KPJ Healthcare Berhad : Sustainability Report

Anti-Corruption Key Focus Area

KPJ Healthcare Berhad has formed the Group Integrity Unit (GIU) in February 2020 as part of its preparation to meet the requirements of Section 17A Malaysian Anti-Corruption Commission Act 2009. The GIU's primary role is to drive and embed integrity as a key factor in governance and ensure all the policies and procedures are in place. These have been incorporated in KPJ Group Anti-Bribery Management System that have been established according to the provisions of the ISO 37001:2016 Anti-Bribery Management System. In October 2020, KPJ ABMS obtained its ISO certification from SIRIM QAS International Sdn. Bhd.

There are four main offences stipulated in the MACC Act 2009 which are aimed to be countered by ABMS as follows:

• Soliciting/Receiving Gratification (Bribe) [section 16 & 17(a) MACC Act 2009]
• Offering/Giving Gratification (Bribe) [section 17(b) MACC Act 2009]
• Intending to Deceive (False Claim) [Section 18 MACC Act 2009]
• Using Office or Position for Gratification (Bribe) (Abuse of Power/Position) [Section 23 MACC Act 2009]
  Whistleblowing Channel
  The Group also has in place a comprehensive Policy of Whistleblowing that outlines the Group's commitment to promote the highest standards of governance, ethics and integrity in all aspects of business dealings.

1

Download Whistleblowing Policy

The Policy covers, inter-alia, 3 tiers of whistleblowing reporting line, comprising of the Managing Director, the Chairman of the Risk and Governance Committee and the Chairman of the Board, to facilitate whistleblowing activities according to different possible circumstances.

Protection for Whistleblowers

A dedicated whistleblowing channel at integrity@kpjhealth.com.my is available for reporting. In order to encourage a conducive environment for effective whistleblowing, the Policy also provides assurances on the preservation of identity, confidentiality of information and protection of whistleblowers from possible retaliation.

This policy provides an avenue for employees to raise genuine concerns internally or report any breach or suspected breach of any law or regulation.

A whistleblower may report a whistleblowing complaint if he/she is aware of any corruption or detrimental action committed within KPJ Group, including but not limited to the following:

• Bribery/Corruption
• Fraud
• Misappropriation of Assets
• Sexual Harassment
• Criminal breach of trust
• Questionable or improper accounting
• Misuse or unauthorized disclosure of confidential information
• Actions that are criminal in nature

2

The Group has put in place the "No Gifts and Entertainment" policy and "Annual Asset Declaration" policy applicable to all staff.

The purpose of these policies is to uphold ethical and responsible behaviour by all its employees and to avoid conflict of interest situation in any ongoing or potential business dealings in the Group with various suppliers and service providers.

The Group has also established the "Corporate Integrity Agreement" (CIA) for Vendors/Suppliers/Contractors since 2016 to strengthen our integrity practices. The Group requires its Vendors/Suppliers/Contractors to adhere in all of their activities to the laws, rules and regulations. The Group expects the Vendors/Suppliers/Contractors to abide by the integrity agreement when conducting business with or for the Group.

According to "guidelines on adequate procedures" published pursuant to section 17A of the MACC Act by the Prime Ministers Department, a corruption risk assessment should form the basis of an organisation's anti- corruption efforts. As such, commercial organisations should conduct corruption risk assessments periodically and when there is a change in law or circumstance of the business to identify, analyse, assess and prioritise the internal and external corruption risks of the organisation. This risk assessment should be used to establish appropriate processes, systems and controls approved by the top level management to mitigate the specific corruption risks the business is exposed to.

For this purpose, KPJ has conducted a bribery risk assessment and maintains a bribery risk register that is reviewed periodically every 12 months to ensure it remains relevant, while any incidents that occur from across the organisation are captured and added to the risk register. The risk register categorises different risks according to severity, either low, moderate, major or extreme and assigns appropriate controls and mitigations for each risk, depending on severity.

3

As KPJ Healthcare is focused on serving all communities and maintaining the highest ethical standards, the company makes no donations to any political parties.

4