Risk Management
- Risk Management
- Definition and Classification of Risks
- Risk Management System
- Risk Factors and the Implementation Status of Our Measures
- Disaster Risk Measures
- Tightening of Information Security
- Risk Management Data
Risk Management
The Group strives to enhance the PDCA cycle of risk management to address risks or opportunities that are difficult to foresee and require company-wide response. This involves identifying risk items (detection), analyzing risks (quantification), assessing risks (prioritization), and considering risk response (response policies) increase corporate value and achieve sustainable growth.
Definition and Classification of Risks
The Group defines risk as "the influence of uncertainty about our objectives and the possibility to influence the achievement of our strategy and business goals when an event occurs."
We classify recognized risks as follows based on their type (strategic or pure) and factor (internal or external) and quantify them by risk factors based on the probability of occurrence and the degree of impact to select "priority risk" which exceeds the reference point. We also prioritize risks based on the assessment points and focus on discussing countermeasures against them.
| Internal factors | External factors | Group's policies | |
|---|---|---|---|
| Strategic risks |
1. Growth risk Risk factors that may impede implementation of the growth strategy that takes into account customer and business environment (human resources and assets) |
2. Environmental change risk Risk factors that result from changes in external environment (politics, economy, laws and regulations, technological innovation, and climate change) and may impede the growth strategy |
Aggressively take risks to pursue growth |
| Pure risks |
3. Operational risk Risk factors that result from inadequate or failure of internal process, human resources or systems |
4. Hazard risk Risk factors beyond our control that result from external events and may impede business continuity by causing damage or harm |
Hedge risks to minimize potential losses |
| Group's policies |
Prevent risks from occurring |
Implement damage control assuming risks may occur |
Risk Management System
The Group manages risks with a system whereby a Risk owner*1 and a Risk manager*2 are appointed for each risk factor, and risk owners or risk managers report the status of relevant risk items to the Executive Committee and also to the Board of Directors and the Audit & Supervisory Committee when necessary, in order to ensure effectiveness of Enterprise Risk Management (ERM).
- *1Risk owner: A person in charge of discussing risk responses and monitoring/supervising the implementation of measures.
- *2Risk manager: A person in charge of addressing risks in cooperation with a Risk owner and promptly implementing relevant measures.
Risk Factors and the Implementation Status of Our Measures
- 1.
- 2.
- 3.
- 4.
*The matters that may have a significant influence on investors' decision include the following. However, those listed below only include major risks, and there are other risks that are not foreseeable or specified but require company-wide measures. Any of those risk factors may have an impact on our financial results and financial position.
Reference: Heatmap by risk factor (in descending order of priority)
Disaster Risk Measures
BCP promotion
In recent years, frequent natural disasters (earthquakes, floods, landslides, tsunamis, volcanic eruptions, etc.) and infectious diseases (COVID-19, etc.) have not only threatened people's lives but also have had a great impact on corporate activities. Under such circumstances, for the logistics industry, BCP is not a mere plan to continue business, but preparation to work toward and contribute to the restoration of medicines, food, and social infrastructure that is the basis for life in the affected areas. We believe our social mission is to protect people's lives. Protecting a company's business also protects the livelihood of its employees. Therefore, the Group has decided on a BCP (Business Continuity Plan) policies and measures, and implemented measures to fulfill the responsibilities of the entire group at the BCM Committee (Business Continuity Management Committee) chaired by the President and Representative Director in order to provide high-quality services to customers and protect the livelihood of employees without interrupting business even when risks occur.
BCM (Business Continuity Management) Structure / BCP promotion structure (as of April 2024)
With the "BCM Committee" as the supreme resolution body, our group's BCP is promoting under the following system.
BCM Committee
Makes decisions on "overall policies" and "important measures" for BCP promotion. (Frequency: once a year in principle)
All Our Group BCP Promotion Board and Our Group Disaster Response HQ
Targeting risk managers at the head office, each headquarters, and Group companies, we disseminate company-wide policies and measures decided by the BCM Committee and discuss BCP promotion. (Frequency: twice a year in principle)
Group Company BCP Promotion Staff Meeting
Meetings are held regularly as a place to educate persons in charge and exchange opinions with consciousness of the spread of BCP measures into the sites of each Group company. (Frequency: twice a year in principle)
Safety confirmation
If a disaster occurs, we operate a safety confirmation system that utilizes mobile phones, smartphones, and personal computers as a mechanism to quickly carry out a safety check of our group employees. In addition, for staff on overseas business trips or based overseas, we send out global alerts (overseas safety information) in a timely manner and share information on disasters and threats in an effort to secure the safety of employees.
Strengthen BCP system
For prompt restoration and continuation of our group business at the time of a large-scale disaster, we conduct trainings to enhance coordination between disaster prevention headquarters of the head office, management headquarters, and group companies on a regular basis, and we are also establishing emergency contact systems with overseas group companies.
Disaster prevention training in Japan
In Japan, we have BCPs mainly assuming large-scale natural disasters that threaten our business continuity.
Previously, in order to enhance the effectiveness of BCPs, we had conducted a disaster prevention headquarter training systematically in several sites every year, assuming a large-scale earthquake hit. But in FY2021, after reviewing the existing initial response manual, we conducted initial response training for 16 Group companies.
In FY2022, 18 domestic group companies conducted danger prediction training (KYT) and three companies conducted trainings for initial response assuming an earthquake. We also conducted a company-wide BCP trainings by disaster response HQ to share issues related to disaster countermeasures. In addition, we held BCP seminars by external lecturers to improve the skills of BCP staff as part of our efforts to ensure the effectiveness of BCP, which led to the improvement of initial response.
In FY2023, a disaster response HQ was convened at the head office using the scenario of a Nankai Trough earthquake*, and the training simulated initial response actions from the moment the earthquake occurs through the day of the event.
* Simulation training using a blind scenario (assumption that the business sites of Group companies were affected by a disaster) conducted by members of the disaster response HQ at individual Group company head offices Approx. 225 people at 13 companies participated
Strengthening system in overseas
In overseas, we send a BCP Caravan from Japan to our major sites in North America, Europe, China, and other parts of Asia to establish and develop risk management system.
In addition, we gather information on developments such as large-scale-disasters, terrorism, etc., from information sources such as the Foreign Ministry as well as major communications companies, to alert our staff stationed or traveling overseas of imminent dangers. At the same time, we have instituted emergency contact systems based on the information from our overseas locations.
In FY2022, we proceeded with the translation of various manuals on business continuity in the event of a disaster, etc. into English, and also supported the formulation of an "Emergency Response Manual" requested by customers as a part of the BCP Caravan at our group company Flyjac Logistics Pvt. Ltd. (India). In the China area, we conducted local hearings and investigations before proceeding with the formulation of an "Emergency Response Manual" considering recent geopolitical risks.
In FY2023, we supported the formulation of an "Emergency Response Manual" at four sites in the Asia region. In the China area we conducted local hearings and investigations and compiled an "Emergency Evacuation Manual." In Indonesia, we conducted training sessions (reading practice) to check whether the formulated "Emergency Response Manual" (action plan) would function. We have brushed up the manual by compiling opinions of training participants. At each site, we are working to create workplaces where fires do not occur by conducting fire patrols in the same way as in Japan.
Implementation of BCP education and e-learning at rank-based group training
We provide various types of education in order to broaden understanding in employees of the importance of business continuity.
In FY2023, in addition to the e-learning conducted for all employees each year and pre-departure training for employees posted overseas, we conducted BCP training to new employees during their new employment training.
Dissemination of behavioral standard in the event of a disaster
By distributing to all employees the "Emergency card" that describes what actions to take in the event of a disaster, we are working to ensure thorough awareness of disaster response.
Preparing for natural disasters
To prepare for disasters such as large-scale earthquakes that are predicted to occur in the future as well as the torrential rains and typhoons that occur every year, we have compiled a collection of natural disaster countermeasures for each of its offices. These are based on lessons learned from past natural disasters and are organized into themes such as "equipment," "stockpiles," and "evacuation."
Initiatives linked to VC activities
We have been conducting initiatives linked to VC activities to raise employees' awareness of risk management.
In FY2022, we implemented dialogue sessions on the topics of safety, quality and risk, and held dialogue to make BCP feel more familiar to employees, in addition to reflecting comments from employees obtained through VC activities in various educational materials, and distributing information on good examples within the company.
In FY2023, we conducted e-learning on fire prevention KYT, and a total of approximately 70,000 employees underwent education that was held a total of 54 times.
*VC activities (Value Change & Creation): Daily improvement activities to implement LOGISTEED WAY
Creating a workplace full of smiles and vibrance (VC activities: Value Change & Creation)
Tightening of Information Security
We understand the importance of properly storing and managing both customer information and internal information. As a group, we work to maintain and raise our security level through the establishment of regulations, employee education and training as we strive to deliver customers with a safe, reliable and secure logistics service.
Information Security Basic Policy
1. Formulation and continuous improvement of information security management rules
The Company recognizes the information security efforts are important issues for management and business, and has formulated Information Security Management Rules that comply with and conform to laws and regulations and other norms. Furthermore, the Company shall establish and steadily put into practice a company-wide information security management system. In addition, the Company will maintain and continuously improve organizational, human, physical and technical information security.
2. Protection of information assets
The Company shall take appropriate measures to protect information assets from threats such as loss, leaks, unauthorized access, alteration and destruction of information assets handled by the Company.
3. Compliance with laws and norms
The Company shall comply with information security-related laws and regulations and other norms. Additionally, the Company shall ensure that its Information Security Management Rules conform to these laws and regulations and other norms.
4. Education and Training
The Company shall encourage raising awareness of information security among its officers and employees, and provide education and training on information security.
5. Accident prevention and response
The Company shall strive to prevent information security incidents, and should any incident occur, the Company shall promptly take appropriate measures, including measures to prevent recurrence.
Personal Information Protection
The information entrusted to us from our customers includes a large quantity of personal information. The Group has established a "Privacy Policy" allowing us to take the appropriate action for the protection of personal information.
Promotion structure for personal information protection / information security (as of April, 2024)
Personal information protection / Strengthening information security initiatives
As part of our efforts to prevent information leakage and maintain a high level of security through revision of internal rules in response to changes in social conditions and the status of overseas personal information protection, and checking the management and operational status of personal information protection and information security, we participate in the Japan Electronics and Information Technology Industries Association, and collect information on external trends and collaborate with external experts, etc.
We are also striving to further strengthen governance across our group, taking ongoing measures, such as checking the status of personal information protection and information security operations and conducting risk assessments once a year. In addition, working on education and simulation trainings for targeted threat emails for all employees, responses to GDPR* in EU and other relevant laws in other countries, and personal information protection in Japan and overseas.
Furthermore, we also ask contractors who are our business partners to implement self-inspections on the status of personal information and information security initiatives, and evaluate the inspection results in our company in an effort to mitigate risk.
*GDPR (General Date Protection Regulation): A regulation established by EU to protect personal data and privacy, which imposes severe restrictions on the handling of personal data (processing and transfer) by companies and organizations.
Target and result of personal information protection / information security
We aim for zero serious information security incidents every year. No serious incidents occurred in FY2023.
Scope: The Company, domestic/overseas group companies
| Number of information security incidents (FY2023) | Target | Result |
|---|---|---|
| 0 | 0 |
Education and training for personal information protection / information security
Training is aimed at improving security awareness and response capabilities, and it is given to all employees, including executives and partner company employees.
In addition to e-learning on basic knowledge of personal information protection and information security, we also conduct hands-on training to help employees learn how to conduct appropriate initial response in the event of a security incident such as a cyber attack. From FY2023, we have also been conducting high-level training on cyber attacks for overseas Group companies, assuming greater sophistication and diversification of cyber attacks, and have trained more than 13,000 employees.
Scope: The Company, domestic/overseas group companies
| Attendance rate of information security training course (FY2023) | Target | Result |
|---|---|---|
| 100% |
100% (35,967 attendees) |
Scope: The Company, domestic/overseas group companies
| Rate of targeted threat emails for simulation trainings opened (FY2023) | Target | Result |
|---|---|---|
| 5.0% | 12.0% |
Measures to prevent information leaks
As specific measures to prevent information leaks, we have implemented common IT measures such as encryption software, secure PCs, access control for electronic documents, ID management and access control through the establishment of an authentication infrastructure, and filtering systems for e-mail and websites. In response to cyber attacks such as targeted e-mails, we are implementing and strengthening various measures such as early detection and proliferation prevention measures in our IT measures as well.
Third-party certification
Privacy mark
We are certified as an enterprise with a system of effective measures to protect personal information. This gives us the right to display the Privacy Mark. Some subsidiary companies are also certified. Furthermore, domestic group companies also obtained the certification based on risk assessment concerning the protection of personal information according to business characteristics, etc.
| Privacy mark acquisition status at our company and its domestic group companies (as of March 31, 2024) | 9 companies |
|---|
Information security management system (ISMS)
With increased needs for organizations to establish solid management system for information security, we are certified according to the ISO/IEC 27001 that accredits our security management level is above standard.
Due to the characteristics of our business, etc., divisions and business sites handling sensitive information including personal information and personal data have obtained certification.
Status of ISMS certification
| Certification Standard | ISO/IEC 27001: 2022(*1)・JIS Q 27001: 2023(*2) |
|---|---|
| Registered Scope |
3PL Sales Promotion / 3PL System Design & Development, 3PL Logistics Center Operation & Management (for medical / pharmaceutical / telecommunication device businesses) |
| First Registered Date | 22 / Dec / 2005 |
| Valid Until | 21 / Dec / 2026 |
| Certification office |
- *1 The ISMS standard established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
- *2 The Japanese Industrial Standards Committee (JISC) translates ISO/IEC 27001: 2022 into Japanese and publishes it as a national standard (JIS).
Customer privacy
In FY2023, there were no complaints filed for the violation of customer privacy or the loss of customer data.
Risk Management Data
We provide the data of Number of disaster response training implemented, information security and so on.