The Group instils and promotes a risk management culture to allow prudent risk-based decision-making by embedding core values, principles, compliance and dynamic internal control systems in its day-to-day operations. Ongoing communication, education, monitoring and mitigation are an integral part of the Group’s dynamic risk management culture and are adopted across all its business activities.

Investment assessments and due diligence exercises are carried out on prospective business opportunities to ensure that potential financial, operational and strategic risks are identified and mitigated prior to commitment. In addition, a Fraud Risk Assessment is conducted across the Group as part of the Annual Internal Audit Programme to ensure consistency with the Group’s commitment to anti-corruption.

Half-yearly and annual enterprise risk assessments are carried out to validate the existence and effectiveness of the controls in place, review the changes in risk profile, and update the existing controls if required.

The Enterprise Risk Management Framework provides a sound system of risk management and internal control. It is underpinned by the Group’s strong corporate governance culture and supported by five pillars of the management control system: Policies and Procedures, Internal and External Audits, Due Diligence Reviews, Compliance Monitoring and Reporting, and Enterprise Risk Assessments, all of which are overseen by the ARMC and the Board.

Risk-Based Internal Audit

Risk-based internal audit is one of the main functions carried out by the Group’s Risk Management team to help the businesses accomplish their objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes through the Enterprise Risk Management Framework, outlined as follows:

  1. identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
  2. assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
  3. treating all identified risks, as far as possible, through established controls or pending control plans;
  4. monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged; and
  5. reporting key risks and the established controls (or pending control plans) to the ARMC and the Board regularly.


Over the years, FMI assessed various risks it is exposed to. The diagram below indicates a snapshot of FMI’s evolving risks.
Five major risks identified are affecting FMI’s ability to create value over the short, medium and long term.

FY 2016 - 17

FY 2018 - 19

5 major risks have been identified to provide a more integrated approach.


  • Interest Rate Risk
  • Exchange Rate Risk
  • Maturity Risk
  • Cyber Security Risk
  • Collateral Risk


  • Common Healthcare Sector Risk
  • Pandemic Risk

Operational Risk
Financial Risk


  • Demand Risk
  • Cost Risk
  • Liquidity Risk


  • Market Competition Risk
  • IT Risk
  • HR Risk
  • Regulatory Risk
  • Profitability Risk
  • Technology Risk

Strategic Risk
IT Risk
Compliance Risk



  • Inadequate IT Governance
  • Cyber Security Risk


  • Political, Economic and Social Instability
  • Regulatory Risk



  • Lack of Efficiency
  • Environmental and Social / Health and Safety Risk


  • Long Term Profitability and Net Margin
  • Cash Flow and Funding Risk
  • Cash Management Risk


  • Changes in Legislation and Policies
  • Legal and Regulatory Compliance Risk