LENMED AIR 2019.pdf
RISK GOVERNANCE

Principle 11
The governing body should govern risk in a way that supports the organisation in setting and achieving strategic objectives.

The Board governs and is responsible for the culture of managing risk at every level of the organisation. It is assisted by the Audit and Risk Committee, which plays an oversight role in respect of risk management.

The Group identifies risks under the headings of:
+ Enterprise risk
+ Operational risk
+ Financial risk
+ Reputational risk

Risk appetite determination — King IV™ requires the Board to determine the organisation’s risk appetite or tolerance for risk. Risk appetite in this context is “the amount of risk Lenmed is willing to accept in pursuit of value”. Risk appetite is directly related to our business strategy; therefore, strategy changes could require re-assessing our risk appetite and strategy. Both are re-evaluated annually.

The Group has an appetite for risk that is consistent with the operation of private hospitals in the healthcare industry in South Africa, Mozambique and Botswana. It manages that risk by remaining compliant with legislation and statutory requirements such as the terms under which its licences are granted. The Group has zero tolerance for risk to the enterprise and its reputation but is willing to take on risks at manageable levels for operations and finance, recognising that reward and opportunities flow from the acceptance of risk.

Lenmed has a detailed Risk Register and risk matters are a standard agenda item at every Audit and Risk Committee and Board meeting. It is regularly emphasised that risk is everyone’s responsibility. In addition, risk mitigation happens on two levels — non-financial and financial — and sub-registers populate the Group Register. There are specific risk registers at our larger hospitals and compliance audits are done at certain hospitals by specific risk and functional area.
There is clinical risk management training at hospitals and industry norms are monitored with a view to becoming ISO compliant in the future. There are also Finance Risk Registers in place. Opportunities flowing from risk assessments form part of the overall approach to risk governance. Emerging risk trends are identified and monitored regularly. Time is set aside at every meeting of the Audit and Risk Committee and the Board for an open risk discussion.

TECHNOLOGY AND INFORMATION GOVERNANCE

Principle 12
The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives.

IT governance is a standard agenda item at meetings of the Audit and Risk Committee. An IT Steering Committee is in place, chaired by Mr V E Firman. The committee meets regularly to discuss Lenmed’s IT governance and evaluate potential or ongoing projects. An IT Charter is in place and the Board and Audit and Risk Committee are regularly apprised of committee discussions.

Progress on the SAP implementation is reported back to the Audit and Risk Committee. The SAP implementation and roll-out is underpinned by the integration of multiple components that represent the healthcare solution for Lenmed.

Management is of the view that outsourcing various aspects of IT, rather than handling them in-house, is beneficial to Lenmed, as there are numerous benefits in the service being provided by a professional and reputable service provider. Regular meetings are held with these service providers. Lenmed has focused on building up cybersecurity and is assisted in this regard by an outsourced service provider. Further, Lenmed constantly upgrades its software.

As regards information governance, including the Protection of Personal Information Act (POPI) and Promotion of Access to Information Act (PAIA), Lenmed is aware of the need to protect client and corporate information, and has adopted appropriate policies and procedures.
The Technology Risk Register is reviewed regularly by the IT Governance committee and major risks are uplifted to the Group Risk Register. Disaster Recovery and Business Continuity policies are in place. Board level strategy is translated into tactical and operational activities which are governed by Steering committees.

COMPLIANCE GOVERNANCE

Principle 13
The governing body should govern compliance with applicable laws and adopted, non-binding rules, codes and standards in a way that supports the organisation being ethical and a good corporate citizen.

The Board is active in its pursuit of compliance and this is monitored by a combination of management controls and compliance monitoring via internal audit, external audit and the Company Secretary. Also, compliance is a standard agenda item for the Audit and Risk Committee, the clinical Governance Committee as well as the Social and Ethics committee which report to the Board.

The healthcare sector is highly regulated which places greater levels of demand and vigilance on the Board and management. In this regard, the key legal and regulatory risks are monitored. In addition, a Legal Compliance Register has been implemented, with reporting to the Audit and Risk Committee. Lenmed also has two COHSASA accredited hospitals and hospital compliance audits are also underway.

The Company’s financial managers are updated every quarter on key laws, including the Companies Act, finance and tax laws. There are also experts within the Company who look at specific areas as regards applicable laws. An update on the NHI by a leading law firm was made at the Board’s strategy session and at the Audit and Risk Committee.

LENMED ANNUAL INTEGRATED REPORT 2019 67