Corporate Governance
Risk and Crisis Management

Global healthcare systems are facing increasing challenges driven by global interconnectedness, economic volatility, rapid technological advancement and environmental change. In a fast-evolving global landscape, medical and public health organizations must navigate highly complex and uncertain risks, including geopolitical instability, supply chain disruptions, the accelerated adoption of artificial intelligence, the energy transition, labor mobility and continuously evolving societal expectations.
In response to these dynamics, BDMS has adopted an Enterprise Risk Management (ERM) framework as a core mechanism to strengthen the resilience of its healthcare service system and to support the effective execution of its strategy and long-term sustainability across all ESG dimensions—environmental, social, and governance. This framework enables the organization to proactively identify and anticipate risks, mitigate potential impacts, ensure service continuity and reinforce confidence among investors and all stakeholder groups.
Enterprise Risk Management (ERM)
BDMS has adopted the principles of risk management in accordance with the internationally recognized COSO Enterprise Risk Management (COSO ERM) framework and strengthened their application to align with the nature of its business. This approach is designed to address the impacts of global megatrends and the evolving healthcare risk landscape, which affect operations, patient services, supply chains, technology, data governance and emergency preparedness across all dimensions. The overarching objective is to ensure patient safety while integrating considerations of environmental, social and governance (ESG) sustainability. In this regard, BDMS places emphasis on four key priorities.

Risk Governance

The Company acknowledges the significance of risk management as an essential element of good corporate governance. Accordingly, the Company has defined clear roles and responsibilities for Enterprise Risk Management at both the board oversight and operational levels. The Board of Directors has appointed the Risk Management Committee to scrutinize the Company’s risk management policy and directions, and to monitor and follow up on compliance with the risk management policy and procedures. At the operational level, the Company follows the 'Three Lines of Defense' principle for assigning risk management roles and responsibilities, as follows:
Risk Governance Framework | Dedicated committee and roles | Roles and responsibilities |
Board Oversight | Board of Directors | |
Board Oversight | Risk Management Committee | |
1st Line of Defense | Front-line employees as risk owners, such as the Risk Manager and Patient Safety Coordinator | |
2nd Line of Defense | Chief Administrative Officer and Enterprise Risk Management Steering Committee | |
3rd Line of Defense | Internal Audit Director and Internal Audit Unit | |
BDMS Risk Management Strategy
BDMS integrates key information and essential aspects of corporate risk management to identify critical business risks while assessing their short, medium, and long-term impact.

BDMS Categorization of 9 Major Corporate Risks
Risk Management Processes

BDMS established the Core System Risk Assessment and the Hazard Vulnerability Analysis as guidelines for managing clinical risks and risks related to core systems in its hospitals. The risk management procedure is briefly described as follows:
1. Risk Identification
The department head and the committee responsible for critical systems review the working process, the risks and the contributing factors drawn from occurrence and incident reports of previous years, statistical indicators and the experience of external parties, in order to determine potential impacts.
Risk factors are identified from past internal and external events. Data sources include updates to laws and regulations, occurrence reports and peer reviews.
2. Risk Assessment, covering two factors
- Likelihood assessment: assesses the potential for and frequency of an impact occurring
- Impact assessment: assesses the quantitative and qualitative impact in various aspects, such as compliance with laws and regulations, safety, financial, strategic, operational and reputational impact
3. Risk Scoring and Risk Prioritization
Risk scoring and risk prioritization are based on the level of likelihood and the level of impact. Risk scores are grouped into five defined risk levels, with a maximum score of 25 points.
BDMS Occurrence Reporting
BDMS operates an occurrence reporting system for employees and related internal and external personnel to report any risks or incidents arising in business operations. All personnel are responsible for managing such incidents in a timely manner and must report them through the specified channels, both online and conventional, within 8 hours of the incident taking place, so that the incident can be investigated and its impact level analyzed. Impacts are categorized in clinical terms, alongside other aspects, as follows:
Level | Clinical Impact |
0 | Near Miss |
1 | No Harm |
2 | Mild Adverse Event |
3 | Moderate Adverse Event |
4 | Serious Adverse Event |
5 | Adverse Event and Reputation Harm |
SE | Sentinel Event |
Each impact level triggers a different internal investigation method. Occurrences are reported to the executives on a monthly and quarterly basis.
The risk appetite is limited to the Low to Medium levels (a risk score at or below 0 is acceptable, depending on hospital-specific aspects).

Audit of the Risk Management Process

Internal Audit
The Audit Committee’s roles and responsibilities include ensuring that the Company has established suitable risk management and control systems that encompass the entire organization, and recommending appropriate and efficient management of the risks associated with the Company’s business operations. The Audit Committee has assigned the internal audit team to prepare the Company's annual audit plan. BDMS’s internal audit process follows the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors. The internal audit plan covers reviewing the effectiveness of controls, including both IT-reliant and non-IT-reliant processes, in the hospitals of the BDMS group and its subsidiaries. Project-based internal audits include reviewing the effectiveness of the risk management process to assess control effectiveness and mitigation measures. The internal audit also checks alignment with regulatory requirements and relevant external standards, such as IT risk management under ISO 27001 and the requirements of the Personal Data Protection Act 2012.
In 2025, BDMS’s Internal Audit function, as part of the third line of defense, provided independent and objective assurance, insights, and advisory perspectives on the adequacy and effectiveness of the organization’s governance, risk management, and internal control processes. The 2025 Internal Audit Plan was developed using a risk-based approach, aligned with BDMS’s business objectives, regulatory requirements, and the evolving risk environment.
The audit scope encompassed significant operational and information technology-related processes. Operational reviews focused on doctor compensation, procurement-to-payment, human resource management, and product development. In the IT domain, the audit focused on two key areas: data privacy practices in compliance with the Personal Data Protection Act (PDPA), and identity and access management (IAM).
These engagements were designed to evaluate whether controls over key operational and technology-related risk areas were adequately designed, implemented, and operating effectively. Furthermore, Internal Audit performed follow-up activities on agreed management action plans to assess whether corrective actions were implemented in a timely manner, thereby supporting the enhancement of governance, risk management, and control processes.
The internal audit process, which covers the risk management process, is illustrated below.
