The Board is ultimately accountable for the Group’s risk management process and system of internal control. In terms of a mandate by the Board, the Audit and Risk Committee monitors the risk management process and systems of internal control of the Group. The Board oversees the activities of the Audit and Risk Committee, the Group’s internal and external auditors, and the Group’s risk management function as delegated to the Company’s Audit and Risk Committee.

Risk management

The Group’s Enterprise-wide Risk Management (“ERM”) policy follows the international Committee of Sponsoring Organisations of the Treadway Commission (“COSO”) framework and defines the risk management objectives, methodology, risk appetite, risk identification, assessment and treatment processes and the responsibilities of the various risk management role-players in the Group. The ERM policy is subject to annual review, and any amendments are submitted to the Audit and Risk Committee for approval.

The objective of risk management in the Group is to establish an integrated and effective risk management framework where important and emerging risks are identified, quantified and managed. An ERM software application supports the Group’s risk management process in all three operating platforms. The Group’s principal risk items (grouped by COSO category, business process and strategic priorities), the movement in risk during the financial year, together with key measures taken to mitigate these risks, are listed in the table below.

Use the key to read the table below

Principal risk Movement
in 2017
Description of risk Mitigation of risk

Regulatory and compliance risk


Adverse changes in laws and regulations impacting the Group or the failure to comply with laws and regulations which may result in losses, fines, prosecution or damage to reputation.

The risk includes ethical and governance risks that refer to unexpected negative consequences of unethical actions or the failure of the control and oversight mechanisms which were designed and implemented to uphold the ethical standards and controls of the organisation.

  • Proactive engagement strategies with stakeholders
  • Health policy units created to conduct research and provide strategic input for reform processes
  • Active industry participation across all platforms
  • Company secretarial and legal departments support operational management, monitor regulatory developments and, where necessary, obtain expert legal advice for the effective implementation of compliance initiatives
  • Compliance risks identified and assessed as part of departmental risk registers
  • Compliance management
  • Visible ethical leadership
  • Monitoring and investigation of incidents reported on the ethics line
  • Board-level oversight



The risk relating to the uncertainty created by the existence of competitors or the emergence of new competitors with their own strategies.

The risk includes the outmigration of care, partly driven by further technological developments and the development of alternative care models.

  • Proactive monitoring
  • Strategic planning processes
  • Quality and value of care processes

Business investment and acquisition risks


The increased financial exposure relating to major strategic business investments and acquisitions.

During the prior financial year, Mediclinic made strategic investments in Spire Healthcare, and acquired the Al Noor Hospitals Group.

  • Strategic planning processes
  • Due diligence processes
  • Investment mandates
  • Board oversight
  • Post-acquisition management processes

Economic and business environment


The downturn in the general economic and business environment, including all those factors that affect a company’s operations, customers, competitors, stakeholders, suppliers and industry trends.

The business environment risk includes the power of funders and the potential negative impact on tariffs and fees resulting from the shift of the relative negotiating power towards funders, away from healthcare service providers.

  • Systems to monitor developments in the economic and business environment of trends and early warning indicators
  • Proactive monitoring and negotiation by Group’s funder relations departments
  • Focus on quality and continuum of care to reinforce the Company’s position

Operational and credit risks


Operational risk refers to various types of operational events with a potential for financial loss.

Credit risk is the risk of loss due to a funder’s inability to pay the outstanding balance owing, default by banks and/or other deposit-taking institutions, or the inability to recover outstanding amounts due from the patient.

  • Preservation of a sound internal financial control environment
  • Effective risk management processes
  • Extensive combined assurance processes
  • Monitoring operations through KPIs
  • Continuous enhancement of operational efficiency and cost reduction
  • Regulated minimum solvency requirements for funders.
  • Monitoring approved funders
  • Treasury policy
  • Board-level oversight

Availability and cost of capital

(Including financing and liquidity risk)


The cost, terms and availability of capital to finance strategic expansion opportunities and/or the refinancing or restructuring of existing debt which was affected by prevailing capital market conditions.

The impact of negative interest rates currently prevalent in Switzerland.

  • Long-term planning of capital requirements and cash flow forecasting
  • Scrutiny of cash-generating capacity within the Group
  • Proactive and long-term agreements with banks and other funders relating to funding facilities
  • Monitoring compliance with requirements of debt covenants
  • Further details on capital risk management and the Group’s borrowings are contained in the consolidated financial statements.

Clinical risks


All clinical risks associated with the provision of clinical care resulting in undesirable clinical care or clinical outcomes.

The risks include a pandemic and disease outbreak. A pandemic is an epidemic of infectious disease that is spreading through human populations across a large region. Disease outbreak involves highly infectious diseases with a high mortality rate.

Such risks may also result in damage to the Mediclinic brand equity. Brand equity refers to the value of the Group’s brand names.

  • Refer to the Clinical Services Overview and the Clinical Services Report for a detailed analysis of the strategies to manage and monitor clinical risks
  • A Group-wide clinical risk register implemented per platform
  • Accreditation processes
  • Clinical governance processes
  • Monitoring clinical performance indicators
  • Implementation of comprehensive processes for infection control and prevention
  • Marketing and communication strategies
  • Focus on quality management processes
  • Stakeholder engagement and disclosure strategies

Information systems security and availability risk


Information systems security risk (including cyber risk) relates to the unauthorised access to information systems, failure of data integrity and confidentiality. Availability risk relates to the instances where systems are not available for use by its intended users.

A risk closely associated with information systems risk is project delivery. Project delivery risk refers to issues or occurrences that may potentially interfere with successful completion of projects, including its scope, timeliness and appropriateness of delivery.

  • Comprehensive IT logical access, change and physical access controls
  • Disaster recovery planning
  • System design and architecture
  • Group ICT security committee
  • Experienced project management team
  • Proactive monitoring and oversight
  • Reallocation of tasks and resources

Quality and stability of operational services


The risk refers to the quality of service and the stability of the operations. It includes but is not limited to:

  • incidents of poor service or incidents where operational management fail to respond effectively to complaints.
  • operational interruptions, which are any disruption of the facility and including the threat of disrupted power or water supply; and
  • fire and allied perils causing damage or business interruption.
  • Patient experience surveys (both internal and external)
  • Complaints monitoring
  • Training programmes
  • Supervision of service levels
  • Emergency backup power generation
  • Emergency planning
  • Plans to deal with disasters
  • Extensive fire-fighting and detection systems, including comprehensive maintenance processes
  • Comprehensive insurance to deal with financial impact of potential disasters

Availability, recruitment and retention of skilled resources and medical practitioners


The availability and support of
admitting doctors, whether independent or employed, are critical to the services the Group provides.

There is a shortage of skilled labour, particularly a shortage of qualified and experienced nursing staff in Southern Africa.

Internal control and assurance

The Group upholds an effective control environment, including a comprehensive system of internal controls which is designed to ensure that risks are mitigated and that the Group’s objectives are attained. The system includes monitoring mechanisms and ensures that appropriate actions are taken to correct deficiencies when they are identified. During the year, each operating platform executed its assurance plans. These plans comprise various assurance processes, including internal and external audit processes in place to evaluate the effectiveness of key controls designed to mitigate the significant risks identified in each operating platform.

The Group makes use of an outsourced internal audit function which is closely aligned with the Group risk management function and reports independently to the Audit and Risk Committee of the Board. At each operating platform, the effectiveness of the system of internal financial control is independently evaluated through the internal and external audit programmes. In addition to these audits, the effectiveness of operational procedures is examined internally through various peer review and control self-assessment processes. The results of these assurance processes are monitored by the Group’s risk management function and reported to each operating platform’s management teams.

Each of the operating platforms has, in addition to the above-mentioned assurance processes, implemented further independent assurance processes with professional organisations which are summarised in the table below.

The company secretaries at Group and operating platform level and the internal legal advisors are responsible for providing guidance in respect of compliance with applicable laws and regulations.

Assurance output*   Business processes assured Provider
External calculation of carbon footprint based on carbon emissions data of Mediclinic Southern Africa Carbon footprint calculation Carbon Calculated
ISO 14001:2004 certification of 41 of Mediclinic Southern Africa’s 52 hospitals Environmental management system British Standard Institute, as accredited by UKAS (United Kingdom Accreditation Service)
COHSASA accreditation of 31 of Mediclinic Southern Africa’s participating hospitals, with the remaining eight hospitals undergoing the renewal process Quality standards of healthcare facilities Council for Health Service Accreditation of Southern Africa (COHSASA), which is accredited by the International Society for Quality in Health Care (ISQua)
ISO 9001:2008 certification of all 16 Hirslanden hospitals and Hirslanden corporate office Process and quality management Swiss Association for Quality and Management Systems (SQS)
Self-assessment against European Foundation for Quality Management (EFQM) Excellence Model by all 16 Hirslanden hospitals and Hirslanden Corporate Office Assessment against the EFQM Excellence Model, a framework for organisational management systems aimed at promoting sustainable excellence within organisations EFQM Excellence Model
ISO 14001:2015 certification of Hirslanden Klinik Aarau and Hirslanden Clinique La Colline Environmental management system Swiss Association for Quality and Management Systems (SQS)

JCI re-accreditation of Mediclinic Middle East hospitals and clinics in Dubai as well as accreditation of Mediclinic Corniche and Mediclinic Al Hili

Reaccreditation of Al Noor Hospital – Al Ain branch

JCI reaccreditation of Mediclinic Al Noor Hospital in 2017, with accreditation of all Mediclinic Middle East facilities by 2019

Quality and safety of patient care Joint Commission International Accreditation (JCIA)
ISO 15189:2009 certification of the laboratories of Mediclinic Middle East hospitals in Dubai and all clinics in Dubai with in-house laboratories Pathology laboratories of Mediclinic Middle East hospitals and clinics in Dubai International Organization for Standardization (ISO)
College of American Pathologists (CAP) re-accreditation of the pathology laboratory of Mediclinic City Hospital Pathology laboratory of Mediclinic City Hospital College of American Pathologists
* The flags indicate the operating platform where the assurance process is in place.
  = Mediclinic Southern Africa    = Hirslanden    = Mediclinic Middle East

Viability statement

The assessment of viability is an extension of the risk management, budget and forecast process which translates into each of the Group’s operating platforms’ business plans. The business plans reflect the current Group strategies and their associated risks and the Directors’ best estimations of their prospects. Fundamental to the assessment of the Group’s prospects, is the long-term business model which has resulted in quality service delivery and revenue growth under manageable risk tolerance.

The budget and forecast process includes a detailed bottom-up approach per platform for the budget year (performed by each clinic and hospital) and the extension of the key assumptions to the forecast period. The budgets are subject to review and, if necessary, re‑budgeting. The five-year plans, including the strategic Group goals and objectives, are reviewed and approved by the platform Executive Committees, Mediclinic International Executive Committee and Mediclinic International Board.

The Board has adopted a five-year time frame for the assessment, in line with the Group’s business planning period which reflects the impact of investments made in the present period. The five-year period extends beyond the maturities of a material portion of the Group’s borrowings in each platform. Under current operating and market circumstances, as well as the existing levels of debt and the forecast headroom in respect of debt covenants, the assumption is that these borrowings would be refinanced broadly in line with the terms and conditions of the existing facilities. The Group successfully refinanced CHF1.9bn and ZAR4.2bn in 2012; CHF1.7bn in 2015; and in 2016 refinanced the UK bridge facility of £266m with facilities amounting to ZAR2.7bn in South Africa and US$155m in the Middle East.

The Audit and Risk Committee monitors the Group’s robust risk management process and system of internal control via a mandate from the Board (see the Audit and Risk Committee Report). The principal risks as detailed above were identified by these systems and, for the purposes of the viability assessment, severe but plausible scenarios reflecting the risks that could impair the viability of the Group were identified for each of the operating platforms to form the basis for stress testing.

On a platform level the potential impact of each scenario and certain scenarios in combination were modelled and assessed on EBITDA or profit after tax (as appropriate), net debt and debt covenants over the five-year forecast period.

The principal risks and related key assumptions underlying each of the operating platforms’ business plans that were flexed in the stress testing are set out in the table below.

PRINCIPAL RISK Key assumption
stress tested
Platform stress tested
Economic and business environment; Regulatory risk Reductions in tariffs and fees Southern Africa; Switzerland; UAE
Competition; Economic and business environment; Regulatory risk Reduction in volumes Southern Africa; UAE
Regulatory risk Change in insurance patient mix UAE
Availability and cost of capital; Economic and business environment A downturn in the macro-economic and business environment Southern Africa
Availability, recruitment and retention of skilled resources and medical practitioners The shortage and availability of qualified and experienced healthcare staff Southern Africa
Regulatory risk Adverse regulatory and tax changes Switzerland; UAE
Economic and business environment Outmigration of care Switzerland
Information systems security and availability risk The investment in group initiatives not being successfully implemented Switzerland
Information systems security and availability risk Delays in expansion projects UAE

This analysis showed that the business, in its geographically diverse portfolio, would be able to withstand any individual and certain combinations of the severe but plausible scenarios by taking management action, ceteris paribus, with the key mitigating step being a reduction in discretionary investment. The Directors therefore have a reasonable expectation that the Group will be able to continue in operation and meet its liabilities as they fall due over the five-year period of their detailed assessment, ending in 31 March 2022. In making their assessment, the Directors have assumed that there will be no material change in the business environment as such assumptions are subject to a level of uncertainty and judgment for which outcomes cannot be projected and foreseen.

Having considered the principal risks and the viability assessment, the Board also considers it appropriate to adopt the going concern basis of accounting in preparing the financial statements.

Effectiveness of risk management process and system of internal control

The Board, via the Audit and Risk Committee, regularly receives reports on and considers the activities of the internal and external auditors of Mediclinic Southern Africa, Hirslanden and Mediclinic Middle East, and the Group’s risk management function. The Board, via the Audit and Risk Committee, is satisfied that there is an effective risk management process in place and that there is an adequate and effective system of internal control in place to appropriately mitigate the significant risks faced by the Group.