Corporate ethics and compliance policy

Basic policy

The Daiwabo Group’s basic policy is for the entire organization, including every individual manager and every individual employee, to comply with all legal requirements and internal rules, and fulfill the company’s social responsibility by respecting corporate ethics and social norms. 

Daiwabo Group Charter of Corporate Behavior

The Daiwabo Group Charter of Corporate Behavior embodies the Daiwabo Group’s commitment to respecting human rights and complying with all laws and international rules, both within and outside Japan, and its commitment to fulfilling its social responsibility with social decency and high ethical standards, to contribute toward the sustainable development of society. All employees and all company officers are required to abide by the charter.
So that we can thoroughly disseminate the respect for the law and corporate ethics stipulated by the charter among all group employees and company officers, Daiwabo works to ensure familiarity with relevant laws, compiles internal rules and manuals, and strives to implement effective employee education. 

Compliance promotion system and compliance education

Compliance promotion system

Daiwabo has established a Compliance Committee, chaired by the representative director, which promotes and oversees measures relating to compliance with legal requirements and to corporate ethics horizontally across the entire Daiwabo Group. Meetings of the Compliance Committee are held on a quarterly basis, and the committee works to stimulate and spread compliance awareness by maintaining and managing the group’s compliance system, and overseeing the provision of compliance education for all employees. 

Compliance education

We plan to have all employees of the Daiwabo Group in Japan participate in compliance education once a year, in which the compliance issues in the industry and those that have emerged within the group are shared with all employees as case studies. By gradually making improvements, we are aiming to expand the content of our compliance education. 

Internal whistleblowing and consultation system

Internal whistleblowing response system

To prevent in advance, discover at an early stage, and respond effectively to compliance violations in our business activities, we have established an internal whistleblowing system within the Daiwabo Group. If a consultation regarding harassment and overall compliance issue (including anti-corruption due to corruption, bribery, etc) is requested, and a violation of laws or ethics, or actions which it is feared may involve a violation of laws or ethics, are discovered, then the reporting party can submit a report or a request for consultation, either anonymously or giving their real name, whichever they prefer. Besides the internal contact point for receiving reports and requests for consultation, there is also an external contact point, and reports and requests for consultation can be submitted by e-mail, telephone, or letter, making the system as user-friendly as possible. When a report or request for consultation is received, the secretariat of the Compliance Committee plays a central role in liaising with other relevant departments, and works speedily to investigate and confirm, as far as possible, the facts of the case and the relevant laws and rules. Based on this, a determination is made as to whether a compliance violation has occurred, and where necessary measures are taken in response to remedy the situation and/or prevent recurrence. In such cases, besides safeguarding the anonymity and privacy of the reporting party, any retaliatory action is strictly prohibited, and measures are taken to ensure that the reporting party does not suffer any adverse treatment due to submitting the report. The reporting party receives feedback as appropriate regarding the subsequent confirmation and investigation of the case, and the final outcome. 

Risk Management

Basic policy for risk management

The company group’s basic policy is to identify various risks associated with corporate activities and classify and manage them systematically in accordance with their characteristics aimed at the maintenance and improvement of financial soundness and corporate value.
In particular, we identify and manage risks throughout the group that could have a significant impact on our financial position or social credibility, such as compliance violations and information security issues.

Risk management system

We have established risk management rules to take a bird’s eye view of the group overall, and to implement risk management comprehensively and efficiently across the group overall. We classify risks into three categories: management risks, including compliance violations; operational risks; and environment, safety and quality risks, and have established group-wide risk items, risk assessment methods, etc. In addition, we have established crisis management rules to prepare for the event that risks materialize, and we are striving to minimize the impact of significant losses and prevent their reoccurrence.
If a particularly significant risk actually occurs, or if there are signs that one may occur, we will establish a response headquarters based on these rules and transition to a crisis management system. On top of that, we have established a system to implement preemptive or crisis response measures and monitor the situation.
To oversee and promote these initiatives across the group, we have established a Risk Management Committee chaired by the Representative Director, President and Chief Executive Officer. In addition, we have established committees equivalent to a Risk Management Committee at the company and important group companies. The company’s Risk Management Committee (Group Committee) compiles the discussions and activities of each company’s committee and oversees the risk management of the group as a whole.
The committee reports regularly to the Board of Directors on the state of the risk management system and the matters discussed by the Group Committee, and it oversees these activities.

Risk mitigation activities

With regard to specific activities, for each risk category, the company’s divisions and group companies identify risks related to their business operations, assess the impact at the time of occurrence and likelihood of occurrence, and then prepare risk management tables.
The Risk Management Committee secretariat and group companies coordinate risks identified and assessed using risk management tables from the perspectives of the strengthening of internal controls groupwide and risks overall, taking into account the impact and likelihood of their occurrence.
We consider and implement various initiatives aimed at risk mitigation and other countermeasures for significant risks determined through this process. Further, the secretariat and the committee monitor the effectiveness of those measures regularly and increase their effectiveness by implementing the PDCA cycle, selecting and implementing additional countermeasures as required for matters and issues that should be improved.
In addition, apart from matters recognized as significant issues through discussions on the committee, we have established a policy of selecting priority activities annually, such as increasing awareness and use of the groupwide internal reporting desk or the early detection and prevention of risk occurrence, and carry out risk mitigation activities intensively.
Moreover, group committees and committees at each company determine response policies promptly for new risks associated with changes in social conditions, and we are working actively on risk mitigation efforts to ensure the effectiveness of our risk management framework.
It is not only discussions on committees that are essential for risk management. Each and every employee must also understand the relationship between their work and risk and face up to it proactively. The company shares information on risks and risk mitigation activities widely through regular education, and is working on the fostering of a sound risk culture. And we will also work aiming for the improvement of the sustainable growth of corporate value by balancing the equity story outlined in “2030 VISION,” our medium to long-term vision, and risk management.

Risk management system

Risk management system

Significant risks we recognize

The company group has a low level of dependence on specific customers, products, technologies, or legal regulations, and our business results are relatively stable. However, because we belong to an industry in which technological innovation is rapid and the market fluctuates wildly, the company group’s sales and profits may also fluctuate due to the industry’s structure changing with the launch of new products and services, and demand for existing products and services fluctuating.
To deal with such changes, we have established a system that enables the group as a whole to respond promptly to customer requests by grasping technological innovations and market trends appropriately through close information exchanges with suppliers and customers.
Over the past few years, we have recognized as particularly significant risks: business suspensions associated with ransomware attacks; reputation risk; information security risks such as the leakage of confidential or personal information; and the risk of scandals arising from violations of insider trading regulations or other fraudulent activity due to inadequate internal control systems.
In response to these significant potential risks, we are considering and implementing various risk mitigation activities across the group as a whole, such as the implementation of response drills assuming cases where information security incidents have occurred, the ongoing implementation and increased frequency of various education including compliance training for all group employees, and the penetration of the use of the internal reporting desk for the early detection and prevention of misconduct.

List of risks relating to business operations

Major risks

Summary

(1) Risks relating to products

IT Infrastructure Distribution Business

  • Slackened growth for PCs, which are the main products in the business, due to increasingly high adoption rates
  • Negative impact on performance due to price competition and competitors in the market
  • Inventory disposal incurring loss, due to procured products remaining unsold
  • Impact on sales due to global shortage of parts, supply shortfalls, or significant problems affecting major manufactures

Industrial Machinery Business

  • Weak demand due to reduced capital expenditure and personal consumption during an economic downturn leading to a reduction in order volume, causing the business’s performance to worsen (as this business is particularly vulnerable to the impact of changes in the business climate)

(2) Risks relating to production activities and R&D

  • Unexpected incidents relating to capital investment, production engineering or R&D which may have a negative impact on business performance

⇒Countermeasures:

  • Following the risk management manual, and striving to prevent, in advance, any injury to consumers' life, health or property caused by product defects
  • Setting up a response headquarters and active our crisis management system in the event of a serious negative impact resulting from an unexpected incident

(3) Risks relating to the external environment

  • Various impacts from the external environment, such as rising raw material or fuel prices, interest rate fluctuations, changes in the legal or economic environment, or natural disasters, that may lead to increased costs, loss of sales opportunities, production delays, or extraordinary loss

⇒Countermeasures:

  • Implementation of risk identification, assessment, and management
  • Putting in place of an emergency response system in case a particularly major risk emerges, or in case there are indications that such a risk may emerge

(4) Risks relating to intellectual property rights

  • Negative impact on profitability or business feasibility due to violation of rights, including patent rights or other intellectual property rights, by another company or by our own company

⇒Countermeasures:

  • Management by the intellectual property department of matters relating to litigation risk, and risk of having to pay damages, in relation to intellectual property rights

(5) Risks relating to IT system problems and information security

  • Threat to business continuity due to major impacts on the operating activities of individual businesses caused by a natural disaster, accident, unforeseen unauthorized access, or infection with a computer virus, that cloud lead to a communications network outage or the leaking of confidential information or personal information
  • Possibility of the group’s finances or its operational performance, being negatively impacted, depending on the scale of the damage

⇒Countermeasures:

  •  Establish the response headquarters stipulated in the group’s information security policy, and establish a framework to transition to a crisis management system, implement advance measures, and monitor the situation as it develops.
  •  Implementation of regular education for employees
  •  Implement the measures outlined in the “Information security” section below to address cyberattacks, unauthorized access, etc.

(6) Risks relating to direct delivery

  • Lack of clarity in transactions due to the difficulty in tracking goods caused by implementing direct delivery from the supplier in the IT Infrastructure Distribution Business in order to reduce the environmental footprint of delivery, shorten lead times and cut costs

⇒Countermeasures:

  • Clarifying the role played by our company and its business partners in the business flow, and determining the economic appropriateness of transactions individually to ensure that only appropriate transactions are carried out

Information security

Daiwabo Holdings is deeply aware of the importance of information security. In order to implement necessary measures to safeguard information on an ongoing basis, and to prevent any unforeseen circumstances from developing in relation to information assets, we have formulated the information-security basic policy. 

Defending against cyberattacks

As cybersecurity measures, the company group has established an “information security policy” (group policy), the group’s basic policy. This policy consists of the “information-security basic policy,” “the information security policy rules,” and the “information security measures standards,” and establishes the group’s chief information security officer and the “Risk Management Committee” as the organization that oversees the group’s information security.
This policy indicates the company group’s way of thinking on information security and summarizes the management measures to protect information assets from intentional or accidental tampering, destruction or leakage.
This policy has been approved by the Board of Directors, which oversees its implementation by receiving reports on its status regularly and providing guidance as appropriate.
In addition, we have appointed a group chief information security officer. The group chief information security officer works with group companies and Group Information Security Operations Division to oversee the planning, execution, and evaluation of the groupwide information security strategy.
Specifically, this role oversees the state of operation of this policy, conducts risk assessments and prioritizes countermeasures, issues instructions to address vulnerabilities, develops and promotes employee education, and directs and reports on responses to incidents.
If a serious security incident occurs, the group chief information security officer reports the situation and the response policy to the Board of Directors promptly. The Board of Directors receives reports from the group chief information security officer, issues necessary instructions, reviews policies and approves countermeasures.

 

Each group company has established its own “information security policy” in a format consistent with this policy and takes information security measures tailored to its business operations based on its own policy.
Daiwabo Information System Co., Ltd., a company that runs IT infrastructure distribution business and has expertise in information security, provides various information on knowhow and vulnerabilities. In addition, centered on the Risk Management Committee, the group chief information security officer checks the policies of each group company, the state of information security measures implemented based upon them and any vulnerabilities, and directs improvements as necessary. By implementing the PDCA cycle in this way, we are working continuously on the strengthening of our measures and systems. The group chief information security officer reports any significant security risks to the Board of Directors, and if a significant incident occurs, reports promptly to the Board of Directors and implements measures based on its instructions.
Specific cybersecurity measures include physical and technical measures such as “entrance controls” that prevent unauthorized infiltration from outside and “exit controls” that prevent information leaking outside, and we implement various measures that combine human and organizational measures, such as drills that send virtual suspicious emails, the formulation of emergency response plans that establish procedures for responding to suspected cyber incidents and the communication framework, and the implementation of information security education for all employees.
The Board of Directors receives reports regularly from the group chief information security officer on the effectiveness of these systems and measures, and issues instructions for additional measures, etc., that it judges to be necessary.

Information-security basic policy

Information-security basic policy

Users of the company group’s information assets must recognize the importance of information security and comply with the group’s “information security policy” (group policy), including this “information-security basic policy.”
Any person who violates these rules may be subject to disciplinary action based on the company’s employment rules, etc., depending on the details of the violation. In addition, if anybody discovers an incident that is suspected of being a cyber incident, such as unauthorized access or another type of cyberattack, they must report it promptly in accordance with the communication framework established by group policy.
Moreover, if there is a suspicion of virus infection or unauthorized access on a PC, it must be reported immediately upon discovery after that PC is disconnected from the network. In particular, if fraudulent activity is discovered, the various relevant data must be secured to prevent the deletion or alteration of the various data that will serve as evidence of the fraudulent activity.
The information security manager who receives the report will issue instructions promptly to the department in charge of information systems, contact related departments, related companies, external vendors, etc., request their cooperation, and take prompt countermeasures.
We will inform all employees regularly and implement initiatives continuously for the improvement of awareness through training, etc., with regard to these initial responses to cyber incidents.