KPJ Healthcare Berhad - Annual Report 2018

KEY RISKS AND OPPORTUNITIES

Cybersecurity

Risk description: KPJ’s IT platform supports a number of management, administrative and clinical processes which are crucial for the smooth operations of the Group.

Impact of risk on KPJ: KPJ’s business could be disrupted if its information systems fail or if its databases are breached, destroyed or damaged.

How we manage the risk:
• Dedicated team of IT Security professionals to protect KPJ’s in-house developed integrated systems comprising of Hospital Information Technology System (HITS) and KPJ Clinical Information System (KCIS).
• KPJ Information Technology team has put in place the following security protocols and procedures:
  - Firewall systems to protect against unauthorised access
  - Robust security access policies and protocols according to various user types
  - System security software is updated regularly as and when available to defend against latest security threats.

Readiness to Respond to Major Internal or External Incidents

Risk description: During an emergency or an internal or external disaster, KPJ has to respond in a timely manner to critical incidents.

Impact of risk on KPJ: Failure to respond in a measured manner and ensure smooth hospital operations despite the emergency or internal or external disaster would lead to the disruption of hospital operations. This would cascade down to impact the Group’s reputation in the marketplace, and affect its future profitability.

How we manage the risk:
• KPJ has a Business Continuity Management (BCM) Plan in place to ensure that critical business processes can be maintained or restored in the event of a major internal or external incident including managing environmental impact.
• KPJ has adopted the requirements of the Private Healthcare Facilities and Services Act 1998 (Act 586), Occupational Safety and Health 1994 (Act 514), Environmental Quality Act 1974, JCI and MSQH in formulating the BCM.

Framework for Management of Risk

Risk description: KPJ faces various risks in its ongoing regional operations which need to be assessed, evaluated and mitigated in a timely manner and reported.

Impact of risk on KPJ: The establishment of clear structures of risk assessment and management that KPJ faces in its regional operations is necessary to ensure that risks are dealt with effectively to minimise its impact on KPJ’s operations and profitability.

How we manage the risk:
• KPJ subscribes to the “Australian/New Zealand Standard 4360:1999 Risk Management” to guide its risk management activities.
• KPJ has adopted the “Australian/New Zealand Standard HB228:2001 Guidelines for Managing Risk in Healthcare” as its base framework in managing its business risks comprising clinical staff, employee, property, financial, corporate governance, and others.
• KPJ has in place an Enterprise-Wide Risk Management (ERM) framework for managing risks associated with its business and operations. ERM framework has three levels of defence with clear lines of responsibilities and accountabilities comprising:
  - Level 1 – Hospital Level Management and Board
  - Level 2 – Clinical Services and Risk Management Services at HQ
  - Level 3 – Group Internal Audit at HQ
• Risk management activities are coordinated through a risk reporting and escalation framework known as “Incident Reporting & Root Cause Analysis” via Q-Radar portal.
• Working towards ISO:31000 Risk Management compliance by mid 2019.
