Approach to risk management
The Kirin Group defines risk as uncertainty with the potential to seriously impede the accomplishment of business targets or impact business continuity. The Group also defines crisis as risk manifested at a certain point and requiring urgent action.
We believe that risk management plays an increasingly important role in promoting our business. This includes uncertainties in the business environment of existing business domains of Food & Beverages and Pharmaceuticals, the development of the Health Science domain as a foundation for future growth, the increase in large-scale natural disasters, and the COVID-19 pandemic. The Group’s fundamental risk management policy is to mitigate risk, prevent risk from being actualized, and keep risk within a manageable level. Management considers risk management essential to continue earning the trust of customers, employees, shareholders and society over the long term. When making decisions to maximize corporate value, we analyze, in most cases, risk scenarios from various perspectives, including strategic and financial aspects, to review appropriate risk control proposals. Risk information is disclosed in a timely and appropriate manner on our corporate website and through other means.
Risk management structure and process for determining and monitoring significant risk
The Group has established a Group Risk and Compliance Committee consisting of Kirin Holdings’ Directors of the Board (excluding Non-executive Directors) and Executive Officers and chaired by the Executive Officer in Charge of Risk. The committee oversees the Group’s risk management activities, including collecting risk information, controlling risks, setting risk policy for the medium-term business plans and for each fiscal year, preparing important items for compliance, introducing risk reduction measures, communicating information and implementing countermeasures when a risk arises, and providing necessary instructions and support to Group companies. The Board also oversees the effectiveness of risk management through deliberations and reports on significant risks. (Figure 1)
Figure 1 Risk management structure
Based on the Kirin Group’s risk management policy set for each fiscal year, each Group company examines and identifies risks related to its strategy and business execution and risks that could develop into a serious crisis. Kirin Holdings aggregates the risks faced by specific businesses on the Group level, investigates common risks across the Group, and identifies significant risks to the Group. Based on this plan, the Group Risk and Compliance Committee assesses the potential quantitative and qualitative impacts of significant risks, such as economic losses, business continuity, and damage to reputation, from the perspective of overall Group management and classifies the risks in terms of priority, taking into account their frequency of occurrence. The Board deliberates the assessments and determines the significant risks for the Group. (Figure 2)
Kirin Holdings and the Group companies frame and implement measures tailored to each risk to address the significant risks. Kirin Holdings provides necessary support and instructions to Group companies, and Group companies report and consult with Kirin Holdings, thereby promoting and operating risk management in cooperation with each other. Each Group company and Kirin Holdings monitor risk status on a quarterly basis. The Kirin Holdings’ Board deliberates the status and reviews the Group’s significant risks and provides instruction as necessary (Figure 3) to support appropriate management and control of strategic risks. At the same time, we have established various risk management systems and work to mitigate and appropriately manage risks. These risk management systems are designed to prevent the manifestation of risks that could develop into a crisis and minimize any potential negative impact when a risk does develop into a crisis.
Figure 2 Process for determining significant risk
Figure 3 PDCA cycles for risk management
Kirin Group significant risk
The following is a list of the significant risks associated with the execution of the Kirin Group's strategies, businesses and other activities, as well as our approach to countermeasures and responses to individual risks.
- The Kirin Group has established a KIRIN-CSIRT (Computer Security Incident Response Team) to respond to increasingly serious threats from cyber-attacks, and is working on measures for information security, which is one of the major risks for the Kirin Group. We have established a security response system within the Group, together with human, physical and technological countermeasures. In this way we strengthen our countermeasures against the threat of cyber-attacks, such as virus infections and unauthorized access from outside.
- From the perspective of respect for human rights, the Kirin Group supports the eight basic principles listed in the “Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data” adopted by the Organization for Economic Cooperation and Development (OECD) and has established the “Kirin Group Privacy Data Protection Policy” to put these principles into practice.
In addition to the eight basic principles, the Kirin Group Privacy Data Protection Policy includes Kirin's own initiatives for continuous improvement in response to changes in social norms and employee education.
We will evaluate each Group company based on the Privacy Data Protection Policy, formulate improvement plans for each company in the future, monitor the status of implementation, and disclose the status of compliance and improvement. We will appoint a responsible officer for privacy data protection at each company and strive to raise understanding and awareness of privacy data protection.
Crisis Management and Business Continuity Planning
In the event of a crisis, Kirin Holdings provides necessary support and instructions to Group companies, and Group companies report to and consult with Kirin Holdings, thereby establishing a system for mutual cooperation and appropriate response.
In addition, we are developing a BCP in preparation for all kinds of crisis events, such as natural disasters and infectious diseases. In addition to initial responses in the event of a disaster, we regularly confirm our plans for business continuity and recovery and the level of such plans, and strive to expand and enhance our highly flexible and effective business continuity plan.
Initiatives in FY2021
Making the BCP all-hazards
In the past, the Group has developed a Business Continuity Plan (BCP) for each disaster, such as earthquakes and highly virulent influenza, with each company considering its own countermeasures. However, in recent years, in addition to earthquakes, torrential rains, and infectious diseases, various crisis events have been occurring around the world, such as heightened geopolitical risks and cyber attacks, which not only affect our business in isolation but also have a combined impact on our business, creating a highly uncertain business environment. Therefore, since 2021, we have been working to improve the resilience of our business continuity plan by reviewing our approach to individual crisis events and shifting to an "all-hazards BCP" that focuses on the loss of management resources, including damage to employees and facilities and the temporary suspension of head office functions.
While taking into account the basic approach that has been in place for some time, we have established the Group BCP Basic Policy as the content common to all Kirin Group companies, reiterating that respect for human life is the top priority, and organizing operations related to employee safety and safety confirmation in the event of an emergency as an initial response plan. In addition, with regard to the maintenance and continuation of corporate activities at each group company, we confirmed the status of BCP creation, and in the domestic food domain, we established a recovery plan and target recovery time, identified priority operations to achieve them, and formulated a new business continuity plan for an all-hazard type situation. In formulating the plan, we have assumed a situation in which management resources that we normally take for granted, such as personnel, facilities, and equipment, would be restricted from normal use, and we have clarified decision makers and substitutes, examined alternative means, and otherwise developed a system and structure to ensure a certain level of business continuity in the event of an emergency.
We recognize that the expansion of our business continuity plan is a never-ending effort, and we plan to continue to make constant improvements by establishing an annual PDCA cycle, including regular opportunities to review the contents of the plan. In addition, as a contingency preparedness measure, we will strive to improve the accuracy and effectiveness of the BCP itself by ensuring that it is well and widely understood within the group through drills, training, and annual reviews of priority operations, as well as by addressing new issues as they arise. We will continue to improve the flexibility and effectiveness of our business continuity plan so that we can fulfill our social responsibilities by strengthening our ability to respond to various crisis events, minimizing the impact of damage, and maintaining and quickly restoring our business.