Risk Management
Policy and Basic Approach
Sojitz Group aims to ensure sound management practices and increase its corporate value. To realize these aims, Sojitz identifies and categorizes risks that may arise in the performance of duties and that have the potential to result in unexpected losses or damage to Sojitz Group’s net assets. Additionally, Sojitz carefully assesses risks associated with new business ventures or accompanying changes in the business environment, and the company has established the necessary risk management systems to address these risks and manages these systems appropriately.
Systems and Initiatives
In compliance with the General Standards of Risk Management, Sojitz has established the Internal Control Committee as an organization for supervising Group-wide risk management. The Internal Control Committee is an executing body under the supervision of the president & CEO. The committee identifies, categorizes, and defines the potential risks associated with Sojitz’s business activities and conducts ongoing reviews of the risks associated with new business ventures or accompanying changes in the business environment. Risks are first subdivided into categories in order to gain a comprehensive and thorough understanding of each type. Risk managers are then assigned for each risk type. These risk managers establish risk management policies and plans at the beginning of each fiscal year and implement PDCA cycles based on these plans. The Internal Control Committee conducts quarterly monitoring of the progress of risk management plans, discussing strategies for improvement and issuing directives to organizations in charge of risk management as necessary. Monitoring results are reported quarterly to the Management Committee and Board of Directors. The Board of Directors supervises Sojitz’s risk management operations through discussion of important risk management-related issues and through regular reports, and conducts evaluations of the effectiveness of Sojitz’s risk management systems and processes. Any new risks that are identified mid-quarter are also subject to the same monitoring processes.
Sojitz Group uses an evaluation process to regularly review the major risks facing the Group and has currently identified 12 major risk types. For major risk categories, Sojitz has established a range of organizations that deliberate regarding the unique characteristics of each risk type and implement concrete risk prevention measures at a cross-organizational level. These organizations include 1) internal committees that act as executing bodies under the supervision of the president & CEO to oversee key management issues and 2) working groups formed to review practices and initiatives under a specific theme.
The 12 Major Risk Types and Sojitz Internal Committees
- Market risks (foreign exchange rates, interest rates, commodity prices, listed securities prices)
- Credit risks
- Business investment risks
- Country risks
- Funding risks
- Environmental and social (human rights) risks
- Compliance risks
- Legal risks
- System and information security risks
- Disaster risks
- Risks related to sharing company information via the corporate website and social media accounts
- Quality management risks
Current as of June 20, 2023
Committee | Chairperson |
---|---|
Internal Control Committee | Representative Director, Senior Managing Executive Officer Executive Management of Corporate Departments |
Compliance Committee | Managing Executive Officer, CCO, CISO COO, Legal Department, Internal Control Administration Department |
Sustainability Committee | President & CEO |
Security Trade Control Committee | Executive Vice President Advisor to the President Executive Management of Business Group (Automotive, Aerospace & Transportation Project, Infrastructure & Healthcare), and East Asia region |
DX Promotion Committee | President & CEO |
Quality Management Committee | Managing Executive Officer COO, Retail & Consumer Service Division |
Information and IT System Security Committee | Managing Executive Officer, CCO, CISO COO, Legal Department, Internal Control Administration Department |
Business Continuity Management Working Group | Managing Executive Officer COO, Human Resources Department |
Disclosure Working Group | Executive Officer COO, IR Office, Corporate Sustainability Department |
Initiatives
Sojitz’s basic internal control framework comprises three lines of defense (first line: business divisions; second line: corporate departments; third line: internal audits). Under Medium-term Management Plan 2023, Sojitz seeks to augment the risk management capabilities of the first and second lines while bolstering its capacity to respond to the risks that might emerge due to entry into new business fields.
Specifically, Sojitz provides training and e-learning courses for business division managers (the employees who directly oversee business management and make up the front line of defense) in order to raise their awareness and understanding of risk management issues. Sojitz also requires each Group organization to conduct self-assessments of its key risk factors in order to instill an awareness of the importance of risk management in all employees. Sojitz is working to strengthen its risk management framework in light of new risks associated with cybersecurity, security trade controls, and B2B business that are emerging due to recent changes in the business environment and Sojitz’s expansion into new business fields.
Status of Response to the 12 Major Risk Types
Risk type | Status of response |
---|---|
Market risks (Risk measurement in progress) | |
Credit risks (Risk measurement in progress) | |
Business investment risks (Risk measurement in progress) | |
Country risks (Risk measurement in progress) | |
Funding risks | |
Environmental and social (human rights) risks | |
Compliance and legal risks | |
System and information security risks | |
Disaster risks | |
Risks related to sharing company information via the corporate website and social media accounts | |
Quality management risks | |
Measuring and Controlling Risk
In order to manage risk with a dual focus on both safety and profit opportunity, Sojitz measures risk assets within the following four risk types: market risk, business investment risk, credit risk, and country risk. The goals of risk measurement are to 1) manage quantified risk assets in order to keep them within the scope of the company’s strength (total equity), and 2) maximize earnings in line with the level of risk exposure. Risk assets are measured twice yearly and reported to the Board of Directors and the Management Committee. Each business department receives feedback on analysis conducted for factors affecting risk levels, and the business departments utilize the results of these analyses in their ongoing risk management efforts. Sojitz Group’s objective for risk control is to keep the ratio of risk assets to total equity at or below 1.0. Sojitz has maintained this goal ratio since the fiscal year ended March 2010.
Transformation of Risk Management
The risks Sojitz faces are growing increasingly diverse. This is true for geopolitical risks as well as risks related to natural disasters, abnormal weather events, human rights, environment, and quality management. At the same time, Sojitz’s supply chain continues to grow as the company creates new businesses through market-oriented initiatives. Appropriately managing the ever-more diverse range of risks and fulfilling Sojitz’s responsibility toward customers and society will require an approach toward risk management that encompasses the entire value chain. To respond to the changing risk management landscape, Sojitz reorganized its trading and risk management organizations in April 2022 and established the Supply Chain Risk Management Department and the General Risk Management Department.
The Supply Chain Risk Management Department possesses frameworks for flexible response to the sudden materialization of risks by swiftly measuring the quantitative impact of the given risk event. For example, when Russia’s invasion of Ukraine disrupted supply chains, the department was able to take an organization-wide response by coordinating with business divisions to secure alternative supply routes. The Supply Chain Risk Management Department will continue working to enhance responsiveness to various risks and increase company resilience going forward.
The General Risk Management Department is responsible for aspects of risk management like pre-investment risk screening, post-investment monitoring, provision of advice related to underperforming projects, and country risk and risk asset assessments. The results of these and other assessments are regularly reported to the Board of Directors and the Management Committee, and the department shapes its measures based on the discussion by these bodies. The General Risk Management Department also functions as the secretariat for the Quality Management Committee. By developing monitoring frameworks for high-risk areas, the department engages in discussions on how to improve frontline responsiveness and heighten Sojitz Group’s resilience.
Installation of Frontline Risk Management
Enhancing the risk management functions of Sojitz’s business divisions is imperative to ensuring the company can act with the level of speed necessary to address the diversifying values seen in the evolving operating environment. In April 2022, Sojitz reorganized its risk management organizations to allow for more rigorous screening and operation of investment projects, reforms of portfolios and earnings structures, and enhancement of frontline risk management and monitoring structures. In this reorganization, parts of controller office functions were transferred to the planning and administration offices of business divisions.
Investment and Loan Proposals
When considering new investment and loan projects, Sojitz implements a system for reviewing whether a proposed project aligns with company policies through a process that involves identifying factors including: 1) the project’s vision and its path for improving corporate value, 2) the growth potential of the business field in question, and 3) the functions and competitiveness of both Sojitz and the business within that field. This process also involves eliminating projects that do not align with Sojitz policies and which would entail taking on excessive risks in unfamiliar business areas.
Following this review process, projects that are found to be in line with company policies are presented to the Finance & Investment Deliberation Council, a body which consists of a chairman and council members appointed by the president. This council analyzes the feasibility of each project’s business plan and visualizes risks in order to reach a decision on investment. Specifically, the council closely examines the cash flow plan and other details of the business plan, evaluates business feasibility, and compares the internal rate of return (IRR) and hurdle rate for each proposal in order to select only those projects which have the potential to enhance Sojitz Group shareholder value while also generating returns commensurate with risk.
After an investment is completed, Sojitz carries out a thorough post-merger integration (PMI) process in order to establish a business management structure at the operating company that meets Sojitz Group standards at an early stage. Sojitz implements measures for adding value as it seeks to enhance the overall business value of the investment.
In order to ensure the success of all investment and loan projects, Sojitz has created guidelines for monitoring the progress of business plans, which ensures that business plans contain appropriate KPIs and action plans. Sojitz has also established frameworks which facilitate a flexible response in the event that a risk scenario occurs.
In the event that Sojitz is unable to add new value and the operating company performs poorly, Sojitz acts in accordance with the Standards for Monitoring and Withdrawal (Sojitz Group General Standards of Risk Management). Sojitz implements an ongoing asset replacement strategy and, in principle, withdraws from businesses for which ROIC and CROIC do not exceed the cost of capital.
Risk Management Training
Sojitz’s vision for 2030 under Medium-term Management Plan 2023 is to become a company that constantly cultivates new businesses and human capital. In order to achieve this goal, it is essential that Sojitz not only encourages employees to take on new challenges, but also instills in them the risk management skills and mindset needed to conduct business successfully. In addition to general trainings held by the Human Resources Department, the General Risk Management Department and Supply Chain Risk Management Department provide trainings on risk management.
These departments offer an extensive range of trainings in order to comprehensively cover all major risk types. Courses include a required training to ensure employee understanding of and adherence to company risk management rules, as well as trainings for junior and mid-level employees. An advanced course on business investment is also offered which focuses on methods for anticipating risk and creating businesses capable of generating stable earnings. In addition to group and one-on-one trainings, Sojitz also offers e-learning courses that can be completed independently and which delve deeper into the specific types of work that employees perform.
The risks that trading companies face are constantly evolving. Sojitz therefore reviews and updates the content of its training materials as needed and strives to provide employees with the tools needed to respond to evolving and newly emerging risks.
Addressing Information Security Risk
Policy and Basic Approach
Sojitz has established Information Management Regulations, Sojitz IT Security Policy and other regulations regarding information management and information security measures. Sojitz Group seeks to create an integrated system of information security risk countermeasures and works to ensure that all Group employees appropriately use, manage, and maintain IT assets.
Systems
Sojitz has established the Information and IT System Security Committee, an organization chaired by the Managing Executive Officer, CCO, and CISO. The Information and IT System Security Committee creates Sojitz’s system for managing information security throughout Sojitz Group, deliberates on a wide range of information security-related issues, and makes proposals to management. The committee also monitors adherence to all information security-related regulations and in the event of a violation, centrally manages all relevant information, and ensures that there is a system in place for promptly addressing violations.
Initiatives
Addressing Information Leaks
Sojitz Group identifies high-priority information assets that require careful protection (clients’ personal information, etc.), and takes steps to secure this information, including limiting user access. In the event of an information leak, Sojitz has established a disclosure framework, incorporating outside parties, that ensures information is disclosed appropriately.
Addressing Cyberattack Threats
Sojitz is continuously working to strengthen its measures for preventing cyber attacks. These measures include the use of firewalls to prevent unauthorized system access by external parties, measures for stopping viruses that exploit system vulnerabilities, and technological measures such as the use of encryption technology. In addition, Sojitz has established a framework for the 24/7 operation and supervision of IT systems and strives to ensure that the company can promptly detect and address any cyber attacks that may occur.
Addressing Disaster Risks
Policy and Basic Approach
Sojitz recognizes the importance of maintaining business continuity and ensuring the safety of all Sojitz Group employees, families, and other affiliated parties in the event of a major disaster such as an earthquake, flood, terrorist attack, or pandemic. Sojitz has established the Sojitz Group Basic Crisis Management Policy, which defines Sojitz’s policies and framework for crisis management. Sojitz operates an active system for crisis management at all times in order to ensure that in the event of a disaster, it can maintain the safety of all Sojitz Group employees, families, and other affiliated parties.
Sojitz Group Basic Crisis Management Policy
- Ensure the safety of employees and others (personal safety)
- Ensure the safety of company assets and restart operations as soon as possible (stable supply of business services)
- Support stakeholders and the local community (cooperation and mutual support)
- Strengthen crisis response and raise crisis management awareness (regularly conduct trainings and drills)
Systems
Sojitz has established internal systems and roles for use in the event of a crisis, based on the Sojitz Group Basic Crisis Management Policy and the Sojitz Crisis Management Guidelines. Sojitz has also established the Business Continuity Management Working Group, an organization chaired by the Managing Executive Officer and Human Resources Department COO, which regularly reports to the Management Committee. The working group continuously reviews and implements improvements to all crisis-related measures in order to ensure their effectiveness and respond to changes in the business environment.
Initiatives
Business Continuity Management (BCM) Operations
In order to ensure the effectiveness of business continuity planning (BCP), Sojitz establishes a plan for year-round BCP activities and regularly reviews the plan. Sojitz conducts a range of BCP-related trainings including drills conducted by the Emergency Response Unit, first aid trainings for employees, and evacuation drills. (Trainings are conducted for two differing scenarios: a disaster occurring 1) during working hours and 2) at night on a non-workday.) In addition, Sojitz utilizes a reporting system to confirm the safety of all employees in the event of a disaster and also conducts reporting drills using this system.
Disaster Preparedness and Mitigation
Sojitz has taken steps to ensure that its Tokyo headquarters can continue to perform its functions in the event of an earthquake in the Tokyo metropolitan area, through measures such as equipping its facilities with emergency power generators capable of providing 72 hours of electricity. Sojitz has also stockpiled five days’ worth of food for employees in the event that they are required to shelter at Sojitz offices. The Tokyo Metropolitan Government has recognized Sojitz as a model company for its efforts to prevent the mass movement of employees in the event of a natural disaster.