Strategic Report:

Risk management,
principal risks and

The Board is ultimately accountable for the Group’s risk management processes and system of internal control. It has delegated responsibility to the Audit and Risk Committee for overseeing and reviewing the efficacy of the:

  • risk management processes and system of internal control;
  • Group’s internal auditors; and
  • Group’s external auditor.

The Board receives regular updates on the activities of the Audit and Risk Committee.


The Group’s Enterprise-wide Risk Management (“ERM”) Policy is reviewed annually and follows the international Committee of Sponsoring Organisations of the Treadway Commission framework. The policy defines the risk management objectives, methodology, risk appetite, risk identification, assessment and treatment processes, and the responsibilities of the various risk management role-players in the Group. Any policy amendments are subject to the approval of the Audit and Risk Committee.

The objective of risk management in the Group is to establish an integrated and effective risk management framework wherein important and emerging risks are identified, quantified and managed. An ERM software application supports the Group’s risk management process in all three divisions and at Group level. The Group’s principal risk items (grouped by category, business process and strategic priorities), the movement in risk during the reporting period, together with key measures taken to mitigate these risks, are listed in the table below.


Category and business processes:
Strategic and business environment risks
  • Strategy formulation and implementation
  • Strategic investments and strategic projects
Financial and reporting risks
  • Revenue cycle
  • Procure-to-pay cycle
  • Financial management and control
  • Treasury
  • Health information (including coding)
Operational risks
  • Infrastructure
  • Marketing and corporate communication
  • Operations
Information technology risks
  • ICT and related projects
Regulatory compliance risks
  • Legal and secretarial
  • Governance, risk and compliance
  • Environmental management
Clinical risks
  • Clinical
  • Nursing
  • Pharmacy
  • Coding
People risks
  • ICT
  • Human resources
  • Payroll cycle

Risk exposure has increased due to changes in the business environment, increased investments, increased dependency of operations on information technology, information sensitivity and the cost involved.
Proactive and continuous monitoring, favourable results of negotiations, and effective treasury and risk management processes have resulted in a lowering of risk exposure.
Risk exposure has not changed much, as the operating and regulatory environments have remained stable and enhanced risk mitigation measures have kept the risk at the same level.

The principal risks are determined through a strategic risk review process where each division’s executive committee, as well as the Group Executive Committee, re-assesses the top risks which could impact on the achievement of strategic objectives. Related risks are aggregated and grouped to determine the principal risks.

New risks added:

  • Business projects
  • Disruptive innovation and digitalisation


1. Regulatory and compliance risks

The increasing risk relates to the continued healthcare reform and the introduction of new regulations.

These risks relate to adverse changes in legislation and regulations impacting on the Group or the failure to comply with legislation and regulations which may result in losses, fines, penalties or damage to reputation.

The risks include healthcare reform by regulators aimed at reducing the cost of healthcare, broadening the access to quality healthcare and increasing the monitoring of quality standards by regulators.

  • Proactive engagement with stakeholders
  • Health policy units created to conduct research and to provide strategic input into reform processes
  • Active industry participation across all divisions
  • Company secretarial, legal and compliance functions support operational management, monitor regulatory developments and, where necessary, obtain expert legal advice for the effective implementation of compliance initiatives
  • Compliance risks identified and assessed as part of compliance management processes

2. Information systems security and cyber risk

The increased risk relates to the continued external threats arising from cyberattacks and breaches.

Information systems security risk and cyber risk relate to the unauthorised access to information systems through external or internal attack or unauthorised breach resulting in the unavailability of systems, failure of data integrity and data confidentiality breaches.

  • Comprehensive information systems identity access management, change and physical access controls
  • Regular security reviews
  • Disaster recovery planning
  • Group information security and data privacy policies
  • Group ICT Security Committee

3. Business investment and acquisition risks

The investment and governance processes were strengthened during the year.

These risks relate to increased financial exposure relating to major strategic business investments and acquisitions.

The risk includes the sensitivity of the assumptions made when capital is allocated and the effective implementation of major investment decisions.

  • Strategic planning processes
  • Due diligence processes
  • Investment mandates
  • Board oversight
  • Post-acquisition management processes

4. Business project risks


The Group plans to adapt to the evolving regulatory, industry and market environment.

These risks refer to issues or occurrences that may potentially interfere with successful completion of projects, including timeliness, cost and quality.

  • Effective project governance practices, methodologies and reporting
  • Experienced project management teams
  • Proactive monitoring and oversight

5. Economic and business environment risks

Economic growth in the Middle East and Southern Africa remained low, resulting in increased risk exposure.

These risks relate to the downturn in the general economic and business environments impacting on the affordability of healthcare for funders and self-paying patients.

The business environment risks include the potential negative impact on tariffs and fees resulting from the shift of the relative positioning away from healthcare service providers toward funders.

  • Systems to monitor developments and trends in the economic and business environments and early warning indicators
  • Proactive monitoring and negotiation by the Group’s Funder Relations departments
  • Focus on quality and continuum of care to reinforce the Group’s market position

6. Competition risks

The healthcare providers market continued to grow.

These risks relate to the uncertainty created by the existence of competitors or the emergence of new competitors with their own strategies.

The risk includes the outmigration of care, partly driven by further technological developments, and the development of alternative care models.

  • Proactive monitoring
  • Strategic planning processes
  • Quality and value of care processes

7. Clinical risks

Clinical processes across all operating divisions remained a key focus area for the Group.

Risk exposure remained at a comparable level to the previous year.

These risks relate to all clinical risks associated with the provision of clinical care resulting in undesirable clinical outcomes.

Clinical risks at the Group’s facilities are managed daily. High-priority clinical risk areas include patient safety culture, adverse obstetric outcomes, medication errors, surgical and procedural adverse events and multidrug resistant organisms.

Such risks may also result in damage to Mediclinic’s reputation and impact on brand equity. Brand equity refers to the commercial value derived from the consumer perception of the Group’s brand names rather than the services provided under those brand names. 

  • Refer to the Clinical Services Report for a detailed analysis of the strategies to manage and monitor clinical risks
  • A Group-wide clinical risk register implemented per division
  • Accreditation processes
  • Clinical governance processes
  • Monitoring of clinical performance indicators
  • Focus on quality management processes
  • Stakeholder engagement and disclosure strategies
  • Clinical audits

8. Disruptive innovation and digitalisation risks

New risk.

Disruptive innovation and digitalisation risks include the disintermediation and erosion of the Mediclinic business model due to the impact of technological development. They refer to the extent and speed at which new technologies (and combinations thereof) change and transform industries, and to the extent to which an organisation is able to exploit these opportunities and to respond and innovate, while managing associated risks.

  • Strategic planning processes
  • Proactive monitoring
  • Systems to monitor developments and trends in the economic and business environments and early warning indicators

9. Availability, recruitment and retention of skilled resources and medical practitioners

Vacancies and turnover ratios in respect of skilled resources and medical practitioners are expected to remain at similar levels to the prior year.

The availability and support of admitting medical practitioners, whether independent or employed, are critical to the Group’s services.

There is a shortage of skilled labour, particularly a shortage of qualified and experienced nursing staff in Southern Africa.

10. Availability and cost of capital risks

(Including financing and liquidity risks)

Interest rates are expected to remain at comparable levels during 2019. Long-term financing arrangements are in place.

These risks relate to the cost, terms and availability of capital to finance strategic expansion opportunities and/or the refinancing or restructuring of existing debt affected by prevailing capital market conditions.

  • Long-term planning of capital requirements and cash-flow forecasting
  • Scrutiny of cash-generating capacity within the Group
  • Proactive and long-term agreements with banks and other funders relating to funding facilities
  • Systems to monitor compliance with requirements of debt covenants
  • Further details on capital risk management and the Group’s borrowings contained in the annual financial statements

11. Operational and credit risks

The operational and credit risks did not change significantly and remained stable.

Operational risk refers to diverse types of operational events with a potential for financial loss, operational interruptions or reputational damage.

Credit risk is the risk of loss due to a funder’s inability to pay the outstanding balance owing, default by banks and/or other deposit-taking institutions, or the inability to recover outstanding amounts due from patients.

  • Preservation of a sound internal financial control environment
  • Effective operational risk management processes
  • Effective monitoring and oversight of operations
  • Regulated minimum solvency requirements for funders
  • Monitoring of approved funders
  • Treasury policy

12. Quality and stability of operational services risks

The quality and operational services risks did not change significantly and remained stable.

These risks refer to the quality of service and the stability of the operations. They include:

  • incidents of poor service or where operational management fails to respond effectively to complaints;
  • operational interruptions which refer to any disruption of the facility and may include the threat of disrupted electricity or water supply; and
  • fire and allied perils causing damage or business interruption.

  • Patient satisfaction surveys (both internal and external)
  • Complaints monitoring
  • Training programmes and supervision of service levels
  • Emergency backup electricity generation
  • Emergency and disaster planning
  • Extensive fire-fighting and detection systems, including comprehensive maintenance processes
  • Comprehensive insurance to deal with financial impact of potential disasters


Mediclinic continues to monitor the developments around Brexit and the potential implications for the Group. The future terms under which the UK and EU will function in a post-Brexit environment remain unclear. The Group does not expect that Brexit will have a material impact on any of its divisions in Switzerland, Southern Africa and the UAE. However, Mediclinic may be indirectly impacted through its 29.9% investment in Spire, whose core operations are located in the UK.

The Board of Spire has reported a possible no-deal Brexit as one of its principal risks and has communicated to the market its position and assessment thereof in its annual report. The areas considered to have the biggest potential impacts on Spire are related to:

  • supply-chain risks where more than 80% of the goods (other than blood) that Spire uses to operate its hospitals come into the UK from or via the EU. Its supply chain currently operates on short ordering times and low inventories;
  • the impact on employees where Spire reported that less than 10% of its employees are EU citizens; and
  • the risk of increased costs which may occur due to EU imports being subject to customs charges and tariffs.

Another indirect impact which may arise from Brexit is the macroeconomic consequences it may have on European (and Swiss) markets. Due to the significant uncertainties relating to the relationship and trading arrangements between the UK and the EU following Brexit, Mediclinic is not able to quantify the potential impacts that could affect its Swiss operations.