Risk Management
Basic Approach
We are promoting the development and operation of Group-wide systems that enable us not only to identify and prevent latent risks, but also to respond rapidly to and deal with risks that have already manifested themselves.
Risk Management System
To build and operate a Group-wide risk management framework, we have established the Risk Management Committee. The Committee promotes the development and operation of a company-wide system designed to identify and prevent potential risks, as well as to respond promptly to and resolve risks that have materialized.
Individual risks that have materialized are addressed by the departments responsible for managing those risks and are reported to the Risk Management Committee, including the status of implementing measures to prevent recurrence and horizontal deployment across the Group.
The Risk Management Committee monitors whether risk management across the Zeon Group is being appropriately controlled and prepares a “Group-wide Risk List”. Based on this list, the Committee reports on control activities related to critical Group-wide risks to the Management Committee and the Board of Directors to confirm the effectiveness of risk management.
In addition, each organization within the Zeon Group prepares its own Risk List, identifies both Group-wide risks and risks specific to that organization, and implements necessary control activities based on this identification. The Risk Management Committee compiles evaluations and control activities for these individual risks and shares them with the relevant risk-owning departments, thereby enhancing the effectiveness of Group-wide risk control activities.
Group-wide risks include those related to climate change and human rights, among others.
BCP Formulation and Training
To minimize the impact on business continuity from disasters such as earthquakes and severe storm and flood damage, we have formulated a Business Continuity Plan (BCP) and conduct training to enhance its effectiveness. In FY2025, we conducted two whole-company emergency headquarters drills and two whole-company emergency headquarters secretariat drills. Through these drills and other activities, we verify the effectiveness of our BCP and work to strengthen our resilience to disasters.
In addition, each business division and plant has formulated its own BCP and established systems that enable a rapid response in the event of an emergency. Furthermore, through continuous review under our Business Continuity Management (BCM) and the implementation of our own training programs, we strive to maintain and enhance the effectiveness of our BCP.
Whistleblowing System
We have put in place a confidential whistleblowing system to identify information about potential risks as early as possible so that appropriate action can be taken. Reporting channels for risk information include internal channels such as reporting through superiors and reporting directly to the Compliance Department. We have also set up the web-based Compliance Helpline, which allows anonymous reporting. In addition, we have established the Lawyer HOTLINE, with an outside attorney serving as the contact point, broadening the options available to whistleblowers (1 to 4 in the flowchart).
This whistleblowing system accepts reports related to overall compliance, including harassment, human rights violations, corruption and bribery, theft, fraud, threats, insider trading, and information security issues.
Upon receiving a report, the Compliance Department investigates the facts regarding the report, while giving the utmost consideration to the privacy of the whistleblower and maintaining confidentiality, and, based on the results, takes appropriate actions such as instructing relevant internal departments to implement countermeasures.
We also ensure that employees are informed of the purpose of the system and that whistleblowers who make reports in good faith will not be subject to dismissal, reassignment, discrimination, or any other disadvantageous treatment as a result of their report.
Information Security System
We recognize that cyber-related incidents constitute one of the risks that may impede business operations. To ensure business continuity and growth and to maintain social trust, we are committed to securing the digital environment, including information systems and industrial control systems.
Under the leadership of senior management, all directors, officers, and employees, together with our business partners, will address the expectations of diverse stakeholders and promote initiatives based on the following policy in order to establish and maintain a resilient cybersecurity framework.
- 1Management Responsibility and Governance Structure
We position cybersecurity as a key management priority. Senior management will take the lead in implementing risk-based measures. We will establish a company-wide framework and promote coordinated efforts across relevant departments.
- 2Securing Resources and Human Resource Development
We will secure the necessary personnel, technologies, and budget to continuously strengthen our cybersecurity measures. Through education and awareness programs for employees and related parties, we will promote improvements in awareness and capabilities.
- 3Risk Management and Incident Response
We will conduct periodic risk assessments and implement measures according to the level of risk. In the event of an incident, we will respond promptly to minimize damage, ensure early recovery, and prevent recurrence.
- 4Supply Chain and External Collaboration
We will collaborate with Group companies and business partners to ensure security throughout the supply chain. We will also strengthen our measures by leveraging the latest information through cooperation with specialized institutions and industry associations.
- 5Factory Cybersecurity
Particularly at manufacturing sites, we will implement cybersecurity measures with a strong emphasis on preventing disasters, including explosions and fires caused by high-pressure gases and large-scale leaks of toxic gases.
- 6Continuous Improvement
Through monitoring and internal audits, we will periodically evaluate the status of our initiatives and pursue continuous improvement in cybersecurity.
Structure and System
As part of our efforts to strengthen and promote information security measures, we maintain the Digital Transformation Promotion Division as the organization responsible for overseeing cyber security, which reports directly to the Representative Director. The Division provides company-wide guidance, monitoring, and evaluation of cyber security measures.
In addition, as an organization responsible for making expert judgments and implementing practical responses in the event of incidents, we have established a Computer Security Incident Response Team (CSIRT) as a subordinate organization under the Digital Security Management and Governance Department within the Digital Transformation Promotion Division.
The CSIRT is responsible for ensuring appropriate and rapid responses to incidents, including those occurring at Group companies. At the same time, in order to address increasingly sophisticated and diversified cyber-attack threats, the CSIRT works to continuously improve and progressively enhance its incident response capabilities, collaborating with external specialist organizations as necessary.
Key Initiatives
Zeon has established specialist units to handle matters relating to cyber security, and we are implementing the following types of measures. Cyber security risks are being transformed by the continuing evolution of digital technology and the widespread promotion of DX. We recognize that implementing a strategic, effective response to these risks is an important management issue for Zeon, and going forward we will be working to strengthen our initiatives in this area and realize ongoing improvement.
| Technical and organizational measures | Human resources measures |
|---|---|
|
|