Governance
Risk Control and Compliance
Risk Governance
- Risk Management Oversight and Reporting Mechanisms
The Board has established a Risk Control Committee, and has formulated, implemented and monitored risk management and internal control systems with the assistance of the Risk Control Committee. We integrate ESG risks into the current risk management system, and identify and manage ESG risks related to the Group’s business according to the risk management process. The Risk Control Committee regularly reviews the risk-related matters of the Group, including ESG risks, and provides advice to the Board.
To ensure the comprehensive identification, assessment, and management of all business-affecting risks, Universal Medical incorporates sustainability-related and emerging risks into its risk management system. The Group conducts a comprehensive risk assessment at least once a year. We also actively conduct stress tests on risks, monitoring foreign exchange risk exposure and interest rate risk exposure on a monthly basis, and perform sensitivity analysis quarterly to calculate the impact of exchange rate and interest rate fluctuations on the Group’s profits and losses. Additionally, based on internal and external factors, we periodically carry out liquidity risk stress tests, setting specific scenarios and variable factors to measure the company’s ability to withstand normal, mild, moderate, and severe scenarios, as well as the emergency measures to be taken.
In addition, the Group formulates the Summary of Major Operational Risk Prediction and Assessment every year to identify and assess two types of core risks including but not limited to the following. For the identified risks, it formulates a risk preference framework, analyzes and judges risk trends and influencing factors, sets key monitoring indicators and risk thresholds, and clarifies the extent and scope of risks that the Group can accept, tolerate or is willing to bear:
Risk Name | Explanation of Risk Trends and Analysis of Influencing Factors | Impact Assessment | Response Measures |
Safety, Environmental Protection, and Quality Risks | | Major safety or sudden environmental incidents may cause property losses and damage to social reputation, and may result in administrative penalties. | |
Policy Research Risks | | Failure to keep abreast of changes in the policy environment affects the planning and expansion of medical and financial services. | |
To mitigate collusion risks in operations and partnerships, we have established a multi-layered prevention system: strict compliance standards and employee training to raise awareness; comprehensive due diligence and risk assessments for partners prior to collaboration; and internal whistleblowing channels and an independent oversight team to investigate and address potential collusion risks promptly, ensuring that the enterprise adheres to the bottom line of compliance and responsibility in its business activities.
Our internal control system fully observes the requirements of the COSO risk management framework and the guidelines of the Hong Kong Institute of Certified Public Accountants on risk management, draws on the internal control model of peer companies, and takes into account the actual situation and business characteristics of the Group to formulate an effective monitoring system. The governance structure is as follows:
1. The Risk Control Committee and its subordinate working groups are responsible for taking the lead in risk identification, and cooperating with relevant departments at the management level to follow up
2. Carry out risk analysis and select areas with higher risk
3. The department in the corresponding field describes the risk
4. Summarize risks in various fields and prepare risk reports
5. Risk reports are submitted to the Board Risk Control Committee for review. After the review, the reports are then submitted to the Board of Directors meeting
The Group has established an annual major risk assessment mechanism to thoroughly anticipate and evaluate various risks that may occur during the fiscal year. Based on this, targeted risk control measures are implemented to further enhance the level of risk management and internal control. We conduct at least one internal control evaluation each year to continuously improve the risk management and internal control system. In a risk-oriented approach, the Group also performs two external audits annually to supervise and inspect the construction and implementation of risk management and internal control. Any issues discovered are addressed through corrective actions, ensuring effective risk control. In 2024, no major risk events occurred within the Group.
- Non-executive Directors to Receive Risk Management Training
All directors have participated in risk management training and continuously review relevant guidance materials on integrity and ESG legal developments provided and published by the Hong Kong Stock Exchange, the Hong Kong Institute of Certified Public Accountants, and the Hong Kong Accounting and Financial Reporting Council.
- Identification and Management of Emerging Risks
The Group continues to identify and manage emerging risks, and has identified the following two important long-term (more than 3-5 years) emerging risks that will have the greatest impact on future business. It has effectively mitigated related risks through measures such as carefully adjusting the Group’s strategy and/or business model.
Emerging Risk Name | Emerging Risk Explanation | Emerging Risk Impact Assessment | Measures to address emerging risks |
Carbon Pricing and Investment Risks of Low-Carbon Technologies | As the government tightens environmental regulations and introduces policies related to climate change disclosure, the operating costs of carbon-intensive industries may increase, leading to higher credit risks or lower valuations, which could affect companies. In order to meet policy and stakeholder requirements, there is a risk of failure in new low-carbon technology investments and rising costs of low-carbon technology transformation. | Operating costs may increase, which may lead to a decrease in the value of the investment portfolio. | |
Data privacy and cybersecurity threat risks | User medical data is highly sensitive. As companies advance their digital transformation and expand the application scenarios for medical data, it is necessary to continuously focus on data security and system stability during data collection, storage, and transmission, and be vigilant against potential risks such as external network attacks and data leaks. | There may be some technical maintenance costs, local services may be affected, and trust may experience short-term fluctuations. | |
Compliance Operations
To ensure legal and regulatory adherence, Universal Medical has formulated the Compliance Management System Construction Guide and continually improves the Group’s compliance management system, which includes organizational structure, regulations, procedural standards, and responsibility assignments. This system strengthens compliance management capabilities and enhances the management level of legal and compliant business operations.
We continue to foster a corporate culture of integrity and compliance internally and establish a good external image of the Group’s integrity and compliance. For serious misconduct that violates national laws and regulations, we adopt a "zero tolerance" policy and will pursue criminal liability or impose appropriate administrative penalties in accordance with the law. Simultaneously, the Group has systematically identified potential compliance risks in both its direct operations and business partnerships (including the supply chain), and established corresponding control measures to mitigate and address these risks.
To ensure the systematic and timely execution of compliance operations, the Group regularly identifies, reviews, and updates applicable laws and regulations. Concurrently, a clear reporting mechanism has been established to define procedures and timelines for promptly informing management of changes in relevant laws and regulations, legal proceedings, non-compliance incidents, and related penalties, thereby ensuring transparency and timely dissemination of compliance-related information.
Furthermore, the Group continuously collects relevant data and conducts risk analyses, periodically evaluating the effectiveness of implemented practices and plans. By establishing a compliance program evaluation and improvement mechanism, we proactively review processes and identify areas for enhancement, continuously strengthening compliance management capabilities and solidifying the foundation for sustainable development.
Tax Strategy and Governance
The Group adheres to the principles of legal, compliant and transparent tax management, abides by the provisions and legislative spirit of tax laws and regulations in the countries where it operates, and commits to strictly complying with local tax laws and regulations in all countries and regions where we conduct business, earnestly fulfilling tax obligations, and providing stable support for national finance. At the same time, we actively respond to policy guidance, integrate tax management with national macro-control goals, help optimize the economic structure, promote industrial upgrading, encourage scientific and technological innovation, promote coordinated regional development, and pay attention to social equity, so as to contribute to the economic and social progress of the regions where we are located. We have formulated tax policies applicable to the Group, and regularly review and optimize tax strategies to ensure that tax management is consistent with the Group's long-term sustainable development strategy. The relevant functional departments within the Group are responsible for putting forward tax policy suggestions and implementation plans, which are reported to the Board of Directors for deliberation after discussion by the management. The tax policies are officially released after the Board of Directors' deliberation, so as to ensure the stability and transparency of tax governance.
All operational activities of the Group are concentrated in China, and key business, financial and tax information is regularly disclosed in detail in the annual report. The key performance in 2024 is as follows:
Regions | Number of employees (persons) | Revenue (thousands of yuan) | Profit (loss) before tax (thousands of yuan) | Accrued income tax (thousands of yuan) | Income tax paid (thousands of yuan) |
China | 22,885 | 13,663,485 | 2,907,119 | 754,104 | 735,760 |
Other countries and regions | 0 | 0 | 0 | 0 | 0 |
Due Diligence
Universal Medical has integrated human rights and environmental due diligence into its operational and supply chain management systems. We proactively identify and mitigate adverse impacts on human rights and the environment, ensuring alignment with international standards and legal requirements.
Through comprehensive risk assessments, we document actual and potential adverse impacts, including but not limited to labor rights, employee health, waste management, and carbon emissions. We pay close attention to the human rights impacts on a wide range of groups, including our employees, women, children and local communities. Tailored measures are formulated to protect the rights and interests of different groups, with a view to effectively preventing and mitigating potential human rights risks. Through these efforts, we seek to foster shared development with stakeholders and to advance human rights protection and sustainable operations across the Group’s value chain.
To effectively address identified risks, the Group has established a multi-level prevention and mitigation mechanism, including but not limited to:
√ Regular supplier performance reviews;
√ Anonymous grievance channels to protect labor rights;
√ Tailored remediation plans for historical pollution issues and tracking of the effectiveness of rectification efforts.
The Group annually issues public statements through ESG reports and other channels, outlining the due diligence processes implemented and mitigation measures taken during the year, ensuring stakeholders gain clear visibility into the Group’s concrete actions in safeguarding human rights and the environment. Simultaneously, through internal audits and third-party evaluations, we continuously monitor the effectiveness of policies and measures, optimizing management processes based on data analysis and case reviews. We conduct comprehensive reviews of existing practices and plans, incorporating stakeholder feedback and industry best practices to identify areas for improvement and adjust strategies promptly.
Business Continuity Management
Universal Medical prioritizes business continuity and crisis management, having established comprehensive policies and mechanisms covering information security and other areas, as well as all phases of crisis management: pre-crisis preparedness, in-crisis response, and post-crisis recovery. These ensure the resilience and recovery capabilities of the Group’s operations and supply chain systems under disruptive scenarios.
To validate the effectiveness of business continuity strategies and contingency plans, the Group regularly organizes drills and tests to refine emergency response capabilities. Additionally, we proactively engage internal and external stakeholders to communicate business continuity and crisis management plans, fostering coordinated responses during emergencies.
The Group continuously collects relevant data and conducts risk analyses to evaluate the execution outcomes of current practices and plans. Through periodic reviews and assessments, we identify opportunities for improvement, further enhancing the business continuity management system and strengthening the enterprise’s overall risk resilience.