HealthPlus Retail Group — Risk Analysis & Mitigation

A structured risk register and the mitigation measures covering market, operational, financial, regulatory, supply-chain and execution risks.

Section 12 · Business Plan

12.1 Risk Management Framework

HealthPlus operates an enterprise risk management (ERM) framework
aligned to ISO 31000 and the King IV principles on risk governance.
Risks are identified, scored on a 5×5 likelihood-impact matrix,
mitigated through documented controls, and reviewed monthly by the
executive team and quarterly by the Audit & Risk Committee. The
framework distinguishes between strategic, operational, financial,
regulatory, technology and macro risks.

Risk in the South African pharmacy retail context is
dominated by three things: regulation, currency, and pharmacist supply.
Everything else is manageable.

12.2 Risk Heat Map

Figure 12.1 plots the twelve principal residual risks
(post-mitigation) on the standard likelihood-impact heat map. Five risks
are classified as High residual (red); seven as Medium (amber); none as
Low (green) — a deliberate framing, since material risks should never be
characterised as Low to a sophisticated investor audience.

Figure 12.1 — Residual risk heat map (post-mitigation)

12.3 Risk Register

The full risk register is set out below. Each risk is identified by a
unique reference (R1–R12), classified, scored on inherent and residual
basis, and assigned a named mitigation owner. The register is a living
document; this presentation reflects the position at financial
close.

| ID | Risk | Category | Inherent | Residual | Owner |
|---|---|---|---|---|---|
| R1 | NHI implementation alters dispensing economics | Regulatory | High | High | CPO |
| R2 | Single-Exit Price (SEP) regime tightens | Regulatory | High | Med | CPO |
| R3 | Pharmacist labour shortage caps store rollout | Operational | High | High | CPO / CHRO |
| R4 | ZAR depreciation against USD (import inflation) | Macro / FX | High | Med | CFO |
| R5 | Load-shedding disrupts cold-chain & operations | Operational | High | Med | COO |
| R6 | Major data breach / cyber incident | Technology | Med | Med | CTO |
| R7 | Aggressive incumbent price war | Competitive | Med | Med | CCO |
| R8 | Site availability slows expansion | Operational | Med | Med | COO |
| R9 | Private-label quality / recall event | Operational | Med | Med | CPO |
| R10 | Civil unrest / supply chain disruption | Macro | High | High | COO |
| R11 | Funding-market pricing widens | Financial | Med | Med | CFO |
| R12 | Key-person dependency on founding executives | Governance | Med | Med | CEO / Board |

Table 12.1 — Risk register summary

12.4 Principal Risks & Mitigation Strategies

12.4.1 R1 — National Health Insurance (NHI)

The NHI Act, signed in 2024, contemplates a single-payer fund
replacing private medical schemes for “comprehensive” services.
Implementation is phased over 8–12 years and subject to ongoing
constitutional and operational challenges. Net effect on retail pharmacy
is uncertain but plausibly positive (broader population access,
formulary-driven volume) if dispensing fees remain economically
viable.

12.4.2 R3 — Pharmacist Labour Supply

South Africa produces ~800 new pharmacists annually against
retail-sector demand for ~2,400 incremental positions through Y5 across
all chains. This is the single most binding operational constraint on
the rollout plan.

12.4.3 R4 — ZAR Currency Depreciation

Approximately 38% of cost of goods is USD-linked (international
beauty brands, pharmaceutical APIs, technology). A 10% ZAR depreciation
translates to ~3.8 ppt of gross margin pressure if unmitigated.

12.4.4 R5 — Load-Shedding

Eskom load-shedding has been a structural feature of South African
operations since 2008. Pharmacies face dual exposure: cold-chain
integrity (vaccines, insulin, biologics) and point-of-sale
availability.

12.4.5 R10 — Civil Unrest / Supply Chain Disruption

The July 2021 KZN/Gauteng unrest demonstrated the asymmetric impact
of civil disruption on retail. HealthPlus has architected its supply
chain explicitly to absorb this risk class.

12.5 Insurance Programme

A comprehensive corporate insurance programme is procured at
financial close, structured across six policy lines and reviewed
annually by an independent broker.

| Policy | Limit (ZAR) | Insurer Type | Notes |
|---|---|---|---|
| Property all risks | 4.5 billion | Composite local + reinsurance | Including stock and IT |
| SASRIA (riot & strike) | 2.0 billion | Government scheme | Maximum statutory cover |
| Business interruption | 1.8 billion | Composite | 12-month indemnity period |
| Public & products liability | 500 million | Composite | Worldwide ex. US/Canada |
| Directors & officers | 250 million | Composite | Listing readiness aligned |
| Cyber liability | 150 million | Specialist | POPIA + GDPR coverage |

Table 12.2 — Insurance programme structure

12.6 Crisis Management & Business Continuity

A formal Business Continuity Management (BCM) framework — aligned to
ISO 22301 — is implemented in Y1 and tested via tabletop exercises
bi-annually. The framework defines recovery time objectives (RTO) for
each critical business function, named crisis-team roles, and
pre-authorised expenditure thresholds for crisis response.

Risk philosophy

No business plan eliminates risk; the credible plans price it.
HealthPlus prices each principal risk explicitly into store-level capex,
working-capital buffer, insurance premium, and headroom on the capital
stack. The Downside scenario in Section 10.10 reflects the simultaneous
occurrence of three of the High-residual risks above and still delivers
a 14.2% equity IRR — evidence that the plan is robust to realistic
stress.

Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of HealthPlus Retail Group (Pty) Ltd.