The Board believes that effective risk management and internal control systems underpin a successful business and are integral to realising the Group’s overall objective of delivering value to its shareholders. The Board is ultimately responsible for monitoring and reviewing the effectiveness of these systems and reporting on its review in the Annual Report. The Board has delegated to the Audit and Risk Committee the tasks of evaluating the Group’s risk management procedures, assessing the effectiveness of the internal controls and monitoring the integrity of the Group’s reporting, but maintains strong and regular oversight of the outcome of the Audit and Risk Committee’s work.
The objective of risk management in the Group is to identify and assess important and emerging risks. To this end, the Group has established an Enterprise-wide Risk Management (“ERM”) policy which follows the international Committee of Sponsoring Organisations of the Treadway Commission (“COSO”) framework and is aligned to the Group’s operations and strategy. The Group ERM framework defines the risk appetite, risk management objectives, methodology, risk identification, assessment and treatment processes and the responsibilities of the various risk management role-players in the Group. The ERM policy is embedded in the Group’s daily management and operational processes. It provides a robust structure within which management can operate and which directors can oversee without stifling the core activities of the business. The policy reinforces a strong risk management culture within the Group by setting the tone and acting as the starting point for all components of risk management and internal control. It is subject to annual review, and any amendments are submitted to the Audit and Risk Committee for approval. In accordance with the recommendations of the Financial Reporting Council’s UK Code on Corporate Governance and Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, the Board annually reviews the Group’s principal risks and ERM policy and processes, taking account of the Audit and Risk Committee’s recommendations and assessment.
An ERM software application supports the Group’s risk management process in all three operating divisions. The Group’s principal risk items (grouped by category, business process and strategic priorities), the movement in risk during the financial year, and key measures taken to mitigate these risks, are listed in the table below.
The Group upholds an effective control environment designed to ensure risks are mitigated and the Group attains its objectives, including the accuracy and reliability of the Group’s financial reporting. The system includes monitoring mechanisms and ensures that appropriate actions are taken to correct deficiencies when they are identified.
The key features of the Group’s internal control and risk management systems in relation to the financial reporting process include:
- clearly defined matters reserved for the Board or its Committees, delegations of authority and lines of accountability;
- policies and procedures covering:
  - the Group’s approach to treasury activities and tax matters;
  - internal and external audit mandates;
  - preparation of financial reports;
  - governance of key projects; and
  - ICT security;
- periodic audits conducted by the Internal Auditor;
- representation letters from the divisional CEOs regarding the key risks and mitigating actions for their division; and
- review of disclosures in financial reports by the divisional CEOs and CFOs and the Group senior management as relevant, as well as the Audit and Risk Committee and the Board, to ensure that they fulfil the relevant requirements.
During the year, the Group and each operating division executed their assurance plans. These plans comprise various assurance processes, including internal and external audit processes which are in place to evaluate the effectiveness of key controls designed to mitigate the significant risks identified in each operating division.
The Group makes use of an outsourced internal audit function which is closely aligned to the Group risk management function. It reports independently to the Audit and Risk Committee of the Board. At each operating division, the effectiveness of the system of internal financial control is independently evaluated through the internal and external audit programmes. In addition to these audits, the effectiveness of operational procedures is examined internally through various peer review and control self-assessment processes. The results of these assurance processes are monitored by the Group’s risk management function and reported to each operating division’s management team.
Each operating division has, in addition to the above-mentioned assurance processes, implemented further independent assurance processes with professional organisations, as summarised in the following table.
The company secretaries at Group and operating division level, as well as the internal legal advisors, are responsible for providing guidance in respect of compliance with applicable laws and regulations.
Effectiveness of risk management process and system of internal control
The Board, via the Audit and Risk Committee, regularly receives reports on, and considers the activities of, the internal and external auditors of Hirslanden, Mediclinic Southern Africa and Mediclinic Middle East, and the Group’s risk management function. The Board, via the Audit and Risk Committee, is satisfied that there is an effective risk management process in place and that there is an adequate and effective system of internal control in place to appropriately mitigate the significant risks faced by the Group.