- Policy and Basic Approach
- Risk Measurement and Control
- Business Investment Proposals
- Risk Management Training
- Addressing Information Security Risk
- Addressing Disaster Risks
Sojitz Group aims to ensure sound management practices and increase its corporate value. To realize these aims, Sojitz identifies and categorizes risks that may occur in the performance of duties and that have the potential to result in unexpected losses or damages to Sojitz Group’s net assets. Additionally, Sojitz carefully assesses risks associated with new business ventures or accompanying changes in the business environment, and the company has established the necessary risk management systems to address these risks and manages these systems appropriately.
Sojitz has established the Internal Control Committee as an organization for supervising Group-wide risk management. The Internal Control Committee is an executing body under the supervision of the president & CEO and chaired by the CFO. The committee identifies potential risks associated with Sojitz’s business activities and reviews the risks associated with new business ventures or accompanying changes in the business environment. The Internal Control Committee ensures that Sojitz establishes the necessary risk monitoring systems for appropriately managing these risks, discusses strategies for improvement, and issues directives to the organizations in charge of risk management. The status of Sojitz’s risk management operations, efforts to improve risk management systems, and monitoring results are reported quarterly to the Management Committee and Board of Directors. The Board of Directors supervises Sojitz’s risk management operations through discussion of important risk management-related issues and through regular reports, and conducts evaluations of the effectiveness of Sojitz’s risk management systems and processes.
Sojitz Group uses an evaluation process to regularly review the major risks facing the Group and has currently identified 12 major risk types. Sojitz appoints risk managers for each risk type and these managers establish risk management policies and plans for addressing the unique characteristics of each risk type. Sojitz has established internal committees that act as executing bodies under the supervision of the president & CEO to oversee management issues that require collaboration across organizations, and each committee deliberates and executes risk countermeasures. In addition, Sojitz has established working groups that address specific themes from a cross-organizational perspective.
Major 12 Risks and Sojitz Internal Committees
- Market risks (foreign exchange rates, interest rates, commodity prices, listed securities prices)
- Credit risks
- Business investment risks
- Country risks
- Funding risks
- Environmental and social (human rights) risks
- Compliance risks
- Legal risks
- System and information security risks
- Disaster risks
- Risks related to sharing company information via the corporate website and social media accounts
- Quality management risks
|Internal Control Committee|Executive Vice President, CFO|
|Compliance Committee|Executive Officer, CCO|
|Sustainability Committee|President & CEO|
|Security Trade Control Committee|Executive Vice President|
|DX Promotion Committee|President & CEO|
|Quality Management Committee|Managing Executive Officer|
|Information and IT System Security Committee|Vice President, CISO|
|Business Continuity Management Working Group|Managing Executive Officer|
|Disclosure Working Group|Executive Officer|
In compliance with its Basic Code of Corporate Risk Management, Sojitz Group defines and categorizes risks and manages them according to the nature of each risk. For quantifiable risks (market risks, credit risks, business investment risks, and country risks), risk assets are measured on a quarterly basis. Difficult-to-quantify risks (funding risks, environmental and social (human rights) risks, compliance risks, legal risks, system and information security risks, disaster risks, risks related to sharing company information via the corporate website and social media accounts, and quality management risks) are managed in the same manner as quantifiable risks, with risk managers being appointed for each risk. These risk managers establish risk management policies and plans, and issue quarterly progress reports to the Internal Control Committee, the Management Committee, and the Board of Directors. In the event that a new risk is detected mid-quarter, risk managers assess the risk as well as the status of risk management systems and initiatives in order to verify the effectiveness of overall risk countermeasures.
Sojitz’s basic internal control policy comprises three lines of defense (first line: business divisions; second line: corporate departments; third line: internal audits). Under Medium-term Management Plan 2023, we seek to augment the risk management capabilities of the first and second lines while bolstering our capacity to respond to the risks that might emerge due to our entry into new business fields.
Specifically, risks with the potential to impact Sojitz Group are subdivided in order to track risks in a meticulous and comprehensive manner. The responsible corporate department is defined for each of the subdivided risk types, comprising the second line of defense. Each department uses an evaluation process to identify major risks and implements a PDCA cycle. Through this approach, Sojitz will strengthen its response toward quality and information management risks associated with business-to-consumer operations, which are expected to grow in the future, as well as toward the risks that may emerge in new business fields.
|Category||Status of response|
|Business investment risks||
|Environmental and social (human rights) risks||
|Compliance and legal risks||
|System and information security risks||
|Risks related to sharing company information via the corporate website and social media accounts||
|Quality management risks||
The goals of risk measurement are to 1) manage quantified risk assets within the scope of the company’s strength (total equity), and 2) maximize earnings in line with the level of risk exposure. Based on this thinking, Sojitz Group manages risks with a focus on both stability and profitability. Risk assets are measured quarterly and reported to the Board of Directors and the Management Committee. Each business department receives feedback on analysis conducted for factors affecting risk levels, and the business departments utilize the results of these analyses in their ongoing risk management efforts. Sojitz Group’s objective for risk control is to keep the ratio of risk assets to total equity at or below 1.0. Sojitz has maintained this goal ratio since the fiscal year ended March 2010.
Amid the current spread of COVID-19, governments around the world are taking steps to minimize the impact of the pandemic on their economies through vaccine rollouts and other ongoing government financing and financial measures. However, the current conditions are expected to continue over the long term. In this constantly changing operating environment, Sojitz Group is implementing appropriate risk management measures. For example, risk assets are calculated by factoring stress into stock price and exchange rate volatility and country credit ratings, and the ratio of risk assets to total equity is monitored to ensure that the ratio remains at 1.0 or below, even under stress conditions. In addition, as a countermeasure to tail risk, Sojitz creates stress scenarios for its core businesses in order to analyze the potential impacts that stress conditions may have on its business portfolio.
Business investment proposals are deliberated by the Finance & Investment Deliberation Council, which consists of a chairman and members appointed by the president & CEO. In order to visualize risks and facilitate deliberation, the council examines downside scenarios as well as expected scenarios, and decides whether or not Sojitz should invest in projects. More specifically, the council assesses the feasibility of the overall business plan, including the cash flow plan, and sets internal rate of return (IRR) hurdles in order to select projects that can be expected to increase Sojitz Group’s shareholder value and produce returns commensurate with the risks. Each corporate department deliberates proposals in advance from its respective specialized viewpoint.
More than ever before, Sojitz seeks to maximize “two types of value”—that is, “value for Sojitz” and “value for society”—in its management of operating companies after investment. Sojitz aims to enhance the value of its businesses by increasing competitiveness and profitability. For ongoing investment projects, Sojitz carefully manages business processes, including through assessments of commercial viability and profitability, while also paying attention to changes in the external environment. Sojitz considers all of these factors as it determines whether to continue with each business. Sojitz sets exit rules and implements a monitoring system in order to identify problems in ongoing investment projects early on, improve shareholder value, and minimize losses upon withdrawal or reorganization. Sojitz relies on these criteria as it determines whether to continue with or withdraw from an investment, primarily for businesses that do not generate a return that exceeds the cost of capital.
Establishing rules alone is not sufficient to enhance company-wide risk management competence; all employees throughout the company must have risk management capabilities. In addition to e-learning courses and other training to familiarize employees with company rules, Sojitz provides a wide range of risk-related training. Training topics include case studies on past risk-related incidents, preventing and mitigating country risks, and preventing and mitigating transactions with inherent market risks such as inventory transactions. Training is provided for employees at various levels, including junior employees and management-level staff. Training is based on the knowledge and on-the-job experience of employees directly involved in daily operations. Sojitz also regularly holds workshops with external specialists on topics such as political and economic conditions to foster employees’ ability to respond flexibly to changes in the business environment. In addition, Sojitz takes steps to further instill risk management capabilities throughout the company by bringing staff from business divisions and overseas operating bases into risk management organizations, and through other personnel exchanges between risk management organizations at Sojitz’s Tokyo headquarters and Group companies.
Policy and Basic Approach
Sojitz has established Information Management Regulations, Sojitz IT Security Policy and other regulations regarding information management and information security measures. Sojitz Group seeks to create an integrated system of information security risk countermeasures and works to ensure that all Group employees appropriately use, manage, and maintain IT assets.
Sojitz has established the Information and IT System Security Committee, an organization chaired by the CISO. The Information and IT System Security Committee creates Sojitz’s system for managing information security throughout Sojitz Group, deliberates on a wide range of information security-related issues, and makes proposals to management. The committee also monitors adherence to all information security-related regulations and, in the event of a violation, centrally manages all relevant information and ensures that there is a system in place for promptly addressing violations.
Addressing Information Leaks
Sojitz Group identifies high-priority information assets that require careful protection (clients’ personal information, etc.), and takes steps to secure this information, including limiting user access. In the event of an information leak, Sojitz has established a disclosure framework, incorporating outside parties, that ensures information is disclosed appropriately.
Addressing Cyber Attack Threats
Sojitz is continuously working to strengthen its measures for preventing cyber attacks. These measures include the use of firewalls to prevent unauthorized system access by external parties, measures for stopping viruses that exploit system vulnerabilities, and technological measures such as the use of encryption technology. In addition, Sojitz has established a framework for the 24/7 operation and supervision of IT systems and strives to ensure that the company can promptly detect and address any cyber attacks that may occur.
Policy and Basic Approach
Sojitz recognizes the importance of maintaining business continuity and ensuring the safety of all Sojitz Group employees, families, and other affiliated parties in the event of a major disaster such as an earthquake, flood, terrorist attack, or pandemic. Sojitz has established the Sojitz Group Basic Crisis Management Policy, which defines Sojitz’s policies and framework for crisis management. Sojitz operates an active system for crisis management at all times in order to ensure that in the event of a disaster, it can maintain the safety of all Sojitz Group employees, families, and other affiliated parties.
Sojitz Group Basic Crisis Management Policy
- Ensure the safety of employees and others (personal safety)
- Ensure the safety of company assets and restart operations as soon as possible (stable supply of business services)
- Support stakeholders and the local community (cooperation and mutual support)
- Strengthen crisis response and raise crisis management awareness (regularly conduct trainings and drills)
In the event of a crisis, Sojitz has established internal systems and roles based on the Sojitz Group Basic Crisis Management Policy and the Sojitz Crisis Management Guidelines. Sojitz has also established the Business Continuity Management Working Group, which regularly reports to the Management Committee. The working group continuously reviews and implements improvements to all crisis-related measures in order to ensure their effectiveness and respond to changes in the business environment.
Business Continuity Management (BCM) Operations
In order to ensure the effectiveness of business continuity planning (BCP), Sojitz establishes a plan for year-round BCP activities and regularly reviews the plan. For an earthquake directly under the Tokyo metropolitan area (approximately magnitude 7), which is expected to have the greatest impact on all of Sojitz’s organizations, we have established scenarios of damage and impact on major social infrastructure (rail, power, communications, etc.) and the building environment based on the damage conditions predicted by the Japanese government’s Central Disaster Management Council and on other factors. Based on these scenarios, members of the Disaster Task Force regularly conduct drills of an earthquake occurring during business hours and during holiday and nighttime hours.
Scenarios of Damage to Major Infrastructure:
- JR and private railways go out of service for a month, and subways go out of service for a week
- We strive to keep employees within the workplace for three days during an emergency in accordance with Tokyo Metropolitan Government ordinances
- Widespread power outages in the Tokyo metropolitan area continue for one week
- Telephone outages continue for one week
We also utilize a safety confirmation system to conduct announcement drills involving all Sojitz employees.
Disaster Preparedness and Mitigation
Sojitz has taken steps to ensure that its Tokyo headquarters can continue to perform its functions in the event of an earthquake in the Tokyo metropolitan area, through measures such as equipping its facilities with emergency power generators capable of providing 72 hours of electricity. Sojitz has also stockpiled five days’ worth of food for employees in the event that they are required to shelter at Sojitz offices. The Tokyo Metropolitan Government has recognized Sojitz as a model company for its efforts to prevent the mass movement of employees in the event of a natural disaster.