The Group strives to enhance the PDCA cycle of risk management to address risks that are difficult to foresee and require company-wide countermeasures by considering the identification of risk items (identification), risk analysis (quantification), risk assessment (prioritization), and risk response (response policy), with an aim to increase corporate value and achieve sustainable growth.
The Group defines risk as "the influence of uncertainty about our objectives and the possibility to influence the achievement of our strategy and business goals when an event occurs."
We classify recognized risks as follows based on their type (strategic or pure) and factor (internal or external) and quantify them by risk factors based on the probability of occurrence and the degree of impact to select "priority risk" which exceeds the reference point. We also prioritize risks based on the assessment points and focus on discussing countermeasures against them.
| Internal factors | External factors | Group's policies | |
|---|---|---|---|
| Strategic risks | (1) Growth risk Risk factors that may impede implementation of the growth strategy that takes into account customer and business environment (human resources and assets) | (2) Environmental change risk Risk factors that result from changes in external environment (politics, economy, laws and regulations, technological innovation, and climate change) and may impede the growth strategy | Aggressively take risks to pursue growth |
| Pure risks | (3) Operational risk Risk factors that result from inadequate or failure of internal process, human resources or systems | (4) Hazard risk Risk factors beyond our control that result from external events and may impede business continuity by causing damage or harm | Hedge risks to minimize potential losses |
| Group's policies | Prevent risks from occurring | Implement damage control assuming risks may occur |
The Group manages risks with a system whereby a Risk owner*1 and a Risk manager*2 are appointed for each risk factor, and risk owners or risk managers report the status of relevant risk items to the Executive Committee and also to the Board of Directors when necessary, in order to ensure effectiveness of Enterprise Risk Management (ERM).
*1 Risk owner: A person in charge of discussing risk responses and monitoring/supervising the implementation of measures.
*2 Risk manager: A person in charge of addressing risks in cooperation with a Risk owner and promptly implementing relevant measures.
*The matters that may have a significant influence on investors' decision include the following. However, those listed below only include major risks, and there are other risks that are not foreseeable or specified but require company-wide measures. Any of those risk factors may have an impact on our financial results and financial position.
Reference: Heatmap by risk factor (in descending order of priority)
In recent years, frequent natural disasters (earthquakes, floods, landslides, tsunamis, volcanic eruptions, etc.) and infectious diseases (COVID-19, etc.) have not only threatened people's lives but also have had a great impact on corporate activities. Under such circumstances, for the logistics industry, BCP is not a mere plan to continue business, but preparation to work toward and contribute to the restoration of medicines, food, and social infrastructure that is the basis for life in the affected areas. We believe our social mission is to protect people's lives. Protecting a company's business also protects the livelihood of its employees. Therefore, the Group has decided on a BCP (Business Continuity Plan) policies and measures, and implemented measures to fulfill the responsibilities of the entire group at the BCM Committee (Business Continuity Management Committee) chaired by the President and Representative Director in order to provide high-quality services to customers and protect the livelihood of employees without interrupting business even when risks occur.
With the "BCM Committee" as the supreme resolution body, our group's BCP is promoting under the following system.
Makes decisions on "overall policies" and "important measures" for BCP promotion. (Frequency: once a year in principle)
Targeting risk managers at the head office, Sales Divisions, and Group companies, we disseminate company-wide policies and measures decided by the BCM Committee and discuss BCP promotion. (Frequency: twice a year in principle)
Meetings are held regularly as a place to educate persons in charge and exchange opinions with consciousness of the spread of BCP measures into the sites of each Group company. (Frequency: twice a year in principle)
If a disaster occurs, we operate a safety confirmation system that utilizes mobile phones, smartphones, and personal computers as a mechanism to quickly carry out a safety check of our group employees. In addition, for staff on overseas business trips or based overseas, we send out global alerts (overseas safety information) in a timely manner and share information on disasters and threats in an effort to secure the safety of employees.
For prompt restoration and continuation of our group business at the time of a large-scale disaster, we conduct trainings to enhance coordination between disaster prevention headquarters of the head office, management headquarters, and group companies on a regular basis, and we are also establishing emergency contact systems with overseas group companies.
In Japan, we have BCPs mainly assuming large-scale natural disasters that threaten our business continuity.
Previously, in order to enhance the effectiveness of BCPs, we had conducted a disaster prevention headquarter training (desktop simulation) systematically in several sites every year, assuming a large-scale earthquake hit. But in FY2021, after reviewing the existing initial response manual, we conducted initial response training for 16 Group companies.
In FY2022, 18 domestic group companies conducted danger prediction training (KYT)* and three companies conducted trainings for initial response* assuming an earthquake. We also conducted a "company-wide BCP trainings by disaster response HQ"* to share issues related to disaster countermeasures. In addition, we held BCP seminars by external lecturers to improve the skills of BCP staff as part of our efforts to ensure the effectiveness of BCP, which led to the improvement of initial response.
*Online desktop simulation. Total number of attendees were approximately 150 for KYT, 40 for initial response trainings, and 70 for company-wide BCP trainings by disaster response HQ
In overseas, we send a BCP Caravan from Japan to our major sites in North America, Europe, China, and other parts of Asia to establish and develop risk management system.
In addition, we gather information on developments such as large-scale-disasters, terrorism, etc., from information sources such as the Foreign Ministry as well as major communications
companies, to alert our staff stationed or traveling overseas of imminent dangers. At the same time, we have instituted emergency contact systems based on the information from our overseas locations.
In FY2022, we proceeded with the translation of various manuals on business continuity in the event of a disaster, etc. into English, and also supported the formulation of an "Emergency Response Manual" requested by customers as a part of the BCP Caravan at our group company Flyjac Logistics Pvt. Ltd. (India). In the China area, we conducted local hearings and investigations before proceeding with the formulation of an "Emergency Response Manual" considering recent geopolitical risks.
We are working to expand initiatives with emphasis on "disaster prevention" concerning the "initial response" that is the response required from the occurrence of a disaster to triggering BCP.
We provide various types of education in order to broaden understanding in employees of the importance of business continuity. In FY 2022, in addition to the e-learning conducted for all employees each year, we held six sessions providing pre-departure training for employees posted overseas, with a total of 31 participants.
By distributing to all employees the "Emergency card" that describes what actions to take in the event of a disaster, we are working to ensure thorough awareness of disaster response.
To prepare for disasters such as large-scale earthquakes that are predicted to occur in the future as well as the torrential rains and typhoons that occur every year, we have compiled a collection of natural disaster countermeasures for each of its offices. These are based on lessons learned from past natural disasters and are organized into themes such as "equipment," "stockpiles," and "evacuation."
We have been conducting initiatives linked to VC activities to raise employees' awareness of risk management. In FY2022, we implemented dialogue sessions on the topics of safety, quality and risk, and held dialogue to make BCP feel more familiar to employees, in addition to reflecting comments from employees obtained through VC activities in various educational materials, and distributing information on good examples within the company.
*VC activities (Value Change & Creation): Daily improvement activities to implement LOGISTEED WAY
We understand the importance of properly storing and managing both customer information and internal information. As a group, we work to maintain and raise our security level through the establishment of regulations, employee education and training as we strive to deliver customers with a safe, reliable and secure logistics service.
Date of enactment: July 12, 2006 Regulation No. 853
Date of revision(1): June 1, 2009 Regulation No. 967
The Company recognizes the information security efforts are important issues for management and business, and has formulated Information Security Management Rules that comply with and conform to laws and regulations and other norms. Furthermore, the Company shall establish and steadily put into practice a company-wide information security management system. In addition, the Company will maintain and continuously improve organizational, human, physical and technical information security.
The Company shall take appropriate measures to protect information assets from threats such as loss, leaks, unauthorized access, alteration and destruction of information assets handled by the Company.
The Company shall comply with information security-related laws and regulations and other norms. Additionally, the Company shall ensure that its Information Security Management Rules conform to these laws and regulations and other norms.
The Company shall encourage raising awareness of information security among its officers and employees, and provide education and training on information security.
The Company shall strive to prevent information security incidents, and should any incident occur, the Company shall promptly take appropriate measures, including measures to prevent recurrence.
The information entrusted to us from our customers includes a large quantity of personal information. The Group has established a "Privacy Policy" allowing us to take the appropriate action for the protection of personal information.
As part of our efforts to prevent information leakage and maintain a high level of security through revision of internal rules in response to changes in social conditions and the status of overseas personal information protection, and checking the management and operational status of personal information protection and information security, we participate in the Japan Electronics and Information Technology Industries Association, and collect information on external trends and revise internal rules, etc.
We are also striving to further strengthen governance across our group, working on education and simulation trainings for targeted threat emails for all employees, responses to GDPR* in EU and other relevant laws in other countries, and personal information protection in Japan and overseas.
In addition, we also ask contractors who are our business partners to implement self-inspections on the status of personal information and information security initiatives, and evaluate the inspection results in our company in an effort to mitigate risk.
*GDPR (General Date Protection Regulation): A regulation established by EU to protect personal data and privacy, which imposes severe restrictions on the handling of personal data (processing and transfer) by companies and organizations.
We aim for zero serious information security incidents every year. No serious incidents occurred in FY2022.
| Number of information security incidents (FY2022) | Target | Result |
|---|---|---|
| 0 | 0 |
Scope: The Company, domestic/overseas group companies
In addition to e-learning for all employees, we provide rank-based group trainings for information security education targeting new employees, mid-career employees, and assistant managers/managers.
Simulation trainings to cope with targeted threat emails are also conducted every year, aiming for ensuring company rules and raising their awareness about personal information protection and information security.
In FY2022, we introduced more practical training using a simulation training system we developed and began monitoring of the reporting rate.
| Attendance rate of information security training course(FY2022) | Target | Result |
|---|---|---|
| 100% | 100% (37,272 attendees) |
Scope: The Company, domestic/overseas group companies
| Rate of targeted threat emails for simulation trainings opened (FY2022) | Target | Result |
|---|---|---|
| 5.0% | 7.1% |
Scope: The Company, domestic group companies
As specific measures to prevent information leaks, we have implemented common IT measures such as encryption software, secure PCs, access control for electronic documents, ID management and access control through the establishment of an authentication infrastructure, and filtering systems for e-mail and websites. In response to cyber attacks such as targeted e-mails, we are implementing and strengthening various measures such as early detection and proliferation prevention measures in our IT measures as well.
We are certified as an enterprise with a system of effective measures to protect personal information. This gives us the right to display the Privacy Mark. Some subsidiary companies are also certified. Furthermore, domestic group companies also obtained the certification based on risk assessment concerning the protection of personal information according to business characteristics, etc.
| Privacy mark acquisition status at our company and its domestic group companies (as of March 31, 2023) |
12 companies |
|---|
With increased needs for organizations to establish solid management system for information security, we are certified according to the ISO/IEC 27001 that accredits our security management level is above standard.
Due to the characteristics of our business, etc., divisions and business sites handling sensitive information including personal information and personal data have obtained certification.
| Certification Standard | ISO/IEC 27001: 2013(*1)・JIS Q 27001: 2014(*2) |
|---|---|
| Registered Scope | 3PL Sales Promotion/3PL System Design & Development/3PL Logistics Center Operation & Management (for medical/pharmaceutical/telecommunication device businesses) |
| First Registered Date | 'December 22, 2005 |
| Valid Until | 31/Oct/2025 |
| Certification office |
*1 The ISMS standard established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
*2 The Japanese Industrial Standards Committee (JISC) translates ISO/IEC 27001: 2013 into Japanese and publishes it as a national standard (JIS).
In FY2022, there were no complaints filed for the violation of customer privacy or the loss of customer data.
We provide the data of Number of disaster response training implemented, information security and so on.
Our Service Portfolio
Search