Shiseido promotes risk management through the Compliance Committee, which is under the direct authority of the Board of Directors. The Compliance Committee not only promotes initiatives to reduce risks but also continuously monitors the steps taken until risks that have occurred are resolved.
Shiseido conducts "risk assessment" at the group level. We identify important risks based on the results of assessment questionnaires covering the impact, probability, and response level of 40 compliance-related risk items, conducted in HQ departments and domestic and overseas business offices and affiliates, as well as on items pointed out by external consultants. Through this, we aim to prevent risks and to minimize damage when risks occur, by clarifying risk management issues and maintaining a certain level of measures across the group. As a result of the risk assessment, we focus especially on 4 items, "personal information protection", "bribery prevention", "cartel prevention", and "business partner risk prevention", as reinforcement themes for compliance. We are promoting the establishment of a PDCA system (compliance program) for the entire group to carry these initiatives through thoroughly.
Responding to risks that have occurred
With the aim of taking swift and appropriate measures against risks that have occurred, Shiseido has clearly defined and categorized risks into 10 types. When a risk occurs, the department in which it occurred swiftly reports it to the Compliance Committee secretariat, based on the definition and categorization of the risk. The Compliance Committee secretariat assigns the risk one of 3 levels, judging from the scale of its impact on management and its social impact. The organization designated to respond at that risk level considers measures to minimize the damage and prevent secondary damage, continuously confirms the status of the measures, their results, and the recurrence prevention measures, and reports to the Compliance Committee as necessary.
Business Continuity Plan and Employee Earthquake Manual detailing action to be taken in the event of a major earthquake or the outbreak of a virus
Shiseido has established a Business Continuity Plan (BCP) spelling out how important operations would be restored and carried on in the event of disasters including major earthquakes and new strains of influenza, in a manner that would allow the company to minimize damage and resume operations at the earliest possible opportunity.
The BCP requires a response to all disasters and risks that may lead to the discontinuation of operations. Shiseido has grouped risks into 2 categories according to their characteristics: "disasters/risks that result in damage unexpectedly" and "disasters/risks that result in continuous damage in a gradual/long-term manner." We have established the "earthquake response BCP" as the representative plan for unexpected risks and the "infectious disease response BCP" as the representative plan for gradual/long-term risks. For other risks that may affect the continuation of the business, either the "earthquake response BCP" or the "infectious disease response BCP" is applied according to the characteristics of the risk.
The "earthquake response BCP" stipulates the items to be executed in each of 4 phases before and after an earthquake: 1) preventive measures, 2) emergency response, 3) resuming operation, and 4) restoring/carrying on business. The system includes the "HQ emergency countermeasure headquarters," led by the Executive Vice President, which confirms people's safety, assesses the damage status, and considers the execution of product supply as an important operation. Based on the BCP, we responded swiftly to the Great East Japan Earthquake in March 2011.
The "infectious disease response BCP" establishes responses by level, including temporary business suspension, to address conditions ranging from strong to weak toxicity of new strains of influenza. The "Employee Action Guidelines for New Strains of Influenza Countermeasures," a guideline for employees' actions at the different response levels, was created and posted on the intranet to raise awareness among employees and enable them to respond calmly to emergencies.