitability by causing project delays and disruptions. This has emphasised the need for ongoing, direct and meaningful engagement with all employees and host communities.

MITIGATION

  • The Employee Relations Framework has been embedded across the Group’s South African operations.
  • Improved working relations with employee representatives, who are appointed on all sites, has served to mitigate the risk and the visible felt leadership safety initiative is addressing a broader range of issues that affect employees.
  • Strike mitigation plans are in place at each operation and project site.
  • The Group engages in strategic CSI and socioeconomic development activities, focusing on the communities in which we operate.
  • The focus on growing our footprint in less risky markets and sectors continues.
  • Key areas of the business are under suitable insurance cover.

PROJECT RISKS

PROJECT LOSSES

Some of our projects are technically complex with long durations, increasing risk exposures during execution. These risks, together with risks beyond our direct control, may result in our failure to meet contractual cost or schedule commitments and other performance parameters, leading to material loss of project earnings. An emerging trend is an increasing expectation among clients for fixed-price and hybrid-type contracts, resulting in 38% of the Group’s project portfolio consisting of fixed-price contracts.

The table below reflects the number of projects across the Group at year end with losses in excess of R15 million. These loss-making projects are subject to additional oversight by the Group executive committee.

Middle East project losses have been accounted for in previous years. These projects have been delivered and the risk will close out when commercial closure on the projects is achieved.

CONTRACT
VALUE
ACTIVE
PROJECTS
AT 30 JUNE
2019
  PROJECTS
WITH
LOSSES
> R15 MILLION
≤ R100 million 29   1
≥ R100 million and ≤ R500 million 37   2
≥ R500 million and ≤ R1 billion 19   2
≥ R1 billion 20   1

MITIGATION

  • Strong oversight processes are in place to mitigate the risk associated with an increasing proportion of fixed-price contracts in the Group’s order book.
  • Comprehensive project assurance and performance management tools are in operation within the business platforms, based on the experience gained from past project losses. The focus is on obtaining assurance of compliance with project management systems.
  • Project Critical Control Executive Dashboards apply across the Group to provide executives with early insight into performance indicators on projects under their control.
  • Management, including at Group level, timeously reviews underperforming projects to revisit and revise recovery plans and programmes.
  • Clients are engaged to find common cause around the recovery plans.
  • The oversight committee continues to review underperforming projects and provides timeous intervention aimed at driving improvements in project performance.

SOUTH AFRICAN POWER PROGRAMME

The power programme has reached the completion phase, which includes the demobilisation of project personnel. This phase is subject to heightened risks mainly relating to safety, productivity and industrial action, which may give rise to commercial disputes on the Medupi and Kusile power station projects. The outcome of these disputes may impact cash flows, although the accounting position on these projects is considered to be prudent and risk provisions to be adequate.

MITIGATION

  • Consultation with employees and trade unions regarding demobilisation terms and conditions are ongoing.
  • Clients are engaged to resolve outstanding commercial matters.
  • Disputes are immediately referred to adjudication if they cannot be resolved amicably and within reasonable timeframes.

UNCERTIFIED REVENUES

Occasionally the Group raises claims against clients for costs incurred relating to matters not included in the contract price of the project. These claims or commercial entitlements, often arising from delays caused by clients or changes to initially agreed project scopes, are accounted for in our financial statements as uncertified revenues, until such time that the claims are approved by the client at which time the uncertified revenue becomes certified. Failure to convert uncertified revenue to certified revenue, may result in the reversal of previously declared income.

The uncertified revenues taken to book on the Dubai Airport and other projects must still be realised through extensive claims resolution processes. This creates the risk of income accounted for in prior financial periods being reversed to the extent that the outcomes of the claim settlement process are less favourable than the accounting position taken.

MITIGATION

  • Claims are pursued through negotiation, mediation and/or arbitration to ensure the most beneficial outcome for the Group.