Sustainability - Risk Management
Businesses face conditions that change day to day: climate change, natural disasters growing in frequency and intensity, growing geopolitical risks, increasing digitalization, and diversifying values. Under these circumstances, we must accurately identify the wide range of potential future risks and respond appropriately if we are to sustainably increase our corporate value.
The Meiden Group has created an ERM (Enterprise Risk Management) system designed to identify all types of major business risks to the Group as a whole so that management can discuss them and control them in an integrated manner.
In addition to everyday risk management, we also have an organization-wide BCM (Business Continuity Management) system for managing and responding to business continuity risks caused by accidents or disasters. Through this, we aim to be able to respond to constantly changing risks during both regular operation and emergencies.
The Meiden Group is building a risk management system using the following three-line model.
Line / committee | Role |
---|---|
First line | In our business units (the first line), including plants and domestic and overseas subsidiaries, we have introduced Control Self-Assessment (CSA). With this tool, each unit identifies, assesses, and controls its own risks. To identify risks, units refer to a 120-item risk list to ensure their review is comprehensive. Each unit then evaluates the major risks it identified, focusing on scale of impact and likelihood of occurrence. |
Second line | The second line consists of staff business units with expertise in general affairs, legal affairs, human resources, and more. These units monitor and support the CSAs performed by the first line. |
Third line | The internal audit department (the third line) conducts regular audits to verify that the first line’s CSA cycle and second line’s support are functioning effectively. The status of internal audits is reported to the Executive Officers’ Meeting, the Board of Directors, the Audit and Supervisory Committee, and key Company management as needed. |
Risk Management Committee | Heads of staff business units serve on this committee, which meets twice a year to discuss major company-wide risks as aggregated by the Internal Control Promotion Division. The committee selects major company-wide risks, determines which departments have jurisdiction over them, and clarifies the responsibilities of those departments. The committee also discusses new major risks to strengthen risk control. |
Internal Control Committees at Group companies | These committees consist of directors of subsidiaries and meet twice a year to take reports on the status of each company’s CSA and share information on major risks for the Meiden Group as a whole. The committees also take part in risk discussions among subsidiaries to enrich the conversation. |
The Risk Management Committee consists of the heads of Headquarters staff business units. Twice a year, it deliberates on the important business risks of the Meiden Group as identified by the Internal Control Promotion Division, then selects major company-wide risks. The committee determines which units have jurisdiction over each risk and discusses policies for dealing with the risks. Management then takes up the business risks discussed by the Risk Management Committee and debates them further at the Executive Officers’ Meeting and the Board of Directors to determine the important business risks of the Meiden Group and policies for dealing with them.
The Meiden Group specifies the major business risks to the Group as a whole through regular discussion among management under systems such as those described above. The risks that the Group considers could have a serious impact on its operations are as follows.
The Meiden Group’s preliminary risk assessment system, based on our Basic Policy on the Establishment of a System to Ensure the Appropriateness of Business Operations, is designed to provide information for management decision-making. In our system, we hold a preliminary risk assessment meeting to carefully consider matters that may have a significant impact on the Group. Projects subject to review are generally classified as large-scale EPCs, M&As, partnerships, new businesses, or other matters that require a resolution by the Executive Officers’ Meeting according to regulations.
In FY2023, we conducted preliminary risk assessments on 5 cases. Including these, we have not yet identified any cases that have caused new losses. Preliminary risk assessment plays an important role in managing risk prior to the start of a project.
There are four key parts to preliminary risk assessment, as follows.
As mentioned above, in the preliminary risk assessment, we evaluate not only financial risks, but project risks, operation risks, etc. The Corporate Policy Planning Group and the Internal Control Promotion Division serve as the secretariat for assessments, and their supervising officers determine whether a meeting needs to be held. Other units involved include the Corporate Governance Management Group, the Accounting and Financing Group, and the Sales Planning & Administration Group.
During M&A, a third-party unit performs the due diligence. Besides doing a financial investigation of the target company, we also evaluate it from an ESG perspective to strengthen risk management. This includes the target’s corporate culture, legal compliance systems including human rights concerns, compliance with environmental regulations, labor conditions, occupational health and safety, and other factors.
The Meiden Group Basic BCP Policy stipulates the Meiden Group’s basic policy on business continuity, business continuity targets, and response in the event of a disaster, etc., and is applied at each business unit and subsidiary.
We will promote the Medium-term Management Plan 2024, paying particular attention to the following items relating to disaster-prevention and BCP.
Under the BCM Committee, which determines the Meiden Group’s BCP policy and measures, the Meiden Group established the Corporate BCP Promotion Committee, BCP promotion committees for each business, BCP liaison committees at domestic subsidiaries, the Working Group to Consider Priority Businesses, and the Working Group to Handle and Protect Employees, and promotes BCP throughout the Group.
In September 2023, we conducted a company-wide natural disaster response headquarters drill to verify the effectiveness of BCPs that had been created. The purpose of this drill was to have the company-wide natural disaster response headquarters make decisions concerning the restoration of production sites damaged in a disaster. For this reason, we created a hypothetical scenario in which a company-wide natural disaster response headquarters meeting was being held 4 days after the Nagoya Works and the Chubu Branch Office were damaged by a Nankai Trough earthquake. The hypothetical damage information used in the drill was prepared in advance by the Nagoya Works and each unit, making it possible for the drill to be conducted under realistic conditions. The company-wide natural disaster response headquarters meeting deliberated on the decision to dispatch personnel for facility restoration, the determination of which plant to prioritize for restoration, and possibilities for replacing the production of these plants. Based on the results of the drill, we will reorganize and adjust the information and reporting routes necessary for decision-making to improve our BCPs.
The activities implemented in affected areas are of particular importance in the early stages of disaster response. Meidensha has been conducting workshops on disaster preparedness and BCP at its business sites since FY 2022. In FY 2023, we held workshops at the Ohta Works and for the Tokyo area. Participants reconfirmed hazardous areas on the premises of their site as well as disaster supply storage locations, and discussed evacuation methods as well as what to do in the event of a need to stay on-site.
Since all divisions, including subsidiaries at the same production site, had not previously come together under the theme of disaster prevention and BCP, the sharing of information held by the area disaster response headquarters as well as measures implemented at each workplace helped to deepen understanding of disaster prevention and disaster management trends within the area.
The content of the workshops was reflected in BCPs and disaster prevention plans, helping the participating sites to prepare for a disaster.
Meiden Group subsidiaries outside Japan have also begun establishing BCPs. Japanese and local staff work together to design the optimal BCP for each company. This effort is starting with the ASEAN region, India, and China. Subsidiaries in these regions aim to complete their BCP manuals by the end of FY2023. We are committed to advancing this initiative to ensure business continuity for the entire Meiden Group, including overseas subsidiaries.
Disaster prevention and BCP training is included in the curriculum of personnel education for each level of employment and is provided continually. In FY2023, we again gave training for new employees and mid-career hires. We have also conducted extensive awareness-raising initiatives, including disaster prevention and BCP training for employees working at domestic sites and training for BCP staff of Meiden Group companies.
In addition, we created a training video to further spread the word about our disaster prevention and BCP efforts. The video was released in May of 2023 and we have worked to ensure that all Group employees view it.
The Meiden Group understands that ensuring the security of the information we handle is a most critical issue. We therefore protect information assets from disasters, accidents, criminal acts, errors, and other threats. We also maintain and enhance information management to prevent leaks, tampering, theft, or loss. Further, through thorough information security management, we maintain the safety of the products and services we provide to our customers.
Meidensha (hereinafter the “Company”) is aware that ensuring security of information assets handled by the Company is a major management issue for the Company, and protects information assets from threats such as disasters, accidents, crime, negligence, and cyber risks.
By establishing and maintaining information security management, we aim to prevent information security incidents such as leakage, falsification, or theft of information, build relationships of trust with a range of interested parties, including shareholders and customers, and improve corporate value of the Company.
This basic policy applies to all personnel who handle information assets managed by the Company.
The Company complies with obligations imposed by laws and agreements that relate to business activities.
Everyone involved with business activities ensures thorough compliance with matters required by laws and regulations, obligations imposed by agreements, this policy, and internal management regulations relating to information security.
The Company provides for information security management by, for example, nominating an Information Security Manager and Information Security Business Unit Managers and establishing an office. It has established regulations and procedures, etc., based on the Basic Information Security Policy, and continuously maintains and improves information security.
Taking into consideration the risks posed by increasingly sophisticated cyber attacks in recent years, Meidensha has undertaken a company-wide system review to strengthen its information security control system.
To enhance our information security measures for the products and services we provide to customers, we established the new PSIRT.*1 To enhance internal information security, we established the FSIRT*3 to oversee factories under the CSIRT.*2 In addition, we established the PrSIRT,*4 which aims to reduce supply chain risks. These specialized teams will take the lead in routine countermeasures and incident response. Further, we have assigned a SIRT manager in charge of information security to each unit to ensure that employees throughout the unit are familiar with relevant rules, provide education, and scrutinize and improve information security implementation on an ongoing basis. In addition, we have established a general contact point (MEIDEN-SIRT) to facilitate cooperation with each unit and to provide rapid response to information security risks and incidents.
The Information Security Committee is chaired by the director in charge of information systems and deliberates on the drafting, evaluation, and improvement of information security measures, as well as investigations into the causes of incidents and the prevention of recurrences. The status of information security operations is regularly explained to and approved by the president and management.
Information Security Control System
The Meiden Group conducts information security audits of Meidensha and subsidiaries, mainly through the Information Security Committee, and verifies and evaluates whether security measures are actually being implemented and are functioning.
At present, some of Meidensha and its domestic subsidiaries have received Information Security Management System (ISMS) certification.
In fiscal 2023, we are continuing to implement initiatives to reinforce information security for the entire Meiden Group.
The Meiden Group strives to implement sustainable security measures within the framework of “prediction/protection/detection/response/restoration.” We analyze and implement both hardware and software measures to protect data from unauthorized logins, etc., and from virus infections caused by suspicious emails, such as targeted attacks, as well as measures mainly aimed at combatting human factors such as theft, loss, or mishandling of information devices.
Further, to strengthen our ability to respond to increasingly sophisticated cyberattacks in recent years, alongside our existing multi-layer defense measures, we have implemented various additional measures with a “zero trust” approach in mind. In terms of systems, we have initiated efforts to strengthen externally facing information security measures (concerning products and services) and have developed internal systems to speed up incident response.
All of the Meiden Group’s officers, employees, dispatch workers, and contract workers, etc., engage in information security education. In FY2023, we conducted e-learning covering an introduction to information security as well as information security threats based on case studies. The e-learning was attended by 90% of employees, and materials were sent to those who were unable to attend online.
We continue to conduct suspicious email drills as education about cyber attacks such as targeted email attacks.
Going forward, we will continue to strengthen hardware and software measures and continue to conduct personnel measures, such as information security education and suspicious email drills. We will continue to roll out measures for information security on a group-wide basis.
Since FY2017, we have continuously conducted activities to enhance our suppliers’ information security. We ensure that suppliers are aware of information security measures as management issues, and we hold training and information sessions as required.
We continue to support our business partners’ efforts to strengthen information security. We do so through four measures designed to prevent information security incidents: awareness raising, education, visitations, and information sharing.
In this way, we are continuing to conduct activities to enhance information security throughout the entire supply chain.