Risk Management
Basic approach to Risk Management
We have developed a Risk Management Policy that outlines our basic approach to preventing and responding to risks that may impede the business operations of our Group, as well as the Risk Management Regulations that define the organization and roles for risk management. Through these measures, we are working on risk management and promoting BCP/BCM (Business Continuity Plan/Business Continuity Management) across the entire Group.
With the aim of preventing risks and minimizing damage when crises occur, we have established a Risk Management Committee chaired by the Executive Officer in charge of the ESG Promotion Department (who has oversight of risk management). The committee regularly reviews the various risks surrounding NTN Group business activities, covering risk identification, analysis, evaluation, and treatment. Risks are classified into the following 20 risk categories from the viewpoint of comprehensiveness, and managers and promotion divisions are designated for each specific risk, with the aim of reducing risk. The deliberations of the Risk Management Committee are reported to the Board of Directors twice a year.
■Management process
■Relevant risks
Organization Chart
The risk management structure consists of a General Manager (the Executive Officer in charge of risk management), the Integrated Management Department, the Promotion Department, and the Implementation Department (working departments). The Integrated Management Department serves as the Secretariat of the Risk Management Committee and is responsible for overseeing the identification, analysis, assessment, and response to risks across the entire NTN Group. The Promotion Department, as a department responsible for each risk in their respective operations, is responsible for conducting risk assessments, reporting to the Integrated Management Department, formulating regulations and other measures related to their assigned risks, establishing management systems, providing education and awareness regarding risk management for their assigned risks, and providing guidance and advice to subsidiaries.
■Structure
Crisis management structure
When an emergency situation involving life safety or incidents/accidents affecting management occurs, the crisis information manager of the department where the incident occurred reports to the Executive Officer in charge of that department. The Executive Officer who receives the report consults with the Executive Officer in charge of the relevant risk promotion department and the Executive Officer in charge of risk management oversight to determine the crisis response level for the emergency situation. Crisis response levels are classified into the following two levels according to the degree of impact on management. Level 1 refers to cases where the impact on management is deemed extremely significant, and when a judgment meeting determines it to be Level 1, the Central Headquarters established at the Head Office will implement comprehensive response measures. Level 2 refers to cases where the degree of impact on management is judged not to reach Level 1; these cases are handled by the department where the emergency occurred, with the cooperation of the relevant promotion department as necessary.
■Crisis Management Structure Diagram
Promotion of BCP/BCM
We have been developing a BCP/BCM structure designed to respond to major earthquakes in Japan and are working to strengthen our disaster response systems, including those of our group companies. We have completed the formulation of BCPs to enable rapid recovery at all production sites across Japan. Based on our experience from the Noto Peninsula Earthquake in 2024, we are carrying out BCP training and developing systems for rapid recovery in case of emergencies. In addition, we have compiled materials documenting our response from earthquake occurrence through recovery, which are utilized in our BCM activities.
Strengthening the computer security incident response team
Strengthening CSIRT structure
In response to increasing risks of cyberattack and data breaches and in view of the importance of information security today, we have established a Basic Policy of Information Security alongside our Environment Policy, Human Rights Policy, Safety and Health Basic Policy and Procurement Policy as one of the NTN Group’s basic policies set forth under our Management Policy.
(Information Security Basic Policy can be found here)
Cyberattacks are becoming increasingly complex and sophisticated by the day, with numerous similar incidents and information breaches occurring at other companies. When information security incidents occur, it is essential to respond swiftly from detection through reporting to handling of information security risks. We have established a cross-departmental emergency response system for handling information security risks (NTN-CSIRT: NTN Computer Security Incident Response Team), and have begun operations in conjunction with a dedicated security organization (SOC: Security Operation Center) that monitors cyberattacks 24 hours a day, 365 days a year for early detection of cyberattacks.
Furthermore, as part of personnel security measures, we regularly conduct incident response training that assumes the occurrence of information security incidents, training for dealing with spoofed emails, and e-learning programs to deepen understanding of information security-related regulations and how to deal with information security threats.
[Objectives of establishing the Computer Security Incident Response Team (NTN-CSIRT)]
(1) Detect information security risks and accelerate communication, reporting, handling, and recovery in case of risk occurrence
(2) Reduce the risk of information security incidents and prevent them from occurring
(3) Strengthen governance to improve overall information security standards