Sojitz Corporation

Governance

Risk Management

Policy and Basic Approach

Sojitz Group aims to ensure sound management practices and increase its corporate value. To realize these aims, Sojitz identifies and categorizes risks that may arise in the performance of duties and that could result in unexpected losses or damage to Sojitz Group’s net assets. Sojitz also carefully assesses risks associated with new business ventures or accompanying changes in the business environment, has established the risk management systems necessary to address these risks, and manages these systems appropriately.

Systems and Initiatives

In compliance with the General Standards of Risk Management, Sojitz has established the Internal Control Committee as an organization for supervising Group-wide risk management. The Internal Control Committee is an executing body under the supervision of the president & CEO. The committee identifies, categorizes, and defines the potential risks associated with Sojitz’s business activities and conducts ongoing reviews of the risks associated with new business ventures or accompanying changes in the business environment. Risks are first subdivided into categories in order to gain a comprehensive and thorough understanding of each type. Risk managers are then assigned for each risk type. These risk managers establish risk management policies and plans at the beginning of each fiscal year and implement PDCA cycles based on these plans. The Internal Control Committee conducts quarterly monitoring of the progress of risk management plans, discussing strategies for improvement and issuing directives to organizations in charge of risk management as necessary. Monitoring results are reported quarterly to the Management Committee and Board of Directors. The Board of Directors supervises Sojitz’s risk management operations through discussion of important risk management-related issues and through regular reports, and conducts evaluations of the effectiveness of Sojitz’s risk management systems and processes. Any new risks that are identified mid-quarter are also subject to the same monitoring processes.

Sojitz Group uses an evaluation process to regularly review the major risks facing the Group and has currently identified 12 major risk types. For major risk categories, Sojitz has established a range of organizations that deliberate regarding the unique characteristics of each risk type and implement concrete risk prevention measures at a cross-organizational level. These organizations include 1) internal committees that act as executing bodies under the supervision of the president & CEO to oversee key management issues and 2) working groups formed to review practices and initiatives under a specific theme.

The 12 Major Risk Types and Sojitz Internal Committees

  1. Market risks (foreign exchange rates, interest rates, commodity prices, listed securities prices)
  2. Credit risks
  3. Business investment risks
  4. Country risks
  5. Funding risks
  6. Environmental and social (human rights) risks
  7. Compliance risks
  8. Legal risks
  9. System and information security risks
  10. Disaster risks
  11. Risks related to sharing company information via the corporate website and social media accounts
  12. Quality management risks

Current as of June 20, 2023

Committee: Chairperson

  • Internal Control Committee: Representative Director, Senior Managing Executive Officer; Executive Management of Corporate Departments
  • Compliance Committee: Managing Executive Officer, CCO, CISO; COO, Legal Department, Internal Control Administration Department
  • Sustainability Committee: President & CEO
  • Security Trade Control Committee: Executive Vice President; Advisor to the President; Executive Management of Business Group (Automotive, Aerospace & Transportation Project, Infrastructure & Healthcare), and East Asia region
  • DX Promotion Committee: President & CEO
  • Quality Management Committee: Managing Executive Officer; COO, Retail & Consumer Service Division
  • Information and IT System Security Committee: Managing Executive Officer, CCO, CISO; COO, Legal Department, Internal Control Administration Department
  • Business Continuity Management Working Group: Managing Executive Officer; COO, Human Resources Department
  • Disclosure Working Group: Executive Officer; COO, IR Office, Corporate Sustainability Department

Initiatives

Sojitz’s basic internal control framework comprises three lines of defense (first line: business divisions; second line: corporate departments; third line: internal audits). Under Medium-term Management Plan 2023, Sojitz seeks to augment the risk management capabilities of the first and second lines while bolstering its capacity to respond to the risks that might emerge due to entry into new business fields.

 

Specifically, Sojitz provides training and e-learning courses for business division managers—the employees who directly oversee business management and make up the front line of defense—in order to raise their awareness and understanding of risk management issues. Sojitz also requires each Group organization to conduct self-assessments of its key risk factors in order to instill an awareness of the importance of risk management in all employees. Sojitz is working to strengthen its risk management framework in light of new risks associated with cybersecurity, security trade controls, and B2B business that are emerging due to recent changes in the business environment and Sojitz’s expansion into new business fields.

Status of Response to the 12 Major Risk Types

Risk type: Status of response
Market risks
(Risk measurement in progress)
  • Sojitz is enhancing its capacities for responding to market risks in light of the possibility of increases to procurement costs and the inability to secure the necessary quantities of items due to factors such as Russia’s invasion of Ukraine.
  • Sojitz manages its positions and losses by setting long/short position limits and max loss amounts for all products vulnerable to price fluctuation. Should a position near the max loss amount, swift action is taken to eliminate the position in order to prevent losses beyond the anticipated amount.
  • For interest and foreign exchange rates, steps are taken to minimize market risks through such means as matching assets and liabilities and hedging with forward exchange contracts and interest rate swaps.
  • Sojitz is making steady progress in selling marketable securities as part of the company’s target of achieving a 50% reduction of cross-shareholdings by the end of March 2024.
Credit risks
(Risk measurement in progress)
  • Credit risks are controlled based on credit ratings assigned to all business partners through objective methodologies. The amount of credit extended to a given partner is contained within a defined credit limit set in accordance with their credit rating.
  • Sojitz uses a system for assessing receivables to identify customers for inquiry from among those customers with business receivables, based on certain standards; regularly monitors credit risks and safeguards; and estimates the necessary provisions for doubtful accounts for individual receivables based on rigorous standards.
Business investment risks
(Risk measurement in progress)
  • For new investments, Sojitz ensures that the investment purpose is clearly defined and that the basis and feasibility of business plans are carefully assessed. Sojitz places emphasis on weighing potential risks against the profits or functions the company stands to gain and ensures that exit strategies are in place. Sojitz selects only those projects for which the internal rate of return (IRR) exceeds a hurdle rate derived from the cost of capital.
Country risks
(Risk measurement in progress)
  • Sojitz assigns country risk ratings and sets net exposure limits to avoid concentrated exposure to any single country or region.
  • In countries that pose substantial country risk, Sojitz hedges against country risk on a transaction-by-transaction basis, through such means as purchasing trade insurance.
Funding risks
  • Sojitz ensures stable funding by maintaining good business relationships with financial institutions and by keeping the long-term debt ratio at a specified level.
Environmental and social (human rights) risks
  • Sojitz has established the Sustainability Challenge as the company’s long-term sustainability vision for 2050. The Challenge includes policies for realizing a decarbonized society and respecting human rights within supply chains. In addition to defining CO2 emissions reduction targets, Sojitz has formulated individual policies regarding the environment and human rights in order to address environmental and social (human rights) risks. The Sustainability Committee discusses policies and frameworks and monitors the progress of these initiatives.
Compliance and legal risks
  • Sojitz has formulated a compliance program and has established the Sojitz Group Code of Conduct and Ethics. The Compliance Committee promotes rigorous regulatory compliance on a Groupwide basis.
  • The Security Trade Control Committee is a central proponent in the implementation of systems for security trade control initiatives.
  • Measures are in place to monitor the taxation-related procedures of Group companies and to strengthen taxation governance.
System and information security risks
  • Sojitz has prescribed regulations and established oversight entities, mainly the Information & IT System Security Committee, which is chaired by the chief information security officer (CISO), pertaining to the appropriate protection and management of information assets. Sojitz works to strengthen information security through this framework.
  • Sojitz has implemented safeguards, such as installation of backup hardware, to protect against failure of key information systems and network infrastructure. Additionally, Sojitz is strengthening IT security through such means as installing firewalls and taking other steps to prevent unauthorized access by outsiders, implementing sophisticated malware countermeasures at endpoint terminals, and utilizing encryption technologies.
  • Sojitz implements measures to combat security risks on a Group-wide basis. These measures include the implementation of malware countermeasures at endpoint terminals and the tracking of the IT assets of Group companies to identify and address vulnerabilities.
Disaster risks
  • The Business Continuity Management Working Group formulates action plans for addressing disaster risks and monitors the progress of these plans. In addition, disaster and infectious disease response manuals and business continuity plans have been established, systems for confirming the safety of employees in the event of a disaster have been installed, and crisis management drills are conducted.
  • Sojitz identifies alternative suppliers and products as a means of protecting supply chains in the event of a major disaster in order to ensure that the company is able to continue conducting business. In addition, Sojitz tracks potential impacts on supply chains and concludes insurance policies when appropriate to minimize risks.
Risks related to sharing company information via the corporate website and social media accounts
  • Sojitz has established rules and regulations regarding the management of Sojitz Group websites and social media accounts owned by organizations at Sojitz Tokyo HQ and Group companies. Each organization is required to create its own internal regulations and practice responsible website and social media management.
  • Sojitz has established a dedicated policy regarding social media account use due to the significant information-related risks associated with social media use. Sojitz holds seminars and workshops to educate social media managers on the basics of social media use, discuss methods for addressing online criticism and crises, and share relevant case studies. These initiatives aim to reduce risk by raising the social media literacy of Sojitz Group members. In addition, Group social media accounts and websites are monitored regularly by Sojitz Corporation’s Public Relations Department and the relevant supervising business division.
Quality management risks
  • Sojitz has established the Sojitz Group Quality Management Policy to define principles for quality management to be applied throughout the Group. Sojitz manages quality at all business sites based on this policy, and the Quality Management Committee monitors these activities.
  • In order to prevent quality-related issues before they arise, Sojitz works to promote the preventative aspect of quality management throughout the Group’s organizations. At the same time, the company is also engaged in discussions on proactive quality management practices and monitors progress made towards strengthening the company’s competitive advantage and initiatives to drive value creation.

Measuring and Controlling Risk

In order to manage risk with a dual focus on both safety and profit opportunity, Sojitz measures risk assets within the following four risk types: market risk, business investment risk, credit risk, and country risk. The goals of risk measurement are to 1) manage quantified risk assets in order to keep them within the scope of the company’s strength (total equity), and 2) maximize earnings in line with the level of risk exposure. Risk assets are measured twice yearly and reported to the Board of Directors and the Management Committee. Each business department receives feedback on analysis conducted for factors affecting risk levels, and the business departments utilize the results of these analyses in their ongoing risk management efforts. Sojitz Group’s objective for risk control is to keep the ratio of risk assets to total equity at or below 1.0. Sojitz has maintained this goal ratio since the fiscal year ended March 2010.

Enhancement of Supply Chain Resilience

The risks Sojitz faces are growing increasingly diverse. This is true for economic security risks as well as risks related to natural disasters, abnormal weather events, human rights, and the environment. In this complex environment, it is crucial to assess risks across the supply chain in order to ensure that Sojitz is able to fulfill its responsibilities toward its customers and society.

Sojitz has broadened its focus beyond the traditional risk management functions of trading businesses, including credit and inventory management, and the company quantifies and monitors risks based on scenarios for major risks, such as disaster and environmental risks. This approach is taken to heighten resilience and boost responsiveness in the event that a risk should materialize. In FY2023, Sojitz added supply risk to its list of major risks. The company implements supply risk management measures including reviews of high-risk transactions, introduction of a new transaction management process, and implementation of employee education programs.

Installation of Frontline Risk Management

Enhancing the risk management functions of Sojitz’s business divisions is imperative to ensuring the company can act with the level of speed necessary to address the diversifying values seen in the evolving operating environment. In April 2022, Sojitz reorganized its risk management organizations to allow for more rigorous screening and operation of investment projects, reforms of portfolios and earnings structures, and enhancement of frontline risk management and monitoring structures. In this reorganization, parts of controller office functions were transferred to the planning and administration offices of business divisions.

Investment and Loan Proposals

When considering new investment and loan projects, Sojitz implements a system for reviewing whether a proposed project aligns with company policies through a process that involves identifying factors including: 1) the project’s vision and its path for improving corporate value, 2) the growth potential of the business field in question, and 3) the functions and competitiveness of both Sojitz and the business within that field. This process also involves eliminating projects that do not align with Sojitz policies and which would entail taking on excessive risks in unfamiliar business areas.

Following this review process, projects that are found to be in line with company policies are presented to the Finance & Investment Deliberation Council, a body which consists of a chairman and council members appointed by the president. This council analyzes the feasibility of each project’s business plan and visualizes risks in order to reach a decision on investment. Specifically, the council closely examines the cash flow plan and other details of the business plan, evaluates business feasibility, and compares the internal rate of return (IRR) and hurdle rate for each proposal in order to select only those projects which have the potential to enhance Sojitz Group shareholder value while also generating returns commensurate with risk.

Portfolio Management Cycle

In order to achieve sustainable value creation, it is imperative for Sojitz to implement an asset management strategy that considers both the risks and returns of each asset. In FY2022, Sojitz introduced a new portfolio management cycle to achieve optimized asset management. Under this new process, Sojitz regularly reviews the status of each business division’s risk assets. The results of these assessments, including risk-return analysis and investment monitoring, are then discussed at biannual meetings between the COO of the Risk Management Department and the COOs of the business divisions. The COOs deliberate regarding the current status and future vision for the portfolio of each division. Information on this process is reported to and discussed by the Management Committee to drive the improvement of Sojitz’s portfolio.

 

Risk Management Training

In order to comprehensively manage risk, Sojitz must not only establish organizational systems and frameworks, but also instill a risk management mindset and foster the necessary skills in each Group employee. Sojitz therefore places an emphasis on risk management-related trainings and provides employees with educational content on the basics of risk management, trading, and business investment. Trainings cover a wide range of topics and are designed to address the actual risk-related issues employees face as they conduct business.

As part of efforts to share risk-related knowledge throughout the company, Sojitz also creates videos that feature case studies of specific trading or business investment-related incidents that have occurred at Sojitz Group. In the videos, employees involved in the incident engage in open dialogue with members of the Risk Management Department to discuss their experience and highlight key takeaways. Through this initiative, Sojitz aims to encourage employees to apply the collective knowledge gained through past incidents in their work each day.

The risks that trading companies face are constantly evolving. Sojitz therefore reviews and updates the content of its training materials as needed and strives to provide employees with the tools needed to respond to evolving and newly emerging risks.

 

Addressing Information Security Risk

Policy and Basic Approach

Sojitz has established Information Management Regulations, Sojitz IT Security Policy and other regulations regarding information management and information security measures. Sojitz Group seeks to create an integrated system of information security risk countermeasures and works to ensure that all Group employees appropriately use, manage, and maintain IT assets.

Systems

Sojitz has established the Information and IT System Security Committee, an organization chaired by the Managing Executive Officer, CCO, and CISO. The Information and IT System Security Committee creates Sojitz’s system for managing information security throughout Sojitz Group, deliberates on a wide range of information security-related issues, and makes proposals to management. The committee also monitors adherence to all information security-related regulations and, in the event of a violation, centrally manages all relevant information and ensures that there is a system in place for promptly addressing violations.

Initiatives

Addressing Information Leaks

Sojitz Group identifies high-priority information assets that require careful protection (clients’ personal information, etc.), and takes steps to secure this information, including limiting user access. In the event of an information leak, Sojitz has established a disclosure framework, incorporating outside parties, that ensures information is disclosed appropriately.

Addressing Cyberattack Threats

Sojitz is continuously working to strengthen its measures for preventing cyberattacks. These measures include the use of firewalls to prevent unauthorized system access by external parties, measures for stopping viruses that exploit system vulnerabilities, and technological measures such as the use of encryption technology. In addition, Sojitz has established a framework for the 24/7 operation and supervision of IT systems and strives to ensure that the company can promptly detect and address any cyberattacks that may occur.

Addressing Disaster Risks

Policy and Basic Approach

Sojitz recognizes the importance of maintaining business continuity and ensuring the safety of all Sojitz Group employees, families, and other affiliated parties in the event of a major disaster such as an earthquake, flood, terrorist attack, or pandemic. Sojitz has established the Sojitz Group Basic Crisis Management Policy, which defines Sojitz’s policies and framework for crisis management. Sojitz operates an active system for crisis management at all times in order to ensure that in the event of a disaster, it can maintain the safety of all Sojitz Group employees, families, and other affiliated parties.

Sojitz Group Basic Crisis Management Policy

  1. Ensure the safety of employees and others (personal safety)
  2. Ensure the safety of company assets and restart operations as soon as possible (stable supply of business services)
  3. Support stakeholders and the local community (cooperation and mutual support)
  4. Strengthen crisis response and raise crisis management awareness (regularly conduct trainings and drills)

Systems

Sojitz has established internal systems and roles for responding to a crisis, based on the Sojitz Group Basic Crisis Management Policy and the Sojitz Crisis Management Guidelines. Sojitz has also established the Business Continuity Management Working Group, an organization chaired by the Managing Executive Officer and Human Resources Department COO, which regularly reports to the Management Committee. The working group continuously reviews and implements improvements to all crisis-related measures in order to ensure their effectiveness and respond to changes in the business environment.

Initiatives

Business Continuity Management (BCM) Operations

In order to ensure the effectiveness of business continuity planning (BCP), Sojitz establishes a plan for year-round BCP activities and regularly reviews the plan. Sojitz conducts a range of BCP-related trainings including drills conducted by the Emergency Response Unit, first aid trainings for employees, and evacuation drills. (Trainings are conducted for two differing scenarios: a disaster occurring 1) during working hours and 2) at night on a non-workday.) In addition, Sojitz utilizes a reporting system to confirm the safety of all employees in the event of a disaster and also conducts reporting drills using this system.

Disaster Preparedness and Mitigation

Sojitz has taken steps to ensure that its Tokyo headquarters can continue to perform its functions in the event of an earthquake in the Tokyo metropolitan area, through measures such as equipping its facilities with emergency power generators capable of providing 72 hours of electricity. Sojitz has also stockpiled five days’ worth of food for employees in the event that they are required to shelter at Sojitz offices. The Tokyo Metropolitan Government has recognized Sojitz as a model company for its efforts to prevent the mass movement of employees in the event of a natural disaster.
