Risk management report

Taking and managing risk responsibly is central to value creation and the long-term resilience, relevance and sustainability of the Group. Our enterprise-wide Risk Management programme ensures that we effectively mitigate threats and create opportunities in line with our Values, strategy, and goals.

The Group's market sector, geographic and project life cycle diversification is instrumental in mitigating some of the risks we face, including the uncertainty brought by the COVID-19 pandemic. During the pandemic, the Group's strength and resilience enabled it to adapt and continue to operate, delivering services to its clients and contributing to socioeconomic recovery and community wellbeing where it operates.

The Board is ultimately responsible for risk management and provides strategic direction through policies and frameworks that ensure the effective management of all economic, financial, environmental, social and governance issues. The Board considers and approves the overall risk appetite for the Group, monitors risk exposure and sets risk tolerances, which are regularly reviewed and updated. In discharging its responsibility, the Board is supported by the risk and audit committees whose mandates include periodic reviews, guidance and objective challenge to management, and independent verification that risks and internal controls are effectively managed.

While risk management is a key accountability and performance criterion for all leaders, employees are responsible for identifying and managing risks within their work environment. This requires effective risk governance structures and a strong culture that we continue to develop and foster. Our risk governance includes risk committees at different levels in the organisation, and systems and procedures that guide all employees in the execution of their responsibilities.

The Group follows an integrated assurance approach in verifying that risks are effectively managed across all lines of defence. Risk Management, Regulatory Compliance, and Independent Assurance (internal and external audits) are the three pillars of the Group Integrated Assurance Framework, which aims to:

  • Align strategy with risk tolerance;
  • Improve and streamline decision-making, which improves the Group's risk profile;
  • Promote the strategic and coordinated procurement of a quality order book, which contains a known and planned level of risk and an appropriate level of reward;
  • Ensure reasonable commercial terms and conditions are contracted based on a predetermined set of acceptable contracting principles, together with the rational pursuit of commercial entitlement;
  • Promote rigorous project reviews, and early responses to projects deviating from planned and tendered expectations;
  • Promote continuous improvement through the institutionalisation and application of lessons learnt;
  • Reduce operational surprises, improve predictability and build shareholder confidence;
  • Build robust organisational risk structures and facilitate timeous interventions, to promote long-term sustainable growth; and
  • Promote the efficient and proactive pursuit of opportunities.

The Group Risk Management Framework

The primary responsibility for managing risk lies with business line management. The risk management, regulatory compliance and internal audit functions advise on risk management approaches, methodologies, and systems. They also monitor the diligent execution of risk management at every level of the Group and report to various boards and committees on inherent and residual risk in each risk area.

The Group Risk Management Framework sets clear roles and responsibilities and provides management teams with a structured and coordinated approach to identify, assess, address, monitor, communicate and report the Group's risks and opportunities. Preventative and mitigative controls are implemented to reduce the likelihood and consequence of identified risks and manage potential impacts. However, there remain threats, such as natural disasters and pandemics, where there is limited opportunity to effectively mitigate their impact. These threats are closely monitored and the Group has implemented business resilience plans to ensure sustainability of our operations.

The Group has defined four discrete risk environments, namely strategic, corporate, operational and projects, with organisational structures and functional support in place to guide and set direction.


1 ORGANISATIONAL STRUCTURES

In addition to the various Group operating board responsibilities, organisational structures have been created and tasked with risk governance, including the business platform risk committees, the Murray & Roberts Limited risk committee and the Murray & Roberts Limited project oversight committee.

2 FUNCTIONAL SUPPORT

Dedicated risk management support has been created at Group level and within businesses. This includes enterprise-wide risk leadership, risk management monitoring, risk-based auditing and operational and risk committees. The Group risk forum, comprising risk managers from all businesses, facilitates learning and sharing, and adoption of consistent standards and practices across the Group.

3 STRATEGIC RISK MANAGEMENT

Strategic risk is evaluated as a hurdle to achieving the Group’s long-term strategy. Management is tasked by the Board to implement and adapt the Group strategy, considering changes in the business environment and subject to the approved risk appetite and risk tolerance levels. Direction is set for organic and acquisitive growth to access new markets and create new capacity, and is also applied to acquisitions, disposals, new business development, and timely and necessary leadership intervention.

The corporate centre has the oversight role on these risks, which are periodically reviewed by the executive risk committee and reported to the Board. Reviews include consideration of emerging risks in the business environment and their potential impact to the Group.

4 OPERATIONAL RISK MANAGEMENT

Operational risk is a potential barrier to achieving planned profits within the Group’s business platforms. Methodologies for identifying, evaluating, mitigating, monitoring and communicating risk are applied in the operational business environment. Three-year business plans, which take into account risks and opportunities, are developed and performance against these plans is reviewed on a quarterly basis.

Operational risk exposures typically relate to major incidents and infringement of laws such as competition, company, health and safety laws, as well as commercial, technical and logistical aspects of projects. Business platforms have governance structures and systems that ensure that these risks are effectively managed.

5 PROSPECT AND PROJECT LIFE CYCLE

Project risk is evaluated as a potential barrier to delivering contracted scope against cost, time and technical performance targets, while maintaining HSE performance. A Project Management Framework sets a minimum standard for project management while the Project Management Development programme ensures enhancement of project management skills across the Group. The Project Management Framework also provides internal audit with a consistent set of processes and controls against which project performance is tested. Project risk management activities include the Group risk tolerance filters, lessons learnt and contracting principles schedules, project reviews and project dashboards.

6 CORPORATE RISK MANAGEMENT

Corporate risk management relates to a range of portfolios within the corporate office, which includes risk management standards and procedures, regulatory compliance, integrated assurance, business continuity, tax, insurance, crisis communication and other ESG policies such as the Climate Change Position Statement, Code of Conduct, Statement of Business Principles, etc. The risk management committee has overall oversight, but due to the nature of the individual elements of ESG, other committees, including the social & ethics committee, deal with related matters.

RISK MANAGEMENT PRACTICES

We define risk appetite as the type and extent of risk the Group is willing to take in pursuit of its strategic objectives. Several factors are considered in determining the risk appetite in each risk category. The Risk Appetite Statement classifies the Group's appetite for each risk category as low, moderate, high, or extreme according to the following definitions:

LOW

The level of risk will not impede the Group's ability to achieve its strategic objectives.

MODERATE

The level of risk may delay or disrupt the achievement of its strategic objectives.

HIGH

The level of risk will impede its ability to achieve its strategic objectives.

EXTREME

The level of risk will significantly impede its ability to achieve its strategic objectives.

Where applicable, controls are in place to reduce the likelihood or alternatively mitigate the impact of risk events.

KEY RISK CATEGORIES

Key risks are those that have a financial, operational and reputational impact and include:

HEALTH, SAFETY & ENVIRONMENT:
The Group has no appetite for health, safety and environment risk and strives for Zero Harm in the workplace. This is supported by the Group HSE Framework.
FINANCIAL:
The Group has a moderate appetite for financial risk and is willing to accept risk to achieve its financial objectives. The risks are managed and mitigated to an acceptable level through several controls, with oversight from Group executive leadership.
LEGAL & COMPLIANCE:
The Group strives for the highest standards of business integrity, ethics and governance. It has zero tolerance for unethical behaviour and has a Code of Conduct and a number of related procedures in place to address this risk. The Group also complies fully in all jurisdictions with regulated requirements to protect personal information and other regulations.
PROJECT PERFORMANCE:
The Group is prepared to accept a moderate level of risk in the projects it undertakes to achieve its financial targets. A Project Management Framework, as well as contracting principles and past project lessons learnt schedules are in place and enforced to mitigate project delivery risk.
TECHNOLOGY:
The Group has a moderate appetite for innovative technology and digitalisation solutions that could add value in meeting its strategic objectives. As the Group formalises and advances its digital strategy, an IT Security Framework is in place to manage the risk of cybercrime and data breaches.

Murray & Roberts contracts on projects which differ in complexity, scope and size. Project risk is the predominant source of risk for the Group. Critical to the preparation of tenders and effective project delivery is the application of three standards, which have been formulated and are regularly updated on the basis of past performance:

All bids submitted are tested against these standards to ensure that the identified risks are correctly addressed and past failures are not repeated.

Operational risk exposures typically relate to the infringement of laws, including competition, company, labour, health and safety and environment, as well as the commercial, technical and logistical aspects of a project. Each business platform has its own risk committee that oversees these risks and ensures that they are regularly reviewed and assessed, and effectively mitigated.

To reduce project risk as far as possible, the following procedures are followed:

Strategic and corporate risks are associated with the activities of the Group chief executive and executive committee and include:

The corporate office manages these risks, which are reviewed by the executive risk committee quarterly and reported to the boards of Murray & Roberts Limited and Murray & Roberts Holdings Limited.

A Group business continuity standard and associated procedures are in place and are embedded within each business platform. Internal audit provides assurance on these business continuity plans.

REGULATORY COMPLIANCE

Regulatory compliance is the second pillar of the Group Integrated Assurance Framework. The implementation of the Group Regulatory Compliance Framework focuses on the seamless integration of regulatory compliance (with risk management and internal audit) into business planning, execution and management. The regulatory compliance function provides focus on these risks in line with the Group Integrated Assurance Framework.

As a multinational organisation, regulatory compliance is complex. It is therefore imperative to ensure that the Group complies, across all jurisdictions, with legal and other requirements that could materially impact its performance and sustainability, whether from a financial, legal or reputational perspective. The Group employs a structured approach to evaluate potential compliance failures and ensures adequate responses to prevent and, where necessary, to mitigate any negative impact. A regulatory compliance plan is set out in the Group's compliance standard and the social & ethics committee provides oversight through regular reviews of regulatory compliance reports provided by management.

INDEPENDENT ASSURANCE

Independent assurance, the third pillar of the Group Integrated Assurance Framework, consists of two complementary parts - internal and external audit. This function provides an independent and objective challenge to the levels of assurance provided by business operations, risk management and regulatory compliance.

The internal audit function is well resourced with experienced and skilled employees to carry out its mandate. In executing its mandate, internal audit applies a robust, risk-based approach to identify critical risk management controls that management relies on, and which must be tested and evaluated to provide the Board with the risk management and regulatory compliance assurance it requires to meet its governance objectives.

The development of the internal audit plan includes interactions with the Group risk and legal functions, with specific reference to their respective risk and compliance mitigation objectives, strategies and plans. The audit plan also assesses Group-wide corporate governance, financial controls and risk management procedures, as well as specific areas highlighted by the audit & sustainability committee, Group executive committee and by executive and operational management.

External audit provides independent assurance that the annual financial statements and the integrated report are free from material misstatements and errors and comply with IFRS requirements.

TOP RISKS

The top risks outlined in this section are those that could materially affect the Group's performance, future prospects and reputation.

STRATEGIC RISKS

Vulnerability to macroeconomic factors

Changes in the global economy have a direct impact on the markets in which the Group operates. Downside risks to the global economy and therefore to growth prospects in the Group's markets, include low commodity prices, geopolitical stability and its impact on trade and investments, impact of the COVID-19 pandemic, climate change and regulatory factors amongst others. These changes are likely to lead to fluctuations in the Group's order book and projected earnings.

MITIGATION
  • Strategic focus on the natural resources sector, which is underpinned by positive long-term demand fundamentals.
  • Broader strategic scope includes selected high-growth markets, geographies and sectors to mitigate the impact of adverse cycles in natural resources.
  • Focus on client relationships and maintaining competitive advantages to secure negotiated contracts with reasonable terms and opportunities for early contractor involvement.
  • Continue to diversify services across the project life cycle, which includes an emphasis on front-end engineering, and operations and maintenance.
  • Invest in long-term investment opportunities that generate constant income at attractive rates of return, either as a project co-developer or operator.
  • Establish joint ventures with local contractors to win work in geographies where this is a requirement.

Group liquidity

Although the Group remains in a strong cash position, outstanding claims and payments, potential future project losses and working capital demands may introduce liquidity stress and constrain the Group's ability to make value accretive acquisitions and meet growth targets.

MITIGATION
  • Continue to ensure high-quality earnings through a diversified order book.
  • Pursue claims through negotiation, mediation and/or arbitration and ensure the most beneficial outcome for the Group.
  • Continue to manage overheads and improve project performance.
  • Procure advance payments on projects and ensure that all projects remain cash positive or at least cash neutral.
  • Vigorously drive Engineered Excellence to ensure project delivery that is differentiated by excellence.
  • Secure payment guarantees to manage client credit risk, where relevant.

OPERATIONAL RISKS

Health, safety and environmental exposures

Failure to manage our health, safety and environmental aspects could result in major incidents that may harm our reputation, people and prospects. Many clients require that we meet certain safety criteria to be eligible to bid on contracts and some of the contracts provide for safety performance penalties. Unsafe work conditions and lack of environmental stewardship have a potential to affect our ability to attract and retain talent.

Although the Group has made significant progress in managing safety risk, anything more than Zero Harm remains a concern and continues to receive diligent and proactive attention across the Group.

MITIGATION
  • The Group HSE Framework guides operations and ensures a consistent approach in improving health, safety and environment performance.
  • The Zero Harm Through Effective Leadership programme ensures sustainable improvement in health and safety.
  • The MAP and CRM programmes have been rolled out across all operations to proactively manage material HSE issues and prevent major incidents.
  • Programmes aimed at protecting and improving employee health and wellness are in place across all operations, including COVID-19 risk management plans.
  • The Environmental Management Framework, which incorporates a number of critical standards and is implemented to regulate important environmental issues such as energy efficiency, carbon emissions, waste and water, is in place across the Group's operations.
  • The Climate Change Position Statement commits the Group to play a meaningful role in efforts aimed at mitigating the impact of climate change and ensures a consistent approach.

Project delivery risks

Some of the Group's projects are technically complex with long durations that increase risk exposures during execution. These risks, together with risks beyond our direct control, may result in failure to meet contractual cost or schedule commitments and other performance parameters, potentially leading to material loss of project earnings. Client preference for higher risk lump sum and hybrid-type contracts, especially in market sectors serviced by the Energy, Resources & Infrastructure, and the Power, Industrial & Water platforms, continues. As a result of this trend, 61% of the Group's order book comprises lump sum contracts.

Middle East project losses have been accounted for in previous years. These projects have been delivered and the risk will close out upon completion of the sale of entities.

MITIGATION
  • Strong oversight processes are in place to mitigate the risk associated with an increasing proportion of lump sum contracts in the Group's order book.
  • Independent reviews are conducted early on projects to ensure early identification and remedy of potential issues. Comprehensive project assurance and performance management tools are applied within the business platforms, based on the experience gained from past project losses. The focus is on obtaining assurance of compliance with project management systems.
  • Project Critical Control Executive Dashboards apply across the Group to provide executives with early insight into performance indicators on projects under their control.
  • Management, including at Group level, timeously reviews underperforming projects to revisit and revise recovery plans and programmes. Clients are engaged to find common cause around the recovery plans.
  • The oversight committee continues to review underperforming projects and provides timeous intervention aimed at driving improvements in project performance.

Business impact of the COVID-19 pandemic

The COVID-19 pandemic has had, and could continue to have, a material impact on our business operations and financial performance. The outbreak of the disease and the implementation of response measures have created uncertainty and economic disruption which have impacted, and may continue to impact, our employees, operations and financial performance. Impacts include restrictions on the movement of people and the shutdown of certain economic sectors which resulted in manufacturing and supply chain disruptions, travel bans, deferral of new project awards, operational disruptions and project delays.

MITIGATION
  • Implemented business resilience measures and strict health protocols to protect employees, business partners and communities. Globally, increased emphasis on, and adoption of, vaccinations is expected to provide a turning point in the fight against the pandemic.
  • Commercial entitlement is being pursued where applicable.
  • Contracting principles have been updated to include reasonable terms to manage similar risk exposures.

Cybersecurity

The potential for disruption or damage to the business caused by the failure of IT systems and cyber breaches or attacks is a real threat. Various privacy and security laws require us to protect sensitive and confidential information from unauthorised disclosure. The increase in frequency and sophistication of cybercrime incidents highlights the importance of implementing and maintaining robust cybersecurity frameworks.

MITIGATION
  • An IT Security Framework is in place and is independently tested.
  • The Group’s IT security framework was further improved by strengthening the security governance processes and technical defences. These include implementing:
    • Latest technology firewalls with strict rules to manage access and web applications;
    • Protection of external facing sites to ensure encryption and that email, servers and other endpoints are secured;
    • Cybersecurity training, including simulated phishing tests;
    • A cybersecurity standard which prescribes a minimum set of controls required to provide system and data security.
  • The Group has a vulnerability management standard that provides guidance on identification of controls that need to be in place to manage vulnerability within the IT environment.
  • Backup solutions to recover from system failures or breaches are in place.
  • Insurance cover for cybercrime related losses is in place.