Risk Management

Basic Approach / Promotion System

Basic approach

The Idemitsu Group strives to stabilize its management by proactively recognizing and evaluating various risks associated with its business activities and taking appropriate measures in accordance with those risks. We classify risks associated with our business activities into two categories: “Operational Risk” and “Business Strategy Risk” and promote countermeasures against them. “Operational Risk” is the risk of an impediment to business execution that causes losses and yields no profit. Risks under this category are typified by accidents, disasters, non-compliance, business errors, product defects, customer complaints, environmental pollution, information leaks, cyberattacks, terrorism, labor problems, economic security, human rights problems, and inadequacies in sustainable procurement. The term “Business Strategy Risk” refers to risks associated with business activities that exclude “Operational Risk” and significantly affect profit or loss. In addition to risks associated with current business strategies such as investments and finance, this category includes risks associated with the future business environment.

Risks associated with the business activities
  • Risk arising from changes in international affairs and the economic environment
  • Risk arising from changes in the external business environment (market prices of products, procurement conditions, country- specific circumstances and foreign exchange rates)
  • Risk associated with climate change and environmental regulations
  • Risk associated with business investments
  • Risk associated with human rights
  • Compliance-related risk
  • Risk associated with intellectual properties
  • Risk arising from natural disasters and accidents
  • Risk associated with the management of personal information
  • Risk arising from the outbreak of COVID-19

Operational risk is specified and managed by the Risk Management and Compliance Committee as follows:

Key risks

Company-wide risks with a high impact on business that management should monitor at all times (e.g., key legal compliance,crisis risks, etc.)

Updated as needed based on immediate internal and external circumstances

Material risks

A more detailed and comprehensive list of risks used in risk assessments at each department and affiliated company

Updated annually based on risk events that have actually occurred and risk interviews conducted at major departments(once per year)

In addition, risk surveys are conducted for the medium term to carry out comprehensive reviews

In regard to business strategy risks, we accurately identify risks and opportunities arising from climate change in accordance with TCFD recommendations, monitor the situation, and reflect them in our business strategy.

Promotion system

The Enterprise Risk Management Committee, which is supervised by the Board of Directors, is tasked with the determination of risk management policies associated with Group operations and monitoring the status of risk management. With the President serving as the chair, committee members include Executive Officers and heads of relevant departments. In principle, this committee meets once every six months and requests reporting from other committees with regard to major risks categorized under “Operational Risk” or “Business Strategy Risk.” Also, the committee provides the Board of Directors with updates on the status of its activities once a year in principle.

Our group has established the “Risk Management and Compliance Committee” tasked with handling “Operational Risk” under the Enterprise Risk Management Committee and is promoting company-wide risk management by taking necessary measures in a timely and prompt manner. Regular committee meetings are held quarterly. The committee has the role and responsibility of updating the key and material risks of the entire Group, identifying and assessing various signs of risk manifestation and new risks, deliberating on other matters related to Operational Risk in general, supporting measures for risk prevention and managing the progress of such measures, and submitting its conclusions to the Enterprise Risk Management Committee.

Risk management promotion system
出光興産, DFF Inc.

Other Risk Management Initiatives

Further enhancement of crisis readiness capabilities

We formulated the “Crisis Response Rules” as the highest rules for crisis response. These rules stipulate our policy on crisis response, crisis level definitions, reporting lines, and methods for establishing emergency task forces, among other matters related to crisis response.

Should an incident occur at any facility run by a Group entity, risk-related information is promptly shared with the department in charge of the site of the occurrence and the Risk Management Section of the General Affairs Department in accordance with these rules. This risk-related information will also be communicated to the Risk Management and Compliance Committee. Furthermore, corporate and other relevant departments will work to assist or spearhead risk countermeasures undertaken at the incident site to minimize the social impact and potential damage. These departments also act in collaboration with external stakeholders, including fire, police, and other public safety departments as well as municipalities and customers.

Moreover, a company-wide task force is formed in a timely and prompt manner under the direction of the chair of the Risk Management and Compliance Committee to investigate, review, and formulate countermeasures for potential risks, including economic security risks, that could significantly impact the business either in the present or the future. The task force reports to the Enterprise Risk Management Committee and the Board of Directors on the progress and results of its work.

Initiatives to upgrade our Business Continuity Plans (BCPs)

We formulated BCPs assuming the occurrence of an earthquake with an epicenter in the Tokyo metropolitan area, a megathrust earthquake involving the Nankai trough, and the outbreak of avian influenza, respectively. Based on said BCPs, we hold annual comprehensive disaster drills and confirm problems related to actual execution and coordination among all business bases in order to strengthen our practical response capabilities. We then reflect relevant feedback in the BCPs. Also, each refinery, complex, and plant carries out periodic disaster prevention drills encompassing their entire site in accordance with applicable crisis response regulations.

In FY2015, we were appointed as a designated public institution by the Cabinet Office and submitted the latest Disaster Prevention Action Plan in December 2019. As a designated public institution, we work to ensure that the tanker trucks we operate in each prefecture have been registered for emergency use.

COVID-19 initiatives

We disbanded our task force in May 2023 when the government downgraded COVID-19 to a class 5 common infectious disease in Japan. Since then, we have been taking precautions when someone develops a fever at the workplace level in the same way as with seasonal influenza. We recommend ensuring the safety of employees and preventing the spread of infection.

Implementation of comprehensive disaster drills

Since 2007, we have held annual comprehensive disaster drills aimed at enhancing the effectiveness of our BCPs. In FY2022, the 16th round of the comprehensive disaster drills was held in September 2022. We increased the difficulty level for a two-part confirmation of the response of the headquarters, related branches, and related refineries to an announcement of Nankai Trough Earthquake Extra Information (massive earthquake warning) in the case of so-called “half-impact” of either the east or west side of the Kii Peninsula. We have made our BCP more robust by addressing various cases of major earthquakes likely to occur in the future. As part of this drill, we also confirmed employee safety on a company-wide basis, with approximately 14,000 individuals, including those working at affiliated companies, reporting their safety status in a prompt manner. Looking ahead, we update our BCPs by incorporating issues and takeaways identified in the course of this latest round, with the aim of enhancing our crisis readiness.


Comprehensive disaster drills (September 2022)

Acquiring highest BCM rating from the Development Bank of Japan

In FY2019, we became the first oil refiner and primary oil distributor to receive the highest “Rank A” rating awarded by the Development Bank of Japan (DBJ) under the DBJ BCM Rated Loan Program.


Joint firefighting exercise with Tokyo Fire Department at Tokyo Oil Terminal (June 2022)

出光興産, DFF Inc.

Information and Security Management

Approach to information and security management

In line with the Basic Policy on Information Security, the Idemitsu Group is endeavoring to ensure the confidentiality of its information assets as well as the accessibility and security of its information systems and networks. Utilizing information technologies, we are thus striving to maintain and enhance the level of customer services. In addition, we have established Customer Information Management Requirements to appropriately collect and use customer information, keeping it up to date while safeguarding it. The requirements also include the proper disposal of such information.

Furthermore, as part of our education related to Security Requirements for IT System Use, we mandate that every year all IT system users (including permanent and temporary employees as well as subcontractors) undergo information security education via e-learning. In this way, we work to ensure thorough information management by IT system users.

We have established a Control Systems Security Council for the security of control systems. Based on the Control Systems Security Guidelines, we are systematically promoting group-wide security measures and continuously working to improve them while implementing a PDCA cycle at each production base. In addition, we provide control systems e-learning to control systems users and administrators and conduct incident response drills at each production base every year.

Furthermore, each department and production base performs self-inspections on both information and control systems along with regular internal audits of security. Moreover, to reduce the impact of increasingly sophisticated cyberattacks, we have multiple layers of defense in place by systems, including those to prevent unauthorized entry or removal of important information.

Should information leakage or a serious security incident occur, it will be handled in accordance with the “Crisis Response Rules” and the “Essential Points on Information Management.”

Number of serious information security violations in FY2021 0
Basic Policy on Information Security
  1. Idemitsu Group shall, by securing confidentiality of information assets as well as availability and maintainability of information systems and networks, strive to maintain and improve customer services through the use of information technology.
  2. Idemitsu Group shall, by implementing appropriate protective measures, protect information concerning customers from being divulged, falsified, or destroyed.
  3. Idemitsu Group shall, by securing availability, maintainability, and confidentiality of information systems and networks, strive not to cause trouble to persons concerned such as customers and business partners.
  4. Idemitsu Group shall, by conducting educational and awareness building activities aimed at its employees and dispatched employees as well as external companies to which its businesses are outsourced, make them aware of the importance of information security and ensure the proper utilization of information and information systems by them.
  5. Idemitsu Group shall strive to ensure security by conducting an audit on a regular basis to examine and assess the status of compliance, etc. with the security policy.
Information and security management promotion system
Employee education
Human resources development

After defining a Career Development Plan (CDP) for ICT personnel, including security planning, implementation, and operations, we evaluate the skills of each individual in the ICT Department and set goals to systematically develop human resources.

Information security education via e-learning

We provide annual e-learning programs (in Japanese, English and Chinese) to instill information security rules that must be observed by all. Targeting all IT system users at home and abroad, the FY2021 round of these programs was implemented during the January – March 2022 period and completed by a total of 16,473 people, or 100% of targeted individuals.

Control systems e-learning program

In FY2019, we also launched e-learning programs for employees tasked with handling or administering control systems. The 2022 round of this program was implemented during the January – March 2022 period and completed by a total of 5,217 people, or 100% of targeted individuals.

Training on the handling of suspicious e-mails

On a quarterly basis, we implement training focused on handling targeted e-mail attacks, with the aim of mitigating the risk of contracting computer virus infections borne by suspicious e-mails and raising cybersecurity awareness among employees.

In-house newsletters designed to raise employee awareness

We distribute the monthly cybersecurity newsletter via e-mail, calling employees’ attention to relevant cybersecurity-related topics and thereby raising their awareness.

Date Training name Scope Notes
November 2019
IT summit 2019 Persons in charge of IT mainly from overseas offices 30 people Second annual event to share knowledge on strengthening security and provide IT tools to support business
出光興産, DFF Inc.

Protection of Personal Information

Approach to protection of personal information

Regarding the handling of personal information, including specific personal information,*1 as well as processed anonymous information*2 (hereinafter collectively referred to as “personal information, etc.”), we have established basic policies as outlined below. In accordance with these policies, we will securely and appropriately manage all the personal information, etc., we are entrusted with.

  • *1 People’s Individual Number and personal information containing said Individual Number, as defined by the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures
  • *2 Personal information that is processed to ensure that a specific individual’s identity can neither be uncovered nor their personal information restored.
Basic Policy on Protection of Personal Information, etc.
  1. Compliance with Laws and Regulations
    We comply with the Act on the Protection of Personal Information, the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures and other relevant laws and regulations, cabinet and ministerial ordinances, and prevailing guidelines.
  2. Matters concerning the Acquisition of Personal Information, etc.
    We will acquire personal information, etc., only through proper and fair methods. Furthermore, we will inform all individuals from whom we acquire personal information of the purpose of such information gathering either before obtaining said information or, immediately upon obtaining it, by providing them with notification individually or via a public statement of purpose, except in situations in which the Company is legally exempt from these measures. In cases where special care is required, we will obtain the prior consent of the individual from whom we acquire such information, except in situations in which we are legally exempt from obtaining such consent.
  3. Matters concerning the Use of Personal Information, etc.
    We will strictly limit the use of personal information, etc., to the extent necessary to achieve the defined purpose of usage, except in situations in which the use of personal information outside such purpose is legally permitted.
  4. Matters concerning the Provision and Disclosure of Personal Information, etc.
    We will not disclose or provide personal information to third parties other than contractors, companies engaged in the joint use of such information, and successors of our operations without the consent of any individual identifiable through such personal information, except in situations in which disclosing or providing such information is legally permitted.
  5. Matters concerning Safe Management Measures
    We will implement necessary and appropriate measures to protect personal information, etc., from unauthorized access, loss, destruction, falsification, leakage, or other incidents while continuously improving our structure for the protection and management of personal information. To this end, we will designate the individuals responsible for these measures at each business unit while ensuring that employees and contractors tasked with handling personal information, etc., are properly educated, trained, and supervised.
    Furthermore, we will maintain the accuracy of personal information, etc., and keep it updated. If it has served its purpose, we will swiftly discard or erase such information upon the lapse of storage periods stipulated by applicable laws and regulations.
    Should the leakage of personal information or a similar incident occur, we will promptly carry out correction measures in light of the nature of such an incident.
  6. Matters concerning the Disclosure of Personal Information, etc.
    In accordance with applicable laws and regulations, we will accommodate requests regarding the disclosure and correction (revision, update, deletion, suspension, elimination, or block them from being provided to third parties) of retained personal data or specific personal information files. If we decide to not disclose information held or if we retain no applicable data or files subject to the above requests, we will notify the individual who issued such requests about our decision or the nonexistence of these items.
Personal information protection promotion system

The General Affairs Department serves as the secretariat for the protection of personal information, and information control supervisors are assigned to each department and affiliated company to promote related efforts. Every year, we hold a conference for information control supervisors for education within the Group.

Number of serious personal information protection violations in FY2022 0
出光興産, DFF Inc.