Basic thinking on risk management
To control various risks that could have severe impacts on corporate management, KITZ carries out risk management in KITZ and each Group member company.
Risk management structure
In the KITZ Group, the executive officer in charge of risk management, who also serves concurrently as a member of the C&C Control Committee, which is chaired by the president, promotes risk management at KITZ and each Group member company based on basic policies decided on by that committee under the supervision of the board of directors.
Risk Management System
Risk analysis and evaluation
In the KITZ Group, the importance of anticipated risks related to business activities (totaling 128 risk items) is judged quantitatively along the two axes of their frequency of occurrence and their impact on management based on the basic policy and evaluation standards for risk evaluation formulated by the C&C Control Committee to identify important risks and key risks. Specifically, risks are graded by each evaluation item under the standards for determining their frequency of occurrence and their impact (consisting of the items of human injury, physical damage, liability, loss of profit, loss of trust, and environmental damage), and each is grouped into one of the four zones of high-damage/high-frequency, low-damage/high-frequency, high-damage/low-frequency, or low-damage/low-frequency based on a four-quadrant risk-mapping scale.
Risk map scale
Risk management implementation flow
Based on the results of risk evaluation by each organization and through the Management Conference, the KITZ Group identifies important risks and key risks that have a particularly high possibility of significantly impacting management among the important risks, chooses whether to address each risk through avoidance, transfer, mitigation, or retention in light of its importance, and drafts and implements necessary countermeasures under the responsibility of the individual executive officers and Group company presidents.
Important risks and key risks thus identified, and countermeasures drafted for them, are shared with the general manager of the Internal Audit Office. The Internal Audit Office evaluates the state of development and operation of risk management from an independent perspective through means that include checking on the progress and results of related countermeasures through business auditing and other activities.
In addition, based on reports on such matters as priority risks identified in the Management Conference and countermeasures drafted for them, as well as the results of evaluation by the Internal Audit Office, the board of directors carries out necessary deliberation and checks on the ultimate results of implementing countermeasures, among other activities involved in final decision-making and oversight on risk management in the Group.
Information security and personal information protection
To minimize the risk of cyber-attacks, information leaks by insiders, business stop due to cyber attacks, and any other disruptions to business continuity, as well as the impacts on customers and business partners, KITZ Group positions information security governance as one of its key management issues, and is continuously taking measures from both value creation through the information utilization and risk management. We have established KITZ Group Information Security and Personal Information Protection Policy and established the Information Security and Personal Information Protection Management Committee, chaired by an executive officer appointed by the president, to promote the policy decisions and initiatives for information security and personal information protection.
Basic Information Security Policy
KITZ Group established and promotes the following basic policies on information security.
- 1. Compliance with Laws
We comply with laws, regulations, and other norms related to information security, and strive to continuously improve and update to ensure information security.
- 2. Information security organization
We establish responsible persons for information security in each organization, make necessary rules and thoroughness them, and manage information assets correctly.
- 3. Information assets management
We manage information assets correctly clearly defining how to handle according to the importance and risks for security of the information assets.
- 4. Educations and Trainings
We continuously provide educations and trainings on information security to all executives and employees to improve their awareness and to comply and thorough the related rules. In addition, we take strict measures against those who violate these rules, including disciplinary action.
- 5. Reliable products and services delivery
We manage information security strongly for our customers who use our products and services, and provide products and services that our customers can use with peace of mind.
- 6. Incident response organization and actions when incident happened
We establish information security incident report and response organization to minimize the impacts of the incident when unauthorized access, company asset loss, destruction, falsification, and information leakage happened related to information asset handling. And when critical incident happened, we will analyze the root cause and make the actions to avoid same incident.
Basic Policy for Personal Information Protection
KITZ Group has established and promotes the following basic policies for personal information protection.
- 1. Compliance with Laws
We comply with laws and regulations concerning personal information, guidelines established by the government, and other norms.
- 2. Personal information protection organization
We have established internal rules for protecting personal information and a personal information protection management system to ensure compliance with these rules, and all executives and employees follow them.
- 3. Personal information management
Personal information is gathered in an appropriate manner in accordance with internal rules and is used only to the extent that the consent of the person in question has been obtained, and is not disclosed or provided to any third party unless there is a justifiable reason. In addition, we take strict measures against those who violate these regulations, including disciplinary action.
We regularly audit the personal information protection, review the internal rules and the management ways on a regular basis or as necessary, and continuously make improvements to the personal information protection management system.
To prevent and reduce risks for unauthorized access to personal information, loss, destruction, falsification, and leakage of personal information, we take necessary safety measures systematically, physically, and technically.
In the event of a request for disclosure, correction, suspension of use, or deletion of personal information, we confirm the identity of the requested person and promptly deal with the such request.
- 4. Education and Training
We educate our executives and employees about the personal information protection and the proper management of personal information, and ensure the proper handling of personal information in our daily operations.
Information security and personal information protection management organization
Initiatives for Information Security and Personal Information Protection
KITZ Group has established KITZ Group Information Security and Personal Information Protection Policy (hereinafter referred to as the Policy) for all workers in KITZ and the Group companies to minimize the risk of cyber attacks and information leakage by insiders, and is continuously working to ensure information security and the proper handling of personal information.
In addition to the Basic Policy on Information Security and the Personal Information Protection, this policy defines the rules for use of information assets and technical requirements related to information systems, and ensures information security and the personal information protection from various perspectives. We also regularly review this policy in order to respond to recent changes in the environment and risks.
In addition, the Information Security and Personal Information Protection Committee, attended by KITZ and the Group companies, meets annually to share information security incidents and share information security improvement activities, in an effort to continuously improve information security and personal information protection throughout the Group.
Education for information security and personal information protection
KITZ Group provides various educational programs for KITZ and the Group-wide employees to improve each employee’s awareness and knowledge of information security and personal information protection, and manage information appropriately. Specifically, we provide education on such topics as information management education through e-learning, individual education when employees join the company and are promoted to managerial positions, and practical cyber-attack Email training.
For inquiries about product technology, product purchases,
catalogs, and quality