Sustainability - Risk Management
Businesses face conditions that change day to day: climate change, natural disasters growing in frequency and intensity, geopolitical risks coming to the surface, increasing digitalization, and diversifying values. Under these circumstances, we must identify the wide range of potential future risks in a timely manner and respond appropriately if we are to sustainably increase our corporate value.
The Meiden Group has created an ERM (Enterprise Risk Management) system designed to identify all types of major business risks to the Group as a whole so that management can discuss them and control them in an integrated manner.
In addition to everyday risk management, we also have an organization-wide BCM (Business Continuity Management) system for managing and responding to business continuity risks caused by accidents or disasters. Through this, we aim to be able to respond to constantly changing risks during both regular operation and emergencies.
The Meiden Group is building a risk management system using the following three-line model.
Unit or committee | Role |
---|---|
First line | In our business units (the first line), including plants and domestic and overseas subsidiaries, we have introduced Control Self-Assessment (CSA). With this tool, each unit identifies, assesses, and controls its own risks. To identify risks, units refer to a 120-item risk list to ensure their review is comprehensive. Each unit then evaluates the major risks it identified, focusing on scale of impact and likelihood of occurrence. |
Second line | The second line consists of staff business units with expertise in general affairs, legal affairs, human resources, and more. These units monitor and support the CSAs performed by the first line. |
Third line | The internal audit department (the third line) conducts regular audits to verify that the first line’s CSA cycle and second line’s support are functioning effectively. The status of internal audits is reported to the Executive Officers’ Meeting, the Board of Directors, and key Company management as needed. |
Internal Control Promotion Division | This unit is responsible for the framework in which management is involved in deliberations and decision-making on major company-wide risks. The division consolidates the risk information from the first line’s CSAs and risk information overseen by the second line and submits it to executive management after it is discussed by the Risk Management Committee. |
Risk Management Committee | Heads of staff business units serve on this committee, which meets twice a year to discuss major company-wide risks as aggregated by the Internal Control Promotion Division. The committee selects major company-wide risks, determines which departments have jurisdiction over them, and clarifies the responsibilities of those departments. The committee also discusses new major risks to strengthen risk control. |
Internal Control Committees at Group companies | These committees consist of directors of subsidiaries and meet twice a year to take reports on the status of each company’s CSA and share information on major risks for the Meiden Group as a whole. The committees also take part in risk discussions among subsidiaries to enrich the conversation. |
The Risk Management Committee and the Group Company Internal Control Committee are chaired by the Meidensha Director & Senior Managing Executive Officer, who is in charge of all administrative divisions.
The Risk Management Committee is chaired by the Director & Senior Managing Executive Officer and consists of the heads of Headquarters staff business units. Twice a year, it deliberates on the important business risks of the Meiden Group as identified by the Internal Control Promotion Division, then selects major company-wide risks. The committee determines which units have jurisdiction over each risk and discusses policies for dealing with the risks. Management then takes up the business risks discussed by the Risk Management Committee and debates them further at the Executive Officers’ Meeting and the Board of Directors to determine the important business risks of the Meiden Group and policies for dealing with them.
The Risk Management Committee is clearly independent from the Audit and Supervisory Committee.
The Meiden Group stipulates major business risks to the entire Meiden Group, including in relation to ESG, through regular discussion among managers according to systems such as those listed above. As a result of the above discussion among managers, risks that could have a serious impact on the decisions of investors are as follows.
The Meiden Group’s preliminary risk assessment system, based on our Basic Policy on the Establishment of a System to Ensure the Appropriateness of Business Operations, is designed to provide information for management decision-making. In our system, we hold a preliminary risk assessment meeting to carefully consider matters that may have a significant impact on the Group. Projects subject to review are generally classified as large-scale EPCs, M&A, partnerships, joint developments, new businesses, or other matters that require a resolution by the Executive Officers’ Meeting according to regulations.
In FY2022, we conducted preliminary risk assessments on nine cases. Including these, we have not yet identified any cases that have caused new losses. Preliminary risk assessment plays an important role in managing risk prior to the start of a project.
There are four key parts to preliminary risk assessment, as follows.
As mentioned above, in the preliminary risk assessment, we evaluate not only financial risks, but project risks, operation risks, etc. The Corporate Policy Planning Group and the Internal Control Promotion Division serve as the secretariat for assessments, and their supervising officers determine whether a meeting needs to be held. Other units involved include the General and Legal Affairs Division, the Accounting and Financing Group, and the Sales Planning & Administration Group.
During M&A, a third-party unit performs the due diligence. Besides doing a financial investigation of the target company, we also evaluate it from an ESG perspective to strengthen risk management. This includes the target’s corporate culture, legal compliance systems including human rights concerns, compliance with environmental regulations, labor conditions, occupational health and safety, and other factors.
The Meiden Group Basic BCP Policy stipulates the Meiden Group’s basic policy on business continuity, business continuity targets, and response in the event of a disaster, etc., and is applied at each business unit and subsidiary.
We will promote the Medium-term Management Plan 2024, paying particular attention to the following items relating to disaster-prevention and BCP.
Under the BCM Committee, which determines the Meiden Group’s BCP policy and measures, the Meiden Group established the Corporate BCP Promotion Committee, BCP promotion committees for each business, BCP liaison committees at domestic subsidiaries, the Working Group to Consider Priority Businesses, and the Working Group to Handle and Protect Employees, and promotes BCP throughout the Group.
In September 2022, we conducted a company-wide natural disaster response headquarters drill to verify the effectiveness of BCPs that had been created. In the hypothetical scenario used for this drill, the Numazu Plant was hit by a Nankai Trough earthquake centered on the east side of Suruga Bay on a Sunday night, with Numazu Works the first production site to be damaged. Since the disaster occurred on a non-working day and at night, the initial response was not to gather in one place, but rather to organize information solely on a portal site that would be set up when the disaster happened. Subsequently, staff verified and confirmed events particular to a damaged production site, including trade-offs between customer response and plant restoration when several days had already passed since the disaster happened, based on damage information prepared in cooperation with Numazu Works.
We will revise BCPs in light of the various issues identified during the training.
In March 2023, we brought a mobile power supply vehicle to Numazu Works to prepare for power outages at the site. In conjunction with the introduction of the vehicle, we conducted a drill to verify the process of requesting the vehicle and dispatching it to the site in the event of a power outage, as well as the work to be performed at the site. For the drill, we did in fact cut power to a portion of the plant. Participants restored electricity by connecting to the mobile power supply vehicle. This allowed us to confirm how the work would actually be performed. On the day of the event, an outside company provided drone footage of the drill. We have also discussed the usefulness of drones in times of disaster.
The Meiden Group will improve on issues identified during the drill to help create better BCP measures.
To improve disaster prevention and BCP at each production site (works), we launched the Works BCP Liaison Committee in November 2022. In the event of a disaster, works must set up an area disaster response headquarters to deal with a wide range of issues such as responding to personnel in the area, gathering information from their factories and other units and subsidiaries, and managing stockpiles. However, each works had established its own methods of responding and there was no interaction with others. The new liaison committee organizes disaster prevention and BCP-related issues at each works and discusses solutions to each one. This has enhanced disaster prevention and BCP systems at each works.
This effort continues in FY2023 to strengthen the disaster response capabilities of each works.
Meiden Group subsidiaries outside Japan have also begun establishing BCPs. Japanese and local staff work together to design the optimal BCP for each company. This effort is starting with the ASEAN region, India, and China. Subsidiaries in these regions aim to complete their BCP manuals by the end of FY2023. We are committed to advancing this initiative to ensure business continuity for the entire Meiden Group, including overseas subsidiaries.
Disaster prevention and BCP training is included in the curriculum of personnel education for each level of employment and is provided continually. In FY2022, we gave training for new employees and mid-career hires. We have also visited regional offices in Japan to conduct extensive awareness-raising initiatives, including disaster prevention and BCP training for local employees and training for BCP staff of Group companies.
In addition, we created a training video to further spread the word about our disaster prevention and BCP efforts. The video will be released in FY2023 and we will work to ensure that all Group employees view it.
The Meiden Group understands that ensuring the security of the information we handle is a most critical issue. We therefore protect information assets from disasters, accidents, criminal acts, errors, and other threats. We also maintain and enhance information management to prevent leaks, tampering, theft, or loss.
Meidensha (hereinafter the “Company”) is aware that ensuring security of information assets handled by the Company is a major management issue for the Company, and protects information assets from threats such as disasters, accidents, crime, negligence, and cyber risks.
By establishing and maintaining information security management, we aim to prevent information security incidents such as leakage, falsification, or theft of information, build relationships of trust with a range of interested parties, including shareholders and customers, and improve corporate value of the Company.
This basic policy applies to all personnel who handle information assets managed by the Company.
The Company complies with obligations imposed by laws and agreements that relate to business activities.
Everyone involved with business activities ensures thorough compliance with matters required by laws and regulations, obligations imposed by agreements, this policy, and internal management regulations relating to information security.
The Company provides for information security management by nominating an Information Security Manager and Information Security Business Unit Managers and by establishing an office. It has established regulations and procedures, etc., based on the Basic Information Security Policy, and continuously maintains and improves information security.
The Meiden Group conducts information security audits of Meidensha and subsidiaries, mainly through the Information Security Committee, and verifies and evaluates whether security measures are actually being implemented and are functioning.
At present, some of Meidensha and its domestic subsidiaries have received Information Security Management System (ISMS) certification.
In fiscal 2022, we are continuing to implement initiatives to reinforce information security for the entire Meiden Group.
The Meiden Group is working to implement sustainable security measures in the areas of “prediction,” “defense,” “detection,” and “response.”
We analyze and implement both hardware and software measures to protect data from unauthorized logins, etc., and from virus infections caused by suspicious emails, such as targeted email attacks, as well as measures aimed mainly at combating human factors such as theft, loss, or mishandling of information devices. We introduced the Security Operation Center (SOC) in fiscal 2017, establishing a detection system that operates 24 hours per day, 365 days per year, and in fiscal 2019 we installed next-generation antivirus software on all computers to enhance detection.
We established the Meiden Computer Security Incident Response Team (CSIRT) and joined the Nippon CSIRT Association in order to enhance response. In addition, we have begun strengthening information security measures for customers of our products and services so they can better respond to cyberattacks, which have become increasingly sophisticated in recent years. We are also establishing internal systems to speed up incident response.
All of the Meiden Group’s officers, employees, dispatch workers, and contract workers, etc., engage in information security education. In fiscal 2022, we conducted e-learning on information security threats based on case studies. The e-learning was attended by 90% of employees, and materials were sent to those who were unable to attend online.
We continue to conduct suspicious email drills as education about cyber attacks such as targeted email attacks.
Going forward, we will continue to strengthen hardware and software measures and continue to conduct personnel measures, such as information security education and suspicious email drills. We will continue to roll out measures for information security on a group-wide basis.
Since FY2017, we have continuously conducted activities to enhance our suppliers’ information security. We ensure that suppliers are aware of information security measures as management issues, and we hold training and information sessions as required.
We continue to support our business partners’ efforts to strengthen information security. We do so through four measures designed to prevent information security incidents: awareness raising, education, visitations, and information sharing.
In this way, we are continuing to conduct activities to enhance information security throughout the entire supply chain.