Compliance and Risk Management

Our Company has established the TOKYO KEIKI Group Code of Ethical Conduct as a code for acting in compliance with laws, regulations, our Articles of Incorporation, and social norms. We recognize that the awareness of every employee is of utmost importance in the establishment of corporate ethics, and strive to uphold corporate ethics in our everyday activities. We also refuse any relationships with antisocial forces that threaten order and security in civil society.

Concepts and policies regarding compliance

To manage corporate ethics activities across the organization, we have established a permanent Corporate Ethics Committee chaired by the Chief Legal Governance Officer.

Corporate ethics-related organizational chart
Code of Conduct
The TOKYO KEIKI Group Code of Ethical Conduct* forms a basis for encouraging sound behavior by every employee. Working from basic stances that include the avoidance of words and acts in violation of laws and regulations, and appropriate response to acts that violate corporate ethics, the Code of Ethical Conduct sets out our responsibilities to all stakeholders, including the provision of products and services of benefit to society, contribution to society through our corporate activities, and the creation of safe and comfortable working environments. By complying with this code of conduct, we will fulfill our responsibilities to society.
Note that we also translate the Code of Ethical Conduct into local languages and ensure that our overseas subsidiaries are thoroughly versed in the code.

*https://www.tokyokeiki.jp/company/rinri.html

Initiatives aimed at raising awareness of compliance

Under the recognition that the awareness of all employees is of utmost importance in establishing corporate ethics, every year in April we carry out education on our code of conduct (the Code of Ethical Conduct) for all employees.

Status of training implementation
In response to the COVID-19 pandemic, we changed the way we ran our FY 2021 Code of Ethical Conduct education, which had previously focused on classroom-based group training. In order to enable all employees to take and complete the education, training was primarily conducted via e-learning and online meetings, and the period over which education was provided was also lengthened. Following completion of the course, all employees submitted an Affidavit Concerning the Code of Ethical Conduct.

Internal audits
Based on Internal Audit Rules shared by the entire Group, internal audits are conducted with the aim of helping to increase Group management soundness and efficiency. Internal audits investigate the appropriateness and effectiveness of internal control systems from a standpoint that is independent of the division, department, or subsidiary being audited. Improvements are then implemented based on the results.
The results of internal audits are reported to the President & CEO. The results of internal audits as well as corrective measures aimed at any identified deficiencies are also reported and shared in Corporate Ethics Committee meetings.

Whistleblowing system
Our Group has set up contact points inside and outside the company for directly accepting information on legally suspect acts or similar information, with the guarantee that no disadvantage will befall whistleblowers.
Two contact points inside the company are the Internal Auditors Office and the Audit and Supervisory Committee. The latter handles violations of laws and regulations by directors and executive officers, playing a role in preventing the concealment of violations by officers.
In FY 2021, there was one case of whistleblowing, which involved a minor issue, handled by the company’s internal points of contact. We will continue working to entrench this system and enforce compliance with laws and regulations.

Initiatives to prevent corruption

Our Group’s Code of Ethical Conduct stipulates that we will not pursue profits through improper means, and that we will conduct dealings in accordance with domestic and foreign laws and rules.
To address overseas dealings, we have established Regulations for the Prevention of Bribery of Foreign Public Officials, and offer education every year to deepen understanding of laws and regulations related to the prevention of bribery in key countries. Conducted mainly as hierarchy-specific education for managerial-class employees in e-learning and classroom formats, this education includes overviews of laws on the prevention of bribery of foreign civil servants, the US Foreign Corrupt Practices Act, and cases of exposure of bribery of foreign public servants in Japan.
As many of our projects in Japan involve government agencies, we also strictly prohibit related collusion.

Concepts, policies, and structures for risk management

In our business activities, we face risks that must be identified, evaluated, and analyzed at the management level, and for which the priority of responses must be made clear. Our Group’s risk management system is organized into a Legal Governance Affairs Office, Internal Auditors Office, Audit and Supervisory Committee, and other bodies, centered on the Management Conference and with the President & CEO as the chief officer responsible for company-wide risk management.

Risk management system diagram
Risk management implementation
We have established Risk Management Rules that are shared Group-wide and that apply to the entire Group.
We implement risk management separately for “serious management risks” and for all other risks.
The risks deemed to be serious management risks are reviewed and re-drafted annually by the Legal Governance Affairs Office in accordance with the Risk Management Rules as a report titled “Serious Management Risks and Key Measures.” The Chief Legal Governance Officer submits this report for approval to the Management Conference and the Board of Directors. Various divisions, departments, and subsidiaries are identified as being in charge in “Serious Management Risks and Key Measures.” Based on the ideal situations and key measures described in the report, these divisions, departments, and subsidiaries create “Serious Risk Measure Programs” for each specific measure that are submitted to the Legal Governance Affairs Office by the end of each year. The Legal Governance Affairs Office verifies the content of the “Serious Risk Measure Programs” submitted by the various departments in charge and, in the event of any deficiencies, indicates improvements to the relevant department. Each department integrates the determined risk measures into their medium-term business plans, and those measures that can be put into effect immediately are implemented as required.
Risks other than serious management risks are handled in accordance with the Risk Management Rules. Each department, etc. follows a risk questionnaire to discover and identify risks that pose the possibility of causing a loss to the department. Departments conduct this process by investigating each risk category identified in the rules for that department’s own business goals. Even when risks may not be applicable at the current time, full consideration is given to enumerating risks that can be expected to arise in the future due to environmental changes.
Each department then engages in evaluation and calculation of all identified risks. This evaluation and calculation includes an evaluation of the frequency of occurrence and the impact of each risk. These values are in turn multiplied to produce an overall evaluation. Risks whose overall evaluation score is 10 or more points are identified as serious risks. Measures for these serious risks are recorded according to a set format and submitted to the Legal Governance Affairs Office. They are also integrated into the department’s own medium-term business plan. In addition, those measures that can be put into effect immediately are implemented as required. Those risks whose overall evaluation score is less than 10 points are, based on the respective department’s controls (measures, practices, and self-evaluation), tackled as part of work efficiency improvement activities, etc.
At the end of each term, the departments evaluate the status of the implementation of the risk measures they formulated in the preceding fiscal year and report the results to the Legal Governance Affairs Office.
The Internal Auditors Office evaluates the “Serious Risk Measure Programs” from an independent perspective and, as necessary, conducts internal audits (inspections) and indicates corrections and improvements.

Examples of serious management risks
  1. Domestic and foreign economic changes
  2. Natural disasters and epidemics
  3. Development of new products
  4. Product quality
  5. Securing human resources
  6. Interest rate fluctuations
  7. Transactions with public agencies
  8. Increasing competition
  9. Material and component procurement
  10. Information security
  11. Intellectual property rights
  12. Retirement benefit liabilities
*Details regarding the above risks are provided in our Annual Securities Report.

BCP

Overview of BCP
In the event of emergencies, we place utmost priority on ensuring the safety of human life and promptly resolving the situation. The foundation of our response is minimization of losses and quick recovery from damage to ensure business continuity. Toward this end, we maintain and improve regulations and work manuals common across our Group, namely, the Crisis Management Regulations that set forth basic matters concerning crisis management, and the Crisis Management Manual that describes procedures for responding to specific incidents.
BCP system
The chief officer responsible for crisis management is the President & CEO, or a director or executive officer who is appointed to the position by the President & CEO. The organization that actually responds to an emergency is generally the department in charge involved in the crisis situation, with the Legal Governance Affairs Office providing support.
When deemed necessary by the chief responsible officer, an emergency response task force is set up with the chief responsible officer as the task force head and the department in charge as the secretariat. In 2020, we established a COVID-19 Emergency Response Task Force with the President & CEO as the chief responsible officer, and this task force was still in operation in FY 2021.

Information security

Information security policy
Our Information Security Basic Policy is aimed at ensuring the confidentiality, integrity, and availability of the information that constitutes a vital asset of ours, as well as protecting that information from threats including disasters and accidents. The appropriate discretionary measures that we undertake in this area are grounded in the aims of this Basic Policy.
The Information Security Basic Policy consists of the following four categories.

Information Security Basic Policy
  1. Information security initiatives
  2. Compliance with laws and regulations, etc.
  3. Protection of information assets
  4. Incident response
System for promoting information security
We have established an Information Security Management Committee (ISMC), chaired by the Chief Information Officer and composed of members selected from departments. Our Strategic Information Planning Department under the Corporate Planning & Administration Office oversees formulation of measures related to information security. When formulating key measures, the department submits these to the ISMC and, depending on the content, consults with the Management Conference. In addition, TOKYO KEIKI INFORMATION SYSTEMS INC. (TIS), a subsidiary of ours, is in charge of our Group’s information system development and operation. TIS has acquired ISO/IEC 27001 certification, an international standard for an information security management system (ISMS).
Information security incident response
We have created flowcharts and made these available on our intranet explaining in an easy-to-understand way what actions a user should immediately take in order to respond quickly when the risk of an information leak occurs due to the loss of a PC or smartphone, or when there is a serious information asset threat due to a computer virus infection, etc. Depending on the scope of the incident as reported by the chairperson of the ISMC, in accordance with the Crisis Management Regulations and per the judgment of the President & CEO, an emergency response task force for the information security incident may be established with the aim of swiftly bringing the incident under control and resolving it.

Example of information security incident response flowchart (computer virus)

Information system user support
User education is extremely important in order to increase the effectiveness of information security management. The Strategic Information Planning Department under the Corporate Planning & Administration Office holds briefings for users when new systems and services are implemented. The department also conducts e-learning classes on basic information security. In FY 2021, the department called attention to Emotet, a computer virus wreaking havoc, and to business email compromise (BEC) scams. As a specific example, the department conducted targeted attack email training. Email training is considered an effective measure in a time when the threat of targeted emails is on the rise. By sending mock emails in the training, individual employees gain the knowledge to make proper decisions and take the correct action when they receive a suspicious email, making it possible to increase the level of awareness among employees.
Further, in response to the COVID-19 pandemic, we worked to strengthen our remote access environment, previously only used by a small section of users, and expanded the number of users of this system. Improvements included augmenting network equipment and expanding services available for use via remote access.
In addition, we made it possible for all remote access users to access the intranet site of the COVID-19 Emergency Response Task Force established in response to the COVID-19 pandemic, so that they may know what actions to take even when working from home.

COVID-19 Emergency Response Task Force page