Risk Management
An introduction to the Yamaha Motor Group’s initiatives in the areas of risk management, crisis management, and business continuity
Risk Management Structure
Based on the Rules of Risk Management, the risk management structure works toward the thorough reduction of risks on a Groupwide basis. It is led by the Sustainability Committee and the Risk Compliance Secondary Meeting of its subordinate council, the Sustainability Promotion Meeting, which comprises the risk management supervising section and divisions in charge of risk management. The Committee, chaired by the President and Chief Executive Officer, monitors risks on a Groupwide basis while also designating significant risks at the Group level to be tackled as priorities and checking on activities to address risks. The Risk Compliance Secondary Meeting is independent of the business line and the Chief General Manager of Human Resources & General Affairs Center is the person in charge.
Furthermore, the divisions in charge of risk management formulate response policies and rules for the risks under their charge, promote activities to address risk based on these response policies, etc., and monitor activities at headquarters divisions and Group companies. To ensure effectiveness, the integrated auditing division carries out audits of the divisions in charge of risk management.
Risk Management Activity Cycle
Risk management activities are promoted through the repetition of the following PDCA (plan, do, check, and act) cycle. The Yamaha Motor Group has prepared a risk management ledger of all risks that need to be covered, and works to reduce risk by appropriately managing and operating the risk management ledger.
Significant Risks at the Group Level
Each year, risks that need to be prevented and addressed as special priorities are determined to be significant risks at the Group level. In addition to the results of risk assessment at the Group level, significant risks at the Group level can be comprehensively determined and designated based on the Group's business strategy, legal and regulatory changes inside or outside the Group, or other developments including information concerning the likelihood of a risk event occurring or the operating environment.
2024 Group Major Risks
Group Major Risks | Background | Measures |
---|---|---|
Cybersecurity | Cyber-attack methods continue to advance. Countermeasures increasingly require cooperation with business divisions such as production, not only the IT division, because those divisions operate their own network-connected high-tech systems (e.g., MES). Company-wide activities will also become more important, such as preparing a business contingency plan covering the entire supply chain pipeline and building a company-wide recovery team for when a cyber-attack occurs. | Implement both hardware and software measures based on a global cybersecurity policy focused on global security standards. We will increase our protection against advanced attacks. Implement early detection systems to minimize incidents at an early stage, even if we are attacked. |
Violation of Human Rights | We have selected this theme in response to growing social demands and compliance regarding business and human rights in recent years, and the need to strengthen the Group's response to human rights, particularly in its supply chain. | Develop a Yamaha Motor Group Human Rights Policy to clarify the Group's approach to respect for human rights, implement human rights due diligence to identify, avoid and mitigate adverse human rights impacts in the Group's supply chain, obtain contracts for human rights compliance from all business partners/suppliers, and develop a complaint handling mechanism to address adverse human rights impacts. In addition, we plan a field investigation based on human rights due diligence in 2024. |
Harassment | We have also selected this theme because of the need to strengthen activities to reduce harassment risks. The background is the growing social concern about harassment and the expansion of application of the power harassment prevention law to small and medium-sized enterprises. | We will raise awareness to prevent harassment, promptly and appropriately respond when an incident occurs, review measures to prevent recurrence, and work on effective risk reduction activities. We will promote the company-wide deployment of the training we have been conducting since 2023, and continue to support the harassment reduction activities of group companies. |
Violation of Laws And Regulations Concerning Product Quality | Compliance with laws and regulations regarding product quality is directly linked to the trust of customers and communities, and strict control is increasingly required. In addition, the spread and diversification of CASE-related products and services in the world and the enactment of new laws and regulations in line with the realization of a recycling-oriented society are expected to be expanded to other countries. The selection is based on the need for the entire company to keep up with these changes without fail. | To ensure compliance with laws and regulations concerning product quality, we will engage in activities such as collecting and developing legal information and checking the incorporation of legal requirements. We will also conduct strategic legal activities for new businesses. At the same time, we will develop the Yamaha Motor Group Quality Assurance Regulations in accordance with ISO 9001, and strengthen the foundation of legal and regulatory management processes for each business, with the corporate legal and regulatory management division established in 2022 as the hub for company-wide activities. |
Death Or Serious Injury During Business Activities Due to Equipment, Machinery, etc. | A fatal occupational accident occurred due to equipment and machinery at a YMC factory in the first half of 2023. We have selected this theme because many group companies also have similar equipment and machinery in conducting business activities and it is necessary to raise the level of occupational safety and health across the entire group, so that such serious occupational accidents never occur again. | In order to foster a safety first culture throughout the Group and to continuously promote initiatives aimed at zero occupational accidents, we will formulate a Group policy and targets and develop a governance system, etc. We will minimize the risks of occupational accidents by thoroughly eliminating and reducing risks through the development and operation of an occupational health and safety management system. |
Factory Closedown Due to Interruption of Supply Chain | In the recent procurement environment, although semiconductor supply shortages are being resolved, there are risks specific to each country, such as geopolitical risks and natural disasters, and the risk of supply chain disruption is increasing. Furthermore, based on PF strategy, specific parts and suppliers are linked to the production model of each country, so activities to strengthen resilience are required on a global scale even during normal times. | All Yamaha groups decided on priority projects and models for BCP, and we narrowed the target to NMAX for MC and to large outboard motors and Jet Pump for Marine, and started risk reduction activities. In response to geopolitical risk, we will increase stock in the short term and, for the medium to long term, proceed with the implementation of alternative sources. For country-specific risks, we will establish an initial response structure after identifying risks, and promote monitoring and coordination globally. |
Confidential Information Leakage | With regard to the leakage of confidential information, we have continued our risk reduction activities up until now. However, we have selected this theme because there is a growing concern from the economic security point of view about sensitive technical information handled by our company, and more activities are required at the companywide level. | Confidential Information Management Group Guidelines will be globally deployed to promote confidential information management activities within group companies. The responsible department will strengthen the organization and the system, and cooperate with related departments throughout the company and domestic and overseas group companies to investigate and supervise the status of confidential information management, focusing on sensitive technical information of the Yamaha Motor Group, and provide support to reduce the risk of information leaks. |
Crisis Management Structure and Activities
The Yamaha Motor Group works to minimize the damage from and quickly resolve crisis situations as per the Rules for Initial Response to an Emergency.
In the event of a disaster, accident, or compliance-related incident at the Group, the division involved will report to the risk management supervising section or the divisions in charge of risk management as per standards for determining the level of reporting, which are set in advance. If the reported event is of a scale significant enough to warrant the involvement of Group management or multiple divisions and/or companies, the risk management supervising section will refer the matter to a response team designated in advance, and an Emergency Countermeasure Headquarters, chaired by the President, will be established. The headquarters will work to understand the situation and formulate a provisional response, and, if necessary, will promptly report on the matter to customers and related parties.
Business Continuity Planning
To prepare against envisioned risks that could impact the continuity of our business, Yamaha Motor has formulated Rules of Business Continuity and responds as per those Rules.
Yamaha Motor's primary operations are concentrated in Shizuoka Prefecture, and could be affected if a major earthquake were to occur in the Nankai Trough.
To prepare for disasters, we have taken steps such as earthquake-proofing our buildings and facilities based on damage predictions from government bodies in order to prevent and mitigate disasters. We are prepared to respond to tsunamis and have stockpiled food, water and other necessities and prepared emergency means of communication. We regularly conduct company-wide disaster drills including nearby Group companies (including night drills for some departments), conduct periodic drills in safety confirmation and also hold initial response drills for individual locations. In addition to all this, we have formulated a BCP that seeks to ensure business continuity while prioritizing the lives and safety of our employees.
We have selected our priority businesses, and we implement continuous and comprehensive measures for both tangible and intangible aspects, including identifying and formulating countermeasures to bottlenecks to recovery, clarifying recovery procedures, selecting response personnel in advance and establishing a system for gathering information from the supply chain.
Furthermore, Group companies have developed infection prevention measures, identified issues that could affect the continuity of their operations, and are formulating response plans in case a pandemic should occur.
We responded to COVID-19 in accordance with our Procedure for Business Continuity (Pandemic Influenza Version), setting up a COVID-19 Task Force headed by the President which collected information, determined response policies, and communicated information. Furthermore, to prepare for the possibility of another pandemic occurring in the future, we are engaged in ongoing initiatives that use the experiences and knowledge we gained from dealing with COVID-19.
Cybersecurity
To protect the products and services used by our customers, and also protect information assets such as personal and confidential information, the Yamaha Motor Group has established a Cybersecurity Policy and is taking steps to address this issue.
Specifically, in addition to the basic defensive measures already in place, such as anti-malware and anti-vulnerability measures, the Group has a Security Operation Center (SOC) that monitors for irregularities and a Computer Security Incident Response Team (CSIRT) that responds to incidents to prepare for contingencies. The Group also provides training to increase employees' cybersecurity literacy, conducts assessments to ascertain the situation at each Group company and develop improvement plans, and makes other ongoing efforts to reduce cyber risks.
To help ensure product security, we joined Auto-ISAC* in both Japan and the USA, and the company's Product Security Incident Response Team (PSIRT) uses an understanding of the latest security information and of incidents that have occurred, including in the supply chain, to assist in its responses.
In FY2023, we confirmed that there had been unauthorized access, a ransomware attack, and an information leak at a subsidiary manufacturing and selling motorcycles in the Philippines. As of November 2023, we had confirmed that the effects were limited to certain servers managed by the subsidiary and that the Group, including headquarters, was not affected.
*Auto-ISAC (Automotive Information Sharing & Analysis Center)
- Cybersecurity Policy[PDF]
Management of Information
In 2013, the Yamaha Motor Group established the Group Operations Guidelines, determining the Groupwide policy related to information management in general, including confidentiality management, document control, protection of personal information, and management of disclosed information. With the development of information communication technology and expansion in the use of big data, and triggered by the 2018 enforcement of data protection laws in Europe, strict laws and ordinances related to the protection of personal information are being established in various countries. In response, Yamaha Motor revised its Information Management Group Operations Guidelines in 2020, in particular establishing a system for protecting personal information and setting rules on the handling of personal information (notifying and obtaining consent when acquiring personal information, safety management steps, handling requests involving an individual's rights, dealing with leaks, etc.). Yamaha Motor and its Group companies around the world are cooperating in the promotion of a global response.
In the same year, we revised the Yamaha Motor Group Privacy Policy to state compliance with the laws and regulations regarding personal information protection in each country. In relation to overall information management (including the protection of personal information), each year, we also monitor the status of the handling of information among Group companies. Recommendations are made based on the results. At the same time, we execute group training, e-learning, and other educational and awareness-building activities to thoroughly ensure the appropriate handling of information.
If the Yamaha Motor Group becomes aware of any leak (or the possibility of a leak) of personal information, we will promptly conduct the necessary investigation and take the necessary measures such as reporting to the supervisory authority and notifying the individual in accordance with applicable laws and regulations, as well as taking disciplinary action and other strict measures in accordance with applicable regulations.
There were no significant legal violations, penalties, surcharges, etc. related to the protection of personal information in 2023.