Risk Management

Approach

The ISID Group has set management rules to identify factors that hinder the achievement of management objectives or threaten the conduct of business activities. Accordingly, it has measures in place to prevent risks from being taken, and to minimize impact should they arise. To make this possible, we promote appropriate risk management and collect timely information on possible risks across the organization.

Structure

The ISID Group manages risks from an overview of the Group as a whole under the Sustainability Promotion Council established in January 2022, which comprehensively promotes sustainability-related initiatives.

The Sustainability Promotion Council identifies and evaluates the risks that the Group assumes when conducting business activities, determines the most critical risks, decides the departments and managers to address them, provides instructions for formulating risk response plans, and monitors the implementation of countermeasures. The results are reported to the Board of Directors.

The ISID Group Risk Management Structure is as follows.

Organizational chart

Board of Directors: It monitors risk management to ensure it remains effective.
Sustainability Promotion Council: This council collects information on risks from each business division, management division, and each Group company, identifies and evaluates the risks, and determines the most critical risks, the departments responsible for addressing them, and the person in charge. It also monitors both the response plans of the departments responsible for addressing the risks and the status of the risks.
Departments Responsible for Addressing Risks & Subcommittees: Departments and subcommittees responsible for addressing risks develop risk response plans and carry out countermeasures.
Risk management departments of each Group company: These departments are involved in identifying the most critical risks and in formulating and implementing response plans.

Risk Management Process

Identifying, Evaluating Risk

The Sustainability Promotion Council identifies potential risks in the business environment, in the Group’s business strategy, in its business-related and crisis management, among its personnel and labor force, and in the areas of accounting and finance, corporate governance, information security, and ethical compliance.

This is done through interviews at each business division, management division, and the Group companies. Risks identified are evaluated regularly on the basis of probability and possible impact.

Compelling Risks

Based on the results of risk assessments, the Sustainability Promotion Council identifies the most critical risks from among those with the potential to significantly impact business continuity. It does so from the perspective of the need to implement risk countermeasures with the highest priority or the need to implement additional risk countermeasures. It then selects the department and people in charge of addressing these risks.

Planning Responses

The departments responsible for addressing risks and the Group companies devise response plans stipulating steps both to prevent potential risks, and to minimize the impact should risks be identified.

The plans are approved or advised by the Sustainability Promotion Council.

Response Implementation, Risk Monitoring

Departments responsible for addressing risks and the Group companies address them according to approved response plans, and compile and keep updated manuals on the relevant regulations.

The Sustainability Promotion Council conducts reviews of risk response plans and the status of risks, reporting the results to the Board of Directors.

Should risks arise, the committee sees that additional countermeasures are formulated and carried out.

Details on risk management and an overview of countermeasures against significant risks are disclosed in the Securities Report.

Ethical Compliance

The ISID Group believes there is more to ethical compliance than just regulatory and legal aspects. According to the Group, it includes the ability, as a member of society, to make sensible judgments in any situation and to appropriately respond to societal demands.

Thus, by means of awareness-raising activities—including in-house training such as e-learning and compliance caravans for all employees—ISID disseminates both Our Declaration of Conduct, summarizing the ethical aspects of its code of conduct for business, and the Dentsu Group Code of Conduct.

In the event that employees have problems that are difficult to resolve in the workplace, or if it is inappropriate to consult a supervisor, ISID has an Ethics Hotline. Employees can report any issues by accessing the number from inside or outside the Company.

We do our best to ensure that a functioning internal system exists for whistleblowers. This we do by holding regular study sessions to improve the consultation response skills of staff operating the system, and by increasing awareness of the system by displaying posters around the Company.

Information Security

The ISID Group considers it important to strictly manage information held by the Company and that obtained from business partners. In addition to complying with the Dentsu Group Basic Policy for Information Security, we have rules and guidelines to appropriately manage information across the Group.

The information security system is operated by an information security officer, information security managers, and promotion personnel in each department. Through the Information Security Subcommittees led by the officer, we seek to maintain and improve information security by disseminating the rules, introducing and carrying out appropriate measures, and at the same time checking, reviewing, and improving security as necessary.

In a bid to eradicate breaches of information security, we provide training on information security. For this we have e-learning programs for all officers and employees, and in-house caravans to check and improve security efforts in each workplace.

To protect ISID information from increasing cyber-attacks, we are constantly improving the security level of our systems and networks. At the same time, we conduct comprehensive cyber security training, which includes teaching all officers and employees how to handle targeted email attacks.

Security Management Certification

In December 2000, ISID was awarded the Privacy Mark that is given to business operators that appropriately handle personal information. The award was made by the Japan Institute for Promotion of Digital Economy and Community (formerly the Japan Information Processing Development Corporation), in recognition of our bid to manage personal information appropriately.

In March 2005, ISID was awarded information security standard BS 7799 certification, and the ISMS certification standard as a group, both of which are international standards.

Later, BS 7799 was changed to ISO/IEC 27001 and, as of June 1, 2020, a total of 54 companies, including Dentsu Group Inc., 52 Dentsu Japan Network companies, and 47 CLUB, which is a Dentsu-affiliated company, have acquired ISO/IEC 27001: 2013 and JIS Q 27001: 2014 certification (standards in Japan that have been made into Japanese Industrial Standards (JIS) based on ISO/IEC 27001).

Certification marks: ISO/IEC 27001:2013; BS7799/ISMS certification standard; IS 598941/ISO (JIS Q) 27001; protecting your PRIVACY 11820084(11)

Crisis Management

ISID maintains various manuals in the event of a crisis, such as a major earthquake or the outbreak of a serious infectious disease. This it does to ensure that employees and business partners are safe, and that a business continuity structure is in place.

Specifically, in terms of disaster response, we regularly carry out practical work training and desktop simulations. As a measure for people who may have difficulty returning to their homes in times of emergency, and assuming that employees and business partners will remain at work for some time, we stockpile drinking water, food, portable toilets, and other necessary items at each business site. We also have a safety confirmation system, in connection with which training is ongoing.

Further, to ensure the safety of ISID employees abroad on business, as well as employees and business partners working at ISID Group companies overseas, we work with external consultants to formulate business trip approval standards according to the degree of risk involved, such as local security conditions. We also create an Overseas Safety Handbook that outlines the precautions and safety measures to be taken when abroad.