Risk Management

Policy and Basic Approach

Sojitz Group aims to ensure sound management practices and increase its corporate value. To realize these aims, Sojitz identifies and categorizes risks that may occur under the performance of duties with the potential to result in unexpected losses or damages to Sojitz Group’s net assets. Additionally, Sojitz carefully assesses risks associated with new business ventures or accompanying changes in the business environment, and the company has established the necessary risk management systems to address these risks and manages these systems appropriately.

Systems and Initiatives

In compliance with the General Standards of Risk Management, Sojitz has established the Internal Control Committee as an organization for supervising Group-wide risk management. The Internal Control Committee is an executing body under the supervision of the president & CEO. The committee identifies, categorizes, and defines the potential risks associated with Sojitz’s business activities and conducts ongoing reviews of the risks associated with new business ventures or accompanying changes in the business environment. Risks are first subdivided into categories in order to gain a comprehensive and thorough understanding of each type. Risk managers are then assigned for each risk type. These risk managers establish risk management policies and plans at the beginning of each fiscal year and implement PDCA cycles based on these plans. The Internal Control Committee conducts quarterly monitoring of the progress of risk management plans, discussing strategies for improvement and issuing directives to organizations in charge of risk management as necessary. Monitoring results are reported quarterly to the Management Committee and Board of Directors. The Board of Directors supervises Sojitz’s risk management operations through discussion of important risk management-related issues and through regular reports, and conducts evaluations of the effectiveness of Sojitz’s risk management systems and processes. Any new risks that are identified mid-quarter are also subject to the same monitoring processes.

Sojitz Group uses an evaluation process to regularly review the major risks facing the Group and has currently identified 12 major risk types. For major risk categories, Sojitz has established a range of organizations that deliberate regarding the unique characteristics of each risk type and implement concrete risk prevention measures at a cross-organizational level. These organizations include 1) internal committees that act as executing bodies under the supervision of the president & CEO to oversee key management issues and 2) working groups formed to review practices and initiatives under a specific theme.

The 12 Major Risk Types and Sojitz Internal Committees

Market risks (foreign exchange rates, interest rates, commodity prices, listed securities prices)
Credit risks
Business investment risks
Country risks
Funding risks
Environmental and social (human rights) risks
Compliance risks
Legal risks
System and information security risks
Disaster risks
Risks related to sharing company information via the corporate website and social media accounts
Quality management risks

Current as of June 20, 2023

Committee	Chairperson
Internal Control Committee	Representative Director, Senior Managing Executive Officer Executive Management of Corporate Departments
Compliance Committee	Managing Executive Officer, CCO, CISO COO, Legal Department, Internal Control Administration Department
Sustainability Committee	President & CEO
Security Trade Control Committee	Executive Vice President Advisor to the President Executive Management of Business Group (Automotive, Aerospace & Transportation Project, Infrastructure & Healthcare), and East Asia region
DX Promotion Committee	President & CEO
Quality Management Committee	Managing Executive Officer COO, Retail & Consumer Service Division
Information and IT System Security Committee	Managing Executive Officer, CCO, CISO COO, Legal Department, Internal Control Administration Department
Business Continuity Management Working Group	Managing Executive Officer COO, Human Resources Department
Disclosure Working Group	Executive Officer COO, IR Office, Corporate Sustainability Department

Initiatives

Sojitz’s basic internal control framework comprises three lines of defense (first line: business divisions; second line: corporate departments; third line: internal audits). Under Medium-term Management Plan 2023, Sojitz seeks to augment the risk management capabilities of the first and second lines while bolstering its capacity to respond to the risks that might emerge due to entry into new business fields.

Specifically, Sojitz provides trainings and e-learning course for business division managers—the employees that directly oversee business management and make up the front line of defense—in order to raise their awareness and understanding of risk management issues. Sojitz also requires each Group organization to conduct self-assessments of its key risk factors in order to instill an awareness of the importance of risk management in all employees. Sojitz is working to strengthen its risk management framework in light of new risks associated with cybersecurity, security trade controls, and B2B business that are emerging due to recent changes in the business environment and Sojitz’s expansion into new business fields.

Status of Response to the 12 Major Risk Types

Risk type	Status of response

Market risks (Risk measurement in progress)	・Sojitz is enhancing its capacities for responding to market risks in light of the possibility of increases to procurement costs and the inability to secure the necessary quantities of items due to factors such as Russia’s invasion of Ukraine. ・For products, Sojitz manages its position by setting (long and short) position limits and stop-loss levels for all products and organizations. Should a loss reach the stop-loss level (90%), swift action will be taken to eliminate the position in order to prevent further losses. ・For interest and foreign exchange rates, steps are taken to minimize market risks through such means as matching assets and liabilities and hedging with forward exchange contracts and interest rate swaps.
Credit risks (Risk measurement in progress)	・Credit risks are controlled based on credit ratings assigned to all business partners through objective methodologies. The amount of credit extended to a given partner is contained within a defined credit limit set in accordance with their credit rating. ・Sojitz uses a system for assessing receivables to identify customers for inquiry from among those customers with business receivables, based on certain standards; regularly monitors credit risks and safeguards; and estimates the necessary provisions for doubtful accounts for individual receivables based on rigorous standards.
Business investment risks (Risk measurement in progress)	・For new investments, the investment purpose is clearly defined and business plan assumptions and feasibility are carefully assessed. Investment projects are selected based on hurdle rates set using internal rate of return (IRR) with emphasis based on the ability to acquire profits or functions commensurate with risk and defined withdrawal standards. ・The status of previously executed business investments is confirmed regularly based on conditions for monitoring and withdrawal that look at factors such as progress toward goals, changes in the operating environment or plan assumptions, and return on invested capital and cash return on invested capital. When a project meets conditions for monitoring and withdrawal, decisions on how to respond are made by examining options including swift withdrawal and resource reallocation.
Country risks (Risk measurement in progress)	・Sojitz assigns country risk ratings and sets net exposure limits to avoid concentrated exposure to any single country or region. ・ In countries that pose substantial country risk, Sojitz hedges against country risk on a transaction-by-transaction basis, through such means as purchasing trade insurance.
Funding risks	・Sojitz ensures ensures stable funding by maintaining good business relationships with financial institutions and by keeping the long-term debt ratio at a specified level. ・To provide additional on-hand liquidity and heighten funding flexibility, Sojitz maintains long-term commitment lines (denominated in yen and in foreign currency).
Environmental and social (human rights) risks	・Sojitz has defined its Sustainability Challenge long-term vision for 2050 as well as decarbonization policies in relation to its Key Sustainability Issues (Materiality). The Sustainability Committee monitors progress with regard to these objectives. In addition, scenario analyses are performed based on the final recommendations of the Task Force on Climate-related Financial Disclosures. Meanwhile, the Finance & Investment Deliberation Council confirms environmental risks, social risks, and other risks related to sustainability when deliberating on potential finance and investment projects. ・Decarbonization risks related to climate change are controlled based on analysis of domestic and overseas government policy and regulatory trends, CO2 emissions from across the supply chain (Scope 3), and the potential impacts on the Group’s business. In addition, scenario analyses are performed in accordance with the final recommendations of the Task Force on Climate-related Financial Disclosures. For supply chain human rights risks, two-way communication is practiced with Group companies with the aim of maintaining an understanding of potential issues. Steps are taken to confirm and address any risks presented by business partners in business areas deemed to have high environmental or social risks. In addition, the advice of external specialists is sought to identify areas in need of improvement in order to pursue ongoing enhancements to risk management through the implementation of a PDCA cycle.
Compliance and legal risks	・Sojitz has formulated a compliance program and has established the Sojitz Group Code of Conduct and Ethics. The Compliance Committee promotes rigorous regulatory compliance on a Groupwide basis. ・The Security Trade Control Committee is a central proponent in the implementation of systems for security trade control initiatives. ・Measures are in place to monitor the taxation-related procedures of Group companies and to strengthen taxation governance.
System and information security risks	・Sojitz has prescribed regulations and established oversight entities, mainly the Information and IT System Security Committee, which is chaired by the chief information security officer (CISO), pertaining to the appropriate protection and management of information assets. ・Sojitz has implemented safeguards, such as installation of backup hardware, to protect against failure of key information systems and network infrastructure. Additionally, Sojitz is strengthening its safeguards against information leaks through such means as installing firewalls and taking other steps to prevent unauthorized access by outsiders, implementing sophisticated malware countermeasures at endpoint terminals, and utilizing encryption technologies.
Disaster risks	・The Business Continuity Management Working Group formulates action plans for addressing disaster risks and monitors the progress of these plans. In addition, disaster and infectious disease response manuals and business continuity plans have been established, systems for confirming the safety of employees in the event of a disaster have been installed, and crisis management drills are conducted.
Risks related to sharing company information via the corporate website and social media accounts	・Sojitz strives to develop measures to protect against system vulnerabilities to the greatest extent possible within reason in order to address the risk of alteration of information provided via the websites or the social media accounts of the Company or Group companies or of leakages of personal information due to such vulnerabilities. In addition, usage agreements and guidelines are put in place by Group companies to address the risk of criticism or claims or infringement of copyrights, trademarks, or rights of likeness stemming from use of websites or social media accounts. The status of risk response is monitored by the head office.
Quality management risks	・ Sojitz has begun addressing quality management risks as a priority area given the importance of these risks from the perspective of responsibility toward customers as well as Sojitz Group’s supply chains. ・The Quality Management Committee, which was established in April 2021, is spearheading efforts to categorize the products and services sold and supplied by Sojitz Group based on quality in order to develop organizational know-how regarding cross-organizational monitoring and quality issue response.

Measuring and Controlling Risk

In order to manage risk with a dual focus on both safety and profit opportunity, Sojitz measures risk assets within the following four risk types: market risk, business investment risk, credit risk, and country risk. The goals of risk measurement are to 1) manage quantified risk assets in order to keep them within the scope of the company’s strength (total equity), and 2) maximize earnings in line with the level of risk exposure. Risk assets are measured twice yearly and reported to the Board of Directors and the Management Committee. Each business department receives feedback on analysis conducted for factors affecting risk levels, and the business departments utilize the results of these analyses in their ongoing risk management efforts. Sojitz Group’s objective for risk control is to keep the ratio of risk assets to total equity at or below 1.0. Sojitz has maintained this goal ratio since the fiscal year ended March 2010.

Transformation of Risk Management

The risks Sojitz faces are growing increasingly more diverse. This is true for geopolitical risks as well as risks related to natural disasters, abnormal weather events, human rights, environment, and quality management. At the same time, Sojitz’s supply chain continues to grow as the company creates new businesses through market-oriented initiatives. Appropriately managing the ever-more diverse range of risks and fulfilling Sojitz’s responsibility toward customers and society will require an approach toward risk management that encompasses the entire value chain. To respond to the changing risk management landscape, Sojitz reorganized its trading and risk management organizations in April 2022 and established the Supply Chain Risk Management Department and the General Risk Management Department.

The Supply Chain Risk Management Department possesses frameworks for flexible response to the sudden materialization of risks by swiftly measuring the quantitative impact of the given risk event. For example, when Russia’s invasion of Ukraine disrupted supply chains, the department was able to take an organization-wide response by coordinating with business divisions to secure alternative supply routes. The Supply Chain Risk Management Department will continue working to enhance responsiveness to various risks and increase company resilience going forward.

The General Risk Management Department is responsible for aspects of risk management like pre-investment risk screening, post-investment monitoring, provision of advice related to underperforming projects, and country risk and risk asset assessments. The results of these and other assessments are regularly reported to the Board of Directors and the Management Committee, and the department shapes its measures based on the discussion by these bodies. The General Risk Management Department also functions as the secretariat for the Quality Management Committee. By developing monitoring frameworks for high-risk areas, the department engages in discussions on how to improve frontline responsiveness and heighten Sojitz Group’s resilience.

Installation of Frontline Risk Management

Enhancing the risk management functions of Sojitz’s business divisions is imperative to ensuring the company can act with the level of speed necessary to address the diversifying values seen in the evolving operating environment. In April 2022, Sojitz reorganized its risk management organizations to allow for more rigorous screening and operation of investment projects, reforms of portfolios and earnings structures, and enhancement of frontline risk management and monitoring structures. In this reorganization, parts of controller office functions were transferred to the planning and administration offices of business divisions.

Investment and Loan Proposals

When considering new investment and loan projects, Sojitz implements a system for reviewing whether a proposed project aligns with company policies through a process that involves identifying factors including: 1) the project’s vision and its path for improving corporate value, 2) the growth potential of the business field in question, and 3) the functions and competitiveness of both Sojitz and the business within that field. This process also involves eliminating projects that do not align with Sojitz policies and which would entail taking on excessive risks in unfamiliar business areas.

Following this review process, projects that are found to be in line with company policies are presented to the Finance & Investment Deliberation Council, a body which consists of a chairman and council members appointed by the president. This council analyzes the feasibility of each project’s business plan and visualizes risks in order to reach a decision on investment. Specifically, the council closely examines the cash flow plan and other details of the business plan, evaluates business feasibility, and compares the internal rate of return (IRR) and hurdle rate for each proposal in order to select only those projects which have the potential to enhance Sojitz Group shareholder value while also generating returns commensurate with risk.

After an investment is completed, Sojitz carries out a thorough post-merger integration (PMI) process in order establish a business management structure at the operating company that meets Sojitz Group standards at an early stage. Sojitz implements measures for adding value as it seeks to enhance the overall business value of the investment.

In order to ensure the success of all investment and loan projects, Sojitz has created guidelines for monitoring the progress of business plans, which ensures that business plans contain appropriate KPIs and action plans. Sojitz has also established frameworks which facilitate a flexible response in the event that a risk scenario occurs.

In the event that Sojitz is unable to add new value and the operating company performs poorly, Sojitz acts in accordance with the Standards for Monitoring and Withdrawal (Sojitz Group General Standards of Risk Management). Sojitz implements an ongoing asset replacement strategy and, in principle, withdraws from businesses for which ROIC and CROIC do not exceed the cost of capital.

Risk Management Training

Sojitz’s vision for 2030 under Medium-term Management Plan 2023 is to become a company that constantly cultivates new businesses and human capital. In order to achieve this goal, it is essential that Sojitz not only encourages employees to take on new challenges, but also instills in them the risk management skills and mindset needed to conduct business successfully. In addition to general trainings held by the Human Resources Department, the General Risk Management Department and Supply Chain Risk Management Department provide trainings on risk management.

These departments offer an extensive range of trainings in order to comprehensively cover all major risk types. Courses include a required training to ensure employee understanding and adherence with company risk management rules and trainings for junior and mid-level employees. An advanced course on business investment is also offered which focuses on methods for anticipating risk and creating businesses capable of generating stable earnings. In addition to group and on-one-one trainings, Sojitz also offers e-learning courses that can be completely independently which delve deeper into the specific types of work that employees perform.

The risks that trading companies face are constantly evolving. Sojitz therefore reviews and updates the content of its training materials as needed and strives to provide employees with the tools needed to respond to evolving and newly emerging risks.

Addressing Information Security Risk

Policy and Basic Approach

Sojitz has established Information Management Regulations, Sojitz IT Security Policy and other regulations regarding information management and information security measures. Sojitz Group seeks to create an integrated system of information security risk countermeasures and works to ensure that all Group employees appropriately use, manage, and maintain IT assets.

Systems

Sojitz has established the Information and IT System Security Committee, an organization chaired by the Managing Executive Officer, CCO, and CISO. The Information and IT System Security Committee creates Sojitz’s system for managing information security throughout Sojitz Group, deliberates on a wide range of information security-related issues, and makes proposals to management. The committee also monitors adherence to all information security-related regulations and in the event of a violation, centrally manages all relevant information, and ensures that there is a system in place for promptly addressing violations.

Initiatives

Addressing Information Leaks
Sojitz Group identifies high-priority information assets that require careful protection (clients’ personal information, etc.), and takes steps to secure this information, including limiting user access. In the event of an information leak, Sojitz has established a disclosure framework, incorporating outside parties, that ensures information is disclosed appropriately.

Addressing Cyberattack Threats
Sojitz is continuously working to strengthen its measures for preventing cyber attacks. These measures include the use of firewalls to prevent unauthorized system access by external parties, measures for stopping viruses that exploit system vulnerabilities, and technological measures such as the use of encryption technology. In addition, Sojitz has established a framework for the 24/7 operation and supervision of IT systems and strives to ensure that the company can promptly detect and address any cyber attacks that may occur.

Addressing Disaster Risks

Policy and Basic Approach

Sojitz recognizes the importance of maintaining business continuity and ensuring the safety of all Sojitz Group employees, families, and other affiliated parties in the event of a major disaster such as an earthquake, flood, terrorist attack, or pandemic. Sojitz has established the Sojitz Group Basic Crisis Management Policy, which defines Sojitz’s policies and framework for crisis management. Sojitz operates an active system for crisis management at all times in order to ensure that in the event of a disaster, it can maintain the safety of all Sojitz Group employees, families, and other affiliated parties.

Sojitz Group Basic Crisis Management Policy

1.Ensure the safety of employees and others (personal safety)
2.Ensure the safety of company assets and restart operations as soon as possible (stable supply of business services)
3.Support stakeholders and the local community (cooperation and mutual support)
4.Strengthen crisis response and raise crisis management awareness (regularly conduct trainings and drills)

Systems

In the event of a crisis, Sojitz has established internal systems and roles based on the Sojitz Group Basic Crisis Management Policy and the Sojitz Crisis Management Guidelines. Sojitz has also established the Business Continuity Management Working Group, an organization chaired by the Managing Executive Officer and Human Resources Department COO, which regularly reports to the Management Committee. The working group continuously reviews and implements improvements to all crisis-related measures in order to ensure their effectiveness and respond to changes in the business environment.

Initiatives

Business Continuity Management (BCM) Operations
In order to ensure the effectiveness of business continuity planning (BCP), Sojitz establishes a plan for year-round BCP activities and regularly reviews the plan. Sojitz conducts a range of BCP-related trainings including drills conducted by the Emergency Response Unit, first aid trainings for employees, and evacuation drills. (Trainings are conducted for two differing scenarios: a disaster occurring 1) during working hours and 2) at night on a non-workday.) In addition, Sojitz utilizes a reporting system to confirm the safety of all employees in the event of a disaster and also conducts reporting drills using this system.

Disaster Preparedness and Mitigation
Sojitz has taken steps to ensure that its Tokyo headquarters can continue to perform its functions in the event of an earthquake in the Tokyo metropolitan area, through measures such as equipping its facilities with emergency power generators capable of providing 72 hours of electricity. Sojitz has also stockpiled five days’ worth of food for employees in the event that they are required to shelter at Sojitz offices. The Tokyo Metropolitan Government has recognized Sojitz as a model company for its efforts to prevent the mass movement of employees in the event of a natural disaster.