Risk Management

Basic ideas and policies

We will contribute to the sustainable growth and development of our Group and society by instilling a high sense of ethics in each and every one of our employees and ensuring they engage in risk management with an eye to the future. By repeating a cycle of examining the direction and appropriateness of risk countermeasures and verifying their effectiveness – to include conducting company-wide risk assessments and pursuing business continuity management – we will clarify risks and their impact on business management and tie them to management decisions that achieve an optimal allocation of resources.

Risk management promotion system

Risk management system

Resonac has put in place an ISO31000-compliant risk management system and organized a Risk Management Committee chaired by the CEO that allows top management to deliberate across organizations on the risk management system, the Group's major risks, and measures to address them. Matters deliberated on by the Risk Management Committee are discussed and approved by the Executive Committee and then reported to the Board of Directors, which evaluates the appropriateness and effectiveness of the risk management system and supervises its implementation.
In addition, risk owners, risk officers, and risk managers have been assigned at each business unit, plant and major Group company in Japan to assume responsibility for identifying and assessing risks for each business/worksite and to promote countermeasures that address those risks. The various CXO organizations that constitute corporate divisions at the Head Office act as risk control organizations: they are responsible for overseeing the control of risks under their authority, setting company-wide risk control standards, and reviewing and supporting risk assessment and response measures by risk assessment organizations from a Group-wide, cross-sectional perspective. In this way, the Company ensures that a system is in place in which management and frontline personnel work together in pursuit of integrated risk management.

Crisis management system

In the event of a disaster, compliance violation, or other incident in which risk becomes apparent, the relevant business unit or office reports to the CXO organization responsible for that risk and the CRO, and the CXO and CRO work together in responding to the incident. Should the incident be capable of threatening the Group’s existence or developing into a situation that could seriously impede the Group's normal business operations, a Crisis Response Headquarters headed by the CEO will be established to assess the situation and its impact, issue instructions on containing the damage/loss, consider how to disseminate information to the public, and promptly take other appropriate initial actions.
If a significant impact on business continuity is anticipated after the initial response, we will activate the BCP (Business Continuity Plan) for products that have been previously defined as subject to maintenance in order to maintain and quickly restore business activities to fulfill our responsibility to continue supplying customers with products, especially those necessary for maintaining social infrastructure.

Risk management system diagram

[Figure: Risk management reporting line]

Targets

The following KPIs are being pursued as material issue KPIs.

Progress made in achieving material issue measures and KPIs

Key item: Establishment and operation of an integrated risk management system
2025 targets:
  • Operating a new integrated risk management system that also covers external environmental risks and operational hazards
2022 results:
  • The company established an integrated risk management system, including a system for dividing responsibility between business execution and control divisions and a process for reporting important risks to the Board of Directors and the Executive Committee, and establishing rules and regulations for this system

Key item: Stronger functioning of the second defensive line
2025 targets:
  • Contributing to the expansion of the Group's internal control infrastructure through data linkage with second and third lines
  • Starting overseas deployment of risk assessment processes and promoting centralization of Group risk data
2022 results:
  • The company formulated an "FY2022 Risk Assessment Result Report" based on comparisons with information disclosed outside the company, and provided feedback on the company-wide risk inventory
  • The CXO organization's review process for critical risks was added to risk assessments to further improve data granularity

Performance

1. Advanced risk assessments

(1) Risk assessment practices

Risks with both a very high frequency of occurrence and a substantial impact were positioned as critical risks, and risk events and response plans were reviewed and shared by divisions and the Risk Management Department as well as being reported to the Risk Management Committee. The 2022 risk assessment identified accidents and disasters, legal and regulatory compliance, personnel and labor issues, information security, supply chains, and the external environment (including changes in market trends) as critical risks. The results of the risk assessment have been shared on the system with managers and higher-ranking officials throughout the company to reduce risks onsite.

[Figure: Risk map]

Specific examples of key risks and measures to address them

Human resources and labor
Intensified recruitment and retention of human resources with excellent management or technical skills
Countermeasures:
  • Fostering a culture of co-creation by increasing employee engagement under our Purpose/Values
  • Diversifying recruitment methods, expanding education and training programs, enhancing talent management and early selection programs, etc.

Information security (cyber-risk)
Damage to production activities and information leaks due to cyber-attacks on internal systems, manufacturing facilities, etc.
Countermeasures:
  • Implementing world-standard security solutions
  • Establishing a global standard for the Group's information security operations and carrying out improvement activities through education and monitoring

Supply chains
Supplier shutdowns due to natural disasters, accidents, infectious diseases, etc., or disruption of logistics networks
Occurrence of illegal/antisocial behavior or lack of respect for human rights and environmental protection by suppliers
Countermeasures:
  • Collecting information on damage to suppliers in the event of a contingency, preparing a manual that defines procedures for assessing impacts on our business activities, and conducting BCP drills based on the manual
  • Establishing "Sustainable Procurement Guidelines," requesting that suppliers comply with them, and periodically checking on their compliance

See "Business and other risks" disclosed in the Annual Securities Report.

(2) Continuous improvement of risk assessment process

After centralizing risk information and unifying the risk assessment process through the risk management system introduced in 2021, we added a "CXO organization review process" in 2022. CXO organizations as risk control organizations introduced a process to review countermeasures, consider the need for support, and monitor the operational status of risks identified by business units and plants as a second line of defense.
To further improve the process, we plan to add a "control implementation evaluation process" and a "monitoring process" for risk response planning and mitigation measures. We will continue improving the risk assessment process by expanding the process to examine the direction and appropriateness of risk countermeasures and verify their effectiveness.

2. Promotion of BCM

(1) Establish BCM/BCP guidelines

The importance of BCM for companies is increasing every year due to such factors as the strong likelihood of a Nankai Trough earthquake within the next 30 years, the occurrence of earthquakes directly under the Tokyo metropolitan area, global epidemics of emerging infectious diseases, and increasingly sophisticated and complex cyber-attacks.
We have therefore formulated BCM/BCP guidelines with the aim of revamping the BCP system, which previously comprised plans drafted independently by individual business units and plants, to standardize and raise the level of BCP throughout the company. We have changed our approach from the conventional scenario-based BCP for individual disasters such as earthquakes to one that sets recovery targets (target recovery time, target recovery level) based on the business requirements of stakeholders and others by creating a BCP based on the consequent damage to management resources.
In addition, we will review the system for implementing BCP simulation drills, which have been conducted independently at workplaces, and the Risk Management Department will establish guidelines and a system to support simulation drills by 2025.
We aim to improve the effectiveness and high-level standardization of business impact analysis (BIA) and BCP by deepening employees' understanding of the BCP, while implementing the PDCA cycle through periodic reviews of BIA and the BCP and verifying their effectiveness through BCP simulation drills.

(2) Selection of BCP products subject to maintenance and BCP maintenance plan

We have selected from among all our Group’s products and services those to which management resources are to be preferentially allocated even in the face of obstacles to business continuity from the perspective of social infrastructure products, etc.
The BCPs for these products subject to maintenance will be reviewed in full, based on the BCM/BCP guidelines, and should be revamped by the end of 2024.

3. Response to risks from changes in the external environment

Today’s external global environment is becoming increasingly complex and uncertain, with rising geopolitical risks, changes in the economic security environment, planetary-scale environmental issues such as climate change, and rapid advances in technological innovation. We recognize that conventional risk assessment methods are limited in their ability to extract risks with an awareness of these megatrends and dynamic changes in the external environment. We will therefore examine the possibility of introducing a system to respond quickly and flexibly to future changes in the external environment by identifying external environmental changes from among a wide range of megatrends to which the Group should be attentive, sorting out the possible risks and their impacts, and preparing response plans.
The risk events and countermeasures extracted in this way will be centrally identified and visualized and a process then established to monitor them on a regular basis, with the aim of establishing a system to manage them together with risk information extracted through conventional risk assessments.