We are aware that major risks may occur, which is why we have established a system that not only prevents the occurrence of such risks, but also takes appropriate measures to deal with them should they occur. With the aim of realizing optimal company-wide risk management, we have established the Risk Management Global Policy and introduced Enterprise Risk Management (ERM).
Risk Management
Basic Policy for Enterprise Risk Management (ERM)
- In order to ensure stable business continuity and to achieve our business goals, we will develop and promote an Enterprise Risk Management (ERM) System with the aim of minimizing losses for the company, our customers and other stakeholders while at the same time fulfilling our necessary accountability to society.
- We will identify major risks that are deemed important or urgent as having a significant impact on management, and promote risk management throughout the company.
- If a risk emerges, we will implement measures to minimize damage and swiftly recover, and resolve the problem as soon as possible.
ERM Promotion System
We have established our ERM System with the Representative Director, President & COO as Chief Risk Management Officer and the Representative Director, Executive Vice President as Head Risk Management Officer. Because we regard risk management issues as important issues for our business strategy, we are taking action to respond to them. In addition, a Risk Management Committee has been established under the Management meeting to promote ERM, mainly led by the Risk & Compliance Management Department, which is the department (secretariat) in charge of risk management. Moreover, the Audit & Supervisory Boards and the Internal Audit Department are responsible for auditing the status of ERM promotion. The Risk Management Committee also regularly reports the results of company-wide risk assessments and the status of responses to risks to the Board of Directors in an effort to improve the effectiveness of risk management.
ONO’s risk management system
- 1st Line: Role in business promotion and risk management practices
- 2nd Line: Role in monitoring and keeping 1st Line activities in check
- 3rd Line: Role in providing independent assurance
Crisis management
In the event that a serious risk does emerge, the Representative Director, President & COO will establish an Emergency Response Committee, as necessary, to take measures to minimize damage and promote a speedy recovery.
Auditing of risk management process
Auditors conduct audits every year on our risk management process. In addition, the ERM Secretariat reports semiannually to the Audit & Supervisory Boards (including two outside auditors) on the status of ERM, including risk identification (methods and results), risk assessment (priority rating), responses to major risks, and the results of those responses, among other matters. Furthermore, with regard to internal operational audits, the ERM Secretariat shares with the Internal Audit Department the status of operational risk management confirmed by each division and the occurrence of new risks as needed, and this information is reflected in the selection of items for operational audits. The Internal Audit Department regularly reports the results of audits to the Audit & Supervisory Boards.
Risk management education
Our training on risk management is conducted through a combination of level-specific and theme-specific training to ensure that all employees understand the importance of risk management and to enhance the implementability of our risk prevention activities. In our level-specific training, we provide Risk Management Leadership Training to leader-level employees. In this training, we conduct the following series of four e-learning training sessions, which are designed to enhance the risk identification ability, sensitivity, and response capability of our leader-level employees:
Volume | Theme |
---|---|
Vol.1 | Basic knowledge and idea of risk management |
Vol.2 | Why misconducts occur despite conducting risk management? |
Vol.3 | Why Bad News First does not function? |
Vol.4 | How can we increase the capability of staff members to imagine potential risks? |
In our theme-specific training, we conduct e-learning twice a year, in the first and second halves of the year, on the basics of compliance, which is basic information that every employee should know as a member of society. This is done in an effort to foster a corporate culture within the company.
- In FY2023, in order to enhance our ability to respond to major incidents, we reviewed our BCP manual, which is capable of handling all hazards, established crisis response and business continuity team operations, and strengthened risk communication.
Group-company-wide Risk Management
While respecting the autonomy of each subsidiary, we provide advice and guidance on group-wide risk management through means such as periodic reports on business activities and discussions regarding important matters. Since FY2020, we have been expanding our ERM System to our subsidiaries in Japan and overseas, and have been using the “Risk Assessment Sheet” in our operations since FY2021.
Annual Cycle of Risk Management
We strive to continuously improve ERM through the following four processes: First, we clarify the purpose of ERM for strengthening our management foundation, the target risks, and preconditions such as common risk evaluation criteria for the entire company (Step 1). Next, we conduct semiannual risk hearings with each division and department to identify potential risks and reassess existing risks, and formulate and update plans for dealing with those risks. We also conduct interviews with management to identify key risks that should be managed on a company-wide basis (Step 2). Risks that are particularly important to management are selected by the Risk Management Committee as “major risks,” and countermeasures focus on them (Step 3). Twice a year, the Risk Management Committee monitors the progress of, and the plans for, addressing major risks, among other activities, and also reports to the Board of Directors (Step 4). In addition, a risk owner is selected for each major risk to be responsible for managing it, and efforts are being made to enhance corporate value through the promotion of risk management.
Business Continuity Plan (BCP)
We have set up a BCP Management Headquarters under the Emergency Response Committee, chaired by the Representative Director, President & COO, and established a system designed to minimize the impact on operations even if a natural disaster or serious accident occurs, so that we can continue business activities, and even if they are suspended, recover promptly and resume them. For management during normal times, we have a Business Continuity Management (BCM) Committee, which is chaired by the Head of Corporate Strategy & Planning (Representative Director, Executive Vice President) and is in charge of business continuity management, and a Management Office to maintain and strengthen our abilities to respond to crises and continue our business operations, and to promote relevant management activities.
We have prepared for disasters by installing systems such as emergency generators and duplicate power service in our Headquarters, the Tokyo Building, and all of our plants and research institutes, and we have also introduced seismic isolation systems to prepare for earthquakes in our Headquarters, the Tokyo Building, Minase Research Institute, and the Yamaguchi Plant. Also, in order to prepare for a large-scale disaster, we have divided our disaster action bases into the Headquarters in Osaka and the Tokyo Building so that we have two bases to function against disasters.
The BCM Committee establishes business continuity plans responding to all hazards in the medium- to long-term, conducts drills based on inter-division cooperation, and thereby increases effectiveness in handling business continuity. In addition, the BCM Committee is developing global emergency response plans and business continuity plans, including for overseas subsidiaries, in consideration of our own marketing operations in Europe and the U.S.A.
Major Risks
The Ono Pharmaceutical Group's performance may be significantly affected by various business development risks that may arise in the future. The following is a list of major potential risks to the group's business development efforts. However, this is not an exhaustive list of every risk, and risks other than those listed may also exist, which may affect investors' decisions. Furthermore, items regarding future matters in the text were decided on by the Ono Pharmaceutical Group as of the end of FY2023.
Risks are classified into three categories, namely, “Strategic Risk,” “External Risk Factor,” and “Operational Risk,” and basic policies and priorities for dealing with those risks have been determined. The basic policy for responding to each risk classification is as follows:
- Strategic Risk: A risk associated with the business itself, such as failed business plans, which should be addressed in medium-term plans, etc.
- External Risk Factor: A risk arising from external factors that cannot be managed and should be addressed through ERM, including BCP.
- Operational Risk: A risk that arises through management failures that could have been avoided if imagination was used, and should be addressed through ERM.
Based on these three categories, our “major risks” are as follows:
- New Product Development
  - Risk Item: Failure to develop new products
  - Risk Classification: Strategic risk
- Corporate Acquisitions
  - Risk Item: Failure to acquire benefits, etc., of acquisition
  - Risk Classification: Strategic risk
- Responding to Changes in the Market Environment
  - Risk Item: Increased competition from competing products and generics
  - Risk Classification: Strategic risk
- Compliance
  - Risk Item: Anti-bribery laws and regulations violations, Code of Practice violations, antitrust laws violations, and Pharmaceutical and Medical Device Act violations
  - Risk Classification: Operational risk
- Product Quality Control
  - Risk Items: Product defects and recalls
  - Risk Classification: Operational risk
- Information Security
  - Risk Items: Cyber attacks, unauthorized access, and leakage of personal information from external parties
  - Risk Classification: Operational risk
- Recruitment, Training, and Retention of Human Resources
  - Risk Item: Delays in the recruitment, training, and retention of human resources
  - Risk Classification: Strategic risk
- Natural Disasters and Accidents Associated with Major Earthquakes and Climate Change
  - Risk Item: Natural disasters and accidents
  - Risk Classification: External risk factor
- Supply Chain (Stable Supply)
  - Risk Item: Supply chain risks
  - Risk Classification: External risk factor
- Reform of the Health Insurance System
  - Risk Item: Failure to respond to medical cost control measures
  - Risk Classification: External risk factor
- Dependence on Certain Products
  - Risk Item: Failure to break away from dependence on specific products
  - Risk Classification: Strategic risk
- New Side Effects
  - Risk Item: Occurrence of new side effects, etc.
  - Risk Classification: Strategic risk
- Overseas Business Expansion
  - Risk Item: Failure to market our own products in the West
  - Risk Classification: Strategic risk
- Intellectual Property
  - Risk Item: Infringement of third party intellectual property
  - Risk Classification: Operational risk
- Litigation
  - Risk Item: (Included in other risks)
- Collaboration with Other Companies
  - Risk Item: Failure of business partnership
  - Risk Classification: Strategic risk
- Fluctuations in Financial Market Conditions
  - Risk Items: Exchange rate fluctuations, changes in the price of financial assets
  - Risk Classification: External risk factor
  - Exchange Rate Fluctuation
    As the Ono Pharmaceutical Group internationally expands its business and receives royalties and pays expenses in foreign currencies, etc., we are exposed to the risk that fluctuations in exchange rates may reduce sales revenue, increase purchase costs and research and development costs, and incur foreign exchange losses. In order to mitigate the above risks, our group hedges a certain percentage of foreign currency transactions with forward exchange contracts in accordance with our market risk management policy. However, our group's business results and financial standing could be affected if foreign currency exchange rates fluctuate more than expected.
  - Price Fluctuations
    The Ono Pharmaceutical Group is exposed to the risk of stock price fluctuations arising from capitalized financial instruments. The Ono Pharmaceutical Group does not hold any capitalized financial instruments for short-term trading purposes but holds capitalized financial instruments to smoothly execute its business strategy. Our group regularly assesses the fair value of such instruments and the financial status of their issuers, etc., and reviews their holdings as necessary while taking into account our relationship with relevant companies. However, our group's business results and financial standing could be affected if the fair value of capitalized financial instruments changes significantly beyond expectations.
- Addressing Environmental Issues
  - Risk Items: Increased costs of measures against global warming, the occurrence of environmental pollution accidents
  - Risk Classifications: External risk factor, operational risk
- Large-scale Spread of Infectious Diseases
  - Risk Item: Outbreak of a new pandemic
  - Risk Classification: External risk factor
- Impairment of Sales Rights, In-process R&D Expenses, and Goodwill
  - Risk Item: Occurrence of huge impairment losses
  - Risk Classification: Strategic risk
Information Security Management
Basic Approach
Information assets are very important management resources.
We established a global policy on information security to protect information resources strictly, including data related to research and development and the personal information of internal and external stakeholders, and to manage the information appropriately. In consideration of the global increase in cyberattacks and security threats, we are also addressing the further strengthening of cybersecurity based on the global standard framework.
Information Security Management System
We have established the Information Security Global Policy and procedures, as well as an information-security-related management system to ensure the effectiveness of these policies and procedures.
Overall responsibility for information security rests with the Risk Management officer of Digital Technology (Executive Director of Digital Technology). The Risk Management officer of Digital Technology is responsible not only for formulating the ONO Group’s information security management strategy, but also for creating, revising, implementing and managing related policies, etc., and for ensuring that the ONO Group complies with them, while taking into account changes in the environment surrounding Ono Pharmaceutical and the latest trends in relevant laws and regulations, etc. Under the Risk Management officer of Digital Technology, the Head of the Information System Department of the Company and the Information Security Department Manager are appointed to perform information security management duties at each division and Group company*.
Initiatives related to information security and cybersecurity are reported and shared at the Board of Directors following the Digital Technology Division meeting and the Risk Management Committee.
* A company of which 100% of voting rights are owned by ONO PHARMACEUTICAL CO., LTD.
Organizational Structure for Information Security Management
Cyber Security Measures
Cyberattacks are becoming increasingly sophisticated and complex, so in response to these changes in the external environment, we continuously review and improve measures to address this issue. Some specific examples of such measures include implementing multi-layered defenses, strengthening our global security infrastructure, thoroughly enforcing policies, and conducting periodic vulnerability assessments.
Responding to Security Incidents
We have organized a Computer Security Incident Response Team (CSIRT) for the purpose of quickly resolving security incidents and minimizing damage. The CSIRT strives to maintain and improve the security level of the entire group by collecting vulnerability and threat information and issuing alerts. In addition to conducting regular incident response training, the CSIRT also actively collects and shares information by participating in security organizations and communities.
Security Education & Awareness
In order to prevent security incidents from occurring, it is important to not only implement technical countermeasures but to also raise the security awareness of each and every employee. That is why we regularly educate our employees on information security and conduct e-mail training on a global basis. We have also established a website to disseminate information related to information security, and are making efforts to explain and inform our employees about various guidelines and rules on information security.