Risk Management

Sikarin has established a clear Risk Management Policy aligned with ISO 31000 and the COSO ERM Framework. This policy provides a structured approach to identifying, assessing, managing, and monitoring risks—covering strategic, operational, financial, legal compliance, and Environmental, Social, and Governance (ESG) risks.

Key principles of the policy include:

• Risk management is a shared responsibility at all organizational levels
• Risk management must be integrated into strategy setting, business planning, and operations
• ESG risks must be analyzed and evaluated on par with business risks
• A consistent and transparent system for monitoring, reviewing, and reporting risks must be maintained

Sikarin’s risk management is guided by a clear governance structure with defined roles and responsibilities at every level to ensure effectiveness and alignment with corporate strategy while maintaining long-term resilience.

Board of Directors: Sets risk management policy, direction, and enterprise-wide framework in line with corporate strategy; approves the acceptable risk appetite; closely monitors risk performance and conducts annual reviews of the risk management system. The Board also promotes a risk-aware culture across the organization.

Enterprise Risk Management Committee: Oversees enterprise-wide risk strategy, planning, and integration—including strategic, operational, financial, and ESG risks. This committee monitors systemic and material risks, promotes risk integration across departments, and reports outcomes to the Board as scheduled.

Board of Director established Risk Management function with Mr. Suriyan Kojonroj, Deputy Managing Director responsible for specific operational level risk management. This Risk Management function is responsible for integrate risk into planning and decision-making; continuously monitor and improve risk management processes; and report outcomes to the Risk Management Committee.

Operational Units and Risk Owners: Identify, assess, and manage risks related to their operations; implement and refine control measures; prepare quarterly risk reports or event-triggered reports; and collaborate with management to strengthen internal controls.

Internal Audit: Evaluates the adequacy and effectiveness of the risk management system; audits compliance with policies and internal risk-related procedures; provides recommendations to enhance the risk management framework to respond to evolving business contexts; and reports systematically to the Audit Committee and Board.

1. Risk from changing global demographic structure trends

Risk Impacts

The current global demographic structure has resulted in significant volatility in the demand of service users. Global population statistics indicate that the demographic structure has entered a Super-Aged Society. Thailand is one of the top three countries with the fastest-growing elderly or Silver Age population in the world. The elderly population tends to increase, while the population of reproductive age has declined. Thailand ranks third in the world for the lowest birth rate, with a decline of as much as 81 percent over the past 74 years, resulting in a further decline in births over the next three years. This may affect business units relating to newborns through adolescents, such as the Pediatrics Department, the Obstetrics and Gynecology Department, as well as children’s hospitals, which account for 19 percent of revenue in the hospital business group. This creates a risk of a decline in total revenue and loss of business opportunities if there is no adaptation to changes in the demographic structure.

2. Risk from Economic Slowdown

Risk Impacts

Economic slowdown may affect people’s savings and spending, which in turn affects decisions to receive medical services, particularly for non-emergency services or those that can be postponed. At the same time, the hospital business continues to face challenges in managing costs that remain at a high level, such as personnel costs, medicine and medical supply costs, energy costs, and expenses for upgrading technology/service standards, which may affect business operations and the profitability of each operator at different levels. However, Thailand has continuously upgraded medical services and has standards that are internationally accepted, together with the advantage of competitive medical treatment costs, which are supporting factors for maintaining the competitiveness of the hospital sector in the long term.

3. Risk in managing the spread of emerging diseases

The spread of emerging diseases may result in a rapid increase in demand for medical services, while also increasing safety risks for service users and personnel, as well as affecting the continuity of operations and the availability of medical supplies. The Company therefore must adapt to greater use of online technology to support operations, with the management and preparation of information technology resources, as well as necessary safety and biosecurity equipment to be in place, together with operational manuals for epidemic situations for employees to use as guidelines, and to support the needs of service users whose behavior has shifted increasingly toward online services, such as home medicine delivery, home vaccination services, including the development of a Telemedicine system to communicate with patients, through which care, medical history review, and symptom follow-up can be provided for both Thai and foreign patients who are unable to travel to see a doctor, as well as the development of a wellness center, rehabilitation center, and the use of modern medical tools/equipment, in order for the Company to maintain its competitiveness.

4. Risk from changes in future standards and regulations

Sikarin Public Company Limited operates its business under the supervision of the Ministry of Public Health, other relevant government agencies, and in accordance with the license to operate a healthcare facility, including company laws and other relevant laws. At present, the enactment of laws tends to become more stringent, including the promulgation of the Personal Data Protection Act B.E. 2562 (2019), which is a law issued for the collection, gathering, use, and disclosure of personal data, including the data of service recipients. Under such law, the Company is designated as the data controller and is required to implement appropriate security measures to prevent loss, access, alteration, correction, or disclosure of personal data without authority, including requesting consent for the use/disclosure of personal data and supporting the rights of data owners as prescribed by law.

• Monitor changes in relevant laws, regulations, and standards on a regular basis, together with assessing operational and strategic impacts, in order to improve internal policies/processes to ensure compliance and reduce non-compliance risk.
• Establish a compliance management system and internal communication, including training for relevant personnel, so that they understand the requirements and are able to comply correctly.
• Establish a personal data protection policy and implement appropriate data security measures to prevent loss, access, or improper disclosure of data, including establishing systematic procedures for obtaining consent and managing the rights of data owners.
• Conduct periodic assessments of personal data and security risks (such as reviews of data access and risk assessments of systems/external service providers) in order to strengthen controls and reduce the likelihood of data leakage incidents.
• Establish guidelines for incident response and reporting/communication when an incident occurs, including reviewing lessons learned after the incident, in order to improve preventive measures and build confidence among service recipients and stakeholders.

Sikarin Public Company Limited places great importance on fostering a risk management culture at all levels of the organization, grounded in the belief that building risk awareness is a fundamental foundation for driving sustainable achievement of strategic goals, particularly in an increasingly dynamic and uncertain environment.

To promote this culture, the Company regularly conducts training sessions and seminars on risk management. These aim to ensure that employees across all levels understand the concepts, principles, and practices involved in identifying, assessing, managing, and monitoring risks. Training programs also cover specialized risk topics such as ESG risks, information technology risks, and patient safety risks to enable personnel to effectively apply this knowledge to their responsibilities.

Internal communication on risk and risk management practices is another key element that the Company strongly emphasizes. Continuous knowledge sharing and experience exchange across departments are encouraged to foster mutual learning and strengthen a shared understanding of risk-related issues relevant to each operational context.

Furthermore, the Company supports an environment in which employees are encouraged and empowered to report risks or anomalies without fear of negative consequences. By cultivating an organizational culture rooted in transparency, accountability, and constructive learning from mistakes, the Company believes that open and fearless communication of risk-related information leads to more effective risk management and significantly reduces the likelihood of severe incidents.

Key Training Highlights:

Strategic Risk Thinking: Participants learned that effective risk management involves more than just responding to incidents. It includes proactive planning, seeing the big picture, and making visionary decisions at all organizational levels.

Holistic Perspective: Risk management is not limited to hospital operations. The training also covered financial, operational, reputational, and legal risks, promoting an integrated, cross-departmental approach to risk management.

Hands-on Practice through Real-life Scenarios: Through workshop activities, participants practiced analyzing simulated events, assessing impacts, and making decisions under uncertainty. This practical approach aimed to prepare them realistically for actual situations.

Leadership Role in Fostering a Risk Culture: The training underscored the critical role of leadership in instilling preventive behaviors, encouraging open communication about risks, and creating a safe space for learning from mistakes.

At Sikarin, the highest priority in service quality control is placed on minimizing risks in the medical treatment process as well as in other related operations. Significant emphasis is given to risk identification, risk prevention, and risk reporting. Each year, Sikarin develops a Hospital Risk Matrix to assess organizational risks. The results of this assessment identify key areas where risk prevention measures are required, including the five highest-risk areas. These insights also inform the development of improvement programs and the selection of appropriate Key Performance Indicators (KPIs) within the Hospital Matrix.