Risk Management
An introduction to the Yamaha Motor Group’s initiatives in the areas of risk management, crisis management, and business continuity
Risk Management Structure
The Yamaha Motor Group, as part of its risk management framework, appoints a Chief Risk and Compliance Officer (CRCO) who, based on the Rules of Risk Management, serves as the chair of the Global Risk and Compliance Management Committee, which is composed of executive officers appointed by the CRCO, and monitors risks on a Groupwide basis while also designating significant risks at the Group level to be tackled as priorities and checking on activities to address risks.
In addition, as a subordinate committee, the Group has established the Global Risk and Compliance Steering Committee, which is composed of Risk and Compliance Officers overseeing major regions appointed by the CRCO, and the Risk and Compliance Promotion Meeting, which is composed of division managers of divisions responsible for risk at the headquarters, to deliberate on policies, plans, monitoring, and countermeasures for risk management from a specialized perspective. The results of these discussions are reported to the Board of Directors by the CRCO as appropriate, and a system that ensures effectiveness is in place.
Furthermore, the divisions in charge of each individual risks, based on the deliberations of the Global Risk and Compliance Management Committee, establish risk response policies and regulations for their respective risks. Additionally, they shall promote countermeasure activities, monitor activities, etc., based on the response policies, directed towards the relevant departments at headquarters and group companies.
To ensure effectiveness, the integrated auditing division carries out audits of the divisions in charge of risk management.
Risk Management Activity Cycle
Risk management activities are promoted through the repetition of the following PDCA (plan, do, check, and act) cycle. The Yamaha Motor Group has prepared a risk management ledger of all risks that need to be covered, and works to reduce risk by appropriately managing and operating the risk management ledger.
Significant Risks at the Group Level
Each year, risks that need to be prevented and addressed as special priorities are determined to be significant risks at the Group level. In addition to the results of risk assessment at the Group level, significant risks at the Group level can be comprehensively determined and designated based on the Group's business strategy, legal and regulatory changes inside or outside the Group, or other developments including information concerning the likelihood of a risk event occurring or the operating environment.
2025 Group Major Risks
| Group Major Risks | Background | Measures |
|---|---|---|
| Factory Closedown Due to Interruption of Supply Chain | Although the semiconductor supply shortage has been improving in recent procurement environments, geopolitical risks, natural disasters, and other country-specific risks persist, which leads to an increased risk of supply chain disruptions. In addition, based on the platform strategy, certain components and business partners are tied to production models in each country, and makes global efforts to enhance resilience during normal times necessary. |
The company as a whole decided on priority BCP businesses and models, and Motorcycle focused on NMAX and Marine focused on large outboard motors and jet pumps to begin risk reduction activities. In response to geopolitical risks, we will increase inventory in the short term and incorporate alternative suppliers in the medium to long term. In response to risks specific to each country, we will identify risks and then establish a first response system, and pursue global monitoring and collaboration. |
| Leakage of confidential information | Although we have been working to reduce the risk of leakage of confidential information for some time, concerns are growing from the perspective of economic security regarding the sensitive technical information we handle, and we have selected this as an area that requires even more action at all the Yamaha Motor Group level. | We will conduct activities to manage confidential information at Group companies by globally deploying confidential information group business guidelines. The division in charge will strengthen systems and check the information control structure of Group companies in Japan and overseas. In addition, we will work with related departments and Group companies in Japan and overseas to investigate and supervise the status of confidential information management, with a focus on sensitive technical information of the Yamaha Motor Group, and provide support to reduce the risk of information leaks. |
| Cybersecurity | In addition to conventional measures led by the IT division, measures for the supply chain, including factory equipment and business partners, and collaborative activities with each company and department are necessary due to the increasing sophistication of cyberattacks. In the event of a cyberattack, there is a greater need for company-wide activities, such as building a response and recovery system that takes into account business continuity. |
We implement measures for both hardware and software based on cybersecurity policies that comply with global standard cybersecurity frameworks. Such measures strengthen defense and response capabilities against increasingly sophisticated attacks. Incorporating measures to detect attacks early and minimize damage in case of an attack is also a priority. |
| Human rights violations | Recently, problems such as conflicts and poverty have intensified, leading to an increasing trend in human rights violations and opportunities for such violations to occur. Meanwhile, the Company operates across multiple industries, and the supply chain is wide-ranging, so globalization is expanding and the risk environment is becoming more severe. |
We will incorporate human rights clauses and secure memorandums of understanding with dealers and direct material suppliers, aiming for 100% by 2027. We will continue to build up our track record of human rights due diligence activities at Group companies, focusing particularly on direct material suppliers in the supply chain, completing information collection through risk assessments and SAQs (self-assessment questionnaires), and finalizing risk levels based on this information. We conduct on-site verification of priority business partners, and support the implementation of human rights activities at partner sites while also rolling out initiatives to secondary and tertiary suppliers. |
| Harassment | With increased social awareness of harassment and the expanded application of the Act on Comprehensive Promotion of Labor Policies to SMEs, we have identified the need to strengthen activities aimed at reducing harassment risks. | We are continuously working to prevent harassment by adding new initiatives to raise awareness of harassment prevention, respond quickly and appropriately when incidents occur, and prevent recurrence. In addition, we will continue to support the harassment risk reduction activities of Group companies, while promoting the development of our unique training program in Japan, which aims to create a shared awareness across all relevant division and also to approach the issue from the perspective of the different roles involved. |
| Deaths and serious injuries during work due to equipment and machinery | A serious industrial accident involving equipment and machinery occurred at Yamaha Motor during the first half of 2023. The Yamaha Motor Group uses a large amount of equipment and machinery in the course of its business activities. We have selected this as a priority because we need to raise the level of occupational health and safety throughout the entire Group in order to prevent such serious industrial accidents from occurring again. |
In 2024, we formulated Group policies and targets and improved our governance structure in order to foster a culture of safety first throughout the entire Group and continuously implement initiatives aimed at achieving zero industrial accidents. From 2025, we will minimize the risk of occupational accidents by thoroughly working to eliminate and reduce risks through the development and implementation of an occupational health and safety management system (ISO 45001) centered on manufacturing bases. In addition, we will strengthen governance and recurrence prevention initiatives by gaining an understanding of and conducting an analysis on the occurrence of occupational accidents at all Group companies. |
| Violation of laws and regulations concerning product quality | Compliance with laws and regulations related to product quality is directly linked to the trust of customers and local communities, and strict management is increasingly required. In addition, it is expected that new laws and regulations will be established in line with the spread and diversification of CASE-related products and services in the world and the realization of a recycling society, and that such laws and regulations will be expanded to each country. We have selected this system because it is necessary for the entire company to respond to these changes without delay. |
We will work to ensure that we comply with product quality-related regulations through means such as collecting and disseminating regulatory information, and confirming that regulatory requirements are incorporated. At the same time, we will strengthen the foundations of the legal management processes of each business, with the Corporate Regulation Contorol Division, which was established in 2022, as the hub for company-wide activities, in conjunction with the development of the Yamaha Motor Group Quality Assurance Regulations, which are based on ISO 9001. |
Crisis Management Structure and Activities
The Yamaha Motor Group works to minimize the damage from and quickly resolve crisis situations as per the “Rules for Initial Response to an Emergency.”
In the event of a disaster, accident, or compliance-related incident at the Group, the division involved will report to the risk management supervising section or the divisions in charge of risk management as per standards for determining the level of reporting, which are set in advance. If the reported event is of a scale significant enough to warrant the involvement of Group management or multiple divisions and/or companies, the risk management supervising section will refer the matter to a response team designated in advance, and an Emergency Countermeasure Headquarters, chaired by the President, will be established. The headquarters will work to understand the situation and formulate a provisional response, and, if necessary, will promptly report on the matter to customers and related parties.
Business Continuity Planning
To prepare against envisioned risks that could impact the continuity of our business, Yamaha Motor has formulated “Rules of Business Continuity” and responds as per those Rules.
Yamaha Motor's primary operations are concentrated in Shizuoka Prefecture, and could be affected if a major earthquake were to occur in the Nankai Trough.
To prepare for disasters, we have taken steps such as earthquake-proofing our buildings and facilities based on damage predictions from government bodies in order to prevent and mitigate disasters. We are prepared to respond to tsunamis and have stockpiled food, water and other necessities and prepared emergency means of communication. We regularly conduct company-wide disaster drills including nearby Group companies (including night drills for some departments), conduct periodic drills in safety confirmation and also hold initial response drills for individual locations. In addition to all this, we have formulated a BCP that seeks to ensure business continuity while prioritizing the lives and safety of our employees.
We have selected our priority businesses, and we implement continuous and comprehensive measures for both tangible and intangible aspects, including identifying and formulating countermeasures to bottlenecks to recovery, clarifying recovery procedures, selecting response personnel in advance and establishing a system for gathering information from the supply chain.
Furthermore, Group companies have developed infection prevention measures, identified issues that could affect the continuity of their operations, and are formulating response plans in case a pandemic should occur.
We responded to COVID-19 in accordance with our Procedure for Business Continuity (Pandemic Influenza Version), setting up a COVID-19 Task Force headed by the President which collected information, determined response policies, and communicated information. Furthermore, to prepare for the possibility of another pandemic occurring in the future, we are engaged in ongoing initiatives that use the experiences and knowledge we gained from dealing with COVID-19.
Cybersecurity
To protect the products and services used by our customers, and also protect information assets such as personal and confidential information, the Yamaha Motor Group has established a Cybersecurity Policy and is taking steps to address this issue.
Specifically, in addition to the basic defensive measures already in place, such as anti-malware and anti-vulnerability measures, the Group has a Security Operation Center (SOC) that monitors for irregularities and a Computer Security Incident Response Team (CSIRT) that responds to incidents to prepare for contingencies. The Group also provides training to increase employees' cybersecurity literacy, conducts assessments to ascertain the situation at each Group company and develop improvement plans, and makes other ongoing efforts to reduce cyber risks.
To help ensure product security, we joined Auto-ISAC* in both Japan and the USA, and the company's Product Security Incident Response Team (PSIRT) uses an understanding of the latest security information and of incidents that have occurred, including in the supply chain, to assist in its responses.
In FY2023, we confirmed that there had been unauthorized access, a ransomware attack, and an information leak at a subsidiary manufacturing and selling motorcycles in the Philippines. As of November 2023, we had confirmed that the effects were limited to certain servers managed by the subsidiary and that the Group, including headquarters, was not affected.
*Auto-ISAC(Automotive Information Sharing & Analysis Center)
- Cybersecurity Policy[PDF]
Management of Information
In 2013, the Yamaha Motor Group established the Group Operations Guidelines, determining the Groupwide policy related to information management in general, including confidentiality management, document control, protection of personal information, and management of disclosed information. With the development of information communication technology and expansion in the use of big data, and triggered by the 2018 enforcement of data protection laws in Europe, strict laws and ordinances related to the protection of personal information are being established in various countries. In response, Yamaha Motor revised its Information Management Group Operations Guidelines in 2020, in particular establishing a system for protecting personal information and setting rules on the handling of personal information (notifying and obtaining consent when acquiring personal information, safety management steps, handling requests involving an individual's rights, dealing with leaks, etc.). Yamaha Motor and its Group companies around the world are cooperating in the promotion of a global response.
In the same year, we revised the Yamaha Motor Group Privacy Policy to state compliance with the laws and regulations regarding personal information protection in each country. In relation to overall information management (including the protection of personal information), each year, we also monitor the status of the handling of information among Group companies. Recommendations are made based on the results. At the same time, we execute group training, e-learning, and other educational and awareness-building activities to thoroughly ensure the appropriate handling of information.
If the Yamaha Motor Group becomes aware of any leak (or the possibility of a leak) of personal information, we will promptly conduct the necessary investigation and take the necessary measures such as reporting to the supervisory authority and notifying the individual in accordance with applicable laws and regulations, as well as taking disciplinary action and other strict measures in accordance with applicable regulations.
There were no significant legal violations, penalties, surcharges, etc. related to the protection of personal information in 2023.
