The Otsuka group carries out risk management under the supervision of top management based on the recognition that pursuing management efficiency and controlling the risks inherent in business activities are important to enhancing corporate value.
In establishing a risk management system for the Otsuka group, we have put in place the Risk Management Policy and set up a Risk Management Committee. The committee comprises the President and Representative Director as the chair, the director in charge of administration as the vice chair, as well as the information disclosure officer and the internal control officer. Leveraging the controls operated by each risk management department, the Risk Management Committee assesses and comprehensively manages risks that could jeopardize the sustainable enhancement of group value.
To further enhance risk management at Otsuka Holdings (“the Company”) and its main operating companies, the Company introduced enterprise risk management (ERM) in July 2020 for the purpose of recognizing and assessing group-wide risks, and prioritizing allocation of resources to the control of principal risks.
As part of ERM activities, we have established a group-wide risk management framework and a system for risk assessment, and are identifying principal risks through risk assessments at the main operating companies, and formulating countermeasures against those risks.
These risk management activities are reported to the Risk Management Committee, which is chaired by the President and Representative Director of the Company. The Risk Management Committee monitors principal risks, examines past risk management activities and considers proposals for their improvement, and regularly reviews the risk management system.
Responsibilities of the Risk Management Committee
The Risk Management Committee examines group risk management policies, coordinates between all companies and departments and issues instructions when a risk manifests, reports risk information to the Board of Directors, issues instructions to all companies, and promotes compliance.
The Otsuka group individually assesses risks in each of its businesses. Risk management officers are responsible for analyzing and evaluating risk, and formulating and executing action plans so that each organization can meet its objectives and targets. We also periodically implement employee training with reference to events that could pose a risk within the organization. Training related to topics such as corruption prevention and the protection of human rights based on the Otsuka Group Global Code of Business Ethics is another part of this approach. Furthermore, we regularly hold drills to prepare for unexpected events such as disasters.
Business Continuity Planning and Management
The Otsuka group has business continuity plans (BCPs) in place to ensure that the group continues to operate as effectively as possible in order to maintain the stable supply of products, even when large-scale earthquakes and disasters strike.
From the perspective of business continuity management (BCM), Otsuka Holdings and its group companies are cooperating to construct a group-wide business continuity framework. In August 2012, we acquired ISO 22301 certification for the production and stable supply of pharmaceutical products, beverages, and foods, and we have since gradually expanded the scope of certification. We acquired additional certification for the stable supply of intravenous solutions in April 2015, and for the stable supply of anticancer agents in May 2016. The acquisition of ISO 22301 certification demonstrates that our organization is fully equipped and prepared from a BCM standpoint.
Through collaboration mainly between Otsuka Pharmaceutical, Otsuka Pharmaceutical Factory, Taiho Pharmaceutical, and Otsuka Warehouse, the Otsuka group is making every effort to strengthen its countermeasures and systems so that the group as a whole can effectively continue its business activities and thereby ensure stable product supply even during times of disaster. In 2018, major group companies jointly conducted a desktop simulation drill for the scenario of an earthquake with an epicenter directly below Tokyo. Then in 2019, they jointly conducted another desktop simulation drill, this time for the scenario of a typhoon passing directly over western Japan. These drills provided opportunities for testing cooperation systems under close-to-realistic conditions, with a focus on ensuring stable product supply.
Risk Management Training
Risk management training is held annually for directors, Audit & Supervisory Board members, executive officers, and department heads of major group companies. Training includes simulation drills and lectures by outside experts, and involves discussions and reviews on the subject of domestic and overseas risk, referencing serious incidents and other matters. Topics include initial response and coordination of information among the group when a crisis occurs, measures to ensure business continuity, and corporate social responsibility.
The Otsuka group has established the Otsuka Group Global Security Policy as its basic policy on information security. We endeavor to ensure shared awareness of the policy at all group companies, including overseas subsidiaries. In striving to raise the level of, and constantly improve, comprehensive security across the group, we set up the Otsuka Group Information Security Committee to examine specific measures and to share up-to-date information with regard to information security based on the policy. In order to counter the risk of cyberattacks, the Otsuka group employs a number of measures, such as arranging system security audits by external specialists, diagnosing website vulnerabilities, conducting drills related to targeted email attacks, and monitoring posts on social media. The group also conducts regular emergency drills with a focus on the core systems that construct data. In addition, we have built capabilities for responding to cybersecurity emergency situations, including the establishment of the Computer Security Incident Response Team (CSIRT), which preempts the occurrence of damage from cyberattacks targeting personal information and trade secrets held by respective group companies.