Risk Management
Basic Approach
Basic Approach to Risk Management
With the aim of maintaining and enhancing corporate value, the Group manages risk by appropriately identifying various risks associated with our business activities and mitigating the damages and losses through appropriate crisis management if any risks materialize.
Policy
Risk Management Basic Policy
- 1.We manage risk while paying attention to trends in financial conditions and business environments.
- 2.We manage risk in accordance with the relevant laws and regulations and from the perspective of Nabtesco Group’s social responsibilities, while also striving to disclose information promptly to minimize the impact and losses attributable to incidents that have occurred.
- 3.We validate concrete risk management processes after the occurrence of incidents and strive to prevent their recurrence.
System
Risk Management Systems
We have systems in place to ensure that profits, losses, asset efficiency, quality and disasters, among other matters, are reported to the Board of Directors properly and in a timely manner with respect to the execution of duties. By leveraging these systems, we strive for the early identification of risks and the minimization of losses. Under the oversight of the Board of Directors, we have established the Risk Management Committee under the direct supervision of the CEO, who has ultimate responsibility for risks. The committee members are appointed by the CEO, and the chairperson is responsible for the structure and implementation of company-wide risk management. The Chairperson of the Risk Management Committee (Managing Executive Officer) consults and coordinates with the members of the Management Materiality Committee, Quality & PL Committee, Environment, and Safety and Health Committee, and Information Security Committee, as required, and provides reports at management meetings such as Executive Officers Committee attended by CEO and Board of Directors meetings regarding the risk management initiatives periodically (approximately twice a year).
Administrative organizations of the Committees
- Management Materiality Committee (administrative organization: Corporate Planning Dept.)
- Risk Management Committee (administrative organization: Legal & Compliance Dept.)
- Quality & PL Committee (administrative organization: Quality Promotion Dept.)
- Environment, Safety and Health Committee (administrative organization: Environment & Safety Dept.)
- Information Security Committee (administrative organization: Information Systems Dept.)
Measures
Risk Management Methods
First line of defense
At each in-house company and Group company, the head of the organization is responsible for risk management. Under the supervision of the risk management manager, the department and personnel in charge are responsible for risk management related to their business activities. Once a year, in-house companies and Group companies identify and evaluate the risks that may be assumed in the execution of the businesses under their jurisdiction, and they formulate and implement countermeasures to prevent materialization of the identified risks.
Second line of defense
The Corporate Department, which is in charge of handling various risks, manages the risks under its control based on its expertise in the division's area of responsibility, and supports the risk management of in-house companies and Group companies.
In addition, the Risk Management Committee, which reports directly to the CEO and is chaired by the Managing Executive Officer, meets at least twice a year. As a cross-company organization, the Committee first identifies and reviews company-wide major risks based on the results of risk assessments conducted by corporate divisions, in-house companies, and Group companies. Next, the Committee deliberates countermeasures for major risks and directs the implementation of countermeasures. After risk countermeasures have been implemented, the Committee evaluates them and conducts follow-ups appropriately.
In identifying major risks, each risk item affecting business activities is evaluated in terms of its occurrence frequency and impact, and the potential causes of its occurrence are analyzed. Then, after prioritizing risk responses and confirming the level of risk tolerance, we formulate risk response methods and implement them after deliberating the proposed countermeasures. Our risk assessment is conducted in the following order: (1) risk analysis, (2) risk assessment, and (3) risk judgment. In risk analysis, each risk is analyzed in terms of its severity with five levels of occurrence frequency and four levels of impact. Based on the results obtained from such risk analysis, a score is assigned to determine the risk level and countermeasure level from among four levels.
Third line of defense
Our internal audit department, the Business Audit Department, is independent and conducts first and second line internal audits annually. The Business Audit Department investigates and evaluates the statuses of operational risk management, overall business processes, and asset management to ensure that they are being conducted properly. The results are compiled into an audit report, and follow-ups are conducted on the improvement statuses of items that have been pointed out and items for which improvement has been requested. Audit reports and follow-up reports are submitted directly to regular operational audit report meetings attended by the representative director, full-time corporate auditors, and some executive officers, and the contents of each report are posted to the audit report database for dissemination to all directors and corporate auditors, including those outside the company. In addition, the Internal Audit Department regularly reports on operations at Board of Directors meetings.
As a company with a board of auditors, Nabtesco's board of auditors, which consists of internal auditors and external auditors, is responsible for auditing the operations of the board of directors. By monitoring and providing opinions on the execution of duties, including risk management, from an independent and objective standpoint, we ensure management transparency.
Risk Management Cycle
Principal Risks
The following lists principal risks that are deemed to have potential impacts on the Group’s business performance and financial position.
- 1.Risks relevant to the economy and markets
- 2.Risks relevant to overseas operations
- 3.Risks relevant to large-scale disasters
- 4.Risks relevant to exchange rate fluctuations
- 5.Risks relevant to procurement
- 6.Risks relevant to product quality
- 7.Risks relevant to competition
- 8.Risks relevant to information security
- 9.Risks relevant to intellectual property
- 10.Risks relevant to laws, ordinances and regulations
- 11.Risks relevant to environment
- 12.Risks relevant to corporate acquisition etc.
- 13.Risks relevant to impairment loss of fixed assets
- 14.Risks relevant to secure human resources
Risk Appetite
Through the Group Regulations on Responsibility and Authority, Nabtesco clearly defines the processes and responsible persons involved in the decision-making and business execution of the Nabtesco Group.
Risk appetite (Risk tolerance) is included in the above process, and it is determined by the final responsible party based on the degree of impact on the company after consultation with the responsible department.
The following are some of the serious risks that have been identified and the measures taken to address them:
Serious risk | Risk priority *1 |
Freq. *2 |
Impact *3 |
Effects on the Group | Risk tolerance *4 |
Measures | Link | |
---|---|---|---|---|---|---|---|---|
Overseas business development |
Geopolitical risks | ★ | C | C |
|
Medium to high |
|
|
Environment | Climate change |
★ | C | B |
|
Low to medium |
|
|
Work-related accident | Occupational health and safety risk | ★★ | A | C |
|
Low |
|
|
Product quality | Quality risk | ★★ | C | B |
|
Low |
|
-
*1
Risk priority: Risks are prioritized based on the following criteria.
- ★★★ : Measures need to be implemented promptly.
- ★★ : Measures need to be implemented as appropriate.
- ★ : Measures need to be implemented on a continual basis.
- *2 Occurrence frequency: A (extremely high), B (high), C (medium), D (low), E (almost never occurs)
- *3 Degree of impact: A (extreme), B (large), C (medium), D (small)
-
*4
Risk tolerance: The identified risks are categorized into the following risk tolerance levels.
- Low: Should not be tolerated.
- Medium: Should be tolerated as necessary, in consideration of the benefits and merits.
- High: Should be tolerated proactively for the creation of opportunities, while implementing countermeasures as necessary.
Emerging Risks
For “emerging risks” caused by changes in the external environment and other factors, we conduct regular reviews to check and manage their impact on our business. Typical emerging risks include the following:
Emerging risks | Risks related to securing human resources (Risk of shortage of human resources in the manufacturing industry due to population decline) |
Risks related to information security (Cyber attack risk) |
---|---|---|
Description of risks |
The Group has identified the shortage of human resources in the machinery manufacturing industry due to Japan's declining and aging population as an emerging risk. The Group maintains a high market share in niche machine parts and components by hiring and training a wide range of talented individuals in manufacturing, development, sales, and other specialized fields. The manufacture of Nabtesco's machine parts requires a high level of expertise in turning, machining, and assembly, and it takes time to become established and skilled in the field. These are the main factors that are increasing the risk of difficulties in securing and training sufficient human resources, most notably a young workforce. |
Through its business activities, the Group may obtain the personal information and/or confidential information of its customers and business partners, and also possesses confidential business and technical information. However cyber-attacks against companies and public institutions are becoming more sophisticated worldwide, and we are required to respond to higher level of risk by strengthening our defense system and information leakage protection. |
Potential impacts on business | The human resource shortage in Japan is directly related to the shortage of personnel at our mother factories in Japan as well as the shortage of specialists to continue to develop our special technologies and inspect our products. From a medium- to long-term perspective, this could reduce productivity and the pace of technological innovation, leading to a decline in competitiveness, which could affect the Group's performance and financial position. | There is a risk that cyber-attacks, which are complex and spreading worldwide, may result in the leakage of the above information, destruction or falsification of important data, or shutdown of systems and other equipment. In addition, the Group produces products used in public infrastructure and by public institutions, such as those in the railroad vehicle equipment business, those in the aviation equipment business, and railroad station platform doors, which may have an impact that compromises public safety. We recognize that this risk may become apparent in the medium to long term if cyber attacks become more common. |
Risk reduction measures |
The Group actively hires foreign nationals and elderly employees (rehiring after retirement) not only because of the shortage of human resources but also from the perspective of diversity. In addition, we minimize the business impacts of risks by adopting the following two main measures.
One is enhancement of our technical training program. All new hires in the engineering field undergo Basic Technical Training for three years. After that, they are assigned to divisions to learn more about specialized technologies as well as company-wide cross-functional technologies, which leads to innovation. The other is to promote the introduction of process innovation, which is a way to reduce labor by automating factory production lines through the use of AI. In addition, we aim to stabilize quality by automating product inspections and visual inspections by having AI memorize the work content, check items, and judgment criteria of skilled workers, and by layering in machine learning, regardless of who is doing the work. |
To minimize the impacts of cyber attack risks, Nabtesco has taken the following measures.
1) Information security incident response We have established standards for responding to information security incidents and have a dedicated incident response team (CSIRT). This CSIRT works both to prevent the spread of damage caused by incidents and to quickly restore operations. We also conduct incident response verifications at least twice a year. 2) Maintenance of various basic management regulations The Nabtesco Group has established and manages various regulations, including the Basic Rules for Information Management, the Information Security Management Standards, and the Information Security Incident Response Standards. 3) Information security education To raise awareness of information security, we conduct annual Information Security Training for all employees. In addition, new employees and mid-career hires are required to take information security training upon joining the company. The training content is updated annually to reflect the latest trends in information security in a timely manner. |
Activities to Reduce Risk
Our group offers various products such as aircraft flight control actuation systems, brake components for railroad vehicles, remote control systems for marine vessels, platform doors for railroad stations, and automatic doors for buildings. Due to the very nature of these products, they pose serious risks to human life in the event of a malfunction-related worst-case scenario. Therefore, we prioritize safety and take proactive measures to prevent product accidents, earning high recognition for the reliability of our products. This high level of risk awareness is not something that can be achieved overnight. Every day, our directors and employees hone their risk sensitivity and work to establish a culture of risk reduction through activities such as the following.
Training on risks throughout the organization
The Group utilizes group training, e-learning, and other methods divided by rank and theme to foster compliance awareness, including risk awareness, among directors and employees (including contract employees, temporary employees, part-time employees, and trainees). Each year, we conduct a variety of training programs for all employees, including compliance training that contains risk management and information security training.
Regular training for internal and external directors as well as internal and external auditors
Once a year, we conduct training about the organization, our business, and finances as well as rules related to roles and responsibilities, legal responsibilities, compliance, and general risk management.
Incorporation of risk criteria when developing products and services
At Nabtesco, the business side and the Technology Division consider various risk factors for products and widely solicit opinions from related departments beyond the business side regarding the approval process, input resources, schedules, and other matters pertinent to clarifying development specifications. Risk assessments are conducted at each development stage from both qualitative and quantitative perspectives, and risk criteria are set separately per product group. To eliminate various risks, we also conduct environmental assessments for environmental conservation and chemical substances.
Financial incentives which incorporate risk management metrics
Nabtesco has introduced ROIC as an indicator that incorporates a risk management perspective, and the degree of improvement in this indicator is reflected in the compensation of directors (excluding outside directors). Compensation is based on the degree of improvement. All directors are aware of the cost of capital and dividend payout ratio, and they are committed to reducing the Group's risk and promoting management based on an awareness of sustainable growth.
Crisis Management (In the Event of Emergency)
If a serious incident has a significant impact on the Group’s business activities, such as their termination or suspension, the department in charge of the risk reports to the CEO and related departments without delay. The CEO reports to the Board of Directors and Audit & Supervisory Board promptly, establishes an emergency response headquarters and takes command of risk management.
The emergency response headquarters, which will be headed by the CEO as the General Manager, deals with the incident quickly and works to solve it while at the same time reporting to the Board of Directors on the matter, including on countermeasures taken to address the issue.
The Emergency Response Division
Senior General Manager | CEO |
---|---|
Deputy Senior General Manager | President of a responsible In-house and Group company, Officer in charge of relevant corporate department or General Manager |
Members | Staff of responsible In-house and Group companies and of corporate departments |
Administrative organization | Departments in charge of relevant risks, and if necessary, relevant departments of responsible In-house and Group companies and relevant teams of responsible corporate departments. |
Serious Incident Reporting Route
Specific matters that cause losses for the Group are defined as incidents. We seek to minimize the impact of incidents through the reporting and sharing of information on these incidents through a series of regular meetings.
Reports on the occurrence, details, and causes of incidents as well as measures to address them and the losses incurred, among other things, are provided to the administrative organizations, the Executive Officers Committee and the Board of Directors. By doing so, we share information on the measures to reduce the occurrence of incidents.
Incident Reporting Route