Risk management
The English version will be available in November.
役員メッセージ
リスクマネジメントの進化で各事業を支持
森下 健一
2024年10月
国際情勢や経済、社会の変化、そして気候変動対応など、経営を取り巻く環境が大きく変化していく中、当社はカーボンニュートラル・循環型社会の実現に向けて事業構造の変革に取り組んでいます。
これまで当社は、事業部門の自律的な活動により強固なリスクマネジメント体制を構築し、大規模災害に備えたBCM(事業継続マネジメント)などについても高い水準を維持してきました。しかしながら、新たな環境の変化によってリスクの範囲が拡大、複雑化してきており、その適切な対応のためリスクマネジメントの進化が必要となっています。
リスクマネジメントの進化
これからの当社のリスクマネジメントには、顕在的なリスクに対する是正対応から、潜在的なリスクの予防対応に力点をシフトさせ、拡大、複雑化したリスクへの対応を強化させていく必要があります。そのために、潜在的なリスクの予見を高める仕組みとして、リスクマネジメントをより全社的、統合的な活動として運用を高めていく必要があると考えています。当社では、リスクマネジメントを各事業を支える重要なプラットフォームとして位置付け、現在、この全社リスクマネジメントに向けた見直しに着手しています。
全社リスクマネジメントの方向性
当社が考える全社リスクマネジメントが取り組む方向性として、二つを掲げています。第一に「リスク領域の設定・重点化と統合的管理の向上」で、当社が注意すべきリスクの領域を環境変化と事業構造の変革を踏まえて捉え直し、その中から重点的に対応するリスクの特定、管理を統合的に推進していきます。第二に、「リスク・コミュニケーションのさらなる強化」です。これは事業部門、コーポレート部門、内部監査部門の3ラインの密接化はもとより、コーポレート部門の連携も今まで以上に強化させていきます。総務、法務、広報部門などが、予見性を高めて一歩先のリスク対応を図ることで、事業部門への支援の実効性を向上させていきます。
● Company-wide risk management operation cycle
Basic approach
The Idemitsu Group strives to ensure management stability by proactively identifying and assessing various risks associated with its business activities and taking appropriate measures in accordance with those risks.
In promoting risk management, we categorize risks related to our business activities into two categories: "management risks" and "operational risks," and we manage and respond to each of these risks separately.
Governance
Strategy
Among "operational risks," those that can be managed across the organization due to their comprehensiveness are designated as "major risks." These are used to monitor risk management within the Group, and responses to "major risks" are confirmed through risk interviews with major business divisions.
Risk management
Risk management activities
Risk assessment and preventive measures in peacetime
・Each business division will regularly evaluate its own risks and develop countermeasures. In addition, we will constantly monitor for signs of risk manifestation and strive to prevent risks from occurring.
・The corporate division will formulate management policies for each specialized risk area and support the risk management activities of each business division.
・The Risk Management Section of the General Affairs Department monitors the risk management activities of the Group and provides necessary support.In addition, it centrally manages information on signs of "major risks" and, if necessary, takes measures to prevent risks affecting the entire Group, following deliberation by the Risk and Compliance Committee.
Preparing for a crisis
・Each business division will also prepare the necessary measures to minimize damage in the event of a crisis.
・The Risk Management Section of the General Affairs Department will determine matters related to the approach and system for emergency response, and will develop business recovery and business continuity plans (BCP) for risks that are assessed to have a significant impact on the entire Group, and will conduct regular training.
Arranging for insurance
In preparation for financial losses due to unforeseen accidents or disasters, each business division cooperates with the Risk Management Section of the General Affairs Department to obtain efficient and stable liability insurance.
Self-management and self-inspection
Each business division regularly conducts self-inspections within the division in order to maintain a system (self-management) in which each business division establishes its own optimal risk management system, functions effectively, and makes improvements on a daily basis.
Using the self-inspection web system, in addition to inspection items common to the group, we check regulations, conventions, business processes, tasks, procedures, etc. that have been independently established by each department, in an effort to visualize management.
Company-wide risk management initiatives
In order to promote business structure reforms amid major changes in the business environment, it is necessary to elevate risk management to a more company-wide, integrated activity in order to strengthen risk prevention.
To this end, we will review our current approach to classifying risks into "operational risks" and "management risks" and change the way we manage risks to comprehensively grasp risks that require our attention. Furthermore, we will identify important risks from the perspective of management and enhance the function of monitoring responses by the Risk and Compliance Committee.
In addition, because risks are dynamic, we will put in place a mechanism to respond effectively to anticipated issues by flexibly setting up task teams among relevant departments and divisions as necessary.
The aim is for this initiative to be fully operational from fiscal year 2025, after which we will work to improve it in preparation for the next Medium-term Management Plan.
Further strengthening crisis response capabilities
Responding in times of crisis
In our "Crisis Response Regulations" (approved by the president), the Group has established response policies, how to interpret the level of a crisis, communication systems, the establishment of a response headquarters, etc. In the event of a crisis, we will strive to minimize the social impact and damage by taking prompt and appropriate initial measures and responding organizationally with a clear chain of command.
Policy on crisis response (excerpt from Rules on how to deal with a crisis)
(1) Place top priority on safety of all people.
(2) Minimize environmental impact
(3) Sincerely deal with a crisis all the time from the viewpoint of ordinary citizens.
(4) Quickly disclose accurate information.
(5) Retain Company s reliability by carrying out (1) through (4)
●Crisis level
|
|
|
|
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
●Communication system
Business Continuity Plan (BCP) initiatives
Our group has developed BCPs for the Tokyo Metropolitan Earthquake version, the Nankai Trough mega-earthquake version, and the new strain influenza version. We conduct comprehensive disaster prevention drills every year based on various BCPs, confirm cooperation and issues with each site, strive to strengthen practical response capabilities, and reflect the feedback in BCP revisions. At Refineries/Complexes, factories, etc., we regularly conduct disaster prevention drills throughout our bases based on various crisis response regulations.
In addition, in 2015, we were designated as a designated public institution by the Cabinet Office, and in December 2019 we submitted the latest version of our "Disaster Prevention Operation Plan." As a designated public institution, we are proceeding with the registration of tank trucks as emergency vehicles in each prefecture.
Implementation of comprehensive disaster prevention training
Comprehensive disaster prevention training (September 2024)
In order to improve the effectiveness of our BCP, we have been conducting comprehensive disaster prevention drills every year since 2007, and the 2024 fiscal year will mark the 18th time the drill has been held.
Based on a scenario that assumes a massive earthquake in the Nankai Trough and a large-scale power outage in the Chubu region, and assuming that the Japan Meteorological Agency issues a "Nankai Trough Earthquake Emergency Information (Massive Earthquake Alert)," we confirmed how to respond to a complex disaster. 193 participants from the head office (Disaster Management Headquarters), related branches, and manufacturing bases participated in the training, including information gathering, transmission, and response planning. In addition, the training was divided into two parts, including a scenario of a delayed earthquake (on the west side) occurring three days after the earthquake, and we confirmed the response status under complex assumptions. At the same time, a company-wide safety confirmation training was also conducted, and approximately 8,500 employees, including those from group companies, promptly reported their safety. We are reflecting the issues and realizations gained from the training in our BCP to improve our crisis response capabilities.
Addressing economic security
Our group keeps a close eye on the trends of international affairs on a daily basis, and in light of their impact, we are making the necessary preparations and taking the necessary measures from the perspective of economic security. As part of this, all relevant departments are formulating response measures for various events and cases that occur overseas, conducting training, and raising awareness among related parties regarding safety, asset protection, and securing information and communications.
Furthermore, in accordance with the Economic Security Promotion Act, as an energy supplier, we investigate and respond to risks within our company and in our supply chain. We also work on daily risk management to ensure the business continuity of our group, with an eye on regulatory and policy trends in the United States and other relevant countries.
Evaluation
Obtained the highest rank in the Development Bank of Japan BCM rating.
Joint fire drill with Tokyo Fire Department at Tokyo oil terminal (June 2022)
In fiscal 2019, we became the first oil wholesaler to receive the highest rank, Rank A, under the Development Bank of Japan Inc.'s (DBJ) BCM Rating Loan system.
Information management/security management
Basic approach
Under our "Basic Information Security Policy," our group strives to ensure the confidentiality of information assets, the availability and integrity of information systems and networks, and utilize information technology to maintain and improve customer service. Information about customers will be appropriately collected and used in accordance with the Customer Information Management Standards, stored in a safe and up-to-date state, and disposed of appropriately. We also conduct e-learning on information security for all IT system users to ensure thorough information management.
Additionally, in order to reduce the impact of increasingly sophisticated cyber-attacks, we have implemented a system-based multi-layered defense system that prevents unauthorized intrusion and the removal of important information.
Policy
Basic policy on information security
(1)Idemitsu Group shall, by securing confidentiality of information assets as well as availability and maintainability of information systems and networks, strive to maintain and improve customer services through the use of information technology.
(2)Idemitsu Group shall, by implementing appropriate protective measures, protect information concerning customers from being divulged, falsified, or destroyed.
(3)Idemitsu Group shall, by securing availability, maintainability, and confidentiality of information systems and networks, strive not to cause trouble to persons concerned such as customers and business partners.
(4)Idemitsu Group shall, by conducting educational and awareness building activities aimed at its employees and dispatched employees as well as external companies to which its businesses are outsourced, make them aware of the importance of information security and ensure the proper utilization of information and information systems by them.
(5)Idemitsu Group shall strive to ensure security by conducting an audit on a regular basis to examine and assess the status of compliance, etc. with the security policy.
Governance
Information management/security management promotion system
In our group, the management department is in charge of information management for the entire group, in accordance with the "Information Management Guidelines" in the President's Approval Regulations. In the unlikely event that an information leak or other serious security incident occurs, it will be reported to the Risk Management and Compliance Committee, etc., in accordance with the "Regulations for Response in the Event of a Crisis" approved by the president, and the committee will take the lead in taking appropriate action. I'll deal with it. The officer in charge of general affairs serves as the chairperson of the Risk and Compliance Committee.
Additionally, with the aim of maintaining and improving the security of control systems, we have established a security council and are promoting security measures across the group in an organized and planned manner based on the "Control System Security Guidelines." At our manufacturing sites, we use the PDCA cycle to make continuous improvements and conduct incident response training every year. We also provide control system e-learning for system users and administrators.
●Information management/security management promotion system
Initiatives
Number of serious information security violations in FY2023: 0
In-house training
Human resource development
ICT including security planning, implementation, and operation * After defining a CDP (career development plan) for human resources, we evaluate the skills and set goals for each individual in the ICT department, and develop human resources in a planned manner.
*ICT (Information and Communication Technology)
E-learning on information security
We conduct e-learning (in Japanese, English, and Chinese) on information security every year for all IT system users (employees, temporary workers, outsourced contractors, etc.) to learn the rules that must be followed. In fiscal 2023, the training was conducted from October 2023 to April 2024, with 16,302 people taking the training, a participation rate of 100%.
Control System E-Learning
Starting in fiscal 2019, we have been conducting e-learning for control system users and managers. In fiscal 2023, the course was held from January to March 2024, with 4,345 people taking the course, a participation rate of 100%.
E-learning for Web managers
Starting in fiscal 2023, we will be conducting e-learning for departments that build and manage websites and those in charge of affiliated companies to learn the rules that must be observed for website security measures. In fiscal 2023, the course was held from March to May 2024, with 341 people taking the course, a participation rate of 100%.
Email Training
In order to raise awareness and reduce the risk of computer virus infection from targeted email attacks, we conduct targeted email attack training once a quarter for our company and group companies (including overseas). Additional training is also provided as necessary.
Awareness email
We distribute a monthly awareness email called "Cybersecurity Letter" that provides the latest information on cyber attacks and other important information security information.
Conducting education and training in preparation for cybersecurity incidents and accidents
In addition to training planned in-house, we also participate every year in cross-sectoral exercises organized by the Cabinet Secretariat's Cyber Security Center as training for responding to cyber attacks.
Strengthening security measures
Conducting vulnerability assessments
We regularly have a third party conduct security vulnerability assessments. We create improvement plans based on the results of the assessments and take measures accordingly.
Information Security Certification
Our organizations and call centers involved in low-voltage electricity sales in Power/renewable energy businesses have obtained JIS Q 27001 (ISMS, Information Security Management System) certification.
Privacy protection
Basic approach
Regarding the handling of personal information including specific personal information *1 and anonymously processed information *2 (hereinafter referred to as "personal information, etc."), our group complies with the "Basic Policy on the Protection of Personal Information, etc." (approved by the president) and handles it. We will manage all personal information more safely and appropriately.
-
Individual number and other personal information that includes the individual number
-
Information about an individual obtained by processing personal information so that a specific individual cannot be identified, and the personal information cannot be recovered.
Policy
Basic policy on protection of personal information, etc.
1. Compliance with Laws and Regulations
The Group will comply with the Act on the Protection of Personal Information, the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, other applicable laws, related government and ministry ordinances, guidelines, etc.
2. Matters Concerning Acquisition
The Group will acquire Personal Information, etc. by lawful and fair means. Unless otherwise permitted by applicable laws, the Group will either explicitly explain or announce the purpose of use of Personal Information, etc. to the person in advance, or give notice or announce to the person immediately after acquisition thereof. In addition, the Group will, when acquiring special care-required personal information, obtain the prior consent of the person, unless otherwise permitted by applicable laws.
3. Matters Concerning Use
The Group will use the Personal Information, etc. only within the scope necessary for achieving the purposes of use thereof, unless otherwise permitted by applicable laws.
4. Matters Concerning Provision and Disclosure
Unless otherwise permitted by applicable laws, the Group will not disclose or provide without the consent of the person any Personal Information, etc. to any third party other than outsourcing companies, companies sharing Personal Information, etc., and business successors.
5. Matters Concerning Safety Control Measures
The Group will take the necessary and appropriate safety control measures to prevent unauthorized access to, and loss, destruction, falsification, leakage, etc. of, Personal
Information, etc., and strive to improve personal information protection and management systems on an ongoing basis. The Group will clarify who has the responsibility to protect and manage personal information at each organization and provide the necessary and appropriate education, training and supervision to those employees and outsourcing companies which handle Personal Information, etc.
Furthermore, the Group will keep the Personal Information, etc. accurate and updated. Any Personal Information, etc. with regard to which the purposes of use have been achieved and whose retention period prescribed by applicable laws has expired will immediately be destroyed or eliminated.
In the event of leakage, etc., the Group will immediately take case-by-case correction measures.
6. Matters Concerning Disclosure, etc. of
The Group will respond in accordance with applicable laws to requests for disclosure and correction, etc. (i.e. correction, addition, deletion, suspension of use, elimination, and suspension of provision to a third party), of retained personal data and specific personal information files.
If such data and files are not disclosed or do not exist, the Group will notify the requesting person to that effect.
Governance
Regarding the protection of personal information, the General Affairs Department serves as the secretariat, and information management officers are assigned to each department and group company to promote initiatives. We hold an information management manager meeting every year to provide education within the group.
Initiatives
Number of serious personal information protection violations in FY2023: 0