Risk Management

Materiality
Related ESG :
E S G
Risk Management
Peace, Justice and Strong Institutions

Management approach

Policy and approach

As well as establishing a “Risk Management Basic Policy” that outlines our fundamental stance on risk management activities,Toyobo group is identifying various types of risk that could pose a threat across the entire range of our business activities, and are managing risk appropriately according to the characteristics of each risk. In an emergency, we immediately set up a task force under the instruction of the relevant corporate officer, and bring the crisis under control through a swift response. By putting these systems in place and conducting the initiatives, we work hard to earn the trust of our customers, the local community, and our shareholders and other stakeholders.

< Basic policy on business risk >

1. Toyobo group has a system for identifying the location of risks and the size of their impact (visualization)
2. Allocate resources appropriately to avoid or reduce identified risks
3. We will deepen and upgrade our activities by continuing to run PDCA
4. Enhance sensitivity and responsiveness to risks by each individual through information sharing, training, etc (eliminate ignorance)
5. All employees participate in risk management activities by personalizing them

Business risks

The main risks recognized that could have a material impact on Toyobo group's operating results and financial position are as listed below. The list does not include all the risks related to Toyobo group.

Forward-looking statements were determined by the group as of fiscal 2023-end.

< Incurred or highly probable risks >

(1)
Occurrence of disasters, accidents, and infections
(2)
Further worsening of political and economic situations
(3)
Inappropriate behavior or similar in details of third-party certification registration

< Medium- to long-term risks >

(4)
Purchase of raw materials
(5)
Product defects
(6)
Securing of human resources
(7)
Climate change
(8)
Environmental burden
(9)
Information security
(10)
Laws, regulations and compliance
(11)
Overseas business activities
(12)
Litigation

< Financial risks >

(13)
Large forex movement
(14)
Large rise in interest rates
(15)
Sharp drop in share prices
(16)
Impairment loss of fixed assets

Structure

On April 1, 2021, Toyobo group established a Risk Management Committee headed by the President for centralized management of risks throughout the group. The committee comprises members of the Board of Corporate Executive Officers and Controlling Supervisors as well as members nominated by the chair, and in fiscal 2023, it convened four times.

This Risk Management Committee brings together risk management activities (identification, analysis, evaluation, and response), as well as formulating risk management policies for the group as a whole. It is working to strengthen our risk management structure by aiming to build effective and sustainable organizations and approaches.

Management structures and processes

Management Structures and Processes

Initiatives

As part of our management policy, we seek to be a company that is able to grow sustainably by shifting from the survival-based thinking of the past to a sustainable growth orientation. We establish self-directed management activities appropriate to business areas and roles, assess company-wide risks and work toward their prevention and early detection, and, united as a group, will build a system to advance measures for preventing recurrence of risks.
As a starting point for these activities, we conducted an assessment of company-wide risks. We identified serious risks from the results of evaluations in terms of the two axes of severity of impact and likelihood of occurrence, and monitor these risks regularly.

In FY2023, we surveyed qualitative and quantitative information concerning serious risks at all of our group companies, confirming that those risks were the same as the serious risks that we identified in FY2022 for Toyobo group. We also surveyed serious risks specific to some group companies. Any detected items that are common across the group and that require attention are reported to the Risk Management Committee, and group-wide risk reduction activities are undertaken.
The Risk Management Committee also confirmed measures for the reduction of serious risks and instructed group companies to deploy these.

Data security, privacy

Materiality
Related ESG :
S G
Digital transformation
Partnerships for the Goals

Policy and approach

Today, as significance of information increasingly grows, how a company utilizes necessary information, advances development of products and technologies, and develops businesses in line with the times is a crucial factor in the company's survival.

The improper management of information can also have severe repercussions to a company from legal and social standpoints. As stated in our TOYOBO Group Charter of Corporate Behavior, our group must properly manage information and prevent problems involving information security from occurring if we are to contribute to society and remain a company that earns people's trust.

Restated, it is necessary that every one of our officers and employees recognizes the importance of information security and the information assets that are the key to corporate survival, and, while effectively utilizing our information assets throughout the organization, maintains and secures the confidentiality, integrity, and availability of those information assets. Based on this thinking, our group has declared our basic policies as follows:

< Information security policy (theme excerpts only) >

  • 1. Management system
    We will establish an information security management system with responsible executives placed at top, and will strive for proper management in line with the importance of and risks to information.
  • 2. Legal compliance and internal regulations
    We will establish internal rules in accordance with information security-related laws and ordinances, countries' national guidelines, and other social norms, and will take strict action against violators of these rules.
  • 3. Education and training
    We will conduct education and training for our employees on an ongoing basis to ensure that information assets are used properly, and will work to enforce compliance with rules.
  • 4. Operation of information systems
    We will enact appropriate measures and endeavor to operate information systems stably to prevent unauthorized intrusion and the leak, falsification, loss, theft, destruction, obstruction of use, etc. of information assets.
  • 5. Handling of incidents
    In the event of a problem involving information security, we will enact measures to minimize the damage, promptly investigate the cause, and strive to prevent recurrence.

Structure

Our group has established the TOYOBO-CSIRT, led by a CISO appointed by top management, as an organization to promote information security measures and activities. TOYOBO-CSIRT assesses the status of information security across the company, formulates basic policies, maintains management systems, and implements and supervises specific measures.

To advance measures based on the decisions of TOYOBO-CSIRT, we have established a front-line operations team. We also convene TOYOBO-CSIRT on a regular basis to evaluate risk countermeasures, each time also reporting on activities related to information security.
By expanding the activities of TOYOBO-CSIRT throughout our entire group, we will work to instill understanding of information security and enforce the protection of information assets, creating a state across the group in which data, security, and privacy are secured and trusted.

Our IT and DX Planning Department, which has acquired ISO 27001* certification, undergoes a yearly external audit based on ISO 27001 to confirm proper operation of information security management. The Department conducts on-duty management at five business sites of the company (the head office, Research Center, Tsuruga Research and Production Center, Iwakuni Production Center, Inuyama Plant: 50% of all business sites), and also performs comprehensive management of other business sites through the Department's management system.

  • An international standard for information security management systems
Toyobo group information security management structure

We assign a person responsible for information security to each department and built a company-wide information management system to ensure the required information security level.

Toyobo Group Information Security Management Structure

Targets and KPIs

< Targets >

Toyobo group establishes a structure to ensure cyber security as well as deepening employee understanding of information security and thoroughly ensuring protection of information.

< KPIs and results >

Initiatives KPIs Targets (FY2023) Results (FY2023)
  • Ensure cyber security
  • Protect confidential corporate information, personal information, and customer information
1.
No. of times information security education provided1
1.
22 times per year
1.
51 times
2.
No. of incidents (information leaks, service outages, etc.)1
2.
0 incidents per year
2.
0 incidents
3.
Implementation of information security measures2
3.
Disclosure of promotion contents
3.
Activities being promoted, with the Cyber Security Committee playing a central role
(Share on the company website)
1
Scope is TOYOBO CO., LTD., TOYOBO STC CO., LTD., and TOYOBO INFORMATION SYSTEM CREATE CO., LTD.
2
Scope is consolidated subsidiaries (determined while monitoring situation)
Specific measures aimed at consolidated subsidiaries
・Application of Information Security Policy
・Roll out of measures to strengthen IT/OT

Initiatives

Protection of personal information

Awareness of the protection of personal information is increasing worldwide. Toyobo group is revising our internal regulations to ensure handling of personal information in compliance with Japan's Amendments to the Act on the Protection of Personal Information and China's Personal Information Protection Law (PIPL).
We will continue to strengthen our systems for protection of the personal information of customers, our business associates, shareholders, and employees.

Promotion of digitalization

Digitalization is advancing rapidly with the development of IT. Amid this change, Toyobo group is advancing the construction of an IT system infrastructure that encompasses the entire value chain and is tackling the transformation of our business style and the creation of new solutions, making full use of digital technologies. By doing so, we seek to not only improve the efficiency of work but also strengthen our provision of value to society and to customers.

We have promoted the digitalization of business by actively incorporating IT in our operations, including streamlining sales activities through IT tools, using IT to enhance manufacturing control, and enhancing the efficiency of intellectual property management through AI.

In April 2020, we established a Digital Strategy Department as a dedicated department to advance such activities on a company-wide basis. In April 2023, we integrated systems subsidiary Toyobo Information System Create Co., Ltd. with this department to create the IT and DX Planning Department. This established a system that is capable of quickly responding to changes in the business environment, wielding digital technology as a competitive advantage. In accordance with our reorganized road map to achieve our vision for 2030, we will strengthen the group’s internal IT system infrastructure and advance digital transformation.

The IT and DX Planning Department has become a ”bridge” connecting digital and business, and has begun initiatives to implement organizational and business transformation across the entire company and across its businesses. All of our group companies will cooperate to increase the scope and degree of utilization of digitalization.

Status of major digitalization measures
  • Conducted company-wide cognitive activities for in-house DX
  • Planned and implemented the migration of legacy system adapted to DX
  • Developed DX human resources and strengthened promotion structure

Education and awareness-raising activities

As a part of our education and awareness-raising activities, we deliver the "Cyber Security Communication" every month to all employees at TOYOBO CO., LTD., TOYOBO MC Corporation, and TOYOBO STC CO., LTD. We also conduct testing of security comprehension twice a year to let employees self-check and reflect on their understanding of our education and awareness-raising activities.

In conjunction with Compliance Enhancement Month in FY2023, we conducted training for managers and disseminated information at all workplaces on the theme of information security, and conducted video-based education for all employees.

Information security measures

Cyber attacks are intensifying year by year, often targeting overseas sites and group companies. In response, we are working to raise the information security measures of our domestic and overseas affiliates to the same level as that of our headquarters, and to strengthen information security across the group. Specific measures include support for communication and improvement of policies and regulations, support for the introduction of education for employees and managers, implementation of targeted email attack drills, deployment and inspection of IT reinforcement measures, and continuous strengthening of our contact system for security and incident response.
We conduct biannual targeted email attack drills, varying the level of difficulty and subject matter each time, for all employees at TOYOBO CO., LTD., TOYOBO MC Corporation, TOYOBO TEXTILE CO.,LTD., and TOYOBO STC CO., LTD. To ensure the safety of customer information and our internal information, including confidential information, we continually assess new threats and take appropriate countermeasures, including strengthened monitoring of both IT and OT*, patching of vulnerabilities, and prevention of unauthorized intrusions.

  • IT (Information Technology), OT (Operational Technology)

Protection of information in outsourcing

When outsourcing information assets containing confidential information, the company has established outsourcing management rules for the following procedures: (1) evaluation and contracting of outsourcing partners; (2) monitoring of operations after the contract has been concluded; and (3) handling of information assets after the contract has been terminated.

When newly implementing operations to be outsourced (hereinafter referred to as "specified operations"), the department outsourcing the specified operations evaluates whether or not the candidate companies conform to the "outsourcer evaluation criteria" in accordance with these rules. After the selection, the department submits the 'outsourcer evaluation results' to the head of the information security department for approval. In addition, it is also stipulated that the implementation status of specified operations is to be regularly evaluated by the head of the information security department.

The “outsourcer evaluation criteria” are clearly stated in the “Information Security Policy”.

Initiative participation

Under the idea that we must address cyber attacks not only in our group companies and supply chains but across society as a whole, we engage in active information sharing in cooperation with the JPCERT Coordination Center and the Nippon CSIRT Association.

Business continuity plan (BCP)

Policy and approach

Toyobo group has drawn up a BCP focused on combining both “fulfillment of our responsibility to supply products as a manufacturer” and “coexistence with the global environment and society,” and we make continual improvements. The BCP clarifies the chronological sequence of the roles and functions of each department from when a crisis occurs, through to its resolution. It also contains specific details of preparations during normal times.

Structure

Our Risk Management Committee, chaired by the President, assesses and confirms serious risks facing our group and, in the event of an emergency, immediately establishes a task force under the direction of the responsible executive officer to swiftly contain the crisis through swift response.

Initiatives

Response to COVID-19

In addressing infectious diseases, our group places the highest priority on the safety and well-being of our employees and their families and makes the protection of society and the company our primary goal, under the conviction that doing so leads to business continuity.

Compared to the turmoil at the beginning of 2020, response methods and directions have become standardized to a certain extent, and we have made agile and flexible action our policy for responding to emerging infectious diseases.
So that the experience gained from our responses can be applied to future emergencies other than emerging infectious diseases, we have established a system to enable such response.

Moreover, through the activities of the Risk Management Committee, we will enhance our resilience with respect to crises and strengthen the continuity of our business.

< Ensuring employee safety >
  • Implemented robust infection prevention and control measures
< Maintaining continuity of plants and production activities >
  • Operation under BCP procedures
  • Flexible inventory and production adjustments

Response to natural disasters, etc.

In recent years, various areas have experienced significant damage from earthquakes, typhoons and sudden localized rainstorms. We have gained knowledge in the process of responding to these events, and aim to realize even more stable business continuity.

Each of our main business sites have formulated a BCP, which is reviewed at irregular intervals. We recognize that a pressing issue is a company-wide BCP review in light of the recent increasing complexity and diversification of risks.

In terms of our emergency response, we have established an emergency response process in “Risk Management and Disaster Prevention, etc.,” a company-wide regulation, as well as setting out the systems for verifying damage and communication and the people with overall command, and structures and roles for carrying out recovery work. We have also established work procedures for recovery and the order of priority for recovery work after a disaster. In addition, we have introduced a safety confirmation system for employees and their families.

Buildings at our plants and business sites comply with the Act on Promotion of Seismic Retrofitting of Buildings. We also check hazard maps for the locations of our production plants, and each business site has formulated response procedures for the disaster risks (flooding, landslides, etc.). As part of our BCP, we strive to identify and manage risk throughout the supply chain. For procurement, we are looking to procure raw materials from multiple countries and regions, and for logistics, we are establishing alternative transportation means and routes in collaboration with logistics operators.