Risk Management

Risk Management Policy and Governance (GRM 01, 02, 05, 07)

Praram 9 Hospital Public Company Limited carries out risk management in accordance with the risk policy, which is continuously refined based on the evolving business model. From 2024 onwards, the Enterprise Risk Management (ERM) policy of the Hospital encompasses 5 risk categories, namely: 1) Emerging Risk, 2) Business Risk, 3) Clinical Risk, 4) Environmental, Social, and Governance (ESG) Risk, and 5) Shareholder Risk. Each risk category is overseen by the relevant committees, along with senior executives and risk owners, who manage the risks and mitigate them to acceptable levels. This is outlined as follows: (GRM 01, 02, 05, 07)

Roles and Responsibilities of the Board of Directors

Responsible for setting policies and making overall decisions, as well as approving or proposing improvements to risk information across 5 risk categories. These have been approved by the Audit Committee and the Enterprise Risk Management Committee to ensure their adequacy and alignment with the Company's strategic direction.

Roles and Responsibilities of the Audit Committee

Responsible for acknowledging and providing opinions on enterprise-wide risks across 5 risk categories, as well as recommending improvements to the risk management system to align with the principles of the 3 Lines of Defense, which are integrated with internal control and internal audit processes.

Roles and Responsibilities of the Enterprise Risk Management Committee

Oversee, supervise, and approve risk analysis and risk management approaches across 5 risk categories to ensure adequacy in achieving the Hospital’s vision and mission. Additionally, support and promote the development of a risk-aware culture across the organization through a structured knowledge-sharing approach.

Roles and Responsibilities of Senior Executives

Support the operational mechanisms of the Enterprise Risk Management Committee and act as risk owners, responsible for risk analysis, designing response strategies, and systematically developing Key Risk Indicators (KRIs).

Roles and Responsibilities of the Risk Management Division

The Hospital has established the risk management division with the primary responsibility of implementing enterprise-wide risk management in accordance with the international COSO ERM framework (Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management). It also serves as a facilitator for risk owners to ensure risk management efforts achieve their goals. Additionally, it acts as the main unit for promoting a risk-aware culture and developing the Risk Champion system.

International Standards for Enterprise Risk Management (ERM) (GRM 04)

Praram 9 Hospital Public Company Limited emphasizes enterprise risk management (ERM). The Hospital's risk management process follows the international standard of COSO ERM 2017, consisting of 5 key components and 20 sub-principles, as illustrated below.

  1. Governance and Culture: Comprising a Board of Directors, an Audit Committee, and a Risk Management Committee with clearly defined responsibilities (GRM 01, 02) as well as senior executives and personnel at all levels of the Hospital, who prioritize and implement risk management procedures. Furthermore, the Hospital has a risk management policy, a risk management manual, and risk management reports, along with initiatives to raise awareness of risk management across the Company. These are based on 5 principles: (1) Exercises Board Risk Oversight, (2) Establishes Operating Structures, (3) Defines Desired Culture, (4) Demonstrates Commitment to Core Values, and (5) Attracts, Develops, and Retains Capable Individuals.
  2. Strategy and Objective Setting: The Hospital integrates risk management with the Company’s core strategies and objectives. This process consists of 4 principles: (6) Analyzes Business Context, (7) Defines Risk Appetite, (8) Evaluates Alternative Strategies, and (9) Formulates Business Objectives.
  3. Performance consists of 5 principles: (10) Identifies Risk, (11) Assesses Severity of Risk, (12) Prioritizes Risks, (13) Implements Risk Responses, and (14) Develops Portfolio View. The risk management system must be comprehensive in accordance with the risk management process. In 2024, the ERM Portfolio of the Hospital is categorized into 5 risk categories:
    1. Emerging Risk
    2. Business Risk
    3. Clinical Risk
    4. ESG Risk
    5. Shareholder Risk
  4. Review and Revision: The Hospital regularly reviews risks across 5 categories, with risk owners coordinating with the risk management division. This process consists of 3 principles: (15) Assesses Substantial Change, (16) Reviews Risk and Performance, and (17) Pursues Improvement in Enterprise Risk Management.
  5. Information, Communication, and Reporting: The Company collects risk-related data, communicates it to employees at all levels, and implements a reporting process based on 3 principles: (18) Leverages Information and Technology, (19) Communicates Risk Information, and (20) Reports on Risk, Culture, and Performance.

Risk Factors and Opportunities

In 2024, Praram 9 Hospital Public Company Limited established a foundation for cultivating a risk-aware organizational culture through various activities:

  1. Organizational Risk Training for Operational-Level Employees: The executives emphasize the importance of risk management, which involves integrating risk management processes into the organization to achieve the established objectives. Risk management provides a rational approach to predicting future uncertainties and identifying measures to mitigate or prevent potential damage in each operational step in advance. In cases of unexpected events, organizations that have implemented risk management are less likely to encounter problems. On the other hand, organizations that have not prepared or adopted risk management processes may face crises that lead to significant challenges and damages, which are difficult to resolve. Therefore, incorporating risk management processes alongside daily operations helps ensure that ongoing tasks align with the predetermined objectives.
  2. Training on "Principles of Personal Data Protection Act (PDPA)": This training aims to enhance Praram 9 Hospital personnel's knowledge and understanding of personal data protection, privacy principles, the scope of personal data, activities related to patient and personal data usage, and data subject rights. Praram 9 Hospital personnel will also gain awareness of the roles and responsibilities of individuals and various departments under the Hospital's personal data protection policy.

In 2024, the Hospital conducted an analysis of risk factors and opportunities, along with risk management approaches across 5 risk categories as follows:

1. Emerging Risk

Cost Conscious: The Health Provider industry in Thailand is highly competitive, with new entrants regularly joining the sector. The ability to remain competitive is measured by an organization's capacity to manage costs effectively and efficiently. The Hospital has identified this topic as a new risk for 2024. The risk owner conducted an in-depth cost analysis, particularly focusing on fixed costs, to determine the factors contributing to their increase and to develop proactive cost risk management strategies. Additionally, risk indicators were established to monitor risks periodically. After implementing risk management measures for 2 quarters, a reduction in fixed costs was observed, while the Hospital's revenue increased. This outcome confirms that cost risk can be managed within an acceptable risk level.

2. Business Risk

2.1 Risk of Failing to Achieve World-Class Hospitality Within 5 Years
The Hospital has a strategic goal of achieving World-Class Hospitality to accommodate international patients, including both tourists and those residing and working in Thailand (expats). Achieving World-Class Hospitality requires several adaptations, such as ensuring that the quality of treatment is on par with World-Class standards, along with enhancing service quality and staff competency at all levels. To achieve this goal, the Hospital has implemented several proactive risk management strategies, including: 1) Treatment Quality: Investing in advanced medical technologies that align with international standards, as well as developing multidisciplinary skills and knowledge. 2) Service Excellence: Analyzing various complaints to identify root causes, enhancing communication skills, fostering an international service culture, and creating incentives for employees. The risks associated with this issue will be periodically monitored to assess the effectiveness of these strategies moving forward.

2.2 Cyber Resiliency
The healthcare provider industry is highly vulnerable to cyber threats, as health-related data is a prime target for cyber theft. The Hospital acknowledges these risks and has implemented several proactive measures, such as preventive controls. The Hospital has designed critical systems with regular penetration testing and consistently updates antivirus software. Additionally, employees across all departments receive cybersecurity awareness training. Furthermore, the Hospital has established detective controls by structuring its network infrastructure to ensure continuity in all situations and by monitoring proactive risk indicators, such as system uptime and statistics on external and internal attacks that could not be prevented or mitigated. The Hospital's next objective is to achieve cyber resilience within the shortest possible time. In July, during the Blue Screen of Death (BSOD) incident caused by CrowdStrike, the Hospital was affected but successfully restored its system in accordance with the RTO (Recovery Time Objective).

2.3 Risk of Workforce Competency Misalignment with Organizational Direction
The business environment is rapidly evolving and requires a high level of adaptability. As a result, workforce competencies must continuously adjust. The extended timeframe required to develop new competencies could pose a risk, potentially preventing the Hospital from achieving its organizational objectives on time. To address this risk, the human resources department has established a competency set that aligns with the Hospital's future goals and developed a performance measurement system that integrates these competencies. Additionally, a Human Resource Development (HRD) system has been designed to support these competencies through training and practical application via on-the-job training.

2.4 Risk of Non-Compliance with Business-Related Regulations (GRM 08, 12)
The Hospital has systematically compiled relevant regulations, including legal requirements and professional group regulations. In addition, it operates under the supervision of the Securities and Exchange Commission, which introduces numerous new laws and regulations that must be adhered to. The Hospital has successfully communicated and complied with all applicable regulations, maintaining an acceptable level of risk. The key risk management approaches are: 1) Monitoring new regulations, analyzing stakeholders affected by these regulations, and systematically communicating compliance guidelines. 2) Educating employees across all departments. 3) Developing a flow to outline roles and responsibilities for handling non-compliance scenarios, ensuring a swift response. If any risk of non-compliance arises, it will be promptly communicated and clarified.

3. Clinical Risk

Patient Safety: Patient safety is the top priority for Praram 9 Hospital. In 2024, the Hospital has proactively developed a patient risk management system across multiple dimensions as follows:

3.1 Patient Safety Culture Project
The project starts with the process of accurately identifying patients under IPSG1 (Identify Patients Correctly), setting the incidence in the patient identification category to zero and conducting training sessions on IPSG1 for each unit. It encourages personnel to recognize patient safety as the top priority for both patients and our healthcare system. This patient safety strategy has been developed collaboratively by patients and staff to identify and implement healthcare improvements. These improvements support the delivery of the safest and highest-quality care to service recipients. The strategy acknowledges that patients and those utilizing our healthcare and service offerings are often in the best position to provide information for enhancing safety. It ensures that patient-centered care is at the core of planning and implementing patient safety strategies. This framework encompasses structured activities that cultivate a culture, processes, procedures, behaviors, technology, and healthcare environments aimed at continuously and sustainably reducing risks, minimizing preventable harm, decreasing the likelihood of errors, and mitigating their impact when they occur.

  3.1.1 Empowering and Engaging Patients to Improve Patient Safety

    We will foster a culture of collaboration to maximize positive patient experiences and outcomes while minimizing the risk of errors and harm. This will include working with and learning from patients in the design, delivery, evaluation, and improvement of care.

  3.1.2 Empowering and Engaging Staff to Improve Patient Safety

    We will work to cultivate a culture of learning and continuous improvement—one that is compassionate and just.

    Fair and transparent, we will encourage employees to work safely. This includes identifying and reporting safety deficiencies, as well as managing and improving patient safety.

  3.1.3 Anticipating and Responding to Risks to Patient Safety

    We will prioritize the proactive risk identification in patient safety to establish and maintain a safe and resilient care system designed to reduce adverse events and improve outcomes by addressing the root causes of harm. We will take action to minimize patient harm, with a particular focus on the most common causes of harm.

  3.1.4 Reducing Common Causes of Harm

    We will utilize data from various sources to provide intelligence that enables us to detect anomalies, learn from them, and support best practices. Additionally, we will measure, monitor, and recognize improvements in patient safety.

  3.1.5 Using Information to Improve Patient Safety

    We will take action to reduce patient harm, with a particular focus on the most common causes of harm.

  3.1.6 Leadership and Governance to Improve Patient Safety

    We will instill a culture of continuous patient safety improvement at every level of healthcare and social care services through effective leadership and the highest standards of governance.

3.2 Develop a risk culture by appointing risk coordinators or Risk Champions for each ward to represent their units in fostering a proactive risk culture. These Risk Champions will undergo training to gain valuable knowledge, with the primary goal of enhancing patient safety.

3.3 Connect risk data across all points through guidance provided by the advisory team, which offers risk knowledge and training on completing the Risk Register for each participating unit.

3.4 The Risk Management Award 2024 Project: IR (Near Miss) Hunter.

This project enhances proactive risk management through the identification of risks in the form of Near Misses. Risk management is everyone's responsibility, and all personnel are required to monitor, identify, and report risks by understanding the Hospital's risk management system. To achieve maximum efficiency, cooperation from all members is essential. The key principle of risk management begins with ensuring that everyone in the organization recognizes its importance and actively participates. Therefore, the project encourages each unit to raise awareness and make everyone feel engaged in identifying risks at the A – B (Near Miss) levels.

3.5 The “Voice of Service Recipients for Development” Project Activity: “Risk Management Award 2024” (Outstanding Prevention Champion)

Risk identification is a proactive activity aimed at preventing potential harm, injury, or loss. In collaboration with the risk management division and the human resources department, the executives have initiated a competition for reporting recurring incidents at level C or higher. This initiative utilizes the PDCA (Plan – Do – Check – Act) and RCA (Root Cause Analysis) processes to identify problems, analyze data, develop improvement strategies, and assess outcomes. The goal is to enhance safety for patients, personnel, physicians, employees, service recipients, and all stakeholders.

Following the implementation of the above risk management plan, the number of patient safety-related incidents has decreased, and risks have been managed to an acceptable level.

4. ESG Risk
Climate Change Risk (ECC76)

The Hospital's long-term goal is to achieve net-zero greenhouse gas emissions (Net-Zero Hospital). In the medium and short term, the Hospital has implemented measures to reduce greenhouse gas emissions across all 3 Scopes. The Hospital discloses climate risk information following the TCFD (Task Force on Climate-Related Financial Disclosures) framework and has implemented the 4 recommendations of TCFD as follows:

  • Governance

    Executives and risk owners jointly oversee the greenhouse gas emission reduction process, with the Organizational Risk Management Committee and the Sustainability Committee making decisions on key issues.

    The Audit Committee and the Board of Directors acknowledge, provide feedback, and oversee the implementation of the greenhouse gas reduction plan.

  • Strategy

    Climate risk targets are set in alignment with the organization's strategy, categorized into short-term, medium-term, and long-term goals as follows:

    Short-term goal: Conduct measurement and collection of greenhouse gas emissions data.

    Medium-term goal: Analyze climate risk impact in connection with the organization's financial implications.

    Long-term goal: Participate in Science-Based Target (SBT) to drive progress toward Net-Zero Hospital.

  • Risk Management

    Climate Change Risk is integrated as part of the organization's risk management (ERM). The risk is identified, assessed, managed, and responded to through various risk management strategies, such as adopting a Low Carbonization business model.

  • Metric and Target

    Greenhouse gas emissions data are recorded for Scope 1, 2, and 3.

    Set greenhouse gas emission reduction goals for the short, medium, and long term.

Social Risk

Praram 9 Hospital Public Company Limited prioritizes stakeholders across the entire supply chain, including employees at all levels, shareholders, and surrounding communities. The Hospital manages various social risks as follows:

  • Health and Safety Risk (SHS)

    The Hospital regularly updates its employee health and safety policies while ensuring effective communication, training, and engaging activities to raise employee awareness of these policies. Emphasizing workplace safety, the Hospital also provides a suitable working environment, including appropriate lighting and noise levels conducive to efficient operations.

  • Human Rights Risk (SHR)

    The Hospital prepares and studies human rights policies to systematically develop a formal Human Rights Policy. The Hospital has consistently prioritized equality, ensuring that employees at all levels have the right to voice their opinions in meetings. Every employee is treated fairly under the Diversity and Inclusion Policy, which embraces individual differences. The Hospital provides equal opportunities for both male and female employees to advance into leadership roles. A clear indicator of this commitment is the composition of the Board of Directors, which maintains gender balance. Additionally, the Hospital follows a non-discriminatory hiring process, with no gender-based restrictions, and fully embraces gender diversity. Equality is extended to all gender identities, with qualifications and capabilities being the primary criteria for selection and career advancement.

Governance Risk

Praram 9 Hospital Public Company Limited places great importance on good governance and ethical practices. Employees at all levels, supervisors, and senior executives work in coordination with all board committees, following the GRC (Governance, Risk, and Compliance) framework and the 3 Lines of Defense model to ensure transparency in governance and minimize the risk of fraud and corruption (Anti-corruption). The Hospital upholds a strong stance against bribery and ensures fair voting processes in all critical decision-making.

5. Stakeholder Risk

Risk of Business Growth Not Meeting Its Goals: The Hospital's executives aim to enhance shareholder value by ensuring continuous business growth. Given the highly competitive nature of the healthcare industry, the Hospital prioritizes this risk by structuring revenue growth stimulation into 2 segments: domestic patients and international patients, each with distinct strategic approaches.

  • For the domestic patients segment, the Hospital employs a variety of strategies, such as promoting the Loyalty Program (CRM), offering Buy 1 Get 1 deals, distributing discount coupons, and providing discount coupons for IPD patients to use on their next visit. Additionally, the Hospital monitors revenue more frequently to track performance and adjust strategies accordingly.
  • For the international patients segment, the Hospital employs a market penetration strategy through agencies, along with marketing promotions and event activities that provide opportunities for doctors to engage closely with international patients.

Following the implementation of various risk management strategies, the Hospital has achieved continuous revenue growth while effectively maintaining an acceptable level of risk for shareholders.