Risk Management

Under the supervision of the Risk Management Subcommittee, we extract, analyze, and rate risks, then consider and implement countermeasures for high-priority risks. We also apply the Plan Do Check Action (PDCA) cycle to this process to promote risk management.

Basic Policy on Risk Management

With the approval of our Board of Directors, Kureha has established the following Basic Policy on Risk Management.

  • Understand the risks to our management on a company-wide scale and prevent them from occurring, and take necessary preventive measures to reduce the impact of risks that occur to an acceptable range.

Risk Management System

Acting under the supervision of the Risk Management Subcommittee (a body under the Sustainability Coordination Committee, which is under the direct control of the President), the departments and subcommittees appropriate to the classification of risks accompanying business activities take charge of risk management, in cooperation with the departments that directly address individual risks.
The Risk Management Subcommittee works to build our risk management system and verify implementation processes, while preventing oversights and omissions in the recognition of high-priority risks from a company-wide (i.e., management-level) perspective.

Goals and Vision

  • Establish a risk management system and ensure a structure that enables the minimization of damage and the continuation of our corporate activities when unforeseen events occur.

Fiscal Year 2022 Plan

  • Instill risk management activities at Group companies.
  • Instill BCP within the Company and within the Group by making guidelines known.

Fiscal 2022 Performance and Outcomes

  • Amid the spread of COVID-19, Group companies enacted appropriate preventive measures in line with their business conditions, successfully continuing business without major impacts.

Risk Management Implementation

Kureha manages risk through the following process:

  1. Identify risks
    The supervising department identifies individual risks (in detail) according to type, analyzes their level of importance, and rates them by priority of response.
  2. Analyze and rate risks
    The Risk Management Subcommittee reviews the results of individual risk analyses and ratings, and gives any necessary instructions to the supervising department.
  3. Monitor the response to risks
    The supervising department monitors how the responsible department responds to individual risks judged to be high-priority and gives further instructions accordingly.
  4. Report and verify monitoring results
    The supervising department reports the results of monitoring to the Risk Management Subcommittee. Reports are submitted by the Subcommittee to the Sustainability Coordination Committee, which verifies the results of monitoring and, in line with the results of verification, provides necessary instruction to the supervising department.

The Risk Management Subcommittee reports on the status of the above to the Executive Committee and the Board of Directors through the Sustainability Coordination Committee, and releases timely updates on responses to major high-priority risks as appropriate.

Business Continuity Plan

In May 2014, we developed and strengthened countermeasures to large-scale disasters such as earthquakes and formulated a Business Continuity Plan (BCP). In fiscal 2019, we started updating our BCP to include countermeasures to storm and flood damage, which have been increasingly severe in recent years. We will continue to enhance our BCP by predicting and analyzing ever-changing disaster scenarios.
With the recent worldwide spread of the COVID-19 pandemic, we revised our Guidelines for Control of New Infectious Disease on the basis of the various measures we undertook to prevent the spread of COVID-19 and to ensure the safety of our employees. We created new COVID-19 response manuals matched to the specifics and circumstances of our head office and business sites, ensuring business continuity.

Overseas Crisis Management System

Kureha and Group companies have formulated a manual for expatriates and business travelers to use in crises to ensure employee safety and minimize damage in the event of an emergency overseas. We are also providing a medical assistance service run by a crisis management company for our employees while they are overseas.
We also support our overseas employees by providing crisis management information, timely alerts, instructions on travel restrictions, etc.

Information Security

Kureha has established basic policies for information security and maintains the availability, integrity, and confidentiality of the information assets of our Group, managing information appropriately through an information security management system.

Information Security Policies

Basic Policy

Establishing safe and reliable controls for appropriately sharing and utilizing all business-related information is one of our most important management issues. Our basic policy on information security is as follows:

  1. We will maintain the availability, integrity, and confidentiality of our information assets and promote appropriate information security management activities.
  2. We will oversee and direct continual efforts to improve the information security of the entire Kureha Group. We will also continue to provide education so that every Group employee can recognize the importance of information security and put it into practice.
  3. Kureha and Group companies will carry out risk assessments on their respective information assets and take appropriate risk management measures.
  4. Kureha and Group companies will strictly adhere to relevant laws and regulations.

Policy on Global Information Security

In fiscal 2018, we formulated a global information security policy to strengthen information security for the entire Group, and we work to make sure both operational rules and the regulations of each Group company comply with this Policy. In fiscal 2021, we brought all of our Group companies into compliance with these policies. In fiscal 2023, we will undertake an inspection and revision of our global information security policies to meet the latest security threats.

Information Security System

We established an Information Security Subcommittee under the Sustainability Coordination Committee, and have built and operate an Information Security Management System (ISMS) conforming to JIS Q 27001:2014 in order to effect continuous improvements to our information security. In fiscal 2019, we set up a Computer Security Incident Response Team (CSIRT) and a system to minimize information security incidents. We are also undertaking a review of our workflows and systems to address major threats and enable immediate action by the CSIRT.

Goals and Vision

  • Prevent the occurrence of information security incidents.
  • In the event of an incident, carry out appropriate information disclosure and prompt recovery.

Fiscal Year 2022 Plan

  • Information security incidents: Zero.
  • Fully comply with critical measures in departments subject to information security risk assessments.
  • Strengthen measures against new cyberattacks.
  • Implement information security measures for our research and production facilities and equipment.

Fiscal 2022 Performance and Outcomes

  • Information security incidents: Zero.
  • Conducted information security risk assessments at 23 departments and seven Group companies to ensure full compliance with critical measures. This periodic risk assessment has helped us to better understand the information security threats that could occur at Kureha and measures to control them.
  • Implemented information security measures for research department facilities and equipment in 16 departments and for production facilities and equipment in 13 departments; improved the effectiveness of measures.

Information Security Measures

In accordance with our Basic Policy on Information Security, we collect a wide range of data related to information security and continually implement the following measures:

  1. Take countermeasures to cyberattacks
    We have introduced systems to detect and block incoming cyberattacks and to minimize damage when intrusion is detected. We maintain stable operation of the system through 24/7 year-round monitoring by a security vendor.
  2. Assess risk of information assets
    We are reducing risk by systematically assessing the security risks of our information assets and implementing countermeasures.
  3. Prevent information leaks
    We maintain a system of high-level security at all times through regular diagnostics by security vendors and through measures to strengthen security in response to cyberattacks, which are increasing in sophistication and ingenuity day by day.
  4. Educate and train about information security
    We continually provide information security education to all employees. We also conduct drills that simulate targeted email attacks to train users in proper responses to suspicious email.
  5. Fight the spread of COVID-19 (using remote access tools for business continuity)
    During this pandemic, we are working to ensure that employees are aware of the information security risks of using remote access tools while working from home by establishing oaths and encouraging their thorough implementation.

Countermeasures to Information System Disasters

We have introduced cloud services that incorporate disaster countermeasure environments for our enterprise system and internal email system. We make use of robust data centers in Japan, taking into account disaster countermeasures for our electronic file system as well.