Risk Management at Shiseido
The Compliance Committee fulfills its corporate governance oversight responsibilities with regard to the identification, evaluation, mitigation, and monitoring of non-strategic, non-financial risks. The Committee has overall responsibility for monitoring and approving the risk management framework and associated practices of the Company.
Starting in 2016, Shiseido has been working on risk mitigation through matching the 100 risks common to global companies against responsible departments, especially focusing on non-strategic/non-financial risks. Also, compliance programs are being prepared for the 4 important themes of "personal information protection", "bribery prevention", "cartel prevention", and "business partner risk prevention" identified in the 2014 risk assessment.
To enable swift and appropriate incident response, Shiseido has clearly defined and categorized incident types. Departments will immediately report incidents to the Compliance Department, which acts as the Compliance Committee Secretariat. The Compliance Department determines the gravity of each incident category, considering impact on employees, business operations, environment, etc. An appropriate taskforce will be set up accordingly, with relevant functions aggregated to minimize impact and collateral damage. The taskforce will continuously review the effectiveness of incident handling and promote countermeasures against recurrence.
Business Continuity Plan (BCP)
Business Continuity Plan (BCP) is a subset of risk management, stipulating actions for incidents/ natural disasters which affect business continuation.
Shiseido (Japan Region) has BCPs in place for major disasters which seriously affect business continuation, stipulating how important operations are resumed/ continued in a manner minimizing damages. At Shiseido, major incidents are categorized into 2 categories: (1) natural disasters/incidents with sudden and unexpected damages (2) natural disasters/incidents with gradual/long-term damages. ’Earthquake BCP’ has been placed for sudden unexpected risks, and ‘Novel Influenza (infectious disease) BCP’ for gradual/long-term risks. If another type of incident should occur affecting business continuation, either of the two BCPs may be utilized, according to the nature of the incident.
The ‘Earthquake BCP’ stipulates action items in 4 phases: 1) Preventive Measures, 2) Emergency Response, 3) Resume Operation, and 4) Restored Operation/ Business Continuation. Once an earthquake of a certain level occurs, ‘HQ emergency taskforce’, led by the Executive Vice President, is activated to confirm employee safety, gather information on damages, and ensure important business operation, such as product supply. When the Great East Japan Earthquake hit in March 2011, Shiseido responded swiftly putting the BCP into action.
The ‘Novel Influenza (infectious disease) BCP’ categorizes influenza by 3 toxic levels. The action items for each group are shown in 4 phases: 1) Prediction stage, 2) Initial Alert stage, 3) Alert stage, and 4) Subsiding Alert stage. ‘Employee Action Guidelines for Novel Influenza’, a specific action guideline for employees, has been prepared based on the BCP. This Guideline is made available on the intranet for employees to familiarize themselves with the required actions.