Governance | Risk Management
Risk Management
Basic Philosophy regarding Risk Management
In response to the series of recall issues in 2010, Toyota has been reinforcing its risk management systems. A Risk Management Meeting (since renamed the Corporate Governance Meeting) was established in June 2010, and risk managers were appointed in each section as part of global measures to take preventive action across the range of risks arising in business activities.
Organization and Structure
Appointment of Risk Management Personnel
Toyota appointed a Global Chief Risk Management Officer (CRO) to head global risk management and established a structure under the Global CRO to monitor risks on a daily basis. This makes it possible to respond immediately in the event of an emergency. Regional CROs are appointed under the Global CRO to oversee individual regions, and each region has its own risk management structure. In the in-house Head Office, the chief officers and the risk managers in each department and division are appointed to be responsible for managing risks according to function, while in each company the respective presidents and risk managers are appointed to be responsible for managing risks according to products, cooperating with and supporting each Regional Head Office.
Promotion by Corporate Governance Meeting
Since April 2015, the Corporate Governance Meeting, which serves as a supervising body over business implementation, has deliberated on an optimal governance structure to realize growth and business strategies that take a wide range of social challenges into consideration. The Meeting also discusses matters related to risk management. Two of the five yearly meetings of the Corporate Governance Meeting are attended by the CRO of each region, all Chief Officers and all Company Presidents. This enables the meeting to comprehensively identify risks to business activities and initiate preventive action. At these meetings, improvements and reinforcements to the risk management system of each region are confirmed, and serious risks are reported along with all current risk items. Reports are also made on the status of initiatives against imminent serious risks and other risks with global implications. In particular, we are focusing on information security and Business Continuity Management (BCM), areas in which businesses have recently been exposed to increased risk. Risks that could affect Toyota's business operations are listed in the Form 20-F. These include industry and business risks, financial market and economic risks, and event risks relating to politics, regulations, legal proceedings, disasters, etc. that could impact the decisions of investors.
Form 20-F (Web): http://www.toyota-global.com/investors/ir_library/sec/
[Figure: Risk management structure. Board of Directors; Corporate Governance Meeting; Risk management (Chairman: Global CRO Nobuyori Kodaira, Director). Below it, three collaborating lines: respective groups (functional) under the Chief Officers, with secretariats for functions; respective regions under the Regional CROs, with regional functions; and respective Companies under their Presidents, with the Company's Risk Managers.]
Sustainability Data Book 2016
Initiatives for Information Security
Basic Philosophy regarding Information Security
As cyber-attacks become more sophisticated and complex, the company's information and information systems, as well as the networks of control systems for plant facilities and automobiles, could become attack targets, which has increased the importance of information security for Toyota.
Toyota will ensure the safety and security of its customers against cyber-attacks. From the viewpoints of governance and risk management, and regarding the protection of customers' personal information as its social responsibility, Toyota is taking a range of measures to maintain information security.
Information Security Policy
Toyota’s basic approach to information security
In June 2016, Toyota and its consolidated subsidiaries established the Information Security Policy to clarify the basic policy and initiatives on information security and to address information security cooperatively.
1. Compliance
2. Maintenance of stable business infrastructure
3. Providing safe products and services
4. Contribution to the establishment of safe Cyberspace
5. Information Security Management
Information Security Policy (Web): http://www.toyota-global.com/sustainability/csr/risk-management/pdf/information-security-policy_en.pdf
Organization and Structure
Under the overall control of the Chief Information Security Officer, security officers are assigned to the individual security fields to promote information security activities. Details of activities in each security field and common overall challenges are shared and discussed at the Information Security Promotion Meeting to improve information security throughout Toyota.
[Figure: Information security structure. Board of Directors; Corporate Governance Meeting; Information Security Management Meeting (Chairman: Shigeki Tomoyama, Senior Managing Officer, Chief Information Security Officer (CISO)). Security areas, set up according to the risks of information security: Confidentiality Management (Trade Secret, Personal Information); Information Systems; Vehicle Control Systems; Facilities Control Systems; Financial Services. The security areas develop and support measures; the measures are applied in each division in TMC and at subsidiaries, dealers and suppliers.]
Initiatives for Information Management
Toyota has established the All Toyota Security Guidelines (ATSG), covering Toyota, its subsidiaries and affiliates, which seek to prevent in-house information leaks, unauthorized access from outside, etc., and works to ensure thorough information security. The ATSG establishes measures in organizational, personnel, technological, and physical management and also stipulates a response system for the event of an information leak. We work to ensure information security through multiple approaches. Under the ATSG, an annual inspection of the status of information security initiatives at each company is conducted to maintain and continuously improve information security.
All Toyota Security Guidelines (ATSG)
- Organizational management measures: establishment of systems and rules
- Personnel management measures: employee education, etc.
- Technological management measures: data access restrictions, etc.
- Physical management measures: control of room entry and exit, etc.
- Establishment of a response system for the event of a leak
Structure for ATSG Implementation at Subsidiaries and Affiliates (cycle between Toyota (HQ) and its subsidiaries and affiliates)
1. Request for ATSG introduction/inspection (Toyota HQ to subsidiaries and affiliates)
2. Self-inspection (subsidiaries and affiliates)
3. Report of inspection result (to Toyota HQ)
4. Improvement advice and support (Toyota HQ)
5. Improvement initiatives (subsidiaries and affiliates)
Business Continuity Management at Toyota
Basic Philosophy and Background regarding Business Continuity Management
Although Toyota was not directly affected by large-scale disasters such as the Great East Japan Earthquake and the Thailand floods, our production operations were brought to a halt for a long period of time, which caused inconvenience to customers in both sales and services. We have deep concerns about the possibility of a Nankai Trough earthquake, as the main functions of the Toyota Group Companies are concentrated in the Nankai Trough areas, and a large-scale earthquake there is expected to severely impact the production of our products and our operations. To be prepared for such incidents, the Business Continuity Plan (BCP*2) was established to facilitate early recovery of business operations with limited resources. In order to contribute to enriching the lives of communities, Toyota will work on disaster recovery according to the Basic Guidelines below.
Toyota's Basic Guidelines: Priorities following a disaster
1. Humanitarian aid (lifesaving first, relief)
2. Early recovery of the affected areas (communities)
3. Restoration of Toyota's operations and production
After the Kumamoto Earthquake in April 2016, we provided support based on the BCP.
*1 BCM: Business Continuity Management
*2 BCP: Business Continuity Plan
Humanitarian Aid and Early Recovery of Disaster-affected Areas (Communities)
To improve the feasibility of the Basic Guidelines, which give priority to regional recovery following a disaster, and to help build disaster-resilient communities, Toyota has concluded disaster support agreements with local governments (October 2013: Toyota City; February 2014: Miyoshi City; March 2015: Tahara City; August 2015: Susono City). Humanitarian support and regional recovery assistance are to be provided in mutual cooperation with local governments. Toyota is preparing the relevant implementation structures, etc. by incorporating the necessary provisions in its business continuity plan (BCP).
Details of recovery support:
(1) Rescue and relief in the wake of the disaster
(2) Provision of temporary evacuation facilities to accommodate local people affected by the disaster
(3) Provision of the designated shelter facilities
(4) Provision of food, drinking water, and daily necessities for distribution through local governments
(5) Cargo handling assistance at municipal relief supply facilities
(6) Provision of land necessary for restoration of local infrastructure (water supply and drainage, roads, etc.)
(7) Employee participation in local recovery activities
Business Continuity Management (BCM) at Toyota
Each division and function at Toyota has formulated a recovery-oriented BCP (organization chart, operational flowchart, and operational procedure manual). Using this in training and exercises, the PDCA cycle is implemented and continuous improvement is undertaken to constantly raise the practical effectiveness of the plan. These activities are identified as Business Continuity Management (BCM), which is delivered through coordination among employees and their families, Toyota Group companies and suppliers, and Toyota. Through this process of formulation and review of the BCP, we aim to develop human resources with the ability to respond to an incident and to build, as a routine task, a system of risk-resilient organizational structures, workplaces, and individuals.
[Figure: BCM PDCA cycle. Plan: formulation and revision of the BCP (1. Organization Chart, 2. Operational Flowchart, 3. Operational Procedure Manual; Action Plan in Emergency). Do: carry out training, etc. Check: identify issues. Act: solve issues. Coordinated activities among Toyota, Toyota Group Companies and Suppliers, and Employees and Families.]
Focus
Building a Disaster-resilient Supply Chain Together with Suppliers
Toyota has provided recovery support in accordance with the following priorities: (1) Humanitarian aid; (2) Recovery of the disaster-affected area; (3) Restoration of Toyota's operations and production. Since the Great East Japan Earthquake, with the aim of prompt initial action and early recovery, we have worked with suppliers in each country and region to build a disaster-resilient supply chain by sharing supply chain information and putting preparedness measures in place. For sharing supply chain information in Japan, we receive highly confidential information from suppliers to build a database known as the RESCUE* system, based on the concept of protecting Japanese monozukuri (manufacturing). Under strict compliance with its duty of confidentiality, Toyota conducts regular training with suppliers so that the system can be usefully applied in the event of a disaster. The system was also used after the Kumamoto Earthquake in April 2016. Moreover, this system has been standardized and shared with other companies, along with case studies of its application, through the Japan Automobile Manufacturers Association, thus helping to lay the foundations of a disaster-resilient supply chain. Toyota is implementing equivalent initiatives with suppliers in each country and region overseas.
* RESCUE: REinforce Supply Chain Under Emergency
[Figure: RESCUE system storing supply chain information. Tier 1, Tier 2 and Tier 3 suppliers register supply chain information in the Supply Chain Information Database (RESCUE) at Toyota Motor Corporation, which uses it for risk analysis; supply chain information is shared between Toyota and its suppliers.]