Risk Management

Approach to risk management

At the Kirin Group, we define “risk” as uncertainty—both opportunities and threats—that may significantly affect the achievement of management goals and business continuity, and we define “crisis” as a situation in which a risk materializes beyond a certain point and requires urgent response. To earn long-term trust from customers, employees, shareholders, and society, our basic policy is to identify and appropriately control various risks arising from business activities by building and operating a risk management system based on the principles below. We will also disclose risk-related information in a timely and appropriate manner through our website and other channels.

Basic Policy

  • Based on our management philosophy and values, we implement risk management to ensure the achievement of management goals and business continuity, fulfill corporate social responsibility, and enhance corporate value over the medium to long term.
  • Examine strategy and risk in an integrated manner and realize appropriate risk-taking.
  • To promote risk management, develop the organizational structure and mechanisms and enhance organizational capabilities to respond flexibly to environmental changes.
  • Identify risks on an ongoing basis in normal times and, after understanding the various risks associated with corporate activities, conduct risk identification, analysis, evaluation, countermeasures, and monitoring, and implement the appropriate response to each risk (retain, mitigate, avoid, transfer).
  • Recognize that risk management is an activity in which all employees participate, and foster risk sensitivity through awareness-raising activities such as education and training.
  • For crises, thoroughly focus on prevention and minimize impact through early detection, prompt reporting, information sharing, and response. After responding to a crisis, analyze its causes and response methods, and strive to prevent recurrence.
  • Disclose appropriate risk-related information regarding the nature of risks and countermeasures at the company to stakeholders in a timely manner.

In addition to the above policy, we have established our basic stance toward risk to clarify “risks we pursue while controlling them” and “risks we do not take,” and by setting risk tolerance levels, we support continuous business growth through risk management (Table).

Table: Basic approach to risk

Each row gives a risk perspective, followed by the basic approach to risk in two columns: risks the Group controls while taking them, and risks it does not take.

Risk perspective: Promotion of innovation
  Controlling risks while taking them:
    ・The Kirin Group will proactively develop new, high-value products and services through innovation while maintaining financial soundness
  Risks that are not taken:
    ・The Kirin Group will not adopt strategies that are inconsistent with its policies

Risk perspective: Stable supply of high-quality, safe products and services
  Controlling risks while taking them:
    ・The Kirin Group will enhance its global supply chain management and maintain and improve its quality management system while balancing costs to ensure a stable supply of high-quality products and services
  Risks that are not taken:
    ・The Kirin Group will never provide products or services to patients or consumers that raise doubts about the safety of pharmaceuticals or food & beverages

Risk perspective: Communication with consumers and patients
  Controlling risks while taking them:
    ・The Kirin Group will continue to communicate the value of its products and services to consumers and patients in a more appropriate and understandable manner
  Risks that are not taken:
    ・The Kirin Group will not engage in activities that violate the three principles of advertising: "Do not lie, do not be vulgar, and do not slander"

Risk perspective: Social responsibility (Compliance)
  Controlling risks while taking them:
    ・The Kirin Group prioritizes the sustainable growth of its business by resolving social issues and aims to address environmental issues while maintaining cost efficiency
  Risks that are not taken:
    ・The Kirin Group will not take risks that violate human rights policies throughout the supply chain, including with business partners
    ・The Kirin Group defines compliance as "fulfilling our legal and ethical responsibilities to society" and will not violate compliance policies and guidelines

Risk management structure and process for determining and monitoring significant risk

The Kirin Group has established the “Group Risk & Compliance Committee,” composed of Executive Officers and above of Kirin Holdings, chaired by the Executive Officer in charge of risk.

The committee oversees risk management activities as a whole, including collecting risk information, formulating the Group’s risk management policy and priority issues, promoting integrated consideration of strategy and risk (including risk-taking as well as risk reduction), and sharing information and examining countermeasures when a crisis occurs. In addition, the Board of Directors oversees the effectiveness of risk management through deliberation and reporting on Group material risks (Figure 1).

Figure 1 Risk management structure

Group material risks are compiled by consolidating risks from both perspectives: risks related to the Group’s overall goals, strategy, and business execution, and risks unique to each business. For each risk, we evaluate its impact on the Group from both quantitative and qualitative perspectives, and taking probability of occurrence into account, we determine risk materiality using two axes: impact and probability. Material risks are further managed in an integrated manner on a risk map. The Group Risk & Compliance Committee discusses the compiled Group material risks and deliberates on responses and risk tolerance for each risk.

These Group material risks are also deliberated by the Board of Directors, which confirms changes in circumstances and reviews countermeasures (Figures 2 and 3).

Kirin Holdings and group companies promote and operate risk management by planning and implementing measures according to each risk and working in coordination with one another.

Through monitoring conducted along both business and functional axes, we manage and control strategic risks, and we maintain a risk management framework to prevent risks from materializing into crises and to minimize impacts if they occur, thereby striving to reduce risks and manage them appropriately (Figure 4).

Figure 2 Process for determining significant risk

Figure 3 Risk map

Figure 4 PDCA cycles for risk management

Figure 4 PDCA cycles for risk management

  • * The Kirin Group has established a risk management system based on the framework of the ISO 31000 risk management standard.

Kirin group significant risk

Major risks associated with the execution of Kirin Group's strategies, businesses, and other activities are described here. Please refer to the following for details on measures for each risk, such as scenario analysis for ESG-related risks.

  • *1 The Kirin Group has established KIRIN-CSIRT (Computer Security Incident Response Team) to respond to increasingly serious threats from cyber-attacks, and is working on information-security measures, as information security is one of the major risks for the Kirin Group. We have established a security response system within the Group and countermeasures on the human, physical, and technological fronts. In this way we strengthen countermeasures against the threat of cyber attacks, such as virus infections and unauthorized access from outside.
  • *2 From the perspective of respect for human rights, the Kirin Group supports the eight basic principles listed in the “Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data” adopted by the Organisation for Economic Co-operation and Development (OECD) and has established the “Kirin Group Privacy Data Protection Policy” to put these principles into practice.
    In addition to the eight basic principles, the Kirin Group Privacy Data Protection Policy includes Kirin's own initiatives for continuous improvement in response to changes in social norms, and for employee education.
    We will evaluate each Group company against the Privacy Data Protection Policy, formulate improvement plans for each company, monitor the status of implementation, and disclose the status of compliance and improvement. We will appoint a responsible officer for privacy data protection at each company and strive to raise understanding and awareness of privacy data protection.

Crisis Management and Business Continuity Planning

In the event of a crisis, Kirin Holdings provides necessary support and instructions to group companies, while group companies report to and consult with Kirin Holdings; through mutual coordination, we have established a structure to respond appropriately.

We are also advancing the development of an all-hazards BCP to prepare for various crisis events such as natural disasters, infectious diseases, and cyberattacks, and we regularly review initial response actions and recovery plans for business continuity when a crisis event occurs. Based on those plans, we conduct training not only at each company but also across the Group, assuming scenarios such as a major metropolitan-area earthquake or a Nankai Trough earthquake, to identify issues and consider countermeasures, thereby enhancing the effectiveness of our BCP.

Risk Management Initiatives

FY2025 Cybersecurity Initiatives

To continue delivering products and services to customers around the world with confidence, the Kirin Group positions cybersecurity as one of its key management foundations and is promoting unified group-wide initiatives. In recent years, cyberattacks have increased globally, and there are cases where they affect not only corporate activities but also social infrastructure and people’s daily lives. We recognize these environmental changes as an important management risk and are working to continuously strengthen measures and advance operational capabilities. Specifically, to strengthen prevention and detection, we implement technical measures based on the concept of defense in depth and enhance access management.

We have established a continuous monitoring framework led by specialist teams and operate mechanisms that enable the early identification of and response to suspicious signs. To minimize impact even in the event of an incident, we have established group-wide common response procedures and regularly conduct drills assuming real situations. This helps accelerate initial response and improve the accuracy of decision-making. Furthermore, we regularly review backup structures and recovery plans to keep the business running, and we strive to enhance resilience so that we can continue to uphold our commitments to product supply and to society.

Going forward, the Kirin Group will continue to strengthen cybersecurity as a management foundation and aims to remain a corporate group trusted by society.