
Risk Management

Risk Management/BCP

In our management, the SG Holdings Group regards as risks all factors that might have an impact on our business. For each category of risk, we assess the potential impact on our business and take appropriate measures based on our Risk Management Regulations, while remaining mindful of the relevant laws and changes in the social environment. As new risks come to the fore, our aim is to minimize the potential losses these risks might cause by taking the necessary measures.

As a group, we are mindful of the following risk categories. (quoted from Risk Management Regulations)

  • Strategic risks
    Risks to management or to the execution of business plans
  • Operations risk
    Risks to our day-to-day operations and business activities
  • Financial reporting risk
    Risks associated with external reporting of disclosure items that might have a significant impact on our financial statements, or on the trustworthiness of our financial statements.

Goals and Results

To strengthen risk countermeasures for the group as a whole, we conduct Business Continuity Training.

| Boundary | Medium- to Long-term Goals | Fiscal 2020 Goals | Fiscal 2019 Results |
| --- | --- | --- | --- |
| Sagawa Express | Create and maintain a compliance system that does not stop at merely strict compliance with laws and regulations but also meets the expectations of society at large | Improve business continuity capability against progressive- and compound-type disasters such as wind and flood damage | ● Group BCP update |
| SG Holdings | | | |
| Group companies in Japan | | | ● BCP update ● Business continuity training sessions |

Systems

The Directors of SG Holdings bear responsibility for the group. In addition, we have designated the following responsible persons and departments to promote risk management for the group as a whole.

  • Group Risk Management Supervision Manager
    Director responsible for SG Holdings Management and Control
  • Risk Management Supervision Manager
    Head of Division with Jurisdiction over Risk Management
  • Risk Management Supervision Dept.
    Division with Jurisdiction over Risk Management
  • Risk Management Manager
    Head of Division with Jurisdiction over Important Risks

SG Holdings Group Risk Management Systems


Risk Management at Normal Times

When things are normal, Group companies manage risk based on the flow shown here. First, risks must be assessed. Risk maps are used to categorize risks by impact and frequency. Risks are then listed in priority order, and countermeasures are taken.

Risks are discussed quarterly in SG Holdings Group Risk Management Meetings, so the Group as a whole can deal with risk management effectively and efficiently.

Risk Management Flow

  • Identification
    Monitoring and unified risk management
  • Evaluation
    Prioritizing risks by degree of impact and frequency of occurrence
    Risk maps make things visible
  • Countermeasures
    Development of countermeasures in accordance with the order of priority
  • Review
    Quarterly review of risk identification, evaluation, and countermeasures

Risk Map

BCM/BCP for Major Damage, Accidents

Due to the particular characteristics of the logistics business, we regard natural calamities and accidents as risks of particular significance. To ensure the continuity of Group operations in the event of a major earthquake, fire, explosion, flooding or other accident or contingency, the Group has formulated a Business Continuity Plan (BCP) clearly setting forth an action plan starting from initial response through the restart of business activities. We continue to work assiduously on Business Continuity Management measures to ensure that the BCP works as effectively as envisioned.

Safety Check Training

For all group employees in Japan, we conducted response training twice in fiscal 2018, using Safety Check Systems. Based on the BCP, we have set a target rate of 90% for responses within 24 hours after the occurrence of an incident.

Business Continuity Training

We conduct business continuity training throughout the Group once a year. In fiscal 2018, SG Holdings, along with 18 Group companies from Japan and elsewhere, participated in simulation exercises based on the kinds of advanced composite calamities, such as major typhoons and urban flooding, that have become more frequent recently. (Activity suspended in fiscal 2019 to prioritize measures to prevent COVID-19 infections.)

SG Holdings Group BCM Systems (in Japan)


*Effective October 1, 2020, Sagawa Financial and SG Expert merged into SG Systems.

Information Security

The SG Holdings Group considers the protection of information assets an important social responsibility. We have formulated an "Information Security Basic Policy" and a "Personal Information Protection Policy" and work toward strengthening information security.

Information Security Basic Policy

SG Holdings Co., Ltd. (the "Company"), aiming to contribute to economic development and striving to be a business broadly useful to society, considers the protection of the Company's information assets, including the information received from customers, a key social responsibility and to that end has formulated the Information Security Basic Policy (the "Basic Policy") shown below. The Company continues to work to effectively implement and enhance information security.

Enactment and Implementation of Internal Rules

The Company will establish information security regulations and other relevant regulations based on the Basic Policy and implement information security measures.

Establishment of an Information Security Management System

The Company will establish a management system for ensuring information security and also build and employ a system for coordinating as necessary with external entities.

Information Security Measures

The Company will adopt appropriate information security measures and work to prevent alteration, loss, leakage, improper access or other interference with the use of information assets.

Continuing Education

The Company will work to ensure that all officers and employees, etc. are fully cognizant of the Basic Policy and will conduct necessary education on information security on an ongoing basis.

Incident Response

If an information security incident occurs, the Company will promptly investigate the cause, work to prevent the expansion of damage and take steps to prevent a reoccurrence.

Compliance with Laws and Regulations, etc.

The Company will strictly comply with all laws and regulations and internal rules, etc. concerning information security.

Evaluation and Review of Information Security Activities

The Company will periodically review whether information security is being appropriately enforced and supported and implement remedial measures as needed.

Effective September 21, 2014

Personal Information Protection Policy

Systems

SGH-CSIRT

Enhanced information security management systems are now more critical than ever, as the potential danger from a wide range of cyberattacks originating outside the company has grown significantly over the past several years. At SG Holdings Group, in addition to our existing administrative systems, we have established SGH-CSIRT to minimize harm through preemptive prevention of data security accidents and fast response when incidents occur. CSIRT is short for Computer Security Incident Response Team. It is the specialist team that handles data security problems for the group as a whole.

Goals and Results

| Boundary | Medium- to Long-term Goals | Fiscal 2020 Goals | Fiscal 2019 Results |
| --- | --- | --- | --- |
| Sagawa Express | Identification and adoption of steps to mitigate the risks facing the Group as a whole and, as a business responsible for social infrastructure, attainment of a high level of crisis management | ● Hold information security training sessions twice a year ● Hold targeted e-mail attack response training sessions twice a year | ● Held information security training sessions twice a year ● Due to frequent natural calamities, targeted e-mail attack response training was held once in the second half of the year |
| Group companies in Japan | | | |
| Overseas companies | | | ● Held information security training sessions twice a year ● Targeted e-mail attack response training sessions carried out in part |

To strengthen security measures for the group as a whole, we held data security training and exercises.

Initiatives

Security Assessment

Security assessment is an essential tool for evaluating the effectiveness of data security management systems, to prevent serious information security incidents. Specifically, the assessment consists of 1) setting a target level of cybersecurity upon evaluation of the internal and external environment, 2) identifying the challenges to attaining that level, and 3) proposing and prioritizing the required solutions. At SG Holdings Group, we are implementing highly effective security policies, based on our own security assessments and our three-year security policy road map.

Enlightenment Activities

For all Group employees, in Japan and abroad, we hold group readings of the Security Handbook twice a year, followed by comprehension tests. Furthermore, we provide response training for targeted e-mail attacks, where we study first actions, for example by counting the number of times an attached file is opened, the number of clicks on link URLs, and reports to senior managers. For employees who fail to make the appropriate responses, we provide e-learning follow-up training and other ongoing educational measures.

Enlightenment Activities
