Risk management is part of how MEGA grows with resilience. As a healthcare and wellness company operating across many markets, MEGA faces risks from competition, product development, supply continuity, regulatory requirements, data protection, cyber security, climate change, political uncertainty and changing customer needs.

We manage risk so that MEGA can continue to take calculated opportunities while protecting our people, customers, consumers, suppliers, shareholders and communities. Risk is therefore not viewed only as a control issue. It is part of business judgment, sustainability management, internal control, business continuity and the way our teams make decisions across countries.

Risk Management at a Glance

MEGA’s risk management system is supported by Board and committee oversight, risk ownership at operating level, a Risk Appetite Statement, Key Risk Indicators, mitigation plans, residual risk follow-up, internal controls, business continuity planning and emerging risk monitoring.

  • Risk appetite
  • Risk monitoring: Key Risk Indicators and mitigation plans
  • Residual risk follow-up: Risk mitigation plans followed up against residual risk
  • Risk management KPI: Included as KPI for Executives, Senior and Middle Management
  • Internal control framework: COSO-based internal control framework
  • Internal audit support: Third-party internal audit firms
  • Emerging risks identified: Climate change, data privacy, cyber preparedness and intellectual property
  • Business continuity guidelines: Plan, risk evaluation, policy and regulations, action, impact analysis, BCP and revisit

Challenges and Opportunities

The healthcare and wellness industry is moving through a period of rapid change. Competition is increasing, product development requires careful investment, supply chains are exposed to climate and raw material risks, and digitalization is increasing the importance of cyber security and data protection. At the same time, MEGA operates in markets where political uncertainty, logistics constraints, regulatory changes and business continuity risks can affect operations.

For MEGA, the challenge is not only to reduce risk, but to understand which risks can be managed in order to support growth. A strong risk process helps the Company protect its base business, continue supplying quality health products, invest in digital systems, build stronger supply chains and respond to changing customer needs.

  • Competition and changing market dynamics may affect growth, margins and brand position
    Use market understanding, stakeholder engagement, new products and financial ratio tracking to strengthen competitiveness

  • New product introduction carries regulatory, quality, commercial and timing risks
    Strengthen credible partner selection, risk-based supplier selection, business development practices and regulatory standards

  • Supply continuity may be affected by raw material scarcity, supplier capability, climate change and demand growth
    Maintain credible suppliers, forecasting technology, long-term relationships and flexible captive manufacturing capability

  • Data privacy and cyber security risks are becoming more complex
    Strengthen data protection, access control, training, cyber security measures, infrastructure audits and stress testing

  • Bribery and compliance risks can arise across markets, tenders, licenses and public sector dealings
    Apply corporate values, anti-corruption training, internal audits and contractual clauses for sustainability, anti-corruption and data protection

  • Business disruption may arise from disasters, political instability, pandemic events or operational interruptions
    Maintain business continuity plans, alternate suppliers, alternate manufacturing facilities, disaster recovery testing and crisis plans

Why Risk Management Matters to MEGA

MEGA’s purpose is to help people stay healthy as long as they live. To do this consistently, the Company must be able to manage risks that may affect product availability, product quality, customer trust, supply continuity, data protection, employees, financial performance and business continuity.

Risk management is important because MEGA operates across diverse markets and business segments. Mega We Care™ depends on product development, regulatory approval, quality standards, brand trust and market competitiveness. Maxxcare™ depends on supply reliability, customer relationships, logistics capability, local market conditions and continuity of service.

Our Risk Management Approach

MEGA’s risk management approach begins with oversight. The Board of Directors provides overall direction, while the Sustainability, Risk Management and Corporate Governance Committee considers risk management policy and framework, reviews risk assessment and action plans, monitors risk management actions and reports risks to the Board on a regular basis or at least once a year.

The process is then carried into the business through management accountability. MEGA identifies key risks in consultation with the locations where the Company operates, and each location head is considered a risk owner. This is important because risks are often best understood closest to the operating environment, whether they relate to market conditions, supply chain, regulation, customers, logistics or local disruption.

The Risk Appetite Statement serves as a foundational document for risk management at MEGA. It helps clarify the level of risk the organization is prepared to take and supports decision-making thresholds. Key Risk Indicators are used to monitor relevant changes, while mitigation plans are prepared and followed up so that residual risks can be managed as planned.

Risk Governance and Accountability

Risk governance at MEGA is designed to connect enterprise oversight with operating-level accountability. The Board of Directors oversees strategy, performance, risk management and internal controls. The Sustainability, Risk Management and Corporate Governance Committee provides focused review of risk policy, risk assessment, risk measurement, action plans and Board reporting. The Audit Committee supports the system through its oversight of internal audit, external audit, internal controls and audit observations.

At management level, risk management is headed by the CFO and Executive Director, who is a member of the Sustainability, Risk Management and Corporate Governance Committee. MEGA has also assigned a senior officer / coordinator for Risk Management and Corporate Governance. Location heads act as risk owners and report to the President / Head Coach.

Risk Identification, Assessment and Mitigation

MEGA identifies key risks in consultation with the locations where the Company operates. This helps the risk process reflect business realities in each market, including competition, regulation, supply conditions, political context, customers, suppliers and operational conditions.

Once risks are identified, MEGA uses Key Risk Indicators to monitor relevant changes. Mitigation plans are prepared, assigned and followed up so that risks can be addressed and residual risk can be managed as planned.

Risk management is also included as one of the key performance indicators for Executives, Senior Management and Middle Management. This reinforces accountability and helps embed risk awareness into management decision-making.

Key Risk Themes

MEGA’s risk register covers high and extreme inherent risks that may affect business growth, financial condition, operations, products, compliance and sustainability. The key risk themes include strategic risks, operational and supply chain risks, compliance and ethical risks, emerging risks and business continuity risks.

Strategic risks include competition, market changes and new product introduction. Operational and supply chain risks include inventory management, supplier capability and continuity, raw material and ingredient availability, product quality, manufacturing flexibility, distribution arrangements and business continuity. Compliance and ethical risks include regulatory and quality compliance, bribery risk, competition policy and fair trading practices, responsible product information, customer and consumer trust, and dealings with government agencies, public hospitals, regulators, certification bodies and third-party service providers.

Emerging Risks

MEGA identifies climate change, data privacy, cyber preparedness and intellectual property as key emerging risks. These risks can affect business continuity, regulatory compliance, stakeholder trust, product availability and the Company’s ability to operate safely and responsibly across markets.

Cyber and data risks are increasing as business environments change, data convergence with third parties grows and cyber threats become more sophisticated. MEGA manages these risks through controls such as cyber security awareness, training, access control, firewalls, virus protection and ongoing review of security controls based on known threats and updated intelligence.

Climate-related and sustainability risks can affect supply continuity, raw material availability and environmental compliance. MEGA manages these risks through supplier selection, long-term relationships with credible suppliers, forecasting technology, flexible captive manufacturing capability, ESG reporting, transparency on non-compliance and target setting.

Data privacy risk is managed through a Data Privacy Policy and framework, restricted use of data, vendor restrictions to safeguard proprietary data, stress testing and infrastructure audits by third parties. Intellectual property risk is managed through compliance with intellectual property laws, protection of the Company’s intellectual property, data security and responsible use of information.

  • Emerging risk: Climate Change and Sustainability Supply Risk
    Why it matters: Climate change, raw material scarcity and rising demand may affect supply continuity.
    MEGA’s disclosed risk response: Supplier selection beyond GMP requirements, long-term relationships with credible suppliers, forecasting technology, investment in supplier relationships, flexible captive manufacturing, ESG reporting, transparency and target setting.

  • Emerging risk: Data Privacy and Regulatory Environment
    Why it matters: Data exposure may lead to regulatory, financial and reputational impact.
    MEGA’s disclosed risk response: Data Privacy Policy and framework, restricted use of data, vendor restrictions to safeguard proprietary data, stress testing and infrastructure audits by third parties.

  • Emerging risk: Cyber Preparedness
    Why it matters: Sophisticated cyber threats may affect business continuity, customer data, product data and corporate data.
    MEGA’s disclosed risk response: Company-wide controls, cyber security awareness and training, access control, firewalls, virus protection, review of security controls, audits, stress testing, disaster recovery planning and Board / Committee reporting.

  • Emerging risk: Intellectual Property
    Why it matters: Product knowledge, corporate data and proprietary information are important to business competitiveness and trust.
    MEGA’s disclosed risk response: Protection through data security, restricted use of data, vendor safeguards, IT policy expectations and responsible use of confidential information.

Risk Culture and Decision-Making

MEGA encourages a risk culture that helps the Company leverage opportunities and minimize threats. Risk management is included as one of the key performance indicators for Executives, Senior Management and Middle Management, reinforcing the role of leaders in identifying and managing risk.

Risk culture also means that teams consider risk before decisions are made. MEGA’s approach encourages people to identify key risks, discuss mitigation processes and make decisions with an understanding of risk appetite, business priorities and long-term impact.

Disclosed Target / Management Focus

MEGA’s risk management focus areas are connected to governance oversight, risk ownership, risk appetite, mitigation planning, emerging risk monitoring, internal controls, business continuity and crisis preparedness.

  • Risk governance: Continue Board and Sustainability, Risk Management and Corporate Governance Committee oversight of risk policy, framework, assessment, action plans and reporting.
  • Risk ownership: Continue identifying key risks in consultation with operating locations, with location heads acting as risk owners.
  • Risk appetite: Continue using the Risk Appetite Statement as the foundational document for risk management and decision-making thresholds.
  • Key Risk Indicators: Continue identifying and monitoring Key Risk Indicators for material risks.
  • Mitigation and residual risk: Continue preparing mitigation plans, following up actions and managing residual risks as planned.
  • Risk culture: Continue including risk management as a KPI for Executives, Senior and Middle Management.
  • Emerging risks: Continue monitoring climate change, data privacy, cyber preparedness and intellectual property as key emerging risks.
  • Supply continuity: Continue strengthening supplier relationships, forecasting, flexible manufacturing and supplier audits.
  • Internal controls: Continue maintaining COSO-based internal controls, Audit Committee oversight and third-party internal audits.
  • Business continuity: Continue maintaining business continuity plans, recovery plans, disaster recovery testing, crisis plans and resilience measures across locations.
  • Cyber preparedness: Continue strengthening cyber security awareness, security controls, audits, stress testing and Board / Committee reporting.
  • Compliance and bribery risk: Continue applying anti-bribery controls, training, audits, contractual safeguards and whistleblowing channels.