Risk Control and Compliance
Risk Governance
- Risk Management Oversight and Reporting Mechanisms
The Board has established a Risk Control Committee, and has formulated, implemented and monitored risk management and internal control systems with the assistance of the Risk Control Committee. We integrate ESG risks into the current risk management system, and identify and manage ESG risks related to the Group’s business according to the risk management process. The Risk Control Committee regularly reviews the risk-related matters of the Group, including ESG risks, and provides advice to the Board.
To ensure the comprehensive identification, assessment, and management of all business-affecting risks, Universal Medical incorporates sustainability-related and emerging risks into its risk management system. The company conducts a comprehensive risk assessment at least once a year. We also actively conduct stress tests on risks, monitoring foreign exchange risk exposure and interest rate risk exposure on a monthly basis, and perform sensitivity analysis quarterly to calculate the impact of exchange rate and interest rate fluctuations on the company’s profits and losses. Additionally, based on internal and external factors, we periodically carry out liquidity risk stress tests, setting specific scenarios and variable factors to measure the company’s ability to withstand normal, mild, moderate, and severe scenarios, as well as the emergency measures to be taken.
To mitigate collusion risks in operations and partnerships, we have established a multi-layered prevention system: strict compliance standards and employee training to raise awareness; comprehensive due diligence and risk assessments for partners prior to collaboration; and internal whistleblowing channels and an independent oversight team established to investigate and address potential collusion risks promptly, ensuring that the enterprise adheres to the bottom line of compliance and responsibility in its business activities.
Our internal control system fully observes the requirements of the COSO risk management framework and the guidelines of the Hong Kong Institute of Certified Public Accountants on risk management, draws on the internal control model of peer companies, and takes into account the actual situation and business characteristics of the Group to formulate an effective monitoring system. The governance structure is as follows:
• The Risk Control Committee and its subordinate working groups are responsible for taking the lead in risk identification, and cooperating with relevant departments at the management level to follow up
• Carry out risk analysis and select areas with higher risk
• The department in the corresponding field describes the risk
• Summarize risks in various fields and prepare risk reports
• Risk reports are submitted to the Board Risk Control Committee for review. After the review, the reports are then submitted to the Board of Directors meeting.
The company has established an annual major risk assessment mechanism to thoroughly anticipate and evaluate various risks that may occur during the fiscal year. Based on this, targeted risk control measures are implemented to further enhance the level of risk management and internal control. The company conducts at least one internal control evaluation each year to continuously improve the risk management and internal control system. In a risk-oriented approach, the company also performs two external audits annually to supervise and inspect the construction and implementation of risk management and internal control. Any issues discovered are addressed through corrective actions, ensuring effective risk control. In 2024, no major risk events occurred within the company.
- Non-executive Directors to Receive Risk Management Training
All directors have participated in risk management training and continuously review relevant guidance materials on integrity and ESG legal developments provided and published by the Hong Kong Stock Exchange, the Hong Kong Institute of Certified Public Accountants, and the Hong Kong Accounting and Financial Reporting Council.
- Independence between Risk Management Functions and Business Lines
The group has set up an audit department with guaranteed independence in terms of its organization, staffing and work. When performing its duties, the audit department may inspect all business and meet relevant personnel without restrictions. To ensure the independence of financial operations and risk management, the group conducts separate evaluations of senior executives in charge of financial operations and risk management departments, based on metrics such as "Financial Sector Asset-Liability Ratio" and "Total Interest Liability of the Financial Sector." This approach aims to maintain transparency and fairness in the decision-making process.
Compliance Operations
To ensure legal and regulatory adherence, Universal Medical has formulated the Compliance Management System Construction Guide and continually improves the Group’s compliance management system, which includes organizational structure, regulations, procedural standards, and responsibility assignments. This system strengthens compliance management capabilities and enhances the management level of legal and compliant business operations.
We continue to foster a corporate culture of integrity and compliance internally and establish a good external image of the company’s integrity and compliance. For serious misconduct that violates national laws and regulations, we adopt a "zero tolerance" policy and will pursue criminal liability or impose appropriate administrative penalties in accordance with the law. Simultaneously, the company has systematically identified potential compliance risks in both its direct operations and business partnerships (including the supply chain), and established corresponding control measures to mitigate and address these risks.
To ensure the systematic and timely execution of compliance operations, the Group regularly identifies, reviews, and updates applicable laws and regulations. Concurrently, a clear reporting mechanism has been established to define procedures and timelines for promptly informing management of changes in relevant laws and regulations, legal proceedings, non-compliance incidents, and related penalties, thereby ensuring transparency and timely dissemination of compliance-related information.
Furthermore, the Group continuously collects relevant data and conducts risk analyses, periodically evaluating the effectiveness of implemented practices and plans. By establishing a compliance program evaluation and improvement mechanism, we proactively review processes and identify areas for enhancement, continuously strengthening compliance management capabilities and solidifying the foundation for sustainable development.
Due Diligence
Universal Medical has integrated human rights and environmental due diligence into its operational and supply chain management systems. We proactively identify and mitigate adverse impacts on human rights and the environment, ensuring alignment with international standards and legal requirements.
Through comprehensive risk assessments, we document actual and potential adverse impacts, including but not limited to labor rights, employee health, waste management, and carbon emissions. To effectively address identified risks, the company has established a multi-level prevention and mitigation mechanism, including but not limited to:
• Regular supplier performance reviews;
• Anonymous grievance channels to protect labor rights;
• Tailored remediation plans for historical pollution issues, and tracking of the effectiveness of rectification efforts.
The Group annually issues public statements through ESG reports and other channels, outlining the due diligence processes implemented and mitigation measures taken during the year, ensuring stakeholders gain clear visibility into the Group’s concrete actions in safeguarding human rights and the environment. Simultaneously, through internal audits and third-party evaluations, we continuously monitor the effectiveness of policies and measures, optimizing management processes based on data analysis and case reviews. We conduct comprehensive reviews of existing practices and plans, incorporating stakeholder feedback and industry best practices to identify areas for improvement and adjust strategies promptly.
Business Continuity Management
Universal Medical prioritizes business continuity and crisis management, having established comprehensive policies and mechanisms covering all phases of crisis management: pre-crisis preparedness, in-crisis response, and post-crisis recovery. These ensure the resilience and recovery capabilities of the Company’s operations and supply chain systems under disruptive scenarios.
To validate the effectiveness of business continuity strategies and contingency plans, the Group regularly organizes drills and tests to refine emergency response capabilities. Additionally, we proactively engage internal and external stakeholders to communicate business continuity and crisis management plans, fostering coordinated responses during emergencies.
The Group continuously collects relevant data and conducts risk analyses to evaluate the execution outcomes of current practices and plans. Through periodic reviews and assessments, we identify opportunities for improvement, further enhancing the business continuity management system and strengthening the enterprise’s overall risk resilience.