Risk Management


The Group Integrated Assurance Framework coordinates the Group's overall approach to risk management.

This entails identifying, assessing, addressing, monitoring, communicating and reporting Group risk, and includes the process of independently auditing adherence to and implementation of Group policies, standards, plans, procedures, practices, systems, controls and activities to ensure that the Group achieves the level of operational efficiency and compliance required by the Board.

The Board-approved Group Integrated Assurance Policy establishes and mandates the risk management, regulatory compliance and internal audit functions; effectively as the following three pillars of the Group Integrated Assurance Framework.

For more information about our Group risks and risk management practices, see our online integrated report.

Primary responsibility for risk awareness and mitigation has been embedded across the Group’s business platforms. Given the scale and complexity of the Group, Murray & Roberts cannot comprehensively eliminate all risk from its internal and external business and commercial interfaces. For this reason, management manages and maintains a planned, coordinated and structured approach to identify, assess, mitigate, monitor, communicate and report the Group’s risks, prioritising those that are complex and large. This includes governance structures (such as the Board risk management committee, the executive risk committee and the business platform committees), organisational leadership, strategic planning and effective management to ensure that the appropriate operational and functional capacities, as well as systems, controls and processes, are in place to manage and mitigate risk. Guiding this approach is the Group Risk Management Framework.

The Group Risk Management Framework constitutes one of three pillars on which the Group Integrated Assurance Framework stands, and aims to:

  • Align strategy with risk tolerance;
  • Improve and streamline decision-making which improves the Group’s risk profile;
  • Promote the strategic and coordinated procurement of a quality order book, which contains a known and planned level of risk and a commensurate level of reward;
  • Ensure equitable commercial terms and conditions are contracted based on a predetermined set of acceptable contracting principles, together with the rational pursuit of commercial entitlement;
  • Promote early and rigorous project reviews, and timeous responses to projects showing early signs of deviation from planned and tendered expectations;
  • Promote continuous improvement through the institutionalisation and application of key past lessons learnt;
  • Reduce operational surprises, improve predictability and build shareholder confidence;
  • Build robust organisational risk structures and facilitate timeous interventions, to promote long-term sustainable growth; and
  • Promote the efficient and proactive pursuit of opportunities.


In addition to the various Group operating board responsibilities, organisational structures have been created and tasked with risk governance and include the business platform risk committees, the Murray & Roberts Limited risk committee and the Murray & Roberts Limited project oversight committee.


Dedicated risk management support has been created at Group level and within businesses. This includes enterprise-wide risk leadership, risk management monitoring, risk-based auditing and operational and risk committees.


Strategic risk is evaluated as a hurdle to achieving the Group’s long-term strategy. Direction is set for organic and acquisitive growth to access new markets and create new capacity, and is also applied to acquisitions, disposals, new business development and timely and necessary leadership intervention.


Operational risk is a potential barrier to achieving planned profits within the Group’s business platforms. Methodologies for identifying, evaluating, mitigating, monitoring and communicating risk are applied in the operational business environment. Business plans with a three-year horizon are developed and performance against these is subject to quarterly review.


Project risk is evaluated as a potential barrier to delivering contracted scopes against cost, time and technical performance targets, while maintaining health, safety and environmental performance at acceptable levels. A project management framework sets the minimum standard for project management required in the delivery of projects across the Group.

A project management development programme is in place to enhance and refresh project management skills across the Group. The framework also provides internal audit with a consistent set of processes and controls against which project performance is tested. Project risk management activities include the Group risk tolerance filters, lessons learnt and contracting principles schedules, project reviews and project dashboards.


Corporate risk management relates to a range of portfolios within the corporate office, which address various forms of risk including risk management standards and procedures, the Group Code of Conduct, the Statement of Business Principles, regulatory compliance, commercial and legal oversight, integrated assurance, business continuity and information technology disaster recovery, treasury, bonds and guarantees, tax, insurance, crisis communication and forensic investigations.

Regulatory compliance constitutes the second pillar of the Group Integrated Assurance Framework. With the continued growth and expansion of the Group, especially in new geographies and disciplines, regulatory compliance is a large and complex area to understand. This in turn requires a structured approach to evaluate compliance failures and ensure adequate responses are initiated timeously to mitigate and avoid any negative impact on the Group's operations and/or performance. The regulatory compliance function provides specific focus on regulatory compliance risk within the context of the Group Integrated Assurance Framework.

The key imperative of regulatory compliance is to ensure compliance across the Group with every law, rule, code and standard where non-compliance could materially impact the Group's performance and/or continued existence, whether from a financial, legal or reputational perspective. The implementation of the Group Regulatory Compliance Framework focuses on the seamless integration of regulatory compliance (with risk management and internal audit) into business planning, execution and management.

Internal audit is a key element of the Group's assurance structure, and constitutes the third pillar of the Group Integrated Assurance Framework. Internal audit has established a robust, risk-based approach to identify the critical risk management control environment which is relied on by management, and which is to be tested and evaluated for the purposes of providing the Board with the risk management and regulatory compliance assurance it requires to meet its governance objectives. Internal audit follows a planning and execution process through which its risk-based approach is delivered in a consistent manner, followed by detailed reporting and issue tracking.

It is through implementation of the Group Integrated Assurance Framework that the critical risk processes and responses to be included in the internal audit plan are developed. These include interactions with the Group risk executive and the Group legal executive, and with specific reference to their respective mitigation objectives, strategies and plans. The audit plan also encompasses the assessment of Group-wide corporate governance, internal financial controls and risk management procedures, as well as specific areas highlighted by the audit & sustainability committee, Group executive committee and by executive and operational management for separate and dedicated review.