Sustainability - Risk Management
Businesses face conditions that change day to day: climate change, natural disasters growing in frequency and intensity, growing geopolitical risks, increasing digitalization, and diversifying values. Under these circumstances, we must accurately identify the wide range of potential future risks and respond appropriately if we are to sustainably increase our corporate value.
The Meiden Group has created an ERM (Enterprise Risk Management) system designed to identify all types of major business risks to the Group as a whole so that management can discuss them and control them in an integrated manner.
In addition to everyday risk management, we also have an organization-wide BCM (Business Continuity Management) system for managing and responding to business continuity risks caused by accidents or disasters. Through this, we aim to be able to respond to constantly changing risks during both regular operation and emergencies.
The Meiden Group is building a risk management system using the following three-line model.

| Line / committee | Role |
|---|---|
| First line | In our business units (the first line), including plants and domestic and overseas subsidiaries, we have introduced Control Self-Assessment (CSA). With this tool, each unit identifies, assesses, and controls its own risks. To identify risks, units refer to a 120-item risk list to ensure their review is comprehensive. Each unit then evaluates the major risks it identified, focusing on scale of impact and likelihood of occurrence. |
| Second line | The second line consists of staff business units with expertise in general affairs, legal affairs, human resources, and more. These units monitor and support the CSAs performed by the first line. |
| Third line | The internal audit department (the third line) conducts regular audits to verify that the first line’s CSA cycle and second line’s support are functioning effectively. The status of internal audits is reported to the Executive Officers’ Meeting, the Board of Directors, the Audit and Supervisory Committee, and key Company management as needed. |
| Risk Management Committee | Heads of staff business units serve on this committee, which meets twice a year to discuss major company-wide risks as aggregated by the Internal Control Promotion Division. The committee selects major company-wide risks, determines which departments have jurisdiction over them, and clarifies the responsibilities of those departments. The committee also discusses new major risks to strengthen risk control. |
| Internal Control Committees at Group companies | These committees consist of directors of subsidiaries and meet twice a year to take reports on the status of each company’s CSA and share information on major risks for the Meiden Group as a whole. The committees also take part in risk discussions among subsidiaries to enrich the conversation. |
The Risk Management Committee consists of the heads of Headquarters staff business units, with the head governance officer as chairperson. Twice a year, it deliberates on the important business risks of the Meiden Group as identified by the Internal Control Promotion Division, then selects major company-wide risks. The committee determines which units have jurisdiction over each risk and discusses policies for dealing with the risks. Management then discusses the business risks deliberated by the Risk Management Committee and debates them further at the Executive Officers’ Meeting and the Board of Directors to determine the important business risks of the Meiden Group and policies for dealing with them.

The Meiden Group determines the major business risks to the entire Group through regular discussion among management under systems such as those listed above. Risks that the Group considers could have a serious impact on its operations are as follows.

The Meiden Group’s preliminary risk assessment system, based on our Basic Policy on the Establishment of a System to Ensure the Appropriateness of Business Operations, is designed to provide information for management decision-making. In our system, we hold a preliminary risk assessment meeting to carefully consider matters that may have a significant impact on the Group. Projects subject to review are generally classified as large-scale EPCs, M&As, partnerships, new businesses, or other matters that require a resolution by the Executive Officers’ Meeting according to regulations.
In FY2024, we conducted preliminary risk assessments on 5 cases. Including these, we have not yet identified any cases that have caused new losses.
In the preliminary risk assessment meetings, we evaluate not only financial risks but also the allocation of responsibilities (product assurances, etc.), operational risks (systems, etc.), and more. The Corporate Policy Planning Group and the Internal Control Promotion Division serve as the secretariat for assessments, and their supervising officers determine whether a meeting needs to be held. Other units involved include the Corporate Governance Management Group, the Accounting and Financing Group, and the Sales Planning & Administration Group.
During M&A, a third-party unit performs the due diligence. Besides doing a financial investigation of the target company, we also evaluate it from an ESG perspective to strengthen risk management. This includes the target’s corporate culture, legal compliance systems including human rights concerns, compliance with environmental regulations, labor conditions, occupational health and safety, and other factors.
The Meiden Group Basic BCP Policy stipulates the Meiden Group’s basic policy on business continuity, business continuity targets, and response in the event of a disaster, etc., and is applied at each business unit and subsidiary.
We will promote the Medium-term Management Plan 2027, paying particular attention to the following items relating to disaster prevention and BCP.

Under the BCM Committee, which determines the Meiden Group’s BCP policy and measures, the Meiden Group has established the Corporate BCP Promotion Committee, BCP promotion committees for each business, BCP liaison committees at domestic subsidiaries, and the Working Group to discuss company-wide issues, and promotes BCP throughout the Group.
In September 2024, we conducted a company-wide natural disaster response headquarters drill to verify BCP responses. The first through fourth drills assumed an earthquake, while the fifth drill assumed an eruption of Mt. Fuji to verify the effectiveness of BCP for all hazards. The scenario presumed that an eruption warning was issued and that an eruption occurred during a company-wide natural disaster response headquarters meeting. A preliminary orientation for this drill was held in August, and because each team had verified its responses to an eruption warning in advance, participants understood how an eruption of Mt. Fuji would affect their actions and could practice in a drill that supplied ever-changing eruption updates to mimic real-life conditions. The company-wide natural disaster response headquarters meeting deliberated on whether to evacuate personnel from each business site and whether to reopen plants. We will use the results of these drills to sort out whether enough information exists to reach a decision, study how to respond to risks beyond an eruption of Mt. Fuji and earthquakes, and improve BCP.


We have conducted BCP workshops focusing on each business site and branch, and began BCP workshops for business groups in FY2024. In FY2024, we conducted a simulated disaster for the EV Group in which an earthquake in the Nankai Trough impacted the Nagoya works. Over twenty people from Nagoya and Tokyo participated, with the purpose of “promoting knowledge and an understanding of the contents of the EV Group Integrated BCP manual,” “confirming consistency in communications between divisions in the EV Group,” and “using workshops to extract issues and consider improvements.” In post-workshop reviews, employees engaged in lively exchanges on the necessity of periodic drills and other ideas.
Moving forward, we plan to expand these workshops laterally across the entire Meiden Group, especially to the Line Division, and drive improvements in our disaster response capabilities.
We are also establishing BCP in subsidiary sites outside Japan. They were exposed to various risks, such as hurricanes in the USA and cyclones in India in FY2024, and large-scale earthquakes in central Myanmar in March 2025. Japanese and local staff worked together to advance initiatives to further refine BCP materials based on these experiences. We will continue to embed BCP as we coordinate with Meiden Group overseas subsidiaries from the standpoint of business continuity for the entire Meiden Group.
Disaster prevention and BCP training is included in the curriculum for each level of employment and is provided continually. In FY2024, we again gave training for new employees and mid-career hires. We have also expanded the scope of our awareness activities, such as disaster prevention and BCP training for employees working at domestic sites and training for BCP staff of Meiden Group companies.
In addition, we created a training video to further spread the word about our disaster prevention and BCP efforts. The video was released in May of 2023 and we have worked to ensure that all Group employees view it.

The Meiden Group understands that ensuring the security of the information we handle is a most critical issue. We therefore protect information assets from disasters, accidents, criminal acts, errors, and other threats. We also maintain and enhance information management to prevent leaks, tampering, theft, or loss. Further, through information security management, we maintain the safety of the products and services we provide to our customers.
Meidensha (hereinafter the “Company”) is aware that ensuring security of information assets handled by the Company is a major management issue for the Company, and protects information assets from threats such as disasters, accidents, crime, negligence, and cyber risks.
By establishing and maintaining information security management, we aim to prevent information security incidents such as leakage, falsification, or theft of information, build relationships of trust with a range of interested parties, including shareholders and customers, and improve corporate value of the Company.
This basic policy applies to all personnel who handle information assets managed by the Company.
The Company complies with obligations imposed by laws and agreements that relate to business activities.
Everyone involved with business activities ensures thorough compliance with matters required by laws and regulations, obligations imposed by agreements, this policy, and internal management regulations relating to information security.
The Company provides for information security management by, for example, nominating an Information Security Manager and Information Security Business Unit Managers and establishing an office. It has established regulations and procedures, etc., based on the Basic Information Security Policy, and continuously maintains and improves information security.
Considering the increased sophistication of cyber attacks in recent years, we have established and currently operate a company-wide security system to comprehensively respond to the ever-changing risks.
We established PSIRT*1 to enhance our information security measures for the products and services we provide to customers and FSIRT*2 to oversee factories under CSIRT*3, which enhances internal information security. We also established the PrSIRT*4, which aims to reduce supply chain risks. These specialized teams will take the lead in routine countermeasures and incident response. Further, we have assigned a SIRT manager in charge of information security to each unit to continually inspect and improve the state of implementation, the degree of training, and the implementation of rules within the organization. In addition, we have established a general contact point (MEIDEN-SIRT) to facilitate cooperation with each unit and to provide rapid response to information security risks and incidents.
The Information Security Committee is chaired by the director in charge of information systems and deliberates on the drafting, evaluation, and improvement of information security measures, as well as investigations into the causes of incidents and the prevention of recurrences. The status of information security operations is regularly explained to and approved by the president and management.
Information Security Control System

The Meiden Group conducts information security audits of Meidensha and subsidiaries, mainly through the Information Security Committee, and verifies and evaluates whether security measures are actually being implemented and are functioning.
At present, some of Meidensha and its domestic subsidiaries have received Information Security Management System (ISMS) certification.

In fiscal 2024, we are continuing to implement initiatives to reinforce information security for the entire Meiden Group.
The Meiden Group strives to implement sustainable security measures within the framework of “prediction/protection/detection/response/restoration.” We analyze and implement both hardware and software measures to protect data from unauthorized logins, etc., and virus infections from suspicious emails, such as targeted attacks, as well as measures mainly aimed at combatting human factors such as theft, loss, or mishandling of information devices.
Further, to strengthen our ability to respond to increasingly sophisticated cyber attacks in recent years, alongside our existing multi-layer defense measures, we have implemented various additional measures with a “zero trust” approach in mind. In terms of systems, we have initiated efforts to strengthen externally facing information security measures (concerning products and services) and have developed internal systems to speed up incident response.
All of the Meiden Group’s officers, employees, dispatch workers, and contract workers, etc., engage in information security education. In FY2024, we conducted e-learning covering an introduction to information security as well as information security threats based on case studies. The e-learning was attended by 94% of employees, and materials were sent to those who were unable to attend online.
We continue to conduct suspicious email drills as education about cyber attacks such as targeted email attacks.
Going forward, we will continue to strengthen hardware and software measures and continue to conduct personnel measures, such as information security education and suspicious email drills. We will continue to roll out measures for information security on a group-wide basis.
Since FY2017, we have continuously conducted activities to enhance our suppliers’ information security. We ensure that suppliers are aware of information security measures as management issues, and we hold training and information sessions as required.
We continue to support our business partners’ efforts to strengthen information security. We do so through four measures designed to prevent information security incidents: awareness raising, education, visitations, and information sharing.
In this way, we are continuing to conduct activities to enhance information security throughout the entire supply chain.