Chapter 1 General Provisions

Article 1 In order to strengthen the comprehensive risk management of Joincare Pharmaceutical Industry Group Co., Ltd. (the “Company”), improve the comprehensive risk management system, enhance the level of risk prevention and control, and reasonably ensure the realization of the Company’s business objectives, this system is formulated in view of its actual situations and in accordance with the Company Law of the People’s Republic of China, Code of Corporate Governance for Listed Companies, the Articles of Association and other relevant laws, regulations and requirements.

Article 2 This system is applicable to the Company and its wholly-owned subsidiaries and holding subsidiaries.

Article 3 The term “risk” in this system refers to the uncertainty of potential loss or gain. Risks are involved in every activity of the Company’s operation and management, including internal risks and external risks.

Article 4 The comprehensive risk management referred to this system represents the processes and methodology that the Company focuses on overall operational objectives and cultivates a strong risk management culture by implementing the basic risk management process in various management stages and operations, establishes a comprehensive risk management system, including risk management strategies, risk management solutions, system of organizational function for risk management, risk management information system and internal control system, so as to provide a reasonable guarantee for the achievement of the overall objectives of risk management.

Article 5 The internal control system referred to this system represents rules, procedures, and measures that the Company formulates and implements, focusing on the risk management objectives, for the management of the Company’s strategic planning, sales business, human resources, R&D management, quality control, capital management, contract management, procurement management, financial reporting and disclosure, internal audit, legal affairs, production safety, environmental protection, investment and financing management, information system management, corporate culture, and other business and their important business processes by implementing the basic process of risk management.

Article 6 Comprehensive risk management objectives:

(I) to ensure that the risks are controlled within a range that is appropriate and tolerable in relation to the overall objectives;

(II) to ensure the Company’s internal and external communication of true and reliable information, including the preparation and provision of true and reliable financial reports;

(III) to ensure the compliance with relevant laws and regulations;

(IV) to ensure the implementation of relevant rules and regulations of the Company and the major measures taken for achieving business objectives, guarantee the effectiveness of operation and management, improve the efficiency and effectiveness of business activities, and reduce the uncertainties of achieving business objectives;

(V) to ensure that the Company has a crisis management plan in place for the occurrence of various major risks, and to protect the Company from material losses due to catastrophic risks or human errors.

Article 7 The Company's comprehensive risk management follows the principles of comprehensiveness, importance, reasonableness, checks and balances, and independence to ensure the effectiveness of risk management.

(I) Comprehensiveness. The Company's risk management shall be unified before, during and after the process; and shall cover all business, departments and personnel of the Company, covering all aspects of decision-making, implementation, supervision and feedback.

(II) Importance. On the basis of comprehensive risk management, attention shall be paid to important businesses, key projects and high-risk areas.

(III) Reasonableness. Comprehensive risk management shall be commensurate with the Company's operational scale, business scope, risk status, and the environment it operates in, and shall realize risk management objectives at a reasonable cost. The Company shall formulate the overall plan for comprehensive risk management and implement it step by step under the principle of practicality and pragmatism.

(IV) Checks and balances. Risk management shall form mutual constraints and mutual supervision in the governance structure, organization settings and distribution of rights and responsibilities, business process, etc., while taking into account the operational efficiency.

(V) Independence. The departments responsible for risk management shall be structurally independent of the business lines .

Chapter 2 Organizational System and Responsibilities of Comprehensive Risk Management

Article 8 The Board is the highest decision-making body of the Company’s risk management and is responsible for supervising the risk management work; The audit committee is responsible for reviewing the effectiveness of comprehensive risk identification, assessment, internal management, and control procedures, with the main duties as follows:

(I) to review and assess the Company’s financial control, risk management and internal control systems;

(II) to discuss the risk management and internal control systems with the management to ensure that the management has performed its duty to have an effective internal control system;

(III) on its initiative or upon delegation by the Board, to organize audits in relation to risk management and internal control and to research the improvement of the audit results;

(IV) to review and advise on risk management policies and guidelines as well as financial policies;

(V) to formulate the risk level, risk tolerance level, and related resource allocation, and advise the Board;

(VI) to advise and give appropriate guidance on major risk portfolios or threats affecting the Company;

(VII) to consider and report to the Board on the identified key risks and relevant risk mitigation measures (including crisis management);

(VIII) other material matters of comprehensive risk management that the audit committee considers necessary.

Article 9 The operations management is the executive body of overall management work and is accountable to the Board for the effectiveness of such work. Each functional department cooperates in the implementation of risk management procedures. The head of each functional department is the primary responsible person for risk management, with the main duties as follows:

(I) to be responsible for formulating and implementing risk management strategies and coordinating the daily work of risk management;

(II) to study and advise on the judgment standards or mechanisms for major decisions, major risks, major events, and important business processes within the scope of its duties;

(III) to organize risk assessment on major events and important business processes within the scope of its duties, and advise on risk response strategies and internal control optimization;

(IV) to establish and improve the early warning system, reporting mechanism, and emergency plan for major risks related to the scope of its duties;

(V) to complete other important tasks of risk management.

Article 10 The Supervision and Internal Audit Department is the leading management department of the Company’s comprehensive risk management work. Under the guidance of the audit committee, it carries out comprehensive risk management work with the main duties as follows:

1.  to study and advise on the judgment criteria or mechanisms for major risks;
2.  to organize the formulation of risk management related systems, and study and propose plans on the establishment and duties of risk management organization systems;
3.  to organize the daily work of comprehensive risk management, including organizing all departments (units) to carry out risk identification work, taking the lead in maintaining and updating the Group’s risk database, organizing risk assessment work to form risk assessment reports, organizing and supervising the implementation of risk response plans, risk early warning work and the reporting of major business risk events;
4.  to coordinate and guide all units to establish their risk management system with reference to the Company’s unified risk management system structure, forming an integrated closed-loop management from top to bottom;
5.  to be responsible for promoting the informatization development of risk management;
6.  to be responsible for organizing and coordinating other work related to risk management.

Chapter 3 Contents of Comprehensive Risk Management

Article 11 The contents of comprehensive risk management mainly include risk information collection, risk identification and assessment, formulation of comprehensive risk management strategy, risk response, risk monitoring and early warning, risk reporting, supervision, and improvement of comprehensive risk management.

Article 12 Risk information collection refers to the comprehensive, systematic, and continuous collection and analysis of internal and external information that may affect business objectives by each functional department of the Company according to the actual implementation of work.

Article 13 Risk identification refers to that each functional department shall identify and communicate the risks faced promptly based on the risk information collected, regularly assess and analyze the conditions of risk formation, potential impact, and likelihood of occurrence, and classify, organize, and give corresponding reminders on potential risks in advance.

Article 14 Risk assessment refers to that the Company shall establish assessment criteria according to the impact degree and likelihood of occurrence of risks, analyze and measure the identified risks, and conduct rating evaluation or quantitative ranking to determine the risks that should be focused on and prioritized for control.

Article 15 The formulation of comprehensive risk management strategy refers to the Company’s selection of appropriate risk management strategies such as risk taking, risk aversion, risk transfer, risk conversion, risk hedging, risk compensation, and risk control based on the results of risk assessment, in conjunction with the causes and tolerance of risks, taking into consideration of risks and returns. At the same time, the Company shall regularly summarize and analyze the effectiveness and rationality of the established risk management strategies, and continuously revise and improve them based on the actual situation.

Article 16 Risk response refers to the formulation of risk response strategies and specific control measures based on the existing control systems and activities.

Article 17 Risk monitoring and early warning refer to the overall assessment of the effectiveness of the design and implementation of risk response strategies and management measures, and the making of recommendations for improvement. Each functional department of the Company continuously monitors the risks and provides early warning on time when major risks change.

Article 18 Risk reporting refers to the reporting system of risk management work, which is divided into regular routine reporting, major special risk reporting, and major event/risk emergency reporting:

1. Regular routine reporting refers to the overall situation, work progress or phased results, major issues and resources, and matters that need to be coordinated and solved by the functional departments in reporting the risk management and construction of internal control systems.

2. Major special risk reporting refers to the reports of each functional department on the overall major risk management issues of the Company and the major risk management issues of the department, including but not limited to the assessment of the special risk, the setting of risk tolerance, the current management status, the response plan, the design and implementation of internal control, the setting of risk monitoring indicators, the progress of work, or the proposal of resources and matters that need to be coordinated and resolved.

3. Major event/risk emergency reporting refers to functional departments urgently reporting the cause, process, response method, current status, estimated loss, and other information to the management when a major event/risk occurs, and the management reports to the Board.

Article 19 Supervision and improvement of comprehensive risk management refers to the supervision and evaluation of the implementation and the effect of implementation after the initial establishment of the comprehensive risk management system and the improvement of the problems found.

Chapter 4 Basic Process of Risk Management

Article 20 Each functional department of the Company shall continuously carry out risk management identification and assessment, analyze the key causes of the comprehensive risk management system for major risks, determine risk early warning indicators, establish an early warning mechanism, continuously monitor major risks, issue early warning information promptly, formulate emergency plans and adjust control measures according to the changes of situation. In response to the issues identified in the risk assessment, it shall propose risk management improvement plans.

Article 21 The aforesaid early warning mechanism and emergency plan for major risks shall be reported to the president for review and approval and reported to the Supervision and Internal Audit Department for the record. For the risk early warning mechanism and emergency plan involving multiple departments, it shall be reported to the vice president in charge or the president for coordination according to the specific situation.

Article 22 Each functional department of the Company shall carry out various work in accordance with the requirements of major risk early warning mechanism and emergency plan issued after approval by the president, and communicate and report its work well.

Article 23 The Supervision and Internal Audit Department adopts a combination of regular and random sampling, and by taking into consideration the annual audit and risk control work plan, assesses the effectiveness of risk management work of each functional department and issues reports through internal control audits and special audits.

Chapter 5 Risk Management Assessment and Accountability

Article 24 The senior management and the heads of business departments/ business lines of the Company shall incorporate risk management assessment into the comprehensive assessment of operation and management, and the assessment results shall be linked to financial incentives for employees. 
Article 25 The Company shall hold accountable the persons responsible for significant risks and crisis events that occur in the department due to decision-making errors, mismanagement, inappropriate behavior, etc., which lead to tangible or intangible losses. The accountability shall be based on their direct responsibility or leadership responsibility according to relevant accountability system. And the Company shall cancel the qualifications of being outstanding and being awarded with honors of the relevant responsible person and responsible department to be appraised.

Chapter 6 Supplementary Provisions

Article 26 Matters not covered herein shall be executed in accordance with relevant laws, regulations, regulatory documents, the listing rules of the Shanghai Stock Exchange, and the Articles of Association of the Company, among other related provisions.

Article 27 This system shall come into effect and be implemented from the date of approval by the audit committee of the Board.

Article 28 This system shall be interpreted and amended by the Supervision and Internal Audit Department.

Joincare Pharmaceutical Industry Group Co., Ltd.

25 October 2023