Risk Management
An introduction to the Yamaha Motor Group’s initiatives in the areas of risk management, crisis management, and business continuity
Risk Management Structure
Based on the Rules of Risk Management, the risk management structure works toward the thorough reduction of risks on a Groupwide basis. It is led by the Sustainability Committee and the Risk Compliance Secondary Meeting of its subordinate council, the Sustainability Promotion Meeting, which comprises the risk management supervising section and divisions in charge of risk management. The Committee, chaired by the President and Chief Executive Officer, monitors risks on a Groupwide basis while also designating significant risks at the Group level to be tackled as priorities and checking on activities to address risks. The Risk Compliance Secondary Meeting is independent of the business line and the Chief General Manager of Human Resources & General Affairs Center is the person in charge.
Furthermore, the divisions in charge of risk management formulate response policies and rules for the risks under their charge, promote activities to address risk based on these response policies, etc., and monitor activities at headquarters divisions and Group companies. To ensure effectiveness, the integrated auditing division carries out audits of the divisions in charge of risk management.
Risk Management Activity Cycle
Risk management activities are promoted through repetition of the PDCA (plan, do, check, and act) cycle. The Yamaha Motor Group has prepared a risk management ledger of all risks that need to be covered, and works to reduce risk by appropriately managing and operating the risk management ledger.
Significant Risks at the Group Level
Each year, risks that need to be prevented and addressed as special priorities are determined to be significant risks at the Group level. In addition to the results of risk assessment at the Group level, significant risks at the Group level can be comprehensively determined and designated based on the Group's business strategy, legal and regulatory changes inside or outside the Group, or other developments including information concerning the likelihood of a risk event occurring or the operating environment.
Significant Risks at the Group Level | Background | Measures |
---|---|---|
Pandemic | Because of the novel coronavirus, the Group has experienced a pandemic. To continue business while protecting the health of employees, it is necessary to look back on the activities so far and to review the effectiveness of the internal rules once again. Pandemic has therefore been designated a significant risk. | Going forward, the Group will continue to adjust its responses according to the risk of infection spread, review the definition of each item and the responses for each level, refine the internal rules to make them more effective, and work to ensure that domestic and overseas Group companies can take the same level of countermeasures. |
Cybersecurity | The Group's business activities rely increasingly on information systems, and the importance of those systems is growing. Measures are needed to prevent leaks of personal or confidential information, information system failures, etc., caused by cyberattacks and computer virus infections. Cybersecurity has therefore been designated a significant risk. | The Group has established a Cybersecurity Policy and is taking measures covering both tangible and intangible aspects of cybersecurity to increase protection against external attacks, to detect attacks at an early stage, and to minimize damage in the event of an attack. |
Products containing environmentally hazardous substances | Countries around the world have been steadily tightening regulations on environmentally hazardous substances, and the Group must strengthen control structures to prevent violation of laws and regulations by the products it manufactures. Products containing environmentally hazardous substances have therefore been designated a significant risk. | The Group is working to prevent violations of laws, regulations and ordinances by reliably tracking legal information in the countries concerned, sharing it internally and externally with the sections concerned, providing education by hierarchy, standardizing correct management systems and procedures for complicated laws and regulations, and making efficient use of IT systems. |
Improper Import/Export Procedures | In light of the growing number of bilateral and multilateral free trade agreements, and expanding import/export procedures for global logistics among Group companies, the Group must further enhance its system for preventing any violation of agreements, laws and regulations. Improper import/export procedures have therefore been designated a significant risk. | The Group is working to establish a Group-wide structure that prevents violations by tracking the enactment and revision of free trade agreements, standardizing operations and training the persons concerned according to the management system stipulated in the Group rules, and monitoring the operational status of these on a daily and regular basis. |
Violation of Copyright Law Regarding Software License | Computer software is protected as a copyrighted work and requires proper management. However, due to the diversification of business forms and changes in the environment such as cloud computing, license systems are becoming more complicated and the risk of violating laws and regulations is increasing regardless of intention. Violation of copyright law regarding software licenses has therefore been designated a significant risk. | To prevent software license violations, the Group is raising awareness inside the Group through education for managers and employees, and is strengthening and further establishing its IT asset management system and its operation. |
Bribery | Anti-corruption initiatives are being strengthened in every country and region, and as a Group that conducts business on a global scale, there is a need for an effective system to prevent regulatory violations and to strengthen anti-bribery efforts. Bribery has therefore been designated a significant risk. | Based on the Yamaha Motor Group Anti-Bribery Policy, the Group is promoting an anti-bribery commitment and management system on a global basis, conducting training, monitoring activities and measures that address the risks assessed, and addressing anti-bribery effectively and organizationally. Since 2021, we have strengthened the anti-bribery program for high bribery risk regions, and will continue to promote implementation of this program. |
Crisis Management Structure and Activities
The Yamaha Motor Group works to minimize the damage from and quickly resolve crisis situations as per the Rules for Initial Response to an Emergency.
In the event of a disaster, accident, or compliance-related incident at the Group, the division involved will report to the risk management supervising section or the divisions in charge of risk management as per standards for determining the level of reporting, which are set in advance. If the reported event is of a scale significant enough to warrant the involvement of Group management or multiple divisions and/or companies, the risk management supervising section will refer the matter to a response team designated in advance, and an Emergency Countermeasure Headquarters, chaired by the President, will be established. The headquarters will work to understand the situation and formulate a provisional response, and, if necessary, will promptly report on the matter to customers and related parties.
Business Continuity Planning
To prepare against envisioned risks that could impact the continuity of our business, Yamaha Motor has formulated Rules of Business Continuity and responds as per those Rules.
Yamaha Motor's primary operations are concentrated in Shizuoka Prefecture, and could be affected if a major earthquake were to occur in the Nankai Trough.
To prepare for disasters, we have taken steps such as earthquake-proofing our buildings and facilities based on damage predictions from government bodies in order to prevent and mitigate disasters. We are prepared to respond to tsunamis and have stockpiled food, water and other necessities and prepared emergency means of communication. We regularly conduct company-wide disaster drills (including night drills for some departments) including nearby Group companies, and also conduct periodic drills in safety confirmation. In addition to all this, we have formulated a BCP that seeks to ensure business continuity while prioritizing the lives and safety of our employees.
We implement continuous and comprehensive measures for both tangible and intangible aspects, including identifying and formulating countermeasures to bottlenecks to recovery, clarifying recovery procedures, selecting response personnel in advance and building a structure for gathering information from the supply chain.
Another concern is the outbreak of a potentially global pandemic. To prepare for this possibility, Group companies have developed infection prevention measures and identified issues that could affect the continuity of their operations to formulate response plans.
In regard to the coronavirus that has ravaged the world since 2020, we took measures in accordance with our Procedure for Business Continuity (Pandemic Influenza Version), setting up a COVID-19 Task Force headed by the President, which carried out the collection of information, determination of response policies, and the communication of information.
As for overseas operations, we gave instructions to Yamaha Motor employees and their families residing in some countries to return to Japan in accordance with the state of the spread of COVID-19 infections in the country and local medical risks. For employees working at headquarters, we adopted teleworking and staggered office hours systems. These, along with the establishment of a site for headquarters and Group companies to share information, form part of our drive to continue to ascertain the status of infections worldwide and commit fully to preventing infections.
Cybersecurity
Cyberattacks have become increasingly advanced and sophisticated in recent years, and businesses are faced with a heightened risk for infection by computer viruses, leakage of personal and confidential information, and information system failures. The Yamaha Motor Group has established a Cybersecurity Policy with the aim of protecting the products and services used by our customers, as well as our information assets.
In addition to the basic defensive measures already in place, such as monthly vulnerability analysis that includes anti-malware measures, the Group has a Security Operation Center (SOC) that monitors for irregularities to enable early detection and response and a Computer Security Incident Response Team (CSIRT) that responds to incidents to prepare for contingencies. The Group also provides training to increase employees' cybersecurity literacy, conducts assessments to ascertain the situation at each Group company and develop improvement plans, and makes other ongoing efforts to reduce cyber risks.
There were no information security- or cyber security-related violations in FY2021.
- Cybersecurity Policy[PDF]
Management of Information
In 2013, the Yamaha Motor Group established the Group Operations Guidelines, determining the Groupwide policy related to information management in general, including confidentiality management, document control, protection of personal information, and management of disclosed information.
With the development of information communication technology and expansion in the use of big data, and triggered by the 2018 enforcement of data protection laws in Europe, strict laws and ordinances related to the protection of personal information are being established in various countries. In response, Yamaha Motor revised its Information Management Group Operations Guidelines in 2020, in particular establishing a system for protecting personal information and setting rules on the handling of personal information (notifying and obtaining consent when acquiring personal information, safety management steps, handling requests involving an individual's rights, dealing with leaks, etc.). Yamaha Motor and its Group companies around the world are cooperating in the promotion of a global response.
In relation to information management, each year, we also monitor the status of the handling of information among Group companies. Recommendations are made based on the results. At the same time, we execute group training, e-learning, and other educational and awareness-building activities to thoroughly ensure the appropriate handling of information.
In FY2021, there were no allegations that were recognized by regulating authorities, etc., as being violations of our customers’ privacy.