The TOTO Group strives without limit to eliminate all causes of hindrances to the implementation of management policies in order to maintain the confidence of society through the fulfillment of its corporate social responsibilities. In cases of unexpected problems, maximum efforts will be made to minimize various effects on stakeholders and to restore confidence of related parties by developing appropriate preventive measures.
Our Risk Management Committee, chaired by the vice president, has as its members the executive officers overseeing major risks and division heads. In accordance with risk management rules, the Risk Management Supervising Division General Manager appointed to oversee risk management works with all divisions and Group companies through various committees and meetings to prevent risks and enhance the Group's risk management response capabilities.
Committee chairman: Executive Vice President
Vice chairman: Executive officer in charge of General Affairs
Committee members: Each division manager
Top Management Roles and Responsibilities
Building and penetration of the risk management system
Confirming and evaluating the validity of the risk management system
Providing the needed management resources to achieve the above
Risk Management Committee Roles and Responsibilities
Promotion of Risk Management
Discussing and determining goals and direction of risk management
Progress and follow-up on risk management
Risk detection and evaluation, creating a risk map and prioritizing risk
Improving risk awareness and knowledge
Promoting monitoring and audits
Risk Management Report to Board of Directors
Major Risks in Fiscal 2017
Every year, major risks that could have a significant impact on stakeholders are identified and a general manager of the risk management supervision division is appointed for each risk in order to take preventive measures. Each major risk is mapped out on a matrix evaluating degree of impact and frequency of occurrence from the viewpoints of damage to the brand, impact on personnel and financial consequences. Risks scoring high in risk points are flagged as priority risks and monitored by the Risk Management Committee, and risk mitigation activities are promoted throughout the entire Group.
BCP & BCM activities
TOTO has a business continuity plan (BCP) to help achieve early resolution and keep damage to a minimum, should a risk materialize. When the Great East Japan Earthquake occurred in March 2011, a countermeasures headquarters was immediately set up to help continue business operations, minimize damage and keep inconvenience to customers to a minimum. Our efforts in this respect were recognized by the Business Continuity Advancement Organization (BCAO) when we won the Grand Prize at the 2011 BCAO Awards for having the best business continuity measures in place. Following the Great East Japan Earthquake, risks in the procurement of important parts and power restrictions have become evident. We have therefore strived to improve our business continuity management by, for example, taking measures in advance. We also established a task force immediately after the Kumamoto Earthquake in April 2016 in an effort to ensure the continuity of our businesses and minimize damage. In case of a major earthquake directly hitting central Tokyo or the Nankai megathrust earthquake, we will strengthen our internal system in accordance with the review of the assumptions, which is to be announced, and we will review our contingency plans to react to the disaster and continue our businesses.
Systems and measures to be activated in the event of a crisis are defined in the Rules for Risk Management. But no one knows when a crisis will occur, and unless there are clear rules on how to respond or who to contact in an emergency, any initial response will be delayed. To resolve this issue, we have set up a group-wide emergency contact desk which operates 24 hours a day year-round. In fiscal 2013, we established an even smoother emergency response system by setting up an email point of contact in addition to the call center. An Emergency Procedures Card has also been distributed to all Group employees. First reports of a critical event can be received 24 hours a day year-round and are centrally managed. From fiscal 2012, ten items were added to the card to help educate employees in how to protect themselves and their families, including preparations for an earthquake disaster and initial responses in the event of an earthquake. In an emergency, the situation will be reported promptly to the risk management supervising division, personnel from the departments concerned will gather quickly, and actions will be taken to help resolve the crisis immediately and keep any damage to a minimum.
Proactive risk communication
Risk management training is provided to all new section managers, new department general managers and new group company presidents. Corporate internal communication sites contain descriptions of risk management activities on web pages dedicated to risk management, risk trends, emergency response manuals and a variety of other information available for viewing by all group personnel. Of particular note are the dedicated sites set up on the corporate homepage in 2011, when the Great East Japan Earthquake struck, to facilitate communication in easy-to-navigate categories such as damage to those affected, response policy and daily progress. Disaster response information was summarized in news releases as the company worked to provide up-to-the-minute information disclosure.
Practical risk simulations
To improve our prevention and response capabilities to major risks, we have been carrying out practical risk simulations targeting all workplaces, including overseas. A total of 140 have been conducted between fiscal 2005 and last fiscal year. Notably, the unforeseeable response required at the occurrence of the Great East Japan Earthquake needed to be mitigated via flexible decision-making and execution to respond to disaster conditions that changed by the minute. Real-time risk simulation (of a metropolitan area devastated by an earthquake) was conducted for all Directors and Division General Managers in fiscal year 2013. Personnel responsible for unforeseeable management risk reviewed "what to do when it occurs" in advance of a disaster, and shared trends in business continuity to recognize that Directors and General Managers of Divisions themselves make prompt decisions when disaster strikes. Subsequently, the training will continue in the areas that the Nankai megathrust earthquake or Great Tokyo Earthquake would affect. We also introduced real-time risk simulations (mock disasters) in fiscal 2011 and have been conducting training at each business site. Real-time training has been conducted 69 times in the interim 4 years and completed at all sites in fiscal 2014. Outside Japan, we have been conducting risk simulations with the host country, which changes every year. In fiscal 2016, we held a risk simulation on the measures against product accidents in the United States.
TOTO Group Security Policy
The TOTO Group recognizes that the protection and appropriate safety management of its information assets and all other management assets held by the TOTO Group is an extremely important social responsibility. The TOTO Group ensures that all of its employees understand this policy, strives to provide products and services that customers feel secure using, and continuously improves its security. Through these efforts, the TOTO Group aspires to be a company that is trusted by its customers.
The TOTO Group operates a security management system based on the TOTO Group Security Policy which sets out the basic requirements for the system. The division responsible for information security conducts risk assessments, sets objectives, formulates an implementation plan and puts it into operation in cooperation with the Internal Audit division. In fiscal 2012, we changed notations/definitions and methods of displaying different types of confidential information, reviewed our rules on confidential information and drew up new guidelines. In fiscal 2014, regulations were strengthened by adding certain restrictions regarding laws concerning use of personal devices and media on company sites as a measure to improve information security. Each division and Group company has set up an information security management organizational chart, a confidential information management ledger and a management status disclosure ledger, and was asked to perform a self-check (implementation rate 100%) on handling confidential information in accordance with the new rules and guidelines. In addition, we implemented information security education through e-learning for all TOTO Group employees, including those of cooperating companies.
In response to the Act on the Protection of Personal Information, enforced in April 2005, TOTO established personal information protection guidelines and has used e-learning to familiarize employees with them. Beginning in fiscal 2010, TOTO's subcontractors began performing self-assessments that help TOTO manage subcontractors more effectively. Furthermore, TOTO's divisions and Group companies are working to revise the personal information management records and structures for managing personal information, and managers are performing self-inspections with an implementation rate of 100%, in order to thoroughly manage personal information and raise awareness about it.