Risk Management
- Risk Management
- Definition and Classification of Risks
- Risk Management System
- Risk Factors and the Implementation Status of Our Measures
- Disaster Risk Measures
- Tightening of Information Security
- Personal Information Protection
- Risk Management Data
Risk Management
The Group strives to enhance the PDCA cycle of risk management to address risks or opportunities that are difficult to foresee and require company-wide response. This involves identifying risk items (detection), analyzing risks (quantification), assessing risks (prioritization), and considering risk response (response policies) increase corporate value and achieve sustainable growth.
Definition and Classification of Risks
The Group defines risk as "the influence of uncertainty about our objectives and the possibility to influence the achievement of our strategy and business goals when an event occurs."
We classify recognized risks as follows based on their type (strategic or pure) and factor (internal or external) and quantify them by risk factors based on the probability of occurrence and the degree of impact to select "priority risk" which exceeds the reference point. We also prioritize risks based on the assessment points and focus on discussing countermeasures against them.
| Internal factors | External factors | Group's policies | |
|---|---|---|---|
| Strategic risks |
1. Growth risk Risk factors that may impede implementation of the growth strategy that takes into account customer and business environment (human resources and assets) |
2. Environmental change risk Risk factors that result from changes in external environment (politics, economy, laws and regulations, technological innovation, and climate change) and may impede the growth strategy |
Aggressively take risks to pursue growth |
| Pure risks |
3. Operational risk Risk factors that result from inadequate or failure of internal process, human resources or systems |
4. Hazard risk Risk factors beyond our control that result from external events and may impede business continuity by causing damage or harm |
Hedge risks to minimize potential losses |
| Group's policies |
Prevent risks from occurring |
Implement damage control assuming risks may occur |
Risk Management System
The Group manages risks with a system whereby a Risk owner*1 and a Risk manager*2 are appointed for each risk factor who collaborate across divisions (domestic business, overseas business, sales development division, corporate division). Risk owners or risk managers report the status of relevant risk items to the Executive Committee and also to the Board of Directors and the Audit & Supervisory Committee when necessary, in order to ensure effectiveness of Enterprise Risk Management (ERM).
Reference: Risk Management Structure
- *1Risk owner: A person in charge of discussing risk responses and monitoring/supervising the implementation of measures.
- *2Risk manager: A person in charge of addressing risks in cooperation with a Risk owner and promptly implementing relevant measures.
- *3CJBO: Chief Japan Business Officer
- *4CIBO: Chief International Business Officer
- *5CMO: Chief Marketing Officer
- *6CTrO: Chief Transformation Officer
Risk Factors and the Implementation Status of Our Measures
- 1.
- 2.
- 3.
- 4.
*The matters that may have a significant influence on investors' decision include the following. However, those listed below only include major risks, and there are other risks that are not foreseeable or specified but require company-wide measures. Any of those risk factors may have an impact on our financial results and financial position.
Reference: Heatmap by risk factor (in descending order of priority)
Disaster Risk Measures
BCP promotion
In recent years, frequent natural disasters (earthquakes, floods, landslides, tsunamis, volcanic eruptions, etc.) and infectious diseases (COVID-19, etc.) have not only threatened people's lives but also have had a great impact on corporate activities. Under such circumstances, for the logistics industry, BCP is not a mere plan to continue business, but preparation to work toward and contribute to the restoration of medicines, food, and social infrastructure that is the basis for life in the affected areas. We believe our social mission is to protect people's lives. Protecting a company's business also protects the livelihood of its employees. Therefore, the Group has decided on a BCP (Business Continuity Plan) policies and measures, and implemented measures to fulfill the responsibilities of the entire group at the BCM Committee (Business Continuity Management Committee) chaired by the President and Representative Director in order to provide high-quality services to customers and protect the livelihood of employees without interrupting business even when risks occur.
BCM (Business Continuity Management) Structure / BCP promotion structure (as of April 2025)
With the "BCM Committee" as the supreme resolution body, our group's BCP is being promoted under the following system.
BCM Committee
Makes decisions on "overall policies" and "important measures" for BCP promotion. (Frequency: once a year in principle)
All Our Group BCP Promotion Board and Our Group Disaster Response HQ
Targeting BCP personnel from the Head Office Disaster Response HQ and each Group company, we conduct briefings on company-wide policies and measures decided by the BCM Committee, and hold discussions regarding the promotion of BCP. (Frequency: twice a year in principle)
Group Company BCP Promotion Staff Meeting
Meetings are held regularly and as needed as a place to educate persons in charge and exchange opinions with consciousness of the spread of BCP measures into the sites of each Group company.
Strengthen BCP system
For prompt restoration and continuation of our group business at the time of a large-scale disaster, we conduct trainings to enhance coordination between disaster prevention headquarters of the head office, management headquarters, and group companies on a regular basis, and we are also establishing emergency contact systems with overseas group companies.
Disaster prevention training in Japan
In Japan, we have BCPs mainly assuming large-scale natural disasters that threaten our business continuity. In addition, in order to enhance the effectiveness of our BCP, we continue to conduct initial response drills, simulating the occurrence of large-scale natural disasters.
In FY2024, we conducted simulation training* at group companies based on a scenario in which a large-scale earthquake occurs during the night or on a holiday, simulating initial response actions from immediately after the event through the day of occurrence.
* Simulation training using a blind scenario (assumption that the headquarters of Group companies were affected by a disaster) conducted by members of the disaster response HQ at individual Group company head offices Approx. 231 people at 13 companies participated
Strengthening system in overseas
In overseas, we send a BCP Caravan from Japan to our major sites in North America, Europe, China, and other parts of Asia to establish and develop risk management system.
In addition, we gather information on developments such as large-scale-disasters, terrorism, etc., from information sources such as the Foreign Ministry as well as major communications companies, to alert our staff stationed or traveling overseas of imminent dangers. At the same time, we have instituted emergency contact systems based on the information from our overseas locations. We have also formulated Emergency Response Manuals and Emergency Evacuation Manuals that take into account various risks tailored to each region's circumstances, and conduct drills to verify their effectiveness. In FY2024, we customized manuals for BCP education, fire prevention management education, and the like at seven overseas group companies in China and Asia.
Safety confirmation
If a disaster occurs, we operate a safety confirmation system that utilizes mobile phones, smartphones, and personal computers as a mechanism to quickly carry out a safety check of our group employees. In addition, for staff to work overseas, such as overseas expatriates, we send out global alerts (overseas safety information) in a timely manner and share information on disasters and threats in an effort to secure the safety of employees.
Implementation of BCP education and e-learning at rank-based group training
We provide various types of education in order to broaden understanding in employees of the importance of business continuity.
In FY2024, in addition to the e-learning conducted for all employees each year and pre-departure training for employees posted overseas, we conducted BCP training to new employees during their new employment training.
Dissemination of behavioral standard in the event of a disaster
By distributing to all employees the "Emergency card" that describes what actions to take in the event of a disaster, we are working to ensure thorough awareness of disaster response.
Preparing for natural disasters
To prepare for disasters such as large-scale earthquakes that are predicted to occur in the future as well as the torrential rains and typhoons that occur every year, we have compiled a collection of natural disaster countermeasures for each of its offices. These are based on lessons learned from past natural disasters and are organized into themes such as "equipment," "stockpiles," and "evacuation."
Initiatives linked to VC activities
We have been conducting initiatives linked to VC activities to raise employees' awareness of risk management. As part of our VC activities, we have held dialogue sessions on the themes of safety, quality, and risk, engaging in dialogue to help employees become more familiar with BCP and sharing best practices related to BCP within the company.
In FY2024, we conducted e-learning on fire prevention education, with a total of 11 sessions attended by approximately 105,000 employees.
*VC activities (Value Change & Creation): Daily improvement activities to implement LOGISTEED WAY
Creating a workplace full of smiles and vibrance (VC activities: Value Change & Creation)
Tightening of Information Security
We understand the importance of properly storing and managing both customer information and internal information. As a group, we work to maintain and raise our security level through the establishment of regulations, employee education and training as we strive to deliver customers with a safe, reliable and secure logistics service.
Information Security Basic Policy
1. Formulation and continuous improvement of information security management rules
The Group recognizes the information security efforts are important issues for management and business, and has formulated Information Security Management Rules that comply with and conform to laws and regulations and other norms. Furthermore, the Company shall establish and steadily put into practice a company-wide information security management system. In addition, the Company will maintain and continuously improve organizational, human, physical and technical information security.
2. Education and Training
The Group shall encourage raising awareness of information security among its officers and employees, and provide education and training on information security.
3. Protection and Continuous Management of Information Assets
The LOGISTEED Group will implement security management measures to appropriately protect information assets from threats to the confidentiality, integrity, and availability of the information assets it handles. In addition, it will implement appropriate management measures to ensure business continuity.
4. Accident prevention and response
The Group shall strive to prevent information security incidents, and should any incident occur, the Company shall promptly take appropriate measures, including measures to prevent recurrence.
5. Compliance with laws and norms
The Group shall comply with information security-related laws and regulations and other norms. Additionally, the Group shall ensure that its Information Security Management Rules conform to these laws and regulations and other norms.
6. Group Governance
In accordance with Articles 1 through 5 above, the LOGISTEED Group will strive to establish a system to ensure appropriateness of information security within the LOGISTEED Group.
Personal Information Protection
The information entrusted to us from our customers includes a large quantity of personal information. The Group has established a "Privacy Policy" allowing us to take the appropriate action for the protection of personal information.
Promotion structure for personal information protection / information security (as of April, 2025)
Personal information protection / Strengthening information security initiatives
Rapid advances in digital technology have led to the rapid global use of data, increasing the risk of cyberattacks resulting in information leaks and operational suspensions that could affect the continuity of business itself. In response to these changing social conditions, the LOGISTEED Group has implemented various measures to comply with personal information laws and regulations and to appropriately protect information assets from threats to the confidentiality, integrity, and availability of information assets, and is implementing appropriate management measures to ensure business continuity.
- Revising information security-related rules based on the ISO 27001 global standard to unify governance globally
- Providing information security education and targeted email response training for all employees
- Inspecting the status of personal information and information security initiatives at our outsourced business partners
- Participating in the Japan Electronics and Information Technology Industries Association (JEITA) and making recommendations to the government regarding amendments to the Act on the Protection of Personal Information
- Collaborating with external experts to gather information on external cyber risk trends and address vulnerabilities
- Inspecting and auditing the status of personal information protection and information security initiatives
*GDPR (General Data Protection Regulation): A regulation established by EU to protect personal data and privacy, which imposes severe restrictions on the handling of personal data (processing and transfer) by companies and organizations.
Target and result of personal information protection / information security
We aim for zero serious information security incidents every year. No serious incidents occurred in FY2024.
Scope: The Company, domestic/overseas group companies
| Number of information security incidents (FY2024) | Target | Result |
|---|---|---|
| 0 | 0 |
Scope: The Company, domestic/overseas group companies
Education and training for personal information protection / information security
Training is aimed at improving security awareness and response capabilities, and it is given to all employees, including executives and partner company employees.
In addition to e-learning on basic knowledge of personal information protection and information security, we also conduct hands-on training to help employees learn how to conduct appropriate initial response in the event of a security incident such as a cyber attack. From FY2023, we have also been conducting high-level training on cyber attacks for overseas Group companies, assuming greater sophistication and diversification of cyber attacks, and have trained more than 13,000 employees.
Scope: The Company, domestic/overseas group companies
| Attendance rate of information security training course (FY2024) | Target | Result |
|---|---|---|
| 100% |
100% (35,504 attendees) |
Scope: The Company, domestic/overseas group companies
| Rate of targeted threat emails for simulation trainings opened (FY2024) | Target | Result |
|---|---|---|
| 10.0% | 11.0% |
Strengthening the development of human resources with DX skills, including information security
In line with the Digital Skills Standard (DSS) established by the Information-Technology Promotion Agency (IPA), the LOGISTEED Group has divided its human resources into eight categories and is promoting the development of human resources with DX skills.
To mitigate risks that threaten logistics safety, such as cyberattacks and information leaks, we are raising information security awareness, strengthening education, and working to develop human resources with DX skills who are also well-versed in information security.
Measures to prevent information leaks
As specific measures to prevent information leaks, we have implemented common IT measures such as encryption software, secure PCs, access control for electronic documents, ID management and access control through the establishment of an authentication infrastructure, and filtering systems for e-mail and websites. In response to cyber attacks such as targeted e-mails, we are implementing and strengthening various measures such as early detection and proliferation prevention measures in our IT measures as well.
Third-party certification
Privacy mark
We are certified as an enterprise with a system of effective measures to protect personal information. This gives us the right to display the Privacy Mark. Some subsidiary companies are also certified. Furthermore, domestic group companies also obtained the certification based on risk assessment concerning the protection of personal information according to business characteristics, etc.
| Privacy mark acquisition status at our company and its domestic group companies (as of March 31, 2025) | 9 companies |
|---|
Information security management system (ISMS)
With increased needs for organizations to establish solid management system for information security, we are certified according to the ISO/IEC 27001 that accredits our security management level is above standard.
Due to the characteristics of our business, etc., divisions and business sites handling sensitive information including personal information and personal data have obtained certification.
Status of ISMS certification
| Certification Standard | ISO/IEC 27001: 2022(*1)・JIS Q 27001: 2023(*2) |
|---|---|
| Registered Scope |
3PL Sales Promotion / 3PL System Design & Development, 3PL Logistics Center Operation & Management (for medical / pharmaceutical / telecommunication device businesses) |
| First Registered Date | December 22, 2005 |
| Valid Until | December 21, 2026 |
| Certification office | |
| Number of certified sites | 19 sites |
- *1 The ISMS standard established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
- *2 The Japanese Industrial Standards Committee (JISC) translates ISO/IEC 27001: 2022 into Japanese and publishes it as a national standard (JIS).
-
*3
In addition to the above, two other LOGISTEED Group companies in Europe have obtained ISMS certification.
・Mars Logistics Group Inc. :15 sites
・VANTEC EUROPE LIMITED :2 sites
Customer privacy
In FY2024, there were no complaints filed for the violation of customer privacy or the loss of customer data.
Risk Management Data
We provide the data of Number of disaster response training implemented, information security and so on.