The Idemitsu Group strives to stabilize its management by proactively recognizing and evaluating various risks associated with its business activities and taking appropriate measures in accordance with those risks. We classify risks associated with our business activities into two categories: “Operational Risk” and “Business Strategy Risk” and promote countermeasures against them. “Operational Risk” is the risk of an impediment to business execution that causes losses and yields no profit. Risks under this category are typified by accidents, disasters, non-compliance, business errors, product defects, customer complaints, environmental pollution, information leaks, cyberattacks, terrorism, labor problems, economic security, human rights problems, and inadequacies in sustainable procurement. The term “Business Strategy Risk” refers to risks associated with business activities that exclude “Operational Risk” and significantly affect profit or loss. In addition to risks associated with current business strategies such as investments and finance, this category includes risks associated with the future business environment.
Operational risk is specified and managed by the Risk Management and Compliance Committee as follows:
Company-wide risks with a high impact on business that management should monitor at all times (e.g., key legal compliance,crisis risks, etc.)
Updated as needed based on immediate internal and external circumstances
A more detailed and comprehensive list of risks used in risk assessments at each department and affiliated company
Updated annually based on risk events that have actually occurred and risk interviews conducted at major departments(once per year)
In addition, risk surveys are conducted for the medium term to carry out comprehensive reviews
In regard to business strategy risks, we accurately identify risks and opportunities arising from climate change in accordance with TCFD recommendations, monitor the situation, and reflect them in our business strategy.
The Enterprise Risk Management Committee, which is supervised by the Board of Directors, is tasked with the determination of risk management policies associated with Group operations and monitoring the status of risk management. With the President serving as the chair, committee members include Executive Officers and heads of relevant departments. In principle, this committee meets once every six months and requests reporting from other committees with regard to major risks categorized under “Operational Risk” or “Business Strategy Risk.” Also, the committee provides the Board of Directors with updates on the status of its activities once a year in principle.
Our group has established the “Risk Management and Compliance Committee” tasked with handling “Operational Risk” under the Enterprise Risk Management Committee and is promoting company-wide risk management by taking necessary measures in a timely and prompt manner. Regular committee meetings are held quarterly. The committee has the role and responsibility of updating the key and material risks of the entire Group, identifying and assessing various signs of risk manifestation and new risks, deliberating on other matters related to Operational Risk in general, supporting measures for risk prevention and managing the progress of such measures, and submitting its conclusions to the Enterprise Risk Management Committee.
We formulated the “Crisis Response Rules” as the highest rules for crisis response. These rules stipulate our policy on crisis response, crisis level definitions, reporting lines, and methods for establishing emergency task forces, among other matters related to crisis response.
Should an incident occur at any facility run by a Group entity, risk-related information is promptly shared with the department in charge of the site of the occurrence and the Risk Management Section of the General Affairs Department in accordance with these rules. This risk-related information will also be communicated to the Risk Management and Compliance Committee. Furthermore, corporate and other relevant departments will work to assist or spearhead risk countermeasures undertaken at the incident site to minimize the social impact and potential damage. These departments also act in collaboration with external stakeholders, including fire, police, and other public safety departments as well as municipalities and customers.
Moreover, a company-wide task force is formed in a timely and prompt manner under the direction of the chair of the Risk Management and Compliance Committee to investigate, review, and formulate countermeasures for potential risks, including economic security risks, that could significantly impact the business either in the present or the future. The task force reports to the Enterprise Risk Management Committee and the Board of Directors on the progress and results of its work.
We formulated BCPs assuming the occurrence of an earthquake with an epicenter in the Tokyo metropolitan area, a megathrust earthquake involving the Nankai trough, and the outbreak of avian influenza, respectively. Based on said BCPs, we hold annual comprehensive disaster drills and confirm problems related to actual execution and coordination among all business bases in order to strengthen our practical response capabilities. We then reflect relevant feedback in the BCPs. Also, each refinery, complex, and plant carries out periodic disaster prevention drills encompassing their entire site in accordance with applicable crisis response regulations.
In FY2015, we were appointed as a designated public institution by the Cabinet Office and submitted the latest Disaster Prevention Action Plan in December 2019. As a designated public institution, we work to ensure that the tanker trucks we operate in each prefecture have been registered for emergency use.
We disbanded our task force in May 2023 when the government downgraded COVID-19 to a class 5 common infectious disease in Japan. Since then, we have been taking precautions when someone develops a fever at the workplace level in the same way as with seasonal influenza. We recommend ensuring the safety of employees and preventing the spread of infection.
Since 2007, we have held annual comprehensive disaster drills aimed at enhancing the effectiveness of our BCPs. In FY2022, the 16th round of the comprehensive disaster drills was held in September 2022. We increased the difficulty level for a two-part confirmation of the response of the headquarters, related branches, and related refineries to an announcement of Nankai Trough Earthquake Extra Information (massive earthquake warning) in the case of so-called “half-impact” of either the east or west side of the Kii Peninsula. We have made our BCP more robust by addressing various cases of major earthquakes likely to occur in the future. As part of this drill, we also confirmed employee safety on a company-wide basis, with approximately 14,000 individuals, including those working at affiliated companies, reporting their safety status in a prompt manner. Looking ahead, we update our BCPs by incorporating issues and takeaways identified in the course of this latest round, with the aim of enhancing our crisis readiness.
Comprehensive disaster drills (September 2022)
In FY2019, we became the first oil refiner and primary oil distributor to receive the highest “Rank A” rating awarded by the Development Bank of Japan (DBJ) under the DBJ BCM Rated Loan Program.
Joint firefighting exercise with Tokyo Fire Department at Tokyo Oil Terminal (June 2022)
In line with the Basic Policy on Information Security, the Idemitsu Group is endeavoring to ensure the confidentiality of its information assets as well as the accessibility and security of its information systems and networks. Utilizing information technologies, we are thus striving to maintain and enhance the level of customer services. In addition, we have established Customer Information Management Requirements to appropriately collect and use customer information, keeping it up to date while safeguarding it. The requirements also include the proper disposal of such information.
Furthermore, as part of our education related to Security Requirements for IT System Use, we mandate that every year all IT system users (including permanent and temporary employees as well as subcontractors) undergo information security education via e-learning. In this way, we work to ensure thorough information management by IT system users.
We have established a Control Systems Security Council for the security of control systems. Based on the Control Systems Security Guidelines, we are systematically promoting group-wide security measures and continuously working to improve them while implementing a PDCA cycle at each production base. In addition, we provide control systems e-learning to control systems users and administrators and conduct incident response drills at each production base every year.
Furthermore, each department and production base performs self-inspections on both information and control systems along with regular internal audits of security. Moreover, to reduce the impact of increasingly sophisticated cyberattacks, we have multiple layers of defense in place by systems, including those to prevent unauthorized entry or removal of important information.
Should information leakage or a serious security incident occur, it will be handled in accordance with the “Crisis Response Rules” and the “Essential Points on Information Management.”
| Number of serious information security violations in FY2021 | 0 |
|---|
After defining a Career Development Plan (CDP) for ICT personnel, including security planning, implementation, and operations, we evaluate the skills of each individual in the ICT Department and set goals to systematically develop human resources.
We provide annual e-learning programs (in Japanese, English and Chinese) to instill information security rules that must be observed by all. Targeting all IT system users at home and abroad, the FY2021 round of these programs was implemented during the January – March 2022 period and completed by a total of 16,473 people, or 100% of targeted individuals.
In FY2019, we also launched e-learning programs for employees tasked with handling or administering control systems. The 2022 round of this program was implemented during the January – March 2022 period and completed by a total of 5,217 people, or 100% of targeted individuals.
On a quarterly basis, we implement training focused on handling targeted e-mail attacks, with the aim of mitigating the risk of contracting computer virus infections borne by suspicious e-mails and raising cybersecurity awareness among employees.
We distribute the monthly cybersecurity newsletter via e-mail, calling employees’ attention to relevant cybersecurity-related topics and thereby raising their awareness.
| Date | Training name | Scope | Notes |
|---|---|---|---|
| November 2019 |
IT summit 2019 | Persons in charge of IT mainly from overseas offices 30 people | Second annual event to share knowledge on strengthening security and provide IT tools to support business |
Regarding the handling of personal information, including specific personal information,*1 as well as processed anonymous information*2 (hereinafter collectively referred to as “personal information, etc.”), we have established basic policies as outlined below. In accordance with these policies, we will securely and appropriately manage all the personal information, etc., we are entrusted with.
The General Affairs Department serves as the secretariat for the protection of personal information, and information control supervisors are assigned to each department and affiliated company to promote related efforts. Every year, we hold a conference for information control supervisors for education within the Group.
| Number of serious personal information protection violations in FY2022 | 0 |
|---|