Murray & Roberts : Risk Management Report

86

MURRAY & ROBERTS Annual Integrated Report 2022

04

RISK AND REMUNERATION REPORTS

Murray & Roberts Cementation, Arnot Mine, Mpumalanga, South Africa

87

			GOVERNANCE,RISK ANDRISK AND
GROUP	LEADERSHIP	BUSINESS		SUMMARISED	SHAREHOLDERS'
OVERVIEW	REVIEW	PLATFORM REVIEWS	REMUNERATIONREPORTS		FINANCIAL RESULTS	INFORMATION

88

MURRAY & ROBERTS Annual Integrated Report 2022

Risk management report

As a global engineering and contracting group, risk is an inherent feature of our business. The global economy continues to experience periods of uncertainty driven by various factors ranging from the pandemic, geopolitical tensions, climate change and supply chain disruption to rising inflation.

In FY2022, the Group continued to trade under these challenging and dynamic conditions. Our market sector, geographic and project life cycle diversification, and diligent risk management have been instrumental in mitigating the impact of some of the risks we face.

Established by the Board, our enterprise-wide risk management framework guides us in mitigating threats to our business and exploiting business opportunities. The Board approves the Group's risk appetite and risk tolerance, and monitors risk exposures which are regularly reviewed and updated. It has established clear governance structures for managing risk and opportunities across the organisation, thereby ensuring that it receives appropriate attention. The Board is supported by the risk and audit committees whose mandates include periodic reviews, guidance and objective challenge to management, and independent verification that risks and internal controls are effectively managed.

During the year, sustainable development continued to feature prominently on the global agenda with many stakeholders calling for visible action on environment, social and governance issues. We continued to align our business priorities with these developments, with an increased focus on ESG in our risk reviews and improvement actions. The ultimate custodianship of ESG lies with the Board which receives regular updates from management on ESG risks, opportunities, and performance.

The Group follows an integrated assurance approach in verifying that risks are effectively managed. Risk Management, Regulatory Compliance, and Independent Assurance (internal and external audits) are the three pillars of the Group integrated assurance framework, which aims to:

• Align strategy with risk tolerance;
• Improve and streamline decision-making, which improves the Group's risk profile;
• Promote the strategic and coordinated procurement of a quality order book, which contains a known and planned level of risk and an appropriate level of reward;
• Ensure reasonable commercial terms and conditions are contracted based on a predetermined set of acceptable contracting principles, together with the rational pursuit of commercial entitlement;
• Promote rigorous project reviews, and early responses to projects deviating from planned and tendered expectations;
• Promote continuous improvement through the institutionalisation and application of lessons learnt;
• Reduce operational surprises, improve predictability and build shareholder confidence;
• Build robust organisational risk structures and facilitate timeous interventions, to promote long-term sustainable growth; and
• Promote the efficient and proactive pursuit of opportunities.

During the year, sustainable development continued to feature prominently on the global agenda with many stakeholders calling for visible action on ESG issues.

The Group risk management framework

The Group risk management framework sets clear roles and responsibilities and provides management teams with a structured and coordinated approach to identify, assess, address, monitor, communicate and report the Group's risks and opportunities. We implement preventative and mitigative controls to reduce the likelihood and consequence of identified risks and manage potential impacts. However, there remain threats, especially those that are largely beyond our control, such as natural disasters and pandemics, where there is limited opportunity to effectively mitigate their

1 STRUCTURESORGANISATIONAL

3 STRATEGIC

Risk to achieving long-term sustainabili and value creation objectives. Direction set for organic growth or growth through acquisition to access new markets and/ or create new capacity.

4 OPERATIONAL

Risk to activities related to the generation of profits within the business platforms.

6

CORPORATE

Centralised disciplines sitting outside strategic and operational environments.

2

SUPPORTFUNCTIONALFUNCTIONLSUPPORT

89

GROUP OVERVIEW

LEADERSHIP REVIEW

impact. We closely monitor all threats and where possible, have implemented business resilience plans to ensure sustainability of our operations.

The Group has defined four discrete risk environments, namely strategic, corporate, operational and projects, with organisational structures and functional support in place to guide and set direction.

5 PROSPECT AND PROJECT LIFE CYCLE

Lessons learnt and contracting principles applied to future prospects and projects.

BUSINESS PLATFORM

1	4
ORGANISATIONAL STRUCTURES	OPERATIONAL RISK MANAGEMENT

REVIEWS

To facilitate effective risk management, organisational structures have been established and tasked with risk governance at various levels within the organisation.

In addition to Board committees, the Murray & Roberts Limited risk committee is tasked with risk governance at executive management level.

Operational risk is a potential barrier to achieving our business plans. Methodologies for identifying, evaluating, mitigating, monitoring, and communicating risk are applied in the operational business environment. Three- year business plans, which consider threats and opportunities, are developed and performance against these plans is reviewed on a quarterly basis. Operational risk exposures typically relate to major incidents and infringement of laws such as competition, company, and health and safety laws, as well as the commercial, technical and logistical aspects of projects. Business platforms have governance structures and systems that ensure that these risks are effectively managed.

RISK REMUNERATION

2

FUNCTIONAL SUPPORT

Dedicated risk management support has been created at Group level and within businesses. This includes enterprise-wide risk leadership, risk management monitoring, and risk-based auditing. The Group risk forum, comprising of risk managers from all businesses, facilitates learning and sharing, and adoption of consistent standards and practices across the Group.

3

STRATEGIC RISK MANAGEMENT

Strategic risk is evaluated as a hurdle to achieving the Group's long-term strategy. Management is tasked by the Board to develop, implement and adapt the Group strategy, considering changes in the business environment and subject to the approved risk appetite and risk tolerance levels. Direction is set for organic and acquisitive growth to access new markets and create new capacity. The corporate centre has the oversight role on these risks, which are periodically reviewed by the executive risk committee and reported to the Board. Reviews include consideration of emerging risks in the business environment and their potential impact on the Group.

5

PROJECT RISK MANAGEMENT

Project risk is evaluated as a potential barrier to delivering contracted scope against cost, time, and technical performance targets, while maintaining industry leading ESG performance. Critical to the preparation of tenders and effective project delivery is the application of three standards, which have been formulated considering past project experience and lessons learnt. These standards are regularly updated to include new learnings:

• Group Schedule of Contracting Principles;
• Group Schedule of Lessons Learnt; and
• Minimum Requirements for Contracts.

All bids submitted are tested against these standards to ensure that risks are appropriately addressed, and past failures are not repeated.

A project management framework sets the standard for project management and provides internal audit with a consistent set of processes and controls against which the delivery of projects is tested.

6

CORPORATE RISK MANAGEMENT

Corporate risk management relates to a range of portfolios and activities within the corporate office, including risk management standards and procedures, regulatory compliance, integrated assurance, business continuity, tax, insurance, crisis communication and other ESG policies, such as the Climate Change Position Statement, Code of Conduct and Statement of Business Principles. Oversight of the three main elements of ESG lies with the relevant Board committees.

REPORTS	AND
RESULTS FINANCIAL	SUMMARISED
INFORMATION	SHAREHOLDERS'

90 Risk management report continued

2022	Risk management
Report
process
Integrated
which sets the overall risk appetite for the Group,
	The ultimate responsibility for risk lies with the Board,
Annual	monitors overall risk exposure and evaluates internal
controls. The Group's top risks are regularly monitored
	and managed in accordance with the business priorities.
	A competent risk management function is in place to
ROBERTS	guide and support management in managing risk across
We define risk appetite as the type and extent of risk the
	the organisation.
&	Group is willing to take in pursuit of its strategic
MURRAY
objectives. Several factors are considered in determining
	the risk appetite in each risk category. The Risk Appetite
	Statement classifies the Group's appetite for each risk
	category as low, moderate, high, or extreme according
	to the following definitions:

LOW

The level of risk will not impede the Group's ability to achieve its strategic objectives.

MODERATE

The level of risk may delay or disrupt the achievement of its strategic objectives.

HIGH

The level of risk will impede its ability to achieve its strategic objectives.

EXTREME

The level of risk will significantly impede its ability to achieve its strategic objectives.

Where applicable, controls are in place to reduce the likelihood or alternatively mitigate the impact of risk events.

Key risk

categories

Key risks are those that have a strategic, financial, operational, and reputational impact and include:

Health, safety & environment:

The Group has no appetite for health, safety and environment risk and strives for Zero Harm in the workplace. This is supported by the Group HSE framework.

Financial:

The Group has a moderate appetite for financial risk and is willing to accept risk to achieve its financial objectives. These risks are managed and mitigated to an acceptable level through several controls, with oversight from Group executive leadership.

Legal and compliance:

The Group strives for the highest standards of business integrity, ethics, and governance. It has zero tolerance for unethical behaviour and has a Code of Conduct and several related procedures in place to address this risk. The Group also complies fully in all jurisdictions with regulated requirements to protect personal information.

Project performance:

The Group is prepared to accept a moderate level of risk in the projects it undertakes, to achieve its financial targets. A project management framework, as well as contracting principles and past project lessons learnt schedules are in place and used to mitigate project delivery risk.

Technology:

The Group has a moderate appetite for innovative technology and digitalisation solutions that could add value in meeting its strategic objectives. As the Group formalises and advances its digital strategy, an IT security framework is in place to manage the risk of cybercrime and data breaches.