Sojitz Corporation

Governance

Risk Management

Policy and Basic Approach

Sojitz Group aims to ensure sound management practices and increase its corporate value. To realize these aims, Sojitz identifies and categorizes risks that may occur in the performance of duties with the potential to result in unexpected losses or damages to Sojitz Group’s net assets. Additionally, Sojitz carefully assesses risks associated with new business ventures or accompanying changes in the business environment, and the company has established the necessary risk management systems to address these risks and manages these systems appropriately.

Systems

Sojitz Group uses an evaluation process to regularly review the major risks facing the Group and has currently identified 12 major risk types. Sojitz appoints risk managers for each risk type and these managers establish risk management policies and plans for addressing the unique characteristics of each risk type. Sojitz has established internal committees that act as executing bodies under the supervision of the president & CEO to oversee management issues that require collaboration across organizations, and each committee deliberates and executes risk countermeasures. In addition, Sojitz has established working groups that address specific themes from a cross-organizational perspective.

The status of Sojitz’s risk management operations, efforts to improve risk management systems, and monitoring results are reported quarterly to the Management Committee and Board of Directors through the Internal Control Committee, which is chaired by the CFO. The Board of Directors supervises Sojitz’s risk management operations through discussion of important risk management-related issues and through regular reports.

Major 12 Risks and Sojitz Internal Committees

  1. Market risks (foreign exchange rates, interest rates, commodity prices, listed securities prices)
  2. Credit risks
  3. Business investment risks
  4. Country risks
  5. Funding risks
  6. Environmental and social (human rights) risks
  7. Compliance risks
  8. Legal risks
  9. System and information security risks
  10. Disaster risks
  11. Risks related to sharing company information via the corporate website and social media accounts
  12. Quality management risks

| Committee | Chairperson |
| --- | --- |
| Internal Control Committee | Executive Vice President, CFO |
| Compliance Committee | Executive Officer, CCO |
| Sustainability Committee | President & CEO |
| Security Trade Control Committee | Executive Vice President |
| DX Promotion Committee | President & CEO |
| Quality Management Committee | Managing Executive Officer |
| Information and IT System Security Committee | Vice President, CISO |
| Business Continuity Management Working Group | Managing Executive Officer |
| Disclosure Working Group | Executive Officer |

Initiatives

In compliance with its Basic Code of Corporate Risk Management, Sojitz Group defines and categorizes risks and manages them according to the nature of each risk. For quantifiable risks (market risks, credit risks, business investment risks, and country risks), risk assets are measured on a quarterly basis. Difficult-to-quantify risks (funding risks, environmental and social (human rights) risks, compliance risks, legal risks, system and information security risks, disaster risks, risks related to sharing company information via the corporate website and social media accounts, and quality management risks) are managed in the same manner as quantifiable risks, with risk managers being appointed for each risk. These risk managers establish risk management policies and plans, and issue quarterly progress reports to the Internal Control Committee, the Management Committee, and the Board of Directors. In the event that a new risk is detected mid-quarter, risk managers assess the risk as well as the status of risk management systems and initiatives in order to verify the effectiveness of overall risk countermeasures.

Sojitz’s basic internal control policy comprises three lines of defense (first line: business divisions; second line: corporate departments; third line: internal audits). Under Medium-term Management Plan 2023, we seek to augment the risk management capabilities of the first and second lines while bolstering our capacity to respond to the risks that might emerge due to our entry into new business fields.

Three lines of defense diagram

Specifically, risks with the potential to impact Sojitz Group are subdivided in order to track risks in a meticulous and comprehensive manner. The responsible corporate department is defined for each of the subdivided risk types, comprising the second line of defense. Each department uses an evaluation process to identify major risks and implements a PDCA cycle. Through this approach, Sojitz will strengthen its response toward quality and information management risks associated with business-to-consumer operations, which are expected to grow in the future, as well as toward the risks that may emerge in new business fields.

Conceptual diagram of risk management PDCA activities under the Basic Code of Corporate Risk Management

Individual Risks

Category Status of response
Quantifiable Risks
Market risks
  • The Group minimizes market risks through such means as matching assets and liabilities (e.g., long and short commodity exposures) and hedging with forward exchange contracts, commodity futures and forward contracts, and interest rate swaps.
Credit risks
  • The Group implements safeguards (e.g., collateral and guarantees) as warranted by the customer’s credit status.
  • The Group uses a system for assessing receivables to identify customers for inquiry from among those customers with business receivables, based on certain standards; regularly monitors credit risk; and estimates provisions for doubtful accounts for individual receivables.
Business investment risks
  • The Group closely examines business plans and carefully assesses feasibility when deliberating on investment projects. The Group also sets hurdle rates using internal rate of return (IRR) and selects those projects that can generate profits commensurate with risk and contribute to improved shareholder value.
  • After investment, in order to ascertain issues at an early stage, improve shareholder value, and minimize losses from withdrawal or restructuring, the Group sets conditions for monitoring and withdrawal and for determining whether projects meet these conditions on an annual basis.
Country risks
  • The Group assigns country risk ratings and sets net exposure limits to avoid concentrated exposure to any single country or region.
  • In countries that pose substantial country risk, the Group hedges against country risk on a transaction-by-transaction basis, through such means as purchasing trade insurance.
Difficult-to-Quantify Risks
Funding risks
  • The Group ensures stable funding by maintaining good business relationships with financial institutions and by keeping the long-term debt ratio at a specified level.
  • To provide additional financial flexibility and liquidity, the Group maintains long-term commitment lines and a long-term multi-currency borrowing facility agreement with effective period provisions.
Environmental and social (human rights) risks
  • The Group has defined its Sustainability Challenge long-term vision for 2050 as well as decarbonization policies in relation to its Key Sustainability Issues (Materiality). The Sustainability Committee monitors progress with regard to these objectives. In addition, scenario analyses are performed based on the final recommendations of the Task Force on Climate-related Financial Disclosures. Meanwhile, the Finance & Investment Deliberation Council confirms environmental risks, social risks, and other risks related to sustainability when deliberating on potential finance and investment projects.
  • Additionally, the Group has established an Environmental Policy, a Human Rights Policy, and CSR Action Guidelines for Supply Chains. It works to mitigate risks by ensuring these policies are observed throughout the Group, sharing them with suppliers, conducting risk assessments, and working to address discovered issues. For climate-related risks, the Group pays close attention to government policies and regulatory trends worldwide, analyzing their impact on the Group’s business.
Compliance and legal risks
  • The Group has formulated a compliance program and has established the Sojitz Group Code of Conduct and Ethics. The Compliance Committee promotes rigorous regulatory compliance on a Groupwide basis.
  • The Security Trade Control Committee is a central proponent in the implementation of systems for security trade control initiatives.
  • Measures are in place to monitor the taxation-related procedures of Group companies and to strengthen taxation governance.
System and information security risks
  • The Group has prescribed regulations and established oversight entities, mainly the Information and IT System Security Committee, pertaining to the appropriate protection and management of information assets.
  • The Group has implemented safeguards, such as installation of backup hardware, to protect against failure of key information systems and network infrastructure. Additionally, the Group is strengthening its safeguards against information leaks through such means as installing firewalls and taking other steps to prevent unauthorized access by outsiders, implementing sophisticated malware countermeasures, and utilizing encryption technologies.
Disaster risks
  • The Business Continuity Management Working Group formulates action plans for addressing disaster risks and monitors the progress of these plans. In addition, disaster and infectious disease response manuals and business continuity plans have been established. Efforts are taken to educate employees on the use of the safety confirmation system and crisis management drills are regularly conducted. With regard to the COVID-19 pandemic, we are placing first priority on preventing infections and the spread of COVID-19 inside and outside of the company and are maintaining the safety of all Group employees and stakeholders as we implement a variety of response measures.
Risks related to sharing company information via the corporate website and social media accounts
  • The Group has set administrative guidelines for the terms of use and protection of personal information on Sojitz Corporation’s and Sojitz Group companies’ official websites and social media accounts, and monitors the implementation status of these guidelines at Group companies. Any updates are reported to the Disclosure Working Group to monitor progress in addressing risks.
Quality management risks
  • Based on the expansion and diversification of its business fields, the Group established the Quality Management Committee in the fiscal year ended March 2022 to ensure the quality of manufactured products and services through company-wide management and monitoring systems.
  • The Group established the “Sojitz Group Quality Management Policy,” which is a standardized, Group-wide quality management policy.

Risk Measurement and Control

The goals of risk measurement are to 1) manage quantified risk assets within the scope of the company’s strength (total equity), and 2) maximize earnings in line with the level of risk exposure. Based on this thinking, Sojitz Group manages risks with a focus on both stability and profitability. Risk assets are measured quarterly and reported to the Board of Directors and the Management Committee. Each business department receives feedback on analysis conducted for factors affecting risk levels, and the business departments utilize the results of these analyses in their ongoing risk management efforts. Sojitz Group’s objective for risk control is to keep the ratio of risk assets to total equity at or below 1.0. Sojitz has maintained this goal ratio since the fiscal year ended March 2010.

Amid the current spread of COVID-19, governments around the world are taking steps to minimize the impact of the pandemic on their economies through vaccine rollouts and other ongoing government financing and financial measures. However, the current conditions are expected to continue over the long term. In this constantly changing operating environment, Sojitz Group is implementing appropriate risk management measures. For example, risk assets are calculated by factoring stress into stock price and exchange rate volatility and country credit ratings, and the ratio of risk assets to total equity is monitored to ensure that the ratio remains at 1.0 or below, even under stress conditions. In addition, as a countermeasure to tail risk, Sojitz creates stress scenarios for its core businesses in order to analyze the potential impacts that stress conditions may have on its business portfolio.

Business Investment Proposals

Business investment proposals are deliberated by the Finance & Investment Deliberation Council, which consists of a chairman and members appointed by the president & CEO. In order to visualize risks and facilitate deliberation, the council examines downside scenarios as well as expected scenarios, and decides whether or not Sojitz should invest in projects. More specifically, the council assesses the feasibility of the overall business plan, including the cash flow plan, and sets internal rate of return (IRR) hurdles in order to select projects that can be expected to increase Sojitz Group’s shareholder value and produce returns commensurate with the risks. Each corporate department deliberates proposals in advance from its respective specialized viewpoint.

More than ever before, Sojitz seeks to maximize “two types of value”—that is, “value for Sojitz” and “value for society”—in its management of operating companies after investment. Sojitz aims to enhance the value of its businesses by increasing competitiveness and profitability. For ongoing investment projects, Sojitz carefully manages business processes, including through assessments of commercial viability and profitability, while also paying attention to changes in the external environment. Sojitz considers all of these factors as it determines whether to continue with each business. Sojitz sets exit rules and implements a monitoring system in order to identify problems in ongoing investment projects early on, improve shareholder value, and minimize losses upon withdrawal or reorganization. Sojitz relies on these criteria as it determines whether to continue with or withdraw from an investment, primarily for businesses that do not generate a return that exceeds the cost of capital.

Risk Management Training

Establishing rules alone is not sufficient to enhance company-wide risk management competence; all employees throughout the company must have risk management capabilities. In addition to e-learning courses and other training to familiarize employees with company rules, Sojitz provides a wide range of risk-related training. Training topics include case studies on past risk-related incidents, preventing and mitigating country risks, and preventing and mitigating transactions with inherent market risks such as inventory transactions. Training is provided for employees at various levels, including junior employees and management-level staff. Training is based on the knowledge and on-the-job experience of employees directly involved in daily operations. Sojitz also regularly holds workshops with external specialists on topics such as political and economic conditions to foster employees’ ability to respond flexibly to changes in the business environment. In addition, Sojitz takes steps to further instill risk management capabilities throughout the company by bringing staff from business divisions and overseas operating bases into risk management organizations, and through other personnel exchanges between risk management organizations at Sojitz’s Tokyo headquarters and Group companies.

Addressing Information Security Risk

Policy and Basic Approach

Sojitz has established Information Management Regulations, Sojitz IT Security Policy and other regulations regarding information management and information security measures. Sojitz Group seeks to create an integrated system of information security risk countermeasures and works to ensure that all Group employees appropriately use, manage, and maintain IT assets.

Systems

Sojitz has established the Information and IT System Security Committee, an organization chaired by the CISO. The Information and IT System Security Committee creates Sojitz’s system for managing information security throughout Sojitz Group, deliberates on a wide range of information security-related issues, and makes proposals to management. The committee also monitors adherence to all information security-related regulations and in the event of a violation, centrally manages all relevant information, and ensures that there is a system in place for promptly addressing violations.

Information Security Subcommittee

Initiatives

Addressing Information Leaks

Sojitz Group identifies high-priority information assets that require careful protection (clients’ personal information, etc.), and takes steps to secure this information, including limiting user access. In the event of an information leak, Sojitz has established a disclosure framework, incorporating outside parties, that ensures information is disclosed appropriately.

Addressing Cyber Attack Threats

Sojitz is continuously working to strengthen its measures for preventing cyber attacks. These measures include the use of firewalls to prevent unauthorized system access by external parties, measures for stopping viruses that exploit system vulnerabilities, and technological measures such as the use of encryption technology. In addition, Sojitz has established a framework for the 24/7 operation and supervision of IT systems and strives to ensure that the company can promptly detect and address any cyber attacks that may occur.

Addressing Disaster Risks

Policy and Basic Approach

Sojitz recognizes the importance of maintaining business continuity and ensuring the safety of all Sojitz Group employees, families, and other affiliated parties in the event of a major disaster such as an earthquake, flood, terrorist attack, or pandemic. Sojitz has established the Sojitz Group Basic Crisis Management Policy, which defines Sojitz’s policies and framework for crisis management. Sojitz operates an active system for crisis management at all times in order to ensure that in the event of a disaster, it can maintain the safety of all Sojitz Group employees, families, and other affiliated parties.

Sojitz Group Basic Crisis Management Policy

  1. Ensure the safety of employees and others (personal safety)
  2. Ensure the safety of company assets and restart operations as soon as possible (stable supply of business services)
  3. Support stakeholders and the local community (cooperation and mutual support)
  4. Strengthen crisis response and raise crisis management awareness (regularly conduct trainings and drills)

Systems

In the event of a crisis, Sojitz has established internal systems and roles based on the Sojitz Group Basic Crisis Management Policy and the Sojitz Crisis Management Guidelines. Sojitz has also established the Business Continuity Management Working Group, which regularly reports to the Management Committee. The working group continuously reviews and implements improvements to all crisis-related measures in order to ensure their effectiveness and respond to changes in the business environment.

Management Committee

Initiatives

Business Continuity Management (BCM) Operations

In order to ensure the effectiveness of business continuity planning (BCP), Sojitz establishes a plan for year-round BCP activities and regularly reviews the plan. For an earthquake directly under the Tokyo metropolitan area (approximately magnitude 7), which is expected to have the greatest impact on all of Sojitz’s organizations, we have established scenarios of damage and impact on major social infrastructure (rail, power, communications, etc.) and the building environment based on the damage conditions predicted by the Japanese government’s Central Disaster Management Council and on other factors. Based on these scenarios, members of the Disaster Task Force regularly conduct drills of an earthquake occurring during business hours and during holiday and nighttime hours.

Scenarios of Damage to Major Infrastructure:
・JR and private railways go out of service for a month, and subways go out of service for a week
・We strive to keep employees within the workplace for three days during an emergency in accordance with Tokyo Metropolitan Government ordinances
・Widespread power outages in the Tokyo metropolitan area continue for one week
・Telephone outages continue for one week

We also utilize a safety confirmation system to conduct announcement drills involving all Sojitz employees.

Disaster Preparedness and Mitigation

Sojitz has taken steps to ensure that its Tokyo headquarters can continue to perform its functions in the event of an earthquake in the Tokyo metropolitan area, through measures such as equipping its facilities with emergency power generators capable of providing 72 hours of electricity. Sojitz has also stockpiled five days’ worth of food for employees in the event that they are required to shelter at Sojitz offices. The Tokyo Metropolitan Government has recognized Sojitz as a model company for its efforts to prevent the mass movement of employees in the event of a natural disaster.