IHH Annual Report 2024

IHH Healthcare Berhad | Annual Report 2024 104

Evaluate-Response-Monitor (E-R-M) Process

For the year ended 31 December 2024, the major risk management activities undertaken during the year were as follows:

1. Advancing our ERM transformation and leveraging technology to enhance risk management maturity and better manage the dynamic business environment and emerging challenges;
2. Conducted annual risk reviews through workshops and/or questionnaires in line with the business planning cycle;
3. Assessed emerging risks and developed risk action plans with internal stakeholders;
4. Enhanced and monitored Group Key Risk Indicators (KRIs) to serve as an early warning system for the Group, facilitating improved data analysis for more effective risk management;
5. Strengthened the ERM capabilities of our staff by launching an ERM Awareness e-Learning programme;
6. Organised our Risk and Compliance Forum to foster collaboration, strengthen networks, and recognise the valuable contributions of Division Risk & Compliance Leads;
7. Conducted a post-flood after-action review of business continuity preparedness and a property loss control survey for a business unit to identify gaps and opportunities for improvement, with findings to be shared across IHH; included business resilience awareness as part of annual risk reviews to provide a holistic view of its interrelationship with risk management;
8. Organised trainings with external subject matter experts to train and equip our Business Resilience Leads with the necessary business resilience knowledge and skills for their roles;
9. Developed an eLearning module to enhance Business Resilience awareness, equipping employees to respond to disruptions and strengthening our culture of resilience;
10. Facilitated a workshop with a panel law firm to explore the non-delegable duty of care in hospitals concerning third-party specialist doctors in Malaysia, with the objective of identifying and implementing effective risk allocation and control measures;
11. Managed the placements and renewals for the Group Insurance Programme, including Directors & Officers and Cyber Liability Policies;
12. Facilitated regular insurance reviews and claims meetings with service providers to monitor claim statuses, ensure timely settlements, and identify opportunities for risk control improvements;
13. Ongoing efforts in developing Guidelines on Operationalisation of Anti-Bribery and Anti-Corruption Framework, as well as the Third-Party Corruption Management Framework;
14. Developed a refreshed Anti-Bribery and Corruption (ABC) online training module following revisions to the IHH Anti-Bribery and Corruption Policy (“IHH ABC Policy”);
15. Ongoing efforts to automate and digitalise the records and reporting of inbound and outbound Gifts, Hospitality, Donations and Sponsorship (GHDS) as part of the Group’s initiative to strengthen our anti-bribery and corruption governance and enhance the monitoring of GHDS activities;
16. Successfully implemented the IHH Personal Data Protection Policy by strengthening Group-wide data protection risk management practices;
17. Initiated a comprehensive review of the IHH Personal Data Protection Policy to align with evolving legislative requirements and industry best practices;
18. Collaborated with the IHH Cybersecurity Centre of Excellence to conduct data flow analyses on clinical workflows, enhancing data protection and cybersecurity measures;
19. Collaborated with Group Sustainability to establish a structured framework for sustainable reporting and tracking of complaints on data breaches;
20. Ensured compliance with the Personal Data Protection Commission (PDPC) Singapore by lodging the Group Data Protection Office’s (GDPO’s) Key Representative with the ACRA BizFile for Singapore entities under GDPO’s jurisdiction;
21. Strengthened the IHH Indian Insider Trading Code of Conduct by enhancing the existing Structured Digital Database (SDD) to meet the Securities and Exchange Board of India (Prohibition of Insider Trading Regulations, 2015) requirements regarding SDD; and
22. Carried out ad-hoc assignments requested by Senior Management.

For 2024, the consolidated risk report includes the risk profiles of Fortis Healthcare Limited and PLife REIT. The consolidated risk report and updates are analysed and reported to the Board on a half-yearly basis and to the RMC on a quarterly basis.

The compliance culture is driven with a strong tone from the top, supported by the tone emanating from the middle, to embed the expected values and principles of conduct that shape the behaviours and attitudes of employees at all levels of business and activities across the Group.

Group Internal Audit

The Group has an independent internal audit function which provides independent, objective assurance and consulting designed to add value and improve the organisation’s operations. The internal audit function is under the responsibility of the GIA department led by the Group Head, Internal Audit. GIA is independent and reports directly to the AC. GIA has direct control over internal audit activities in Malaysia, Singapore, China and India (excluding Fortis Healthcare Limited Group, which is a publicly listed company in India). GIA maintains oversight of Acibadem’s internal audit activities through close partnership with the internal audit function of Acibadem.

Statement on Risk Management and Internal Control Governance
