Risk Management
Approach to risk management
The Kirin Group defines risk as uncertainty with the potential to seriously impede the accomplishment of business targets or impact business continuity. The Group also defines crisis as risk manifested at a certain point and requiring urgent action. The Group’s fundamental risk management policy is to mitigate risk, prevent risk from being actualized, and keep risk within a manageable level so that we can earn the trust of our stakeholders in a sustainable manner. By treating strategies and risks as two sides of the same coin, we assess and implement appropriate risk control measures by analyzing risks in the phases of selecting and implementing strategies, as well as risks that could develop into crises, from various perspectives. Risk information is disclosed in a timely and appropriate manner on our corporate website and through other means.
Risk management structure and process for determining and monitoring significant risk
The Group has established the Group Risk and Compliance Committee consisting of Kirin Holdings’ Senior Executive Officers or higher and chaired by the Executive Officer in Charge of Risk. The committee oversees the Group’s risk management activities, including collecting risk information, controlling risks, setting risk policy for the medium-term business plans and for each fiscal year, preparing important items for compliance, introducing risk reduction measures, communicating the information and implementing countermeasures when a risk arises, and providing necessary instructions and support to Group companies. The Board also oversees the effectiveness of risk management through deliberations and reports on the Group’s major risks. (Figure 1)
Figure 1 Risk management structure
The process for identifying the Group’s major risks is based on the Kirin Group’s risk management policy set for each fiscal year. Each Group company examines and identifies risks related to its strategy and business execution and risks that could develop into a severe crisis, and Kirin Holdings aggregates these business-specific risks and investigates common risks across the Group. The Group Risk and Compliance Committee assesses each risk from both quantitative and qualitative angles from a group-wide management perspective, such as economic losses, business continuity, and damage to reputation. Then, considering the probability of occurrence, risks with a high priority for action are selected. The Board deliberates on these risks and determines them to be major risks for the Group.
The Group’s major risks are managed centrally on a risk map based on their degree of impact and likelihood of occurrence. With regard to the most major risks, the Board also takes stock of changes in risk conditions and reviews measures against these risks. (Figure 2) Kirin Holdings and the Group companies promote and exercise risk management in cooperation with each other by formulating and implementing measures tailored to each risk. Meanwhile, we monitor the status from the dual perspectives of business and function to manage and control strategic risks. At the same time, we have put in place a risk management system that is designed to prevent the manifestation of risks that could develop into a crisis and minimize any potential negative impact when such a crisis occurs. (Figure 3)
Figure 2 Process for determining significant risk
Figure 3 Risk map
Figure 4 PDCA cycles for risk management
- The Kirin Group has established a risk management system based on the framework of the ISO 31000 risk management standard.
Kirin Group significant risk
Major risks associated with the execution of Kirin Group's strategies, businesses, and other activities are described here. Please refer to the following for details on measures for each risk, such as scenario analysis for ESG-related risks.
- The Kirin Group has established a KIRIN-CSIRT (Computer Security Incident Response Team) to respond to increasingly serious threats from cyber-attacks, and is working on measures for information security, which is one of the major risks for the Kirin Group. We have established a security response system within the Group and put in place countermeasures on the human, physical and technological sides. By doing this, we can strengthen countermeasures against the threat of cyber-attacks, such as virus infections and unauthorized access from outside.
- From the perspective of respect for human rights, the Kirin Group supports the eight basic principles listed in the “Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data” adopted by the Organization for Economic Cooperation and Development (OECD) and has established the “Kirin Group Privacy Data Protection Policy” to put these principles into practice.
In addition to the eight basic principles, the Kirin Group Privacy Data Protection Policy includes Kirin's own initiatives for continuous improvement in response to changes in social norms and employee education.
We will evaluate each Group company based on the Privacy Data Protection Policy, formulate improvement plans for each company in the future, monitor the status of implementation, and disclose the status of compliance and improvement. We will appoint an officer responsible for privacy data protection at each company and strive to raise understanding and awareness of privacy data protection.
Crisis Management and Business Continuity Planning
In the event of a crisis, Kirin Holdings provides the required support and instructions to Group companies, and Group companies report to and consult with Kirin Holdings, thereby mutually working together and establishing a system to respond appropriately. We are also advancing the development of a Business Continuity Plan (BCP) to prepare for all types of crises, such as natural disasters and infectious diseases. We regularly review our initial response and recovery plans aimed at business continuity in the event of a disaster. Based on these plans, we conduct drills focusing on specific business areas, assuming scenarios like a major earthquake directly under the capital area. Through these exercises, we strive to enhance the effectiveness of our BCP by identifying issues and considering countermeasures.
Risk Management Initiatives
Review of potential health hazard response flow in 2024
The Kirin Group does not view cases that occur outside the company as "fire on the other side of the river," but rather uses them as an opportunity to review measures against potential risks to the Group and responses in the event of an emergency. In the case of the health food recall that occurred at another company in 2024, an investigation report by an external expert pointed out that the damage had spread due to the delay in the decision to recall. In response to this case, the Kirin Group reviewed processes related to decisions and responses, including the recall of health foods in the event of a potential health hazard.
The safety of products and services is a top priority in all the Kirin Group's business domains, including food & beverages, health science, and pharmaceuticals. While the priority is to prevent accidents and damage, if a health hazard occurs or the possibility of one is confirmed, it is necessary to disseminate information immediately and minimize the impact. In April 2024, the Kirin Group established a project team to review the response to consumer health complaints regarding foods for specified health uses and foods with functional claims. In this project, we divided the process of identifying and disseminating information about health hazards into three stages and reviewed each stage. We identified the operational processes that needed to be addressed and then aligned our understanding of the current situation with respect to specific processes, such as who is responsible for addressing each issue and how, and the time required for each process. The response flow developed in the project has been shared with each Group company, and each Group company is also working to develop a system through training and reading through the response flow. We will continue to provide regular opportunities for dissemination and penetration, rather than just providing written information.
Through this initiative, we have reaffirmed the importance of viewing crisis issues as our own and taking action to address them. In addition, reviewing the response status of each Group company has led to a review of our quality assurance system, production management, and quality control to provide safe and reliable products. We will strive to improve our ability to respond to emergencies, while continuing to raise the risk awareness of the entire Group and accumulating the knowledge and lessons learned from various incidents, bearing in mind that even the smallest change can lead to a major crisis.