Risk Management
Policy and Basic Approach
Sojitz Group aims to ensure sound management practices and increase its corporate value. To realize these aims, Sojitz identifies and categorizes risks that may arise in the course of performing duties and that have the potential to result in unexpected losses or damages to Sojitz Group’s net assets. Additionally, Sojitz carefully assesses risks associated with new business ventures or accompanying changes in the business environment, and the company has established the necessary risk management systems to address these risks and manages these systems appropriately.
Systems and Initiatives
In compliance with the General Standards of Risk Management, Sojitz has established the Internal Control Committee as an organization for supervising Group-wide risk management. The Internal Control Committee is an executing body under the supervision of the president & CEO. The committee identifies, categorizes, and defines the potential risks associated with Sojitz’s business activities and conducts ongoing reviews of the risks associated with new business ventures or accompanying changes in the business environment. Risks are first subdivided into categories in order to gain a comprehensive and thorough understanding of each type. Risk managers are then assigned for each risk type. These risk managers establish risk management policies and plans at the beginning of each fiscal year and implement PDCA cycles based on these plans. The Internal Control Committee conducts quarterly monitoring of the progress of risk management plans, discussing strategies for improvement and issuing directives to organizations in charge of risk management as necessary. Monitoring results are reported quarterly to the Management Committee and Board of Directors. The Board of Directors supervises Sojitz’s risk management operations through discussion of important risk management-related issues and through regular reports, and conducts evaluations of the effectiveness of Sojitz’s risk management systems and processes. Any new risks that are identified mid-quarter are also subject to the same monitoring processes.
Sojitz Group uses an evaluation process to regularly review the major risks facing the Group and has currently identified 12 major risk types. For major risk categories, Sojitz has established a range of organizations that deliberate regarding the unique characteristics of each risk type and implement concrete risk prevention measures at a cross-organizational level. These organizations include 1) internal committees that act as executing bodies under the supervision of the president & CEO to oversee key management issues and 2) working groups formed to review practices and initiatives under a specific theme.
The 12 Major Risk Types and Sojitz Internal Committees
① Market risks (foreign exchange rates, interest rates, commodity prices, listed securities prices)
② Credit risks
③ Business investment risks
④ Country risks
⑤ Funding risks
⑥ Environmental and social (human rights) risks
⑦ Compliance risks
⑧ Legal risks
⑨ System and information security risks
⑩ Disaster risks
⑪ Risks related to sharing company information via the corporate website and social media accounts
⑫ Quality management risks
Current as of June 20, 2023
Committee | Chairperson |
---|---|
Internal Control Committee | Representative Director, Senior Managing Executive Officer; Executive Management of Corporate Departments |
Compliance Committee | Managing Executive Officer, CCO, CISO; COO, Legal Department, Internal Control Administration Department |
Sustainability Committee | President & CEO |
Security Trade Control Committee | Executive Vice President; Advisor to the President; Executive Management of Business Group (Automotive, Aerospace & Transportation Project, Infrastructure & Healthcare), and East Asia region |
DX Promotion Committee | President & CEO |
Quality Management Committee | Managing Executive Officer; COO, Retail & Consumer Service Division |
Information and IT System Security Committee | Managing Executive Officer, CCO, CISO; COO, Legal Department, Internal Control Administration Department |
Business Continuity Management Working Group | Managing Executive Officer; COO, Human Resources Department |
Disclosure Working Group | Executive Officer; COO, IR Office, Corporate Sustainability Department |
Initiatives
Sojitz’s basic internal control framework comprises three lines of defense (first line: business divisions; second line: corporate departments; third line: internal audits). Under Medium-term Management Plan 2023, Sojitz seeks to augment the risk management capabilities of the first and second lines while bolstering its capacity to respond to the risks that might emerge due to entry into new business fields.
Specifically, Sojitz provides training and e-learning courses for business division managers, the employees who directly oversee business management and make up the front line of defense, in order to raise their awareness and understanding of risk management issues. Sojitz also requires each Group organization to conduct self-assessments of its key risk factors in order to instill an awareness of the importance of risk management in all employees. Sojitz is working to strengthen its risk management framework in light of new risks associated with cybersecurity, security trade controls, and B2B business that are emerging due to recent changes in the business environment and Sojitz’s expansion into new business fields.
Status of Response to the 12 Major Risk Types
Risk type | Status of response |
---|---|
Market risks (Risk measurement in progress) | |
Credit risks (Risk measurement in progress) | |
Business investment risks (Risk measurement in progress) | |
Country risks (Risk measurement in progress) | |
Funding risks | |
Environmental and social (human rights) risks | |
Compliance and legal risks | |
System and information security risks | |
Disaster risks | |
Risks related to sharing company information via the corporate website and social media accounts | |
Quality management risks | |
Measuring and Controlling Risk
In order to manage risk with a dual focus on both safety and profit opportunity, Sojitz measures risk assets within the following four risk types: market risk, business investment risk, credit risk, and country risk. The goals of risk measurement are to 1) manage quantified risk assets in order to keep them within the scope of the company’s strength (total equity), and 2) maximize earnings in line with the level of risk exposure. Risk assets are measured twice yearly and reported to the Board of Directors and the Management Committee. Each business department receives feedback on analysis conducted for factors affecting risk levels, and the business departments utilize the results of these analyses in their ongoing risk management efforts. Sojitz Group’s objective for risk control is to keep the ratio of risk assets to total equity at or below 1.0. Sojitz has maintained this goal ratio since the fiscal year ended March 2010.
Enhancement of Supply Chain Resilience
The risks Sojitz faces are growing increasingly diverse. This is true for economic security risks as well as risks related to natural disasters, abnormal weather events, human rights, and the environment. In this complex environment, it is crucial to assess risks across the supply chain in order to ensure that Sojitz is able to fulfill its responsibilities toward its customers and society.
Sojitz has broadened its focus beyond the traditional risk management functions of trading businesses, including credit and inventory management, and the company quantifies and monitors risks based on scenarios for major risks, such as disaster and environmental risks. This approach is taken to heighten resilience and boost responsiveness in the event that a risk should materialize. In FY2023, Sojitz added supply risk to its list of major risks. The company implements supply risk management measures including reviews of high-risk transactions, introduction of a new transaction management process, and implementation of employee education programs.
Installation of Frontline Risk Management
Enhancing the risk management functions of Sojitz’s business divisions is imperative to ensuring the company can act with the level of speed necessary to address the diversifying values seen in the evolving operating environment. In April 2022, Sojitz reorganized its risk management organizations to allow for more rigorous screening and operation of investment projects, reforms of portfolios and earnings structures, and enhancement of frontline risk management and monitoring structures. In this reorganization, parts of controller office functions were transferred to the planning and administration offices of business divisions.
Investment and Loan Proposals
When considering new investment and loan projects, Sojitz implements a system for reviewing whether a proposed project aligns with company policies through a process that involves identifying factors including: 1) the project’s vision and its path for improving corporate value, 2) the growth potential of the business field in question, and 3) the functions and competitiveness of both Sojitz and the business within that field. This process also involves eliminating projects that do not align with Sojitz policies and which would entail taking on excessive risks in unfamiliar business areas.
Following this review process, projects that are found to be in line with company policies are presented to the Finance & Investment Deliberation Council, a body which consists of a chairman and council members appointed by the president. This council analyzes the feasibility of each project’s business plan and visualizes risks in order to reach a decision on investment. Specifically, the council closely examines the cash flow plan and other details of the business plan, evaluates business feasibility, and compares the internal rate of return (IRR) and hurdle rate for each proposal in order to select only those projects which have the potential to enhance Sojitz Group shareholder value while also generating returns commensurate with risk.
Portfolio Management Cycle
In order to achieve sustainable value creation, it is imperative for Sojitz to implement an asset management strategy that considers both the risks and returns of each asset. In FY2022, Sojitz introduced a new portfolio management cycle to achieve optimized asset management. Under this new process, Sojitz regularly reviews the status of each business division’s risk assets. The results of these assessments, including risk-return analysis and investment monitoring, are then discussed at biannual meetings between the COO of the Risk Management Department and the COOs of the business divisions. The COOs deliberate regarding the current status and future vision for the portfolio of each division. Information on this process is reported to and discussed by the Management Committee to drive the improvement of Sojitz’s portfolio.
Risk Management Training
In order to comprehensively manage risk, Sojitz must not only establish organizational systems and frameworks, but also instill a risk management mindset and foster the necessary skills in each Group employee. Sojitz therefore places an emphasis on risk management-related trainings and provides employees with educational content on the basics of risk management, trading, and business investment. Trainings cover a wide range of topics and are designed to address the actual risk-related issues employees face as they conduct business.
As part of efforts to share risk-related knowledge throughout the company, Sojitz also creates videos that feature case studies of specific trading or business investment-related incidents that have occurred at Sojitz Group. In the videos, employees involved in the incident engage in open dialogue with members of the Risk Management Department to discuss their experience and highlight key takeaways. Through this initiative, Sojitz aims to encourage employees to apply the collective knowledge gained through past incidents in their work each day.
The risks that trading companies face are constantly evolving. Sojitz therefore reviews and updates the content of its training materials as needed and strives to provide employees with the tools needed to respond to evolving and newly emerging risks.
Addressing Information Security Risk
Policy and Basic Approach
Sojitz has established Information Management Regulations, Sojitz IT Security Policy and other regulations regarding information management and information security measures. Sojitz Group seeks to create an integrated system of information security risk countermeasures and works to ensure that all Group employees appropriately use, manage, and maintain IT assets.
Systems
Sojitz has established the Information and IT System Security Committee, an organization chaired by the Managing Executive Officer, CCO, and CISO. The Information and IT System Security Committee creates Sojitz’s system for managing information security throughout Sojitz Group, deliberates on a wide range of information security-related issues, and makes proposals to management. The committee also monitors adherence to all information security-related regulations and, in the event of a violation, centrally manages all relevant information and ensures that there is a system in place for promptly addressing violations.
Initiatives
Addressing Information Leaks
Sojitz Group identifies high-priority information assets that require careful protection (clients’ personal information, etc.), and takes steps to secure this information, including limiting user access. In the event of an information leak, Sojitz has established a disclosure framework, incorporating outside parties, that ensures information is disclosed appropriately.
Addressing Cyberattack Threats
Sojitz is continuously working to strengthen its measures for preventing cyberattacks. These measures include the use of firewalls to prevent unauthorized system access by external parties, measures for stopping viruses that exploit system vulnerabilities, and technological measures such as the use of encryption technology. In addition, Sojitz has established a framework for the 24/7 operation and supervision of IT systems and strives to ensure that the company can promptly detect and address any cyberattacks that may occur.
Addressing Disaster Risks
Policy and Basic Approach
Sojitz recognizes the importance of maintaining business continuity and ensuring the safety of all Sojitz Group employees, families, and other affiliated parties in the event of a major disaster such as an earthquake, flood, terrorist attack, or pandemic. Sojitz has established the Sojitz Group Basic Crisis Management Policy, which defines Sojitz’s policies and framework for crisis management. Sojitz operates an active system for crisis management at all times in order to ensure that in the event of a disaster, it can maintain the safety of all Sojitz Group employees, families, and other affiliated parties.
Sojitz Group Basic Crisis Management Policy
- Ensure the safety of employees and others (personal safety)
- Ensure the safety of company assets and restart operations as soon as possible (stable supply of business services)
- Support stakeholders and the local community (cooperation and mutual support)
- Strengthen crisis response and raise crisis management awareness (regularly conduct trainings and drills)
Systems
In the event of a crisis, Sojitz has established internal systems and roles based on the Sojitz Group Basic Crisis Management Policy and the Sojitz Crisis Management Guidelines. Sojitz has also established the Business Continuity Management Working Group, an organization chaired by the Managing Executive Officer and Human Resources Department COO, which regularly reports to the Management Committee. The working group continuously reviews and implements improvements to all crisis-related measures in order to ensure their effectiveness and respond to changes in the business environment.
Initiatives
Business Continuity Management (BCM) Operations
In order to ensure the effectiveness of business continuity planning (BCP), Sojitz establishes a plan for year-round BCP activities and regularly reviews the plan. Sojitz conducts a range of BCP-related trainings including drills conducted by the Emergency Response Unit, first aid trainings for employees, and evacuation drills. (Trainings are conducted for two differing scenarios: a disaster occurring 1) during working hours and 2) at night on a non-workday.) In addition, Sojitz utilizes a reporting system to confirm the safety of all employees in the event of a disaster and also conducts reporting drills using this system.
Disaster Preparedness and Mitigation
Sojitz has taken steps to ensure that its Tokyo headquarters can continue to perform its functions in the event of an earthquake in the Tokyo metropolitan area, through measures such as equipping its facilities with emergency power generators capable of providing 72 hours of electricity. Sojitz has also stockpiled five days’ worth of food for employees in the event that they are required to shelter at Sojitz offices. The Tokyo Metropolitan Government has recognized Sojitz as a model company for its efforts to prevent the mass movement of employees in the event of a natural disaster.