Risk Management
Daifuku Group Risk Management Policy
Basic Approach
The Group is surrounded by a variety of risks, including natural disasters, law violations, climate change, political unrest, wars and disputes, and cyberattacks. Even in these circumstances, we aspire to be a corporation that continues to achieve sustainable growth and enhance corporate value by tackling each challenge with flexible ideas and the persistence we have cultivated over the Group’s history.
In addition, automated material handling systems are becoming an important social infrastructure that contributes to solving labor shortages and increasing productivity. We recognize that the Group has a social responsibility to provide a stable and continuous supply of such products and services, and we must avoid situations in which the impact of risk causes interruption of the Group’s business activities.
Therefore, based on this policy, we will identify and assess risks, work to prevent them from materializing, and respond promptly and appropriately to minimize damage in the event of a crisis.
1. Objectives
We will engage in risk management with the following objectives:
- Secure and maintain the trust of customers and other stakeholders
- Implement the Group’s management philosophy and achieve the Group’s management objectives
- Ensure sustainable growth of the Group and improve our corporate value
2. Risk management activity principles
We will promote risk management based on the following activity principles in order to achieve our basic objectives:
- The Group’s management will be actively involved in the assessment of, response to, and monitoring of risks that may affect the achievement of the Group’s management objectives
- The Risk Management Committee will manage Group-wide risks centrally and cross-departmentally, and we will implement a risk management process based on the PDCA cycle
- We will establish regulations and manuals related to risk management, and we will continue our efforts to foster risk management awareness among officers and employees
- We will operate risk management not only as a defensive measure, but also as an offensive measure to strengthen the management base and ensure sound risk-taking, leading to the Group’s sustainable growth
- In considering risk-taking, we will abide by our Group Code of Conduct, and we will not take any risk that would impede compliance with the Code
3. Guidelines for action in the event of a crisis
In the event of a crisis, we will act as follows:
- We will act with life, health, and safety as our highest priorities
- We will strive to continue and quickly restore the supply of material handling systems, which are part of society’s infrastructure
- We will take measures to minimize damage, preserve our assets, and continue our business
Established: April 1, 2024
Promotion System
The Group has established a risk management system based on a three-line model with the President and CEO as the chief executive. Corporate Functions and other units in charge of risk management (second line) provide support, guidance, and supervision for risk management conducted by the global business units (first line), which are the entities responsible for responding to risks. In addition, the Audit Division (third line) inspects the risk management initiatives of the first and second lines.
We have established the Risk Management Committee, which is chaired by the President and CEO and includes the Global Business Heads, division managers, Corporate Functions, and other units, to monitor these initiatives from a company-wide perspective, issue instructions for action, and manage progress. The Committee met five times in fiscal 2023 and reports to the Board of Directors on the status of the Committee’s initiatives and other matters as necessary.
This Committee promotes activities during normal times to control risks before they materialize; however, in the event of an emergency, the BCP promotion system is in place to respond to crises after risks have emerged. The BCP promotion system works with the Risk Management Committee to consider and prepare for crises starting from normal operations. When faced with a crisis such as a large-scale disaster, we will quickly establish a framework and take initial actions to prevent secondary disasters, placing the highest priority on human lives.
In addition, the Audit Division, which is tasked with establishing and operating an internal audit system, has been established under the direct control of the Board of Directors, and the Board of Directors receives regular reports from the Audit Division. One of its functions is to verify and evaluate the effectiveness of risk management and the maintenance and operation of internal control systems, and to facilitate their improvement. In the development and operation of the internal control system, the Group refers to a standard framework (COSO).
FY2024 promotion system
The main roles of each committee
In order to strengthen the risk management system, effective fiscal 2023 the Central Safety and Health Committee, the Information Security Committee, and the International Trade Control Committee work in cooperation with the Risk Management Committee. The main roles of each committee are as follows.
Risk Management Committee
- Planning and development of risk management systems and related regulations
- Selection of critical risks based on risk assessment results, and decision making, direction, and progress management of response policies
- Determining and directing the action policy for training and awareness activities related to risk management
- Determining policies for and direction of education, training, and drills related to crisis response
Central Safety and Health Committee
- Promotion and dissemination of efforts to ensure compliance with relevant laws and regulations, elimination of occupational accidents, and elimination of traffic accidents
Information Security Committee
- Planning and scheduling of information security management and implementation of in-house training
- Establishing and revising information security rules and assessing compliance with them
- Studying countermeasures for cyberattacks and information security risks
International Trade Control Committee
- Compliance management system and internal awareness-raising activities to ensure thorough compliance with laws and regulations (including those related to security) regarding all international transactions
Major Initiatives
Risk assessment
The Group conducts regular Group-wide risk assessments, and the Risk Management Committee identifies and evaluates key risks that may have a significant impact on our business activities. We formulate policies to address the key risks that are identified, and we systematically promote initiatives while confirming their progress.
Overview of significant risks
The following is a list of risks that we recognize as having the potential to significantly affect our business performance as of June 2024. However, this is not an exhaustive list of all risks to the Group, and there are unforeseen risks other than those listed. While we are taking measures to mitigate each of these risks, it is difficult to completely predict or address all of them.
List of assessments of key risks
Risk theme | Risk item | Impact | Likelihood | Likely timing of risk materialization |
---|---|---|---|---|
① Changes in the business environment | Changes in the market environment | Large | High | Within one year |
① Changes in the business environment | Economic crises and business fluctuation | Large | Medium | Within one year |
① Changes in the business environment | Loss of important customers | Large | Relatively high | No specific timing |
① Changes in the business environment | Political upheaval, revolution, war, civil war, conflict, riots, terrorism | Large | Low | Within one year |
② Procurement/supply chain | Delays, shortages, or inability to procure raw materials, parts, purchased goods, etc. | Relatively large | High | Within one year |
③ Growth strategy | New domain creation and technology development | Large | High | Within five years |
④ Human resources-related | Lack of human resources development initiatives | Relatively large | High | Within three years |
④ Human resources-related | Shortage of employees (workers) | Relatively large | High | Within three years |
④ Human resources-related | Education of successors (management positions) | Large | Medium | Within five years |
④ Human resources-related | Securing human resources; employee turnover | Relatively large | High | Within one year |
⑤ Group governance | Inadequate management of subsidiaries | Large | Relatively high | No specific timing |
⑤ Group governance | Scandals involving Group companies | Large | Medium | No specific timing |
⑥ Natural disasters | Large-scale natural disasters (e.g., large-scale earthquakes, tsunamis, storms, floods, etc.) | Large | Low | No specific timing |
⑦ Information security | Leakage of confidential information due to human factors | Large | Medium | No specific timing |
⑦ Information security | Cyberattacks | Large | Medium | No specific timing |
① Changes in the business environment
Description | The impact of changes in the business environment, whether positive or negative, represented by the following. |
---|---|
Countermeasures | |
② Procurement/supply chain
Description | |
---|---|
Countermeasures | |
③ Growth strategy
Description | |
---|---|
Countermeasures | |
④ Human resources-related
Description | |
---|---|
Countermeasures | |
⑤ Group governance
Description | |
---|---|
Countermeasures | |
⑥ Natural disasters
Description | |
---|---|
Countermeasures | |
⑦ Information security
Description | |
---|---|
Countermeasures | |
Business continuity plan
We have formulated a business continuity plan (BCP) to minimize damage to business assets and to enable business continuity and a rapid recovery in the event of a crisis such as a large-scale disaster, with human life as the top priority. In formulating our BCP, we followed the ISO 22301 international standard for its development and operation.
With the aim of enhancing the effectiveness of our BCP, we are conducting regular risk assessments at our business locations, introducing a safety confirmation system, implementing periodic exercises based on the initial response manual, and upgrading our disaster prevention supplies. Daifuku will, if necessary, establish on-site disaster headquarters in the event of an earthquake with an intensity of 5 or higher (per the Japan Meteorological Agency Seismic Intensity Scale), a disaster requiring prolonged recovery efforts, or other events that have or are expected to have a significant impact on business operations.
Daifuku Group Information Security Policy
Basic Approach
The Daifuku Group regards the information entrusted to us by our customers and business partners as well as trade secrets, personal information, and systems that the Group possesses regarding this information (hereinafter referred to as information assets) as important management assets in our business. We will strive to earn the trust of all members of society, including our customers, and enhance our corporate value by systematically and continuously making efforts in information security as denoted below.
Basic Policy
- Compliance with laws and regulations
- We will implement measures in each country and region to comply with the requirements of laws, national guidelines, contractual obligations, and other social standards related to information security.
- Establishment of an appropriate platform for information management
- In order to ensure the security of information assets, we will clarify our system responsible for information security and implement appropriate measures as follows in accordance with the importance and risks of the information assets.
- Establish an information security governance system
- We will establish a centralized management system led by the Information Security Committee, and a person responsible for the handling of information will be appointed within each division and company.
- Establish regulations for information security
- We will establish regulations and guidelines for information security, and we will strive to continuously improve our initiatives to ensure information security.
- Implement safety management measures
- Appropriate management measures, including personnel and physical management as well as system, server, and network management, will be implemented throughout the life cycle of information in accordance with its level of importance.
- Education and training
- We will continuously provide education and training on information security to all Group officers and employees in an effort to raise awareness and ensure compliance with rules and regulations. Any violations of these rules and regulations will be dealt with strictly, including disciplinary action against the offending party.
- Information security audits
- We will conduct internal audits throughout the entire Group on the status of information security measures, regularly confirm the status of compliance with information security rules and operation of information security management systems, and continuously make improvements. Additionally, we will monitor for new threats and changes in risks to prevent new vulnerabilities from emerging.
- Establishment of an information security incident response system
- We will establish a management system that enables the prompt resumption and continuation of business activities should an information security incident result in an interruption of operations. In the event that an incident occurs, we will make efforts to identify the cause and prevent recurrences.
Established: September 1, 2024
Strengthening information security
The Group is promoting specific initiatives in each of the following areas against technical threats such as unauthorized access and cyberattacks, human threats such as internal misconduct and disregard for rules, and physical threats such as disasters and theft.
IT countermeasures | |
---|---|
Organizational countermeasures | |
Human countermeasures | |
Physical countermeasures | |
Personal information initiatives
We have established the Group Basic Policy for the Protection of Personal Information in order to define basic rules for the handling of personal information. This policy is implemented globally to ensure proper processing of personal information throughout the Group. Additionally, in order to specify the obligations we must comply with in handling personal information, we established the Personal Information Protection Regulations in 2015 as well as a system of regulations and related guidelines in 2023, and we are working to ensure the proper handling of personal information. In particular, we take additional precautions to manage sensitive personal information that requires special care in processing.
For more information regarding the Group’s handling of personal information obtained from customers and other parties, please refer to our Privacy Notice.
Information security education
Regarding employee training, we conduct regular global training using video content available in more than 30 languages and e-mail drills that simulate targeted attacks.
Initiative | Target | Description |
---|---|---|
Awareness-raising month | Officers and all employees (global) | A designated annual Information Security Awareness-Raising Month during which messages from the president and other top officers are distributed and lectures by experts are held. |
Rank-based training | Newly graduated employees, newly promoted employees, mid-career hires, etc. | Conduct training on essential information security knowledge at the time of hiring, promotion, etc. |
E-learning courses | Officers and all employees (global) | Conducted multiple times per year. Fosters awareness of information security throughout the entire global company. |
E-mail drills | Officers and all employees (global) | Conducted multiple times per year, including follow-up training. |
Training | FY2021 | FY2022 | FY2023 |
---|---|---|---|
Global information security training | 2 sessions | 4 sessions | 4 sessions |
Global e-mail training | 3 sessions | 4 sessions | 4 sessions |