Statement on Risk Management and Internal Control

Governance

Step and description of the risk management process:

1. Context Setting: Understand the business's strategy, value drivers and potential risks in the context of the industry, value chain and stakeholder expectations.
2. Risk Identification: Define potential risks and uncertainties that could positively or negatively affect the business's goals, and evaluate their impacts and the business's vulnerability to those impacts.
3. Risk Assessment & Prioritisation: Determine the critical risks facing the business at the enterprise level.
4. Risk Response: Develop and implement a plan to respond to a risk and understand its root causes, including the development of Key Risk Indicators (KRIs) to help monitor how the risk changes over time.
5. Risk Monitoring & Reporting: Track priority risks and engage in routine discussions with leadership on the status and impact of risk treatment plans.

Read more on Principal Risks on page 56.

[Figure: the five-step risk management cycle (Context Setting, Identify, Assess & Prioritise, Respond, Monitor & Report), described as proactive, robust and consistent.]

These policies and procedures are reviewed regularly and, if required, updated. A Whistleblowing Policy is in place within the Group's business units. This policy encourages employees to report any wrongdoing by any person in the Group to the proper authorities so that the appropriate business action can be taken immediately.

Whistleblowing Platform: The Group is committed to a high standard of corporate governance. Consistent with this commitment, and to maintain a high standard of integrity in its business conduct, the Group has in place a whistleblowing policy. In January 2023, the Group launched the Navex whistleblowing platform, EthicsPoint, which gives employees and third parties a trusted channel to report, in confidence, any suspected wrongdoing. Group Internal Audit (GIA) has been designated as the independent function to maintain the whistleblowing channel and investigate all whistleblowing reports.
The AC is updated on the status of the reports.

The system of risk management and internal control covers not only financial controls but also operational, risk and compliance controls. These systems are designed to manage, rather than eliminate, the risks arising from failure to comply with policies and from deviating from goals and objectives. Such systems provide reasonable, rather than absolute, assurance against material incidents or loss.

Risk Management

The Risk Management and Compliance Department (RMCD) assists the Board and the RMC in discharging their risk oversight responsibilities. Group management and business units have primary responsibility for managing risk exposures. RMCD is structured to provide comprehensive risk and compliance advisory support to IHH business units worldwide, particularly in the areas of governance, training and reporting. RMCD serves as the central resource for managing the portfolio of risks that the Group as a whole has taken on. It collaborates closely with business units to strengthen their risk management practices and capabilities, and guides the priorities and direction of the Group's risk management activities. Risk updates are consolidated and analysed for monitoring and reporting to the IHH RMC on a quarterly basis.

The Group recognises that Enterprise Risk Management (ERM) is a proactive management system for anticipating emerging risks and putting in place pre-emptive action plans so that the effect of uncertainties on fulfilling business goals and objectives is minimised.

Sustainability risks are managed with the same care and discipline as any other business risks. Sustainability is further governed by a newly formed Sustainability Committee chaired by the Group CEO. Sustainability risks are assessed, and their metrics tracked, in the Group's quarterly risk report. Sustainability has been integrated into our ERM framework, where matters that are critical to the Group are assessed

IHH Healthcare Berhad 114