Risk Management

Approach to risk management

The Kirin Group defines risk as uncertainty with the potential to seriously impede the accomplishment of business targets or impact business continuity. The Group also defines crisis as risk manifested at a certain point and requiring urgent action. The Group’s fundamental risk management policy is to mitigate risk, prevent risk from being actualized, and keep risk within a manageable level so that we can earn trust of our stakeholders in a sustainable manner. By treating strategies and risks as two sides of the same coin, we assess and implement appropriate risk control measures by analyzing risks in the phases of selecting and implementing strategies, as well as risks that could develop into crises, from various perspectives. Risk information is disclosed in a timely and appropriate manner on our corporate website and other means.

Risk management structure and process for determining and monitoring significant risk

The Group has established the Group Risk and Compliance Committee consisting of Kirin Holding’s Senior Executive Officers or higher and chaired by the Executive Officer in Charge of Risk. The committee oversees the Group’s risk management activities, including collecting risk information, controlling risks, setting risk policy for the medium-term business plans and for each fiscal year, preparing important items for compliance, introducing risk reduction measures, communicating the information and implementing countermeasures when a risk arises, and providing necessary instructions and support to Group companies. The Board also oversees the effectiveness of risk management through deliberations and reports on the Group’s major risks. (Figure 1)

Figure 1 Risk management structure

  • Figure 1 Risk management structure

To identify the Group’s major risks, each Group company examines and identifies risks related to its strategy and business execution and risks that could develop into a serious crisis based on the Kirin Group’s risk management policy set for each fiscal year. Kirin Holdings aggregates these business-specific risks and investigates common risks across the Group. The Group Risk and Compliance Committee assesses the potential quantitative and qualitative impacts of major risks, such as economic losses, business continuity, and damage to reputation, from the perspective of overall Group management and classifies the risks in terms of priority, taking into account its likelihood of occurrence. The Board deliberates the assessments and determines the major risks for the Group. (Figure 2)
The Group’s major risks are managed centrally on a risk map based on their degree of impact and likelihood of occurrence. With regard to the most major risks, the Board also takes stock of changes in risk conditions and reviews measures against these risks. Kirin Holdings and the Group companies frame and implement measures tailored to each risk. Meanwhile, Kirin Holdings provides necessary support and instructions to Group companies, and Group companies report and consult with Kirin Holdings, thereby promoting and operating risk management in cooperation with each other. (Figures 3 and 4) Each Group company and Kirin Holdings monitor the status of both strategies and risks on a quarterly basis to appropriately manage and control strategic risks. At the same time, we have put in place various risk management systems that are designed to prevent the manifestation of risks that could develop into a crisis and minimize any potential negative impact when a risk does develop into a crisis.

Figure 2 Process for determining significant risk

  • Figure 2 Process for determining significant risk

Figure 3 Risk map

  • Figure 3 Risk map

Figure 4 PDCA cycles for risk management

  • Figure 4 PDCA cycles for risk management

  • The Kirin Group has established a risk management system based on the framework of the ISO 31000 risk management standard.

Kirin group significant risk

Major risks associated with the execution of Kirin Group's strategies, businesses, and other activities are described here. Please refer to the following for details on measures for each risk, such as scenario analysis for ESG-related risks.

  1. The Kirin Group has established a KIRIN-CSIRT (Computer Security Incident Response Team) to respond to increasingly serious threats from cyber-attacks, and is working on information-security measures, which are one of the major risks for the Kirin Group. We have established a security response system within the Group and countermeasures by human, physical and technological side. By doing this we can strengthen countermeasures against the threat of cyber attacks, such as virus infections and unauthorized access from outside.
  2. From the perspective of respect for human rights, The Kirin Group supports the eight basic principles listed in “Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data” adopted by the Organization for Economic Cooperation and Development (OECD) and established “Kirin Group Privacy Data Protection Policy” to put these principles into practice.
    In addition to the eight basic principles, the Kirin Group Privacy Data Protection Policy includes Kirin's own initiatives for continuous improvement in response to changes in social norms and employee education.
    We will evaluate each Group company based on the Privacy Data Protection Policy, formulate improvement plans for each company in the future, monitor the status of implementation, and disclose the status of compliance and improvement. We will appoint responsible officer of privacy data protection at each company and strive to raise understanding and awareness of privacy data protection.

Crisis Management and Business Continuity Planning

In the event of a crisis, Kirin Holdings provides the required support and instructions to Group companies, and Group companies report to and consult with Kirin Holdings, thereby mutually working together and establishing a system to respond appropriately. In addition, the Company is pursuing the maintenance of a BCP in preparation for all kinds of crisis events such as natural disasters and infectious diseases, and we have conducted a drill for a hypothetical earthquake directly under the Tokyo metropolitan area in 2022. We are regularly reviewing our initial response to disasters and recovery plans for business continuity, and shall strive to expand and improve our effective business continuity plan.

Risk Management Initiatives

Quality initiatives In 2022

The Kirin Group is pursuing Group-wide initiatives to foster a "Culture that values quality" as outlined in the 2022-2024 Mid-term Business Plan. The Group defines quality as "satisfying consumers by providing products and services that meet their expectations."
We have established the Kirin group Global Quality Management Principles (KGQMP), which represent the Kirin Group’s Quality Policy and Action Principles based on the Kirin Group's management principles of "consumer-first approach" and "steady focus on quality" in order to achieve higher quality.
This principle is the basis of quality management that the Kirin Group values throughout the entire value chain, from raw material procurement, to delivery of products and services to consumers through product development, manufacturing, and logistics. This concept is reflected in the quality management systems of each Group company in the food & beverages domain, health science domain, and pharmaceutical domain, both in Japan and overseas, and leads to products and services of reliable quality.
The Quality Assurance Department of Kirin Holdings Company, Limited carries out activities to understand the quality assurance status of each Group company and pursue improvements through regular dialogues on quality assurance with major Group operating companies in Japan and overseas, in order to further enhance the autonomous quality assurance activities of each company. We set common indicators (KH indicators)for quality assurance that are measurable across all entities, including input indicators such as the status of international certification and the sufficiency of resources for quality assurance operations, as well as output indicators such as the number of quality incidents and consumer complaints, and exchange opinions for monitoring and improvement. The status of each Group company is discussed by the Group Executive Committee and reported annually to the Board of Directors.
We have established "Guidelines for assurance of raw material safety in the Kirin Group (food business in Japan)" for the procurement of raw materials in the value chain that the Kirin Group is responsible for, and ensure the safety of the raw materials we use by assessing risks to raw materials handled by Group companies and taking appropriate measures based on a wide range of risk information, including information from government and research institutions in Japan and abroad that is regularly collected by the Quality Assurance Department of Kirin Holdings Company, Limited. In addition, we operate food quality management systems (ISO9001) and food safety management systems (FSSC22000, etc.) that incorporate the concept of international standards as part of our quality assurance initiatives in development, manufacturing, and logistics, and define "Food Defense Guidelines" and "Microbial Assurance Guidelines" to ensure the quality and safety of the products we deliver to consumers.
In the quality management system for the alcoholic and beverage business in Japan, we horizontally deploy examples and measures to prevent recurrence through meetings attended by quality assurance managers of each operating company, so that quality problems that occur in a particular business are not kept within that particular company.
In addition, the Food Safety and Quality Assurance Center, a specialized organization within the Group responsible for product inspection and analysis, provides technical support for the Group's advanced quality assurance system.
We will continue to deliver safe and reliable products and services to our consumers through these Group-wide initiatives, as well as by fostering a culture that values quality.

Making BCP all hazardous In 2021

In the past, the Group has developed a Business Continuity Plan (BCP) for each disaster, such as earthquakes and highly virulent influenza, with each company considering its own countermeasures. However, in recent years, in addition to earthquakes, torrential rains, and infectious diseases, various crisis events have been occurring around the world, such as heightened geopolitical risks and cyber attacks, which not only affect our business in isolation but also have a combined impact on our business, creating a highly uncertain business environment. Therefore, since 2021, we have been working to improve the resilience of our business continuity plan by reviewing our approach to individual crisis events and shifting to an "all-hazards BCP" that focuses on the loss of management resources, including damage to employees and facilities and the temporary suspension of head office functions.
While taking into account the basic approach that has been in place for some time, we have established the Group BCP Basic Policy as the content common to all Kirin Group companies, reiterating that respect for human life is the top priority, and organizing operations related to employee safety and safety confirmation in the event of an emergency as an initial response plan. In addition, with regard to the maintenance and continuation of corporate activities at each group company, we confirmed the status of BCP creation, and in the domestic food domain, we established a recovery plan and target recovery time, identified priority operations to achieve them, and formulated a new business continuity plan for an all-hazard type situation. In formulating the plan, we have assumed a situation in which management resources that we normally take for granted, such as personnel, facilities, and equipment, would be restricted from normal use, and we have clarified decision makers and substitutes, examined alternative means, and otherwise developed a system and structure to ensure a certain level of business continuity in the event of an emergency.
We recognize that the expansion of our business continuity plan is a never-ending effort, and we plan to continue to make constant improvements by establishing an annual PDCA cycle, including regular opportunities to review the contents of the plan. In addition, as a contingency preparedness measure, we will strive to improve the accuracy and effectiveness of the BCP itself by ensuring that it is well understood and widely understood within the group through drills, training, and annual reviews of priority operations, as well as by addressing new issues as they arise. We will continue to improve the flexibility and effectiveness of our business continuity plan so that we can fulfill our social responsibilities by strengthening our ability to respond to various crisis events, minimizing the impact of damage, and maintaining and quickly restoring our business.