We are aware that major risks may occur, which is why we have established a system that not only prevents such risks from occurring but also takes appropriate measures to deal with them should they occur. With the aim of realizing optimal company-wide risk management, we have established the Risk Management Global Policy and introduced Enterprise Risk Management (ERM).
We have established our ERM System with the Representative Director, President & COO as Chief Risk Management Officer and the Representative Director, Executive Vice President as Head Risk Management Officer. Because we regard risk management issues as important to our business strategy, we take action to respond to them. In addition, a Risk Management Committee has been established under the Management Meeting to promote ERM, led mainly by the Risk & Compliance Management Department, which serves as the secretariat in charge of risk management. The Audit & Supervisory Boards and the Internal Audit Department are responsible for auditing the status of ERM promotion. The Risk Management Committee also regularly reports the results of company-wide risk assessments and the status of responses to risks to the Board of Directors in order to improve the effectiveness of risk management.
ONO’s risk management system
In the event that a serious risk does emerge, the Representative Director, President & COO will establish an Emergency Response Committee, as necessary, to take measures to minimize damage and promote a speedy recovery.
Auditors audit our risk management process every year. In addition, the ERM Secretariat reports semiannually to the Audit & Supervisory Boards (including two outside auditors) on the status of ERM, including risk identification (methods and results), risk assessment (priority rating), responses to major risks, and the results of those responses. Furthermore, with regard to internal operational audits, the ERM Secretariat shares with the Internal Audit Department, as needed, the status of operational risk management confirmed by each division and the occurrence of new risks, and this information is reflected in the selection of items for operational audits. The Internal Audit Department regularly reports the results of its audits to the Audit & Supervisory Boards.
Our training on risk management combines level-specific and theme-specific training to ensure that all employees understand the importance of risk management and to make our risk prevention activities more practicable. In our level-specific training, we provide Risk Management Leadership Training to leader-level employees. This training consists of the following series of four e-learning sessions, which are designed to enhance the risk identification ability, sensitivity, and response capability of our leader-level employees:

Vol. 1: Basic knowledge and concepts of risk management
Vol. 2: Why does misconduct occur despite risk management?
Vol. 3: Why does "Bad News First" fail to function?
Vol. 4: How can we increase the ability of staff members to imagine potential risks?
In our theme-specific training, we conduct e-learning twice a year, in the first and second halves of the year, on the basics of compliance, which every employee should know as a member of society. This is done to foster a culture of compliance within the company.
While respecting the autonomy of each subsidiary, we provide advice and guidance on group-wide risk management through means such as periodic reports on business activities and discussions regarding important matters. Since FY2020, we have been expanding our ERM System to our subsidiaries in Japan and overseas, and have been using the “Risk Assessment Sheet” in our operations since FY2021.
We strive to continuously improve ERM through the following four steps. First, we clarify the purpose of ERM in strengthening our management foundation, the target risks, and preconditions such as common risk evaluation criteria for the entire company (Step 1). Next, we conduct semiannual risk hearings with each division and department to identify potential risks and reassess existing risks, and we formulate and update plans for dealing with those risks. We also interview management to identify key risks that should be managed on a company-wide basis (Step 2). Risks that are particularly important to management are selected by the Risk Management Committee as "major risks," and countermeasures are focused on them (Step 3). The Risk Management Committee monitors the progress of, and plans for, addressing major risks twice a year and reports to the Board of Directors (Step 4). In addition, a risk owner is assigned to each major risk and is responsible for managing it, and through the promotion of risk management we work to enhance corporate value.
We have set up a BCP Management Headquarters under the Emergency Response Committee, chaired by the Representative Director, President & COO, and established a system designed to minimize the impact on operations even if a natural disaster or serious accident occurs, so that we can continue business activities or, if they are suspended, recover promptly and resume them. For management during normal times, we have a Business Continuity Management (BCM) Committee, chaired by the Head of Corporate Strategy & Planning (Representative Director, Executive Vice President), which is in charge of business continuity management, and a Management Office that maintains and strengthens our ability to respond to crises and continue business operations, and promotes related management activities.
We have prepared for disasters by installing systems such as emergency generators and duplicate power service in our Headquarters, the Tokyo Building, and all of our plants and research institutes, and we have also introduced seismic isolation systems to prepare for earthquakes in our Headquarters, the Tokyo Building, Minase Research Institute, and the Yamaguchi Plant. Also, in order to prepare for a large-scale disaster, we have divided our disaster action bases into the Headquarters in Osaka and the Tokyo Building so that we have two bases to function against disasters.
The BCM Committee establishes business continuity plans that respond to all hazards over the medium to long term, conducts drills based on inter-division cooperation, and thereby increases our effectiveness in handling business continuity. In addition, the BCM Committee is developing global emergency response plans and business continuity plans, including for overseas subsidiaries, in consideration of our own marketing operations in Europe and the U.S.A.
The Ono Pharmaceutical Group's performance may be significantly affected by various business development risks that may arise in the future. The following is a list of major potential risks to the Group's business development efforts. It is not an exhaustive list, and risks other than those listed may also exist and may affect investors' decisions. Forward-looking statements in the text reflect the judgment of the Ono Pharmaceutical Group as of the end of FY2023.
Risks are classified into three categories, namely, “Strategic Risk,” “External Risk Factor,” and “Operational Risk,” and basic policies and priorities for dealing with those risks have been determined. The basic policy for responding to each risk classification is as follows:
Based on these three categories, our “major risks” are as follows:
Information assets are very important management resources.
We established a global policy on information security to protect information resources strictly, including data related to research and development and the personal information of internal and external stakeholders, and to manage the information appropriately. In consideration of the global increase in cyberattacks and security threats, we are also addressing the further strengthening of cybersecurity based on the global standard framework.
We have established Information Security Global Policy and procedures, as well as an information-security-related management system to ensure the effectiveness of these policies and procedures.
Overall responsibility for information security rests with the Risk Management Officer of Digital Technology (Executive Director of Digital Technology). The Risk Management Officer of Digital Technology is responsible not only for formulating the ONO Group's information security management strategy, but also for creating, revising, implementing and managing related policies and for ensuring that the ONO Group complies with them, while taking into account changes in the environment surrounding Ono Pharmaceutical and the latest trends in relevant laws and regulations. Under the Risk Management Officer of Digital Technology, the Head of the Information System Department of the Company and an Information Security Department Manager are appointed to perform information security management duties at each division and Group company*.
Initiatives related to information security and cybersecurity are reported to and shared with the Board of Directors after discussion at the Digital Technology Division meeting and the Risk Management Committee.
Organizational Structure for Information Security Management
Cyberattacks are becoming increasingly sophisticated and complex. In response to these changes in the external environment, we continuously review and improve our countermeasures. Specific examples include implementing multi-layered defenses, strengthening our global security infrastructure, thoroughly enforcing policies, and conducting periodic vulnerability assessments.
We have organized a Computer Security Incident Response Team (CSIRT) for the purpose of quickly resolving security incidents and minimizing damage. The CSIRT strives to maintain and improve the security level of the entire group by collecting vulnerability and threat information and issuing alerts. In addition to conducting regular incident response training, the CSIRT also actively collects and shares information by participating in security organizations and communities.
To prevent security incidents, it is important not only to implement technical countermeasures but also to raise the security awareness of each and every employee. That is why we regularly educate our employees on information security and conduct e-mail training on a global basis. We have also established a website to disseminate information related to information security, and we make efforts to explain the various information security guidelines and rules to our employees.