Financial reporting and Internal Audit department

With regard to internal controls over financial reporting, including over the Group’s consolidation process, our financial procedures include a range of system, transactional and management oversight controls. The Finance department prepares detailed monthly management reports to senior management that include analyses of our business results along with comparisons to relevant strategic plans, budgets, forecasts and prior results.

Each quarter, the Chief Financial Officer as well as the finance team discuss financial reporting and associated internal controls with the Audit Committee, which reports significant findings to the Board. The Audit Committee also reviews the quarterly, half year and full year Financial Statements and corresponding press releases and provides feedback to the Board. The internal auditors attend most Audit Committee meetings and the Audit Committee meets regularly both with and without management present.

The Internal Audit department reviews financial areas of risk pursuant to a programme approved by the Audit Committee. Any issues or risks arising from an internal audit review are reviewed by the Audit Committee and appropriate actions are undertaken to ensure satisfactory resolution. The Head of Internal Audit has a direct reporting line to the Chairman of the Audit Committee.

Clinical risk reporting and Clinical Process Audit Unit

The Clinical Process Audit Unit reviews areas of non-financial risk pursuant to an annual programme approved by the Clinical Quality and Safety Committee. The Head of Clinical Process Audit Unit has a direct reporting line to the Chairman of the Clinical Quality and Safety Committee. Just as the internal auditors report to the Audit Committee, any issues or risks arising from the Clinical Process Audit Unit’s internal audit review are reported to the Clinical Quality and Safety Committee and appropriate actions are undertaken to ensure a satisfactory resolution.

On a day-to-day operational level, the Clinical Department is in charge of the entire healthcare risk assessment and management. The healthcare risk assessment and reporting system requires the quality management group (head office and hospitals) to prepare specifically designed reports on a monthly basis, to identify the potential risks and gaps for improvement and to prepare tailored recommendations for those improvements. Risks are identified from a number of internal and external sources. Internal sources are incident reports (sentinel events, near misses, medication dispensing errors, adverse drug reactions, injury reports), peer review activities, complaints and claims, patient and staff satisfaction surveillance reports, quality and safety measures and indicators, clinical audit and medical records. External sources include patient surveys or feedback, review reports and correction reports issued by the healthcare regulator. Through assessing the proper data and information, the Clinical Department identifies whether or not each medical facility and the Group are in compliance with defined quality and safety goals. The Clinical Department also identifies the potential financial loss attributable to medical malpractice and penalties. The clinical risk assessment and analysis process is based on the detailed study of the failure events and analysis of the risks associated with these failure events and their root causes.

Management Board

The Management Board has responsibility for the Group’s balance sheet, income statement and risk management activities, policies and procedures. In order to effectively implement the risk management system, the Management Board receives reports on risk management functions from each of the various departments within the Group and consolidated reports from the Risk department.

Executive Risk Committee and Risk department

The Executive Risk Committee was established in 2017. Its members comprise the Executive Director, his deputies, the Director of the Legal department, the Head of Internal Audit department and employees of the Risk department. The Committee meets at least quarterly, but can also meet more frequently if needed.

The primary responsibility of the Executive Risk Committee is oversight of the Group-wide risk management framework at the executive level as well as related compliance and governance matters, including reviewing, approving and monitoring significant policies and practices used in managing all applicable risks; and reviewing and advising on risk appetite setting, risk response strategies and stress-testing across the Group.

The Risk department was also established in 2017 to better coordinate the management of risks within the Group. The main goals of the Risk department are: performing continuous due diligence in both clinics and the head office, management of the Risk Event Database (“RED”), maintenance of the Group’s risk register, implementation of risk management policies and preparation of regular risk reports for the Executive Risk Committee. With the recent reorganisation, reorganised operating companies will continue to have their independent risk departments with similar functions being replicated.

These bodies cover the following main categories of risks: regulatory compliance risks, operational risks, financial risks and environmental and safety risks.

Whistleblowing

Our systems of internal control are also supported by our Whistleblowing Policy, which allows employees as well as external stakeholders (such as vendors, customers, etc.) to report concerns on an anonymous basis, using a 24-hour hotline or e-mail.

In line with the most current iteration of the UK Corporate Governance Code, responsibility for approval of the Whistleblowing Policy has, since 1 January 2019, rested with the Board. The Audit Committee reviews, and recommends any changes to, the Whistleblowing Policy on an annual basis and receives reports from the Head of Corporate and Physical Security on any significant issues raised under the Policy over the year.

Effectiveness review

Each year, we review the effectiveness of our risk management processes and internal control systems, with the assistance of the Audit Committee and Clinical Quality and Safety Committee. This review covers all material systems, including financial, operational, clinical and regulatory compliance controls. The latest review covered the financial year ended 31 December 2018 and the period to the approval of this Annual Report and Accounts.

This year we obtained assurance from management, Internal Audit, our external auditors and other external specialists.

The Board is able to conclude with reasonable assurance that the appropriate internal control and risk management systems were maintained throughout the year and operated effectively. The review did not identify any significant weaknesses or failings in the systems.

We are satisfied that our risk management processes and internal control systems comply with the UK Corporate Governance Code 2016 (the “Code”) and the Financial Reporting Council (“FRC”) guidance on Risk Management, Internal Control and Related Financial and Business Reporting. The Audit Committee and Board have taken into account the provisions of the recently revised UK Corporate Governance Code in respect of risk management and internal control processes, and we will report on our compliance with those provisions in the 2019 Annual Report.