Al-`Aqar Healthcare REIT Annual Report 2020

Governance Structure

The ERMF specifies the level of risk tolerance, expressed through the use of a risk consequence and likelihood matrix. Once the level of risk tolerance is determined, the risk owner is required to identify and implement the risk mitigation plan strategies, taking into consideration the root cause of the risks and covering management actions with a target timeline for implementation. The risk owners are to monitor and update their risk profiles in a timely manner on an ongoing basis. The update of the risk profiles includes changes to operational, financial and compliance risks and the identification of emerging risks arising from changing business conditions, as well as the adequacy and effectiveness of the related controls.

In addition to the establishment of a risk management committee at the Board level, the Manager is planning to set up an Enterprise Risk Management Committee (“ERMC”) at the Company level, which has commenced in January 2021. The function of the ERMC is to drive risk management guided by the ERM Policy and ERMF to ensure effective identification of emerging risks and management of identified risks through implementation of appropriate controls and risk treatment strategies. Risk owners, who are also ERMC members, are managers or heads from the divisional units responsible for identifying and evaluating the risks related to their business objectives or budgets against which performance is measured, and for establishing the risk profiles during the risk assessment sessions. The ERMC meets periodically and works closely with the Compliance and Risk Management Department (“CRMD”) to ensure effective and consistent adoption of risk management practices. The ERMC presented the risk management report to the Board on a quarterly basis.
As part of the Board’s efforts to ensure risk management and internal control processes are adequate and effective, risk mitigation strategies and internal controls are subject to periodic review by the internal audit, with areas for improvement identified.

Key Elements of Internal Control

The Manager’s Internal Control Policy and Procedures (“ICPP”) was designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations;
• Reliability of financial reporting; and
• Compliance with applicable laws and regulations.

The ICPP is a reference tool for all employees to identify and assess operating controls, financial reporting, and legal/regulatory compliance processes and to take action to strengthen controls where needed. By developing effective systems of internal control, we can contribute to DRMSB’s ability to meet its objectives and reduce the potential liability arising from non-compliance with regulatory requirements, fraud, and lack of efficiency and effectiveness in operations. This guide is designed to satisfy the basic objectives of most business systems as they relate to carrying out the responsibilities of the REIT Manager/DRMSB.

An effective check and balance control environment is fundamental for ensuring a sound internal control system in the Fund’s operations. The Board and Management are committed to maintaining an effective internal control environment by continuously enhancing the design of internal control systems to ensure that they are relevant and effective to promote operational agility while ensuring corporate governance and compliance with regulatory guidelines.

The key elements and/or features of the internal control system established for maintaining strong corporate governance are as follows:

1. The Standard Operating Procedures (“SOPs”), with specified roles and responsibilities in the reporting structure, incorporate the elements of checks and balances which are aligned to the business and compliance requirements.
2. A Limit of Authority Policy is in place for approving capital expenditure and matters on Financial, Treasury, Legal and Secretarial, Audit, Human Resource, Procurement & Contract Management, Investment and Corporate matters, all aimed at keeping potential risk exposures under control.
3. Documented policies and procedures are also in place, subject to review from time to time to ensure that they remain effective in supporting the REIT’s business activities. These include the ERMF, Internal Control Policy Manual, Compliance Framework and Policy which was reviewed in 2020. The Manager has also formulated the Business Continuity Management (“BCM”) and Disaster Recovery Plan (“DRP”) Policy, which is currently under review.
4. The DRP testing is undertaken every quarter and the results are presented to the Board for their notation. The Company is evaluating a proposal to carry out an IT technical risk assessment and penetration test of its IT technical infrastructure.

Statement on Risk Management and Internal Control