Joincare Pharmaceutical Group Industry Co., Ltd. Comprehensive Risk Management System
Published Time: 2024-08-27
Chapter 1 General Provisions
Article 1 To strengthen the comprehensive risk management work of Joincare Pharmaceutical Group Industry Co., Ltd. (hereinafter referred to as the "Company"), improve the comprehensive risk management system, raise the level of risk prevention and control, and reasonably ensure the realization of the company's business objectives, this system is formulated in accordance with the "Company Law of the People's Republic of China", the "Listed Company Governance Principles", the "Company Articles of Association" and other relevant laws, regulations and requirements, and in combination with the company's actual situation.
Article 2 This system applies to the company and its wholly-owned subsidiaries and holding companies.
Article 3 The risk referred to in this system refers to the uncertainty of potential losses or gains. Risks exist in every aspect of the company's operations and management, and include internal and external risks.
Article 4 The comprehensive risk management referred to in this system refers to the process and method by which the company, around its overall business objectives and through management in all aspects of management and operations, cultivates a good risk management culture and establishes and improves a comprehensive risk management system, including risk management strategies, risk management solutions, risk management organizational functions, risk management information systems and internal control systems, so as to provide reasonable assurance of achieving the overall goals of risk management.
Article 5 The internal control system referred to in this system refers to the rules, regulations, procedures and measures that are formulated and implemented, through the implementation of basic risk management processes, for the company's strategic planning, risk management objectives, sales, human resources, R&D management, quality control, fund management, contract management, procurement management, financial reporting and disclosure, internal audit, legal affairs, safety production, environmental protection, investment and financing management, information system management, corporate culture, and other business management and important business processes.
Article 6 Comprehensive Risk Management Objectives:
(1) Ensure that risks are controlled within a range that is commensurate with and acceptable to the overall objectives, and promote the enterprise's sustainable development strategy;
(2) Ensure that true and reliable information communication is achieved both internally and externally within the company, including the preparation and provision of true and reliable financial reports;
(3) Ensure compliance with relevant laws and regulations;
(4) Ensure the implementation of the company's relevant rules and regulations and major measures taken to achieve business objectives, ensuring the effectiveness of management, improving the efficiency and effectiveness of business activities, and reducing the uncertainty of achieving business objectives;
(5) Ensure that the company establishes a crisis management plan for various major risks, protecting the enterprise from suffering major losses due to catastrophic risks or human error.
Article 7 The company's comprehensive risk management follows the principles of comprehensiveness, importance, reasonableness, checks and balances, and independence to ensure the effectiveness of risk management.
(1) Comprehensiveness. The company's risk management should unify pre-event, in-event, and post-event controls; covering all business, departments and personnel of the company, penetrating into all aspects of decision-making, execution, supervision and feedback.
(2) Importance. Based on comprehensive risk management, focus on important businesses, key projects and high-risk areas.
(3) Reasonableness. Comprehensive risk management should be adapted to the company's operating scale, business scope, risk situation and environment, and should achieve risk management objectives at a reasonable cost. The company should proceed from reality and strive for effectiveness, formulate an overall plan for comprehensive risk management, and implement it step by step.
(4) Checks and Balances. Risk management should form mutual constraints and mutual supervision in terms of governance structure, institutional settings and responsibilities, and business processes, while also taking into account operational efficiency.
(5) Independence. The department responsible for supervising and inspecting risk management should be independent of other business departments of the company.
Chapter 2 Comprehensive Risk Management Organization System and Responsibilities
Article 8 The company's board of directors is the highest decision-making body for the company's risk management and is responsible for supervising the risk management work. The Strategy and Risk Management Committee is responsible for reviewing the effectiveness of comprehensive risk identification, assessment, internal management and monitoring procedures. The main responsibilities are as follows:
(1) Review and evaluate the company's financial controls, risk management and internal control systems;
(2) Discuss risk management and internal control systems with management to ensure that management has fulfilled its responsibilities in establishing an effective internal monitoring system;
(3) Actively or at the behest of the board of directors, conduct research on the organization of audits related to risk management and internal control and improvements to the audit results;
(4) Deliberate on and provide recommendations on risk management policies and guidelines as well as financial policies;
(5) Formulate risk levels, acceptable risk levels and related resource allocation, and provide recommendations to the board of directors;
(6) Provide opinions and appropriate guidance on major risk combinations or threats affecting the company;
(7) Deliberate on and report to the board of directors the identified key risks and related risk mitigation measures (including crisis management);
(8) Other major matters of comprehensive risk management deemed necessary by the Strategy and Risk Management Committee.
Article 9 The management is the executive body of comprehensive management and is responsible to the board of directors for the effectiveness of this work. Functional departments cooperate to implement risk management procedures. The heads of functional departments are the first responsible persons for risk management, and their main responsibilities are as follows:
(1) Responsible for formulating and implementing risk management strategies and coordinating daily risk management work;
(2) Responsible for researching and proposing suggestions on the judgment standards or mechanisms for major decisions, major risks, major events and important business processes within the scope of their responsibilities;
(3) Organize risk assessments of major events and important business processes within the scope of their responsibilities, and propose risk response strategies and internal control optimization suggestions;
(4) Establish and improve the early warning, reporting mechanism and emergency plan for major risks within the scope of its responsibilities;
(5) Complete other important work of risk management.
Article 10 The Risk Management Department is the leading management department for the company's comprehensive risk management work. Under the guidance of the Strategy and Risk Management Committee, it carries out comprehensive risk management work and mainly performs the following responsibilities:
- Research and propose criteria or mechanisms for judging major risks;
- Organize the drafting of risk management-related systems, and research and propose a plan for the establishment and responsibilities of the risk management organizational system;
- Organize and carry out the daily work of comprehensive risk management, including organizing various departments (units) to carry out risk identification work, leading the maintenance and updating of the group risk database, organizing risk assessment work to form risk assessment reports, organizing supervision of the implementation of risk response plans, organizing supervision of risk early warning work, and organizing supervision of the reporting of major operational risk events;
- Coordinate and guide various units to build their unit's risk management system based on the company's unified risk management system architecture, forming an integrated closed-loop management from top to bottom;
- Responsible for promoting the informatization of risk management;
- Responsible for organizing and coordinating other related work of risk management.
Article 11 The company establishes a perfect management framework for risk management and internal control in the form of "three lines of defense", clarifies the responsibilities of the relevant functional departments of the "three lines of defense", and forms a risk control management system with reasonable division of labor, clear responsibilities, mutual checks and balances, and effective supervision.
(1) Subsidiaries and departments are the first line of defense, directly responsible for risk management in their departments, and the heads of each department are the first responsible persons for risk control in their departments. They are mainly responsible for the daily work of risk identification, assessment, risk prevention and control, and internal control within the scope of their business responsibilities.
(2) The Risk Management Department is the company's second line of defense for risk control. It is mainly responsible for pre-event and in-event risk management and post-event risk handling. The Risk Management Department reports directly to the Strategy and Risk Management Committee of the Board of Directors.
(3) The company's internal control department is the third line of defense of the company's risk control system, responsible for supervising the establishment and implementation of the company's risk controls, the authenticity and integrity of financial information, and integrity and anti-corruption matters. The company's internal control department reports directly to the Audit Committee of the Board of Directors and is independent of any department of the company.
Chapter 3 Comprehensive Risk Management Content
Article 12 The main contents of comprehensive risk management include: risk information collection, risk identification and assessment, formulation of comprehensive risk management strategies, risk response, risk monitoring and early warning, risk reporting, and supervision and improvement of comprehensive risk management.
Article 13 Risk information collection refers to the comprehensive, systematic, and continuous collection and analysis of internal and external information that may affect business objectives by various functional departments of the company based on their actual work.
Article 14 Risk identification means that functional departments should, based on the collected risk information, promptly identify and communicate the risks they face, regularly assess and analyze the conditions under which risks form, their potential impacts and their likelihood of occurrence, and classify, sort and flag potential risk points in advance.
Article 15 Risk assessment means that the company should establish assessment standards based on the degree of impact and the likelihood of occurrence of risks, analyze and measure the identified risks, and rate or quantitatively rank them to determine the key risks to be focused on and prioritized for control.
Article 16 Formulating a comprehensive risk management strategy means that the company, based on the results of risk assessment and taking into account the causes of risks and its risk tolerance, weighs risks against returns and selects appropriate risk management strategies such as risk assumption, risk avoidance, risk transfer, risk conversion, risk hedging, risk compensation, and risk control. At the same time, the company should regularly summarize and analyze the effectiveness and rationality of the formulated risk management strategies, and continuously revise and improve them based on actual conditions.
Article 17 Risk response refers to the formulation of risk response strategies based on existing control systems and activities, as well as specific control measures.
Article 18 Risk monitoring and early warning refer to the overall evaluation of the effectiveness of the design and implementation of risk response strategies and management measures, and the proposal of improvement suggestions. Various functional departments of the company continuously monitor risks, and issue timely warnings when major risks change.
Article 19 Risk reporting: the reporting system for risk management work is divided into regular routine reports, major special risk reports, and major events / risk emergency reports:
1. Regular routine reports are reports submitted by various functional departments on the overall situation of risk management and internal control system construction work, work progress or phased achievements, major problems, and resources and matters that need to be coordinated and resolved.
2. Major special risk reports are reports submitted by functional departments on company-wide major risk management topics and on major risk management topics within their own departments, including but not limited to assessments of the special risk, setting of risk tolerance, management status, planned response plans, internal control design and implementation, setting of risk monitoring indicators, work progress, or resources and matters that need to be coordinated and resolved.
3. Major events / risk emergency reports are reports submitted by functional departments when a major event / risk occurs, urgently reporting to the management on the causes, process, response methods, current status, and estimated losses of the event, and the management reports to the board of directors.
Article 20 Comprehensive risk management supervision and improvement refers to the supervision and evaluation of the implementation and effectiveness after the initial establishment of the comprehensive risk management system, and improvement of the identified problems.
Chapter 4 Basic Risk Management Process
Article 21 Each functional department of the company should continuously carry out risk identification and assessment and, within the comprehensive risk management system, analyze the key causes of major risks, determine risk warning indicators, establish a warning mechanism, continuously monitor major risks, promptly issue warning information, formulate contingency plans, and adjust control measures according to changes in the situation. Based on the problems found in the risk assessment, it should propose a risk management improvement plan.
Article 22 The aforementioned major risk warning mechanism and contingency plan should be submitted to the President for review and approval, and reported to the Risk Management Department for the record. Risk warning mechanisms and contingency plans involving multiple departments should be submitted to the relevant vice president or the President for coordination, depending on the specific circumstances.
Article 23 Each functional department of the company should carry out its tasks in accordance with the major risk warning mechanism approved by the President and the requirements of the contingency plan, and do a good job in communication and reporting.
Article 24 The Risk Management Department will adopt a combination of regular inspections and random checks, combined with the annual audit risk control work plan, and, through internal control audits and special audits, evaluate the effectiveness of risk management work in the functional departments and issue reports.
Chapter 5 Risk Management Assessment and Accountability
Article 25 Senior management and the business departments / business heads of the company should include risk management assessment in the comprehensive assessment of operation and management, and the assessment results are linked to employee financial incentives.
Article 26 Where decision-making errors, management negligence, or improper conduct cause major risks and crises in a department and result in tangible or intangible losses, the company will hold those responsible accountable for their direct or leadership responsibilities in accordance with the relevant accountability system, and cancel the advanced and excellent qualifications of the responsible person and department.
Chapter 6 Supplementary Provisions
Article 27 Matters not covered in this system shall be implemented in accordance with relevant laws, regulations, normative documents, the listing rules of the Shanghai Stock Exchange, the "Company Articles of Association" and other relevant regulations.
Article 28 This system shall come into effect and be implemented from the date of approval by the Strategy and Risk Management Committee of the Board of Directors.
Article 29 The Risk Management Department is responsible for the interpretation and revision of this system.
Joincare Pharmaceutical Group Industry Co., Ltd.
August 27, 2024