Risk management

Basic approach

The Idemitsu Group strives to stabilize its management by proactively recognizing and evaluating various risks related to business activities and taking appropriate responses according to the risks.
In promoting risk management, we classify risks related to business activities into two categories: "management risks" and "operational risks," and promote the management and response of each.

Risks of our group

Governance

Internal Control > Governance > Internal Control Promotion System

Strategy

The Corporate Planning Department is responsible for "management risk," and the General Affairs Department is responsible for "operational risk." Among "operational risks," those that are managed across the organization because of their broad scope are positioned as "important risks." We confirm the response to these "important risks" by monitoring risk management within the Group and through risk interviews with major business divisions. These risks are selected by the Risk Management and Compliance Committee based on the results of risk questionnaires regularly conducted among business divisions, taking into account incidents that occurred in the previous year.

strategy map

Important risks in 2023
1. Environmental pollution
2. Fire/Explosion
3. Quality accidents
4. Large-scale natural disaster
5. Infectious disease
6. Information-related risks
7. Violation of antitrust law
8. Security/legal violation
9. Overseas crisis
10. Overseas compliance
11. Cheating
12. Human resources/labor risks

Risk management

Risk management activities

Risk assessment and preventive measures during normal times
・Each business division regularly assesses its own risks and develops countermeasures. Additionally, we constantly monitor signs of risks emerging and strive to prevent them from occurring.
・Corporate departments formulate management policies for their specialized risk fields and support the risk management activities carried out by each business department.
・The Risk Management Division of the General Affairs Department monitors the Group's risk management activities and provides necessary support. In addition, we centrally manage information regarding signs of "major risks," and take measures to prevent risks that affect the entire Group after deliberation by the Risk Management and Compliance Committee as necessary.

Preparing for a crisis
・Each business division will prepare the necessary measures to minimize damage in the event of a crisis.
・The Risk Management Division of the General Affairs Department establishes matters related to emergency response concepts and systems, formulates business recovery and business continuity plans (BCP) for risks assessed to have a significant impact on the entire Group, and conducts regular training.

Arranging property insurance
To ensure efficient and stable operations unaffected by temporary changes in the business environment, each business division works together with the Risk Management Division of the General Affairs Department to arrange general liability insurance in preparation for economic losses caused by unforeseen accidents or disasters.

Self-management and self-inspection
Each business division regularly conducts self-inspections within the division in order to maintain self-management, that is, a system in which each business division establishes its own optimal risk management system, keeps it functioning effectively, and makes improvements on a daily basis.
Using the self-inspection web system, in addition to inspection items common to the group, we check regulations, conventions, business processes, tasks, procedures, etc. that have been independently established by each department, in an effort to visualize management.

Further strengthening crisis response capabilities

Response in the event of a crisis
Our Group's "Regulations for Response in the Event of a Crisis" (approved by the president) stipulate response policies, how to define crisis levels, communication systems, and the establishment of a task force. In the event of a crisis, we will take prompt and appropriate initial response measures and respond in an organized manner with a clear chain of command in order to minimize social impact and damage.

Policy on crisis response (excerpt from Rules on how to deal with a crisis)

(1) Place top priority on safety of all people.
(2) Minimize environmental impact.
(3) Sincerely deal with a crisis all the time from the viewpoint of ordinary citizens.
(4) Quickly disclose accurate information.
(5) Retain Company's reliability by carrying out (1) through (4).

●Crisis level

| Crisis level | Situation | Name of task force |
|---|---|---|
| Level 3 | A crisis that has a nationwide social impact and requires a company-wide response | No. 3 Task Force Headquarters (Semi-No. 3 Task Force Headquarters) |
| Level 2 | Crisis equivalent to level 3 | No. 2 task force |
| Level 1 | Crisis that has a small social impact and can be dealt with only by the relevant Complex | No. 1 task force |

●Communication system

contact line

Business Continuity Plan (BCP) initiatives

Our group has developed BCPs for the Tokyo Metropolitan Earthquake version, the Nankai Trough mega-earthquake version, and the new strain influenza version. We conduct comprehensive disaster prevention drills every year based on various BCPs, confirm cooperation and issues with each site, strive to strengthen practical response capabilities, and reflect the feedback in BCP revisions. At Refineries/Complexes, factories, etc., we regularly conduct disaster prevention drills throughout our bases based on various crisis response regulations.
In addition, in 2015, we were designated as a designated public institution by the Cabinet Office, and in December 2019 we submitted the latest version of our "Disaster Prevention Operation Plan." As a designated public institution, we are proceeding with the registration of tank trucks as emergency vehicles in each prefecture.

Implementation of comprehensive disaster prevention training

Comprehensive disaster prevention training (September 2023)

With the aim of increasing the effectiveness of our BCP, our company has been conducting a "Comprehensive Disaster Prevention Drill" every year since 2007, and fiscal 2023 marked the 17th time it has been held.
Based on a scenario hypothesizing an earthquake directly hitting the Tokyo metropolitan area, 180 participants from the head office (countermeasures headquarters), related branches, and manufacturing sites conducted training on gathering and communicating information, and formulating countermeasures. In addition, we worked to further strengthen our crisis response capabilities over time by holding a two-part training exercise that simulated the immediate aftermath of an earthquake and 24 hours after. At the same time, we conducted a company-wide safety confirmation drill, and approximately 14,000 employees, including those from group companies, promptly reported their safety. We are working to improve our company's crisis response capabilities by reflecting the issues and awareness gained through training in our BCP.

Addressing economic security
Our group pays close attention to trends in the international situation on a daily basis and takes necessary preparations and responses from the perspective of economic security.
In addition to responding as an energy supplier based on the Economic Security Promotion Act that went into effect this year, we are working on risk management on a daily basis to ensure the continuity of our group's business, keeping an eye on regulations and policy trends in the United States and related countries.

Initiatives against the new coronavirus infection (COVID-19)
The task force was disbanded in May 2023, when the situation moved to Category 5. Since then, we have encouraged each workplace to practice precautions in the event a person develops a fever, similar to seasonal influenza, to ensure the safety of employees and prevent the spread of infection.

Evaluation

Obtained the highest rank in the Development Bank of Japan BCM rating.

Joint fire drill with Tokyo Fire Department at Tokyo oil terminal (June 2022)

In fiscal 2019, we became the first oil wholesaler to receive the highest rank, Rank A, under the Development Bank of Japan Inc.'s (DBJ) BCM Rating Loan system.

Information management/security management

Basic approach

Under our "Basic Information Security Policy," our group strives to ensure the confidentiality of information assets, the availability and integrity of information systems and networks, and utilize information technology to maintain and improve customer service. Information about customers will be appropriately collected and used in accordance with the Customer Information Management Standards, stored in a safe and up-to-date state, and disposed of appropriately. We also conduct e-learning on information security for all IT system users to ensure thorough information management.
Additionally, in order to reduce the impact of increasingly sophisticated cyber-attacks, we have implemented a system-based multi-layered defense system that prevents unauthorized intrusion and the removal of important information.

Policy

Basic policy on information security

(1) Idemitsu Group shall, by securing confidentiality of information assets as well as availability and maintainability of information systems and networks, strive to maintain and improve customer services through the use of information technology.
(2) Idemitsu Group shall, by implementing appropriate protective measures, protect information concerning customers from being divulged, falsified, or destroyed.
(3) Idemitsu Group shall, by securing availability, maintainability, and confidentiality of information systems and networks, strive not to cause trouble to persons concerned such as customers and business partners.
(4) Idemitsu Group shall, by conducting educational and awareness building activities aimed at its employees and dispatched employees as well as external companies to which its businesses are outsourced, make them aware of the importance of information security and ensure the proper utilization of information and information systems by them.
(5) Idemitsu Group shall strive to ensure security by conducting an audit on a regular basis to examine and assess the status of compliance, etc. with the security policy.

Governance

Information management/security management promotion system

In our group, the management department is in charge of information management for the entire group, in accordance with the "Information Management Guidelines" in the President's Approval Regulations. In the unlikely event that an information leak or other serious security incident occurs, it will be reported to the Risk Management and Compliance Committee, etc., in accordance with the "Regulations for Response in the Event of a Crisis" approved by the president, and the committee will take the lead in taking appropriate action. The officer in charge of general affairs serves as the chairperson of the Risk and Compliance Committee.

Risk Management > Further Strengthening Crisis Response Capabilities

Additionally, with the aim of maintaining and improving the security of control systems, we have established a security council and are promoting security measures across the group in an organized and planned manner based on the "Control System Security Guidelines." At our manufacturing sites, we use the PDCA cycle to make continuous improvements and conduct incident response training every year. We also provide control system e-learning for system users and administrators.

●Information management/security management promotion system

Initiatives

Number of serious information security violations in FY2022: 0

In-house training

Human resource development
After defining a CDP (career development plan) for ICT* human resources, including security planning, implementation, and operation, we evaluate the skills of and set goals for each individual in the ICT department, and develop human resources in a planned manner.

*ICT (Information and Communication Technology)

Information security e-learning
Every year, we conduct e-learning on information security (in Japanese, English, and Chinese) for all IT system users (employees, temporary workers, outsourcing companies, etc.) so that they learn the rules that must be followed. In fiscal 2022, the training was held from January to March 2023, with 16,810 people taking the course, and the participation rate was 100%.

Control system e-learning
Since fiscal 2019, we have been conducting control system e-learning for control system users and administrators. In fiscal 2022, the training was held from January to March 2023, with 5,252 people taking the course, and the participation rate was 100%.

Email training
In order to reduce and raise awareness of the risk of computer virus infection from targeted attack emails, we conduct targeted attack email drills once a quarter for our company and group companies (including overseas). Additional training is also provided as needed.

Awareness email
We send out the latest information on cyber attacks and other information security precautions in the form of a monthly "Cyber Security Letter" email.

Privacy protection

Basic approach

Regarding the handling of personal information including specific personal information *1 and anonymously processed information *2 (hereinafter referred to as "personal information, etc."), our group handles it in compliance with the "Basic Policy on the Protection of Personal Information, etc." (approved by the president) and will manage all personal information more safely and appropriately.

*1 Individual number and other personal information that includes the individual number

*2 Information about an individual obtained by processing personal information so that a specific individual cannot be identified, and the personal information cannot be recovered.

Policy

Basic policy on protection of personal information, etc.

1. Compliance with Laws and Regulations
The Group will comply with the Act on the Protection of Personal Information, the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, other applicable laws, related government and ministry ordinances, guidelines, etc.

2. Matters Concerning Acquisition
The Group will acquire Personal Information, etc. by lawful and fair means. Unless otherwise permitted by applicable laws, the Group will either explicitly explain or announce the purpose of use of Personal Information, etc. to the person in advance, or give notice or announce to the person immediately after acquisition thereof. In addition, the Group will, when acquiring special care-required personal information, obtain the prior consent of the person, unless otherwise permitted by applicable laws.

3. Matters Concerning Use
The Group will use the Personal Information, etc. only within the scope necessary for achieving the purposes of use thereof, unless otherwise permitted by applicable laws.

4. Matters Concerning Provision and Disclosure
Unless otherwise permitted by applicable laws, the Group will not disclose or provide without the consent of the person any Personal Information, etc. to any third party other than outsourcing companies, companies sharing Personal Information, etc., and business successors.

5. Matters Concerning Safety Control Measures
The Group will take the necessary and appropriate safety control measures to prevent unauthorized access to, and loss, destruction, falsification, leakage, etc. of, Personal Information, etc., and strive to improve personal information protection and management systems on an ongoing basis. The Group will clarify who has the responsibility to protect and manage personal information at each organization and provide the necessary and appropriate education, training and supervision to those employees and outsourcing companies which handle Personal Information, etc.
Furthermore, the Group will keep the Personal Information, etc. accurate and updated. Any Personal Information, etc. with regard to which the purposes of use have been achieved and whose retention period prescribed by applicable laws has expired will immediately be destroyed or eliminated.
In the event of leakage, etc., the Group will immediately take case-by-case correction measures.

6. Matters Concerning Disclosure, etc. of 
The Group will respond in accordance with applicable laws to requests for disclosure and correction, etc. (i.e. correction, addition, deletion, suspension of use, elimination, and suspension of provision to a third party), of retained personal data and specific personal information files. If such data and files are not disclosed or do not exist, the Group will notify the requesting person to that effect.

Governance

Regarding the protection of personal information, the General Affairs Department serves as the secretariat, and information management officers are assigned to each department and group company to promote initiatives. We hold an information management manager meeting every year to provide education within the group.

Initiatives

Number of serious personal information protection violations in FY2022: 0