The Board is ultimately accountable for the Group’s risk management process and system of internal control. In terms of a mandate by the Board, the Audit and Risk Committee monitors the risk management process and systems of internal control of the Group, the Group’s internal and external auditors and the Group’s risk management function. The Board oversees the activities of the Audit and Risk Committee and receives regular feedback on the responsibilities delegated to the Audit and Risk Committee.


Adverse changes in laws and regulations impacting on the Group or the failure to comply with laws and regulations which may result in losses, fines, prosecution or damage to reputation.

The risk also includes ethical and governance risks that refer to unexpected negative consequences of unethical actions or the failure of the control and oversight mechanisms which were designed and implemented to uphold the ethical standards and controls of the Group.


  • Proactive engagement strategies with stakeholders
  • Health policy units created to conduct research and provide strategic input into reform processes
  • Active industry participation across all platforms
  • Company secretarial and/or legal departments support operational management, monitor regulatory developments and, where necessary, obtain expert legal advice for the effective implementation of compliance initiatives
  • Compliance risks identified and assessed as part of departmental risk registers
  • Visible ethical leadership
  • Monitoring and investigation of incidents reported on the Ethics Line
  • Board-level oversight




The risk relating to the uncertainty created by the existence of competitors or the emergence of new competitors with their own strategies.
  • Proactive monitoring
  • Strategic planning processes
  • Quality and value of care processes

Business investment and acquisition risks


The increased financial exposure relating to major strategic business investments and acquisitions. During the last financial year, Mediclinic made strategic investments in Spire Healthcare, as well as acquired the Al Noor Hospitals Group.
  • Strategic planning processes
  • Due diligence processes
  • Investment mandates
  • Board oversight
  • Post-acquisition management processes

Economic and business environment


The downturn in the general economic and business environment, including all those factors that affect a Company’s operations, customers, competitors, stakeholders, suppliers and industry trends.

The business environment risk includes the power of funders and the potential negative impact on tariffs and fees resulting from the shift of the relative negotiating power towards funders, away from healthcare service providers.

  • Systems to monitor developments, trends and early warning indicators in the economic and business environment
  • Proactive monitoring and negotiation by Group’s Funder Relations Departments
  • Focus on quality and continuum of care to reinforce Company position

Operational and credit risks


Operational risk refers to various types of operational events with a potential for financial loss.

Credit risk is the risk of loss due to a funder’s inability to pay the outstanding balance owing, default by banks and/or other deposit-taking institutions, or the inability to recover outstanding amounts due from the patient.

  • Preservation of a sound internal financial control environment
  • Effective risk management processes
  • Extensive combined assurance processes
  • Monitoring of operations through KPIs
  • Continuous enhancement of operational efficiency and cost reduction
  • Regulated minimum solvency requirements for funders
  • Monitoring of approved funders
  • Treasury policy
  • Board-level oversight

Availability and cost of capital

(Including financing and liquidity risk)


The cost, terms and availability of capital to finance strategic expansion opportunities and/or the refinancing or restructuring of existing debt which has been affected by prevailing capital market conditions.

The impact of negative interest rates currently prevalent in Switzerland.

  • Long-term planning of capital requirements and cash-flow forecasting
  • Scrutiny of cash-generating capacity within the Group
  • Proactive and long-term agreements with banks and other funders relating to funding facilities
  • Monitoring of compliance with requirements of debt covenants
  • Further details on capital risk management and the Group’s borrowings are contained in the annual financial statements

Clinical risks


All clinical risks associated with the provision of clinical care resulting in undesirable clinical care or clinical outcomes.

The risks include a pandemic and disease outbreak: a pandemic is an epidemic of infectious disease that is spreading through human populations across a large region. Disease outbreak involves highly infectious diseases with a high mortality rate.

Such risks may also result in damage to the Mediclinic brand equity. Brand equity refers to the value of the Group’s brand names.

  • Refer to the Clinical Services Report for a detailed analysis of the strategies to manage and monitor clinical risks
  • A Group-wide clinical risk register implemented per platform
  • Accreditation processes
  • Clinical governance processes
  • Monitoring of clinical performance indicators
  • Implementation of comprehensive processes for infection control and prevention
  • Marketing and communication strategies
  • Focus on quality management processes
  • Stakeholder engagement and disclosure strategies

Information systems security and availability risk


Information systems security risk (including cyber risk) relates to unauthorised access to information systems and the failure of data integrity and confidentiality. Availability risk relates to instances where systems are not available for use by their intended users.

A risk closely associated with information systems risk is project delivery risk, which refers to issues or occurrences that may interfere with the successful completion of projects, including their scope, timeliness and appropriateness of delivery.

  • Comprehensive IT logical access, change and physical access controls
  • Disaster recovery planning
  • System design and architecture
  • Group ICT Security Committee
  • Experienced project management team
  • Proactive monitoring and oversight
  • Reallocation of tasks and resources

Quality and stability of operational services


The risk refers to the quality of service and the stability of the operations. It includes but is not limited to:

  • Incidents of poor service or incidents where operational management fails to respond effectively to complaints.
  • Operational interruptions which refer to any disruption of the facility and may include the threat of disrupted power or water supply.
  • Fire and allied perils causing damage or business interruption.

  • Patient satisfaction surveys (both internal and external)
  • Complaints monitoring
  • Training programmes
  • Supervision of service levels
  • Emergency backup power generation
  • Emergency planning
  • Plans to deal with disasters
  • Extensive fire-fighting and detection systems, including comprehensive maintenance processes
  • Comprehensive insurance to deal with financial impact of potential disasters

Availability, recruitment and retention of skilled resources and medical practitioners


The availability and support of admitting doctors, whether independent or employed, are critical to the services the Group provides.

There is a shortage of skilled labour, particularly a shortage of qualified and experienced nursing staff in Southern Africa.

Risk management

The Group’s Enterprise-wide Risk Management (“ERM”) policy follows the international COSO (Committee of Sponsoring Organisations of the Treadway Commission) framework and defines the risk management objectives, methodology, risk appetite, risk identification, assessment and treatment processes and the responsibilities of the various risk management role-players in the Group. The ERM policy is subject to annual review and any amendments are submitted to the Audit and Risk Committee for approval.

The objective of risk management in the Group is to establish an integrated and effective risk management framework where important and emerging risks are identified, quantified and managed. An ERM software application supports the Group’s risk management process in all three operating platforms. A robust assessment of the key risks in the Group culminates in the identification of the Group’s principal risks, which are presented via the Audit and Risk Committee to the Board for consideration and approval.

The Group’s principal risk items (grouped by COSO category and business process), the movement in risk during the financial year, together with key measures taken to mitigate these risks, are listed in this table.

Internal control

The Group upholds an effective control environment, including a comprehensive system of internal controls. These are designed to ensure that risks are mitigated and that the Group’s objectives are attained. The system includes monitoring mechanisms and ensures that appropriate actions are taken to correct deficiencies when they are identified. Also included is a comprehensive system of financial reporting and forecasting. The Chief Financial Officer and Group Financial Manager oversee the internal controls relating to financial information and reporting, tax and treasury.

The Al Noor business operated its own system of internal controls which was being monitored for its effectiveness by the previous Al Noor Board’s Audit and Risk Committee. Their system of internal control included a risk management function, a set of defined financial controls and an internal audit function. Formal integration projects are underway to fully integrate the Al Noor business with Mediclinic under the guidance of the Mediclinic Middle East leadership. The first phase, which included the implementation of new organisational structures and the implementation of Mediclinic policies, has been successfully completed. The next phases will include the development and integration of IT systems and related processes.

Each operating platform executed its assurance plans. These plans comprise various assurance processes, including internal and external audit processes, which are in place to evaluate the effectiveness of key controls designed to mitigate the principal risks identified in each operating platform.

The Group makes use of an outsourced internal audit function which is closely aligned with the Group Risk Management function and reports independently to the Audit and Risk Committee of the Board. At each operating platform the effectiveness of the system of internal financial control is independently evaluated through the internal and external audit programmes. In addition to these audits, the effectiveness of operational procedures is examined internally through various peer review and control self-assessment processes. The results of these assurance processes are monitored by the Group’s risk management function and reported to each operating platform’s management teams.

Each of the operating platforms has, in addition to the abovementioned assurance processes, implemented further independent assurance processes with professional organisations which are summarised in this table.

The Company Secretaries at Group and operating platform level, as well as the internal legal advisors, are responsible for providing guidance in respect of compliance with applicable laws and regulations.

Effectiveness of risk management process and system of internal control

The Board, via the Audit and Risk Committee, regularly receives reports on and considers the activities of the internal and external auditors of Mediclinic Southern Africa, Hirslanden and Mediclinic Middle East and the Group’s risk management function. The Board, via the Audit and Risk Committee, is satisfied that there is an effective risk management process in place and that there were no significant failings or weaknesses identified in the system of internal control during the period under review within the Group.

| Assurance output* | Business processes assured | Provider |
|---|---|---|
| External calculation of carbon footprint based on carbon emissions data of Mediclinic Southern Africa | Carbon footprint calculation | Carbon Calculated |
| ISO 14001:2004 certification of 41 of Mediclinic Southern Africa’s 52 hospitals | Environmental management system | British Standard Institute, as accredited by UKAS (United Kingdom Accreditation Service) |
| COHSASA accreditation of 30 of Mediclinic Southern Africa’s 36 participating hospitals, with the remaining eight hospitals undergoing the renewal process | Quality standards of healthcare facilities | COHSASA (Council for Health Services Accreditation of Southern Africa), which is accredited by ISQua (the International Society for Quality in Health Care) |
| BBBEE Level 4 contributor verification | Broad-based black economic empowerment | |
| ISO 9001:2008 certification of 15 out of 16 Hirslanden hospitals and Hirslanden Corporate Office | Process and Quality management | Swiss Association for Quality and Management Systems (SQS) |
| Self-assessment against EFQM (European Foundation for Quality Management) Excellence Model by 15 out of 16 Hirslanden hospitals and Hirslanden Corporate Office | Assessment against the EFQM Excellence Model, a framework for organisational management systems aimed at promoting sustainable excellence within organisations | EFQM Excellence Model |
| ISO 14001:2015 certification of Hirslanden Klinik Belair | Environmental management system | Swiss Association for Quality and Management Systems (SQS) |
| JCI accreditation of both Mediclinic Middle East hospitals and accreditation of eight clinics in Dubai as well as accreditation of all three Al Noor hospitals | Quality and safety of patient care | Joint Commission International Accreditation (JCIA) |
| ISO 15189:2009 certification of the pathology laboratories of both Mediclinic Middle East hospitals and all five clinics with in-house laboratories | Pathology laboratories of both Mediclinic Middle East hospitals and five clinics | International Organization for Standardization (ISO) |
| College of American Pathologists (CAP) re-accreditation of the pathology laboratory of Mediclinic City Hospital | Pathology laboratory of Mediclinic City Hospital | College of American Pathologists |

* The flags indicate the operating platform where the assurance process is in place.
Key: Mediclinic Southern Africa, Hirslanden, Mediclinic Middle East

Viability Statement

In accordance with provision C.2.2 of the 2014 revision of the Code, the Board has made an assessment of the prospects of the Group over a period extending beyond the 12 months which is the focus of the ‘Going Concern’ basis of accounting.

The Board has adopted a three-year time frame for the assessment, as this is in line with the Group’s loan facilities’ refinancing period and the business planning period, including the financial forecasts. The assessment is consequently based on each of the operating platforms’ business plans, which reflect the current Group strategies and their associated risks and the directors’ best estimations of their future prospects. The Al Noor business, which is in the process of being integrated into the Mediclinic Middle East platform, was included in the sensitivity analysis and stress tested in the same manner as the other platforms as discussed further in this statement.

The Audit and Risk Committee monitors the Group’s risk management process and system of internal control via a mandate from the Board (see Role and responsibilities). The principal risks were identified by these systems and, for the purposes of the viability assessment, severe but plausible scenarios reflecting these risks were identified for each of the Group’s operating platforms to form the basis for stress testing.

The potential impact of each scenario was modelled on each operating platform’s EBITDA, profit after tax, net debt and debt covenants over the three-year forecast period.

The key assumptions underlying the operating platforms’ business plans that were flexed in the stress testing included:

  • reductions in tariffs and fees;
  • reductions in number of bed days sold;
  • increased competition;
  • the macro-economic and business environment;
  • the shortage and availability of qualified and experienced nursing staff;
  • the investment in Group initiatives not being successfully implemented;
  • expansion projects not achieving projections and expectations;
  • a larger increase in accounts receivable (debtor days) than expected; and
  • a delay in the opening of new branches.

The Board considered the viability of the Group both in the context of the individual risks listed above and in combination.

This analysis showed that the business would be able to withstand any of the severe but plausible scenarios by taking management action in the normal course of business. The Directors therefore have a reasonable expectation that the Group will be able to continue in operation and meet its liabilities as they fall due over the three-year period of their detailed assessment, ending on 31 March 2019.

Having considered the principal risks and the viability assessment, the directors also consider it appropriate to adopt the going concern basis of accounting in preparing the financial statements.