Home > About TOSHIBA > Sustainability > ESG Performance > Governance > Risk Management and Compliance
Risk Management and Compliance
![[SDGs] 5 GENDER EQUALITY](../../img/sdgs/E-WEB-Goal-05.png)
![[SDGs] 8 DECENT WORK AND ECONOMIC GROWTH](../../img/sdgs/E-WEB-Goal-08.png)
![[SDGs] 16 PEACE, JUSTICE AND STRONG INSTITUTIONS](../../img/sdgs/E-WEB-Goal-16.png)
In order to respond appropriately to changes in laws and regulations in every country of the world, the globalization of management and the diversification of business, Toshiba Group is enforcing global compliance with laws and regulations, internal rules, and social and ethical norms.
Medium- to Long-term Vision
We aim to regain the trust from all of our stakeholders by striving to improve and strengthen our internal control system through more stringent compliance and a more robust risk management system.
FY2019 Achievement
- To raise awareness among top management and employees, we held training sessions for executives and senior management five times with a total of 317 participants (Toshiba Group in Japan). We also continued to conduct general compliance training including accounting compliance.
- In response to COVID-19, we rolled out an emergency operating system with infection prevention measures that included regulating employee access to the workplace and adjusting the business calendar.
- In response to COVID-19, we took measures coordinated with suppliers to secure the supply of procured items.
Future Challenges and Approaches
We will continue striving to implement a more effective compliance system and policy based on an awareness of risk in order to strengthen risk management and compliance for Toshiba Group as a whole.
- Policy on Risk Management and Compliance
- Structure of Risk Management and Compliance
- Risk Management and Compliance Training
- Inspection of Implementation Status of Risk Management and Compliance Measures
- Compliance with the Antimonopoly Act and Anti-Corruption
- Fair Trading
- Breaking Relationships with Antisocial Groups
- Export Control
- Information Security Management
- Product Safety Information and Advertising
- Tax Affairs
- Risk Management with Business Continuity Plan (BCP)
Policy on Risk Management and Compliance
Toshiba’s shares were designated as securities on alert on September 15, 2015 and stock under supervision. As a result of the examinations by the Tokyo Stock Exchange and Nagoya Stock Exchange into the status of improvements made to the internal control system thereafter, the aforementioned designation was lifted on October 12, 2017. Toshiba then released its “Report on Improvements of Internal Management System” on October 20, 2017, and as reported in the “Progress Report on Improvements of Internal Management System” on July 25, 2018, Toshiba will continue its efforts to strengthen the internal control system in the future and will work to regain the trust of shareholders, investors, and all other stakeholders.
At Toshiba Group, we formulated and are striving to entrench the Standards of Conduct for Toshiba Group (SOC) as a specific action guideline since we are a company that contributes to the realization of a sustainable society while conducting fair, sincere and highly transparent business activities. Thus we are working toward making the SOC an integral part of the entire Toshiba Group. Furthermore, in order to respond to changes in the business environment, such as new technologies and growing supply chains in developing countries, and to the diverse and ever-changing risks that arise when conducting business activities, we are striving to prevent risks in advance, and to minimize losses from individual incidents.
Toshiba Group's Policy to the Fraud Risk
Based on its policy to the fraud risk, Toshiba Group strives to detect such risks at an early stage and takes advanced measures to prevent it.
Toshiba Group's policy to the fraud risk
- Strengthen governance through understanding of the actual situation at each Group company
1) In April 2019, we developed and began operating our own Risk Management System (RMS), which incorporates corporate-led PDCA*, in order to grasp the actual status of compliance and other risk initiatives at Group companies and encourage them to improve themselves. Furthermore, in FY2020 we will systematically organize and refine fraud risk scenarios in order to reinforce our efforts to prevent fraud among Group companies. We will then strengthen guidance for understanding and improving the status of fraud risk initiatives at Group companies.* Plan: Identification and assessment of risks; Do: creation and operation of rules; Check: review and fact-finding surveys; Action: formulation and implementation of improvement plans2) In the Toshiba Next Plan, we aim to reduce the number of affiliates by 25%. We will continue to promote this initiative to strengthen the governance of Group companies.3) In the future, by introducing the next-generation mission-critical system, which is currently in progress, we will create an environment in which transaction data of each Group company can be extracted and analyzed directly from the system, and then reported to the risk management division and the audit division, etc. so that we can conduct agile investigations, etc. - Identification of fraud risk items based on the business activities of each Group company and scandals at other companies
As stated in “Strengthening governance through understanding of the actual status of each Group company,” in FY2020 we began to implement fraud risk management measures that were not sufficiently incorporated into the existing RMS. Specifically, the Group will systematically organize fraud risk scenarios by using outside experts based on cases of fraud at other companies, and collaborate with the divisional companies in charge of business areas as well as the audit division and the accounting auditor to conduct detailed identification of fraud risk items based on business characteristics. The Group will then utilize the results to ascertain the status of fraud risk initiatives at Group companies and provide guidance for improvement.
Response to Compliance Violations
In the event of a major noncompliance incident, Toshiba investigates all facts to identify the cause of the violation, treats the facts seriously, and handles such violations rigorously by imposing appropriate disciplinary sanctions on the offenders or implementing other such measures. It makes every effort to prevent recurrence and discloses information in a proper and timely manner as necessary.
Structure of Risk Management and Compliance
At Toshiba, we appoint a Chief Risk Compliance Management Officer (CRO) to oversee risk management and compliance for the whole Group. In addition, the Legal Affairs Division responds to whistleblower reports and attempts to achieve global compliance, and is advancing effective risk management and compliance activities.
There is also a Risk Compliance Committee chaired by the CRO and attended by the executive officers of corporate staff divisions. The Committee analyzes whistleblower reports and cases both inside and outside the Company, and identifies risks based on risk tables that cover the entire management environment. It also reviews activities and deliberates on priority measures from the immediate fiscal year.
Each key Group company is advancing its own priority measures for risk management and compliance, determined by a risk-based approach, in addition to the priority measures common to the whole Company.
In the event of a serious risk management and compliance issue, there is a system in place by which the relevant in-house committees, etc. promptly evaluate and implement countermeasures.
In March 2016, Toshiba established a new Accounting Compliance Committee. Its purpose is to aggregate finance- and accounting-related information, and to identify signs that might point to inappropriate financial reporting, doing both in timely fashion, and to detect risks that threaten internal control at an early stage.
The President and CEO is the head of the Accounting Compliance Committee, and the Audit Committee and the Internal Audit Division act as observers. Together they assess the risk of financial statements not being created or disclosed properly, and the risk that internal control is not functioning effectively to support the reliability of financial reports. Having done this, they supply information needed to prevent these risks, and discuss and decide on measures to deal with them.
Meanwhile, Toshiba has set up a three lines of defense, with the relevant business divisions as the front line, the administrative divisions as the second, and the audit divisions as the third. The system is designed to ensure effective risk management by assigning to each line a clearly defined role and set of duties, which it carries out appropriately, at the same time exercising a checks-and-balances function. In order to strengthen the monitoring function of the third line, on July 8, 2020, we established the Compliance Advisory Meeting by inviting two external experts with extensive knowledge of compliance as a part of wider initiatives to strengthen the internal control system. The role of the panel is to suggest improvements to the measures that Toshiba is implementing to strengthen company-wide compliance and prevent fraud, as well as to make proposals for medium- to long-term measures to achieve continuous improvement of internal control.
In addition to this compliance-related risk management, Toshiba deals with risk related to management decisions (strategic decision-making, execution of business activities, etc.) as business risk by clearly stating management’s duty to contribute to the Toshiba Group’s sustainable growth and corporate value increase through its decision-making, setting out the permissible risk limits and corporate policy on business withdrawal, and subjecting each case to advance risk assessment by the Business Risk Review Committee to establish the maximum risk and items for monitoring.
Risk Management and Compliance Committee
- *1 The Risk Compliance Committee manages matters related to the Standards of Conduct for Toshiba Group and matters related to risk management and compliance.
- *2 CPL is an abbreviation combining CL (contractual liability) and PL (product liability).
- *3 The key Group company Technology & Production Compliance Committee can be integrated with other committees such as the company Risk Compliance Committee.
Whistleblower System
In order to create an open work environment, Toshiba is enhancing its whistleblower system, on top of preventing risks by stimulating day-to-day communication in each workplace.
In January 2000, Toshiba established a whistleblower system “Toshiba Hotline” to collect internal information on SOC violations, particularly those concerning laws and regulations, and to deal with wrongdoing through a self-rectification system. Under this system, an employee can report an incident and seek advice via e-mail or phone. In addition to the internal office, a reception hotline was set up at an external attorney's office in January 2005, primarily to receive information about potential legal violations. In April 2006, Toshiba also set up a supplier whistleblower system to receive reports from suppliers and business partners to prevent SOC violations by employees in charge of procurement and order placements for construction and other works.
Furthermore, in October 2015, the new Audit Committee Hotline was set up, which allows people to report directly to the Audit Committee, which is composed of outside directors. With this new system, even matters in which the involvement of top management is suspected can be safely reported.The Audit Committee also has access rights to the Toshiba Hotline, and provides appropriate guidance and supervision.
To protect the whistleblower, the system ensures that officers or employees who provide risk or compliance-related information with honest and legitimate intent do not receive unfavorable treatment as a result of having provided the information.
All Toshiba Group companies have implemented a whistleblower system. The whole Group has been directed to ensure the anonymity of the whistleblower for his/her protection, and, if the whistleblower is an employee who was himself/herself involved in the relevant reported act, to take into account as much as possible the fact of his/her coming forward when deciding what internal disciplinary action should be taken. We are also working to enhance awareness of the whistleblower system by regularly issuing a compilation of whistleblower cases that have actually taken place.
- * In May 2019, the Employee Consultation Room, where employees could discuss individual concerns, and the Risk Hotline, an internal whistleblower system, were integrated as the Toshiba Hotline.
Toshiba's Whistleblower System
Operational Status of the “Risk Hotline” in FY2019
The numbers of reports received and consultations undertaken by the “Risk Hotline” and “Audit Committee Hotline” in FY2019 are as follows. We notified employees about the existence of the system and its assurance of strict anonymity through e-learning. We also reported on whistleblower cases to the whole Company on a number of occasions.
| FY2015 | FY2016 | FY2017 | FY2018 | FY2019 | |
|---|---|---|---|---|---|
| Reports received by internal secretariat | 204 reports (121 reports) |
389 reports (235 reports) |
243 reports (147 reports) |
206 reports (142 reports) |
109 reports (53 reports) |
| Reports received by attorney's office | 4 reports (1 report) |
12 reports (7 reports)* |
10 reports (2 reports)* |
3 reports (1 report) |
1 reports (1 report) |
| Total | 208 reports (122 reports) |
399 reports (240 reports) |
253 reports (149 reports) |
209 reports (143 reports) |
110 reports (54 reports) |
- * Including duplicate reports received by the internal secretariat
| October 2015 to March 2016 | FY2016 | FY2017 | FY2018 | FY2019 | |
|---|---|---|---|---|---|
| Total | 55 reports (41 reports) |
80 reports (53 reports) |
33 reports (17 reports) |
29 reports (19 reports) |
42 reports (37 reports) |
Response Status
Of the reports received, those reporting inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts could be issued.
In cases involving consultations and questions about duties of the informants themselves, we gave advice on how to deal with the situation.
For reports other than the anonymous reports described above, we explained the status of our responses to the informants, in principle.
Except in cases in which consent has been obtained from employee, confidential adviser (at the internal secretariat or attorney's office) never disclose the names or contact addresses of the informants.
Out of the whistleblower reports, cases that everyone should bear in mind are taught as part of employee training. In order to protect whistleblower anonymity, such cases are presented without any names.
The number of reports received is released regularly on the company's internal website.
Risk Management and Compliance Training
Seminar for senior management
At Toshiba, the President issues message to all employees, and the entire Toshiba Group works to raise compliance awareness and improve corporate culture. In FY2019 the President issued a message to all employees on seven occasions, and a total of 317 people participated in five training sessions for executives and senior management, including those at the Group companies, which have taken place since FY2016 to raise the awareness of top management. Furthermore, to improve the effectiveness of accounting compliance, we also conducted employee seminars targeted by rank and function.
In addition, we provide accounting compliance education through e-learning to deepen employees' understanding about the internal control and J-SOX. In FY2019, all employees (approximately 65,000) of 117 consolidated subsidiary Group companies in Japan and approximately 650 executives of 21 overseas Group companies participated in the seminar.
Going forward, we will continue to implement these training and education programs.
Making the Standards of Conduct for Toshiba Group Available to All Employees
Toshiba Group has created in 24 languages and made them available on the internal website. Various compliance education programs that incorporate the SOC have been included in the level-based training, occupation-based training and senior management seminars.We are also continuing our education programs, such as e-learning and educational leaflets, for all employees.
Fostering a Compliance-oriented Culture through Workplace Meetings
Each workplace holds meetings focusing on CSR to raise the awareness of each and every employee with regard to compliance matters so as to make compliance an integral part of the corporate culture.
These meetings aim to prevent compliance violations by encouraging managers and employees to discuss various problems that are likely to arise in the workplace and to share their thoughts with each other in order to create a work environment where they can easily seek advice on all kinds of problems.
The theme in FY2019 was information security. Each workplace held discussions based on a range of information leak scenarios to ensure a shared recognition of the importance of information management at the individual level and to reinforce understanding of correct information management procedures. Approximately 66,000 employees at around 5,800 workplaces of the Group companies participated in discussions.
In addition, by soliciting the frank opinions of employees via their workplace managers, and sharing analysis results and key opinions within the company, we monitor the level of compliance awareness at each workplace and develop new measures for the future.
Inspection of Implementation Status of Risk Management and Compliance Measures
Toshiba's corporate divisions confirm the status of compliance in operations concerning respective areas of jurisdiction and the Internal Audit Division conducts audits of the Group companies.
In April 2019, we independently developed and began operation of a risk management system (RMS) incorporating a corporate-led PDCA cycle that allows integrated risk assessment of each Group company. The aim was to identify the status at each Group company of initiatives on compliance and other risks and to promote improvement.
The Risk Compliance Committee reviews the legal compliance status in each division, as established through the RMS and other checks, as well as the implementation status of various measures to ensure compliance, and reflects its review findings in each measure.
Toshiba also conducts an employee questionnaire survey each year and uses the results as feedback in the drafting of measures to improve compliance awareness.
Compliance with the Antimonopoly Act and
Anti-Corruption
Policy on Anti-Corruption
In accordance with the Standards of Conduct for Toshiba Group and various internal regulations, Toshiba Group’s policy prohibits illegal or improper payments against sound business practices and each country’s laws and regulations.
In keeping with this approach, the Toshiba Group is a signatory to the United Nations Global Compact and works globally to comply with antitrust and competition law and prevent corruption.
Antimonopoly and Anti-bribery Efforts
In response to global regulatory trends, Toshiba has engaged in rigorous efforts to prevent violation of antitrust law and bribery, and has established compliance programs reflecting Japanese domestic law and associated sets of guidelines, which include clearly stated policies prohibiting antitrust law violation and bribery. For example, they designate prohibited acts such as cartels and facilitation payments, and also stipulate matters related to internal procedures including pre-screening and consultation, matters related to internal system, education, and audits. We continued in FY2019 with initiatives that included requiring each key Group company to undertake self-audit as well as measures to identify operating status and ensure comprehensive education.
Furthermore, we have placed managers of legal affairs in major global regions to enhance compliance and support local subsidiaries in such regions. This has been done in order to appropriately control legal risks associated with relevant anti-trust laws, bribery, and the like and ensure thorough compliance in global business, which has been expanding mainly in emerging countries.
Toshiba promotes rigorous compliance with business-related laws and regulations by providing education, effectively utilizing databases that contain relevant information, and performing periodic self-audits.
In addition, Toshiba's compliance initiatives are objectively evaluated by outside lawyers once a year. We make improvements to reduce risks pointed out by third parties in order to continue to enhance our risk management and compliance structure.
Toshiba is also progressing with measures to promote compliance awareness anchored in the Standards of Conduct for Toshiba Group. In Japan, we conduct regular training on themes including compliance with the Antimonopoly Act and prevention of corruption, and are working to raise the standard of sales-related legal risk management by conducting e-learning and classroom-based courses on sales-related risk for employees.
Overseas, we held legal seminars for those in charge of compliance at local subsidiaries, working together with our regional headquarters, regional legal affairs managers, and others. Attendees discussed measures to enhance compliance in keeping with the Standards of Conduct for Toshiba Group, and fortifies the foundations for strengthening the risk management network among Headquarters and all regions.
Standards of Conduct for Toshiba Group 6. Competition Law and Government Transactions
Standards of Conduct for Toshiba Group 7. Bribery
| Item | Number of cases in FY2019 |
|---|---|
| Exposure through price cartel | 0 |
| Exposure through bribery | 0 |
Political Contributions
The Standards of Conduct for Toshiba Group stipulates that Toshiba Group shall not provide inappropriate benefits or favors to any politician or political organization.
Also, as part of its social contributions, Toshiba offers political contributions, when necessary, in order to contribute to the realization of policy-oriented politics, to support the healthy development of parliamentary democracy and to improve the transparency of political contributions.
In the case of offering political contribution, procedures in accordance with internal rules are followed as well as compliance with the Political Funds Control Law in case of Japan is strictly ensured.
Toshiba made no political contributions in FY2019.
Standards of Conduct for Toshiba Group 7. Bribery
Donations and Provision of Funds
While the Standards of Conduct for Toshiba Group forbid inappropriate expenses, they stipulate that appropriate donations to organizations may be made. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the donee organization to society, its cause and community aspects, as specified by the Standards of Conduct for Toshiba Group.
Standards of Conduct for Toshiba Group 19. Community Relations
Social Contribution Activities
Fair Trading
Fair Trading Policy and Its Promoting Structure
Toshiba strives to build sound partnerships with suppliers through fair trading in compliance with procurement-related laws and regulations.
CSR Management in the Supply Chain
Toshiba Group Procurement Policy
Standards of Conduct for Toshiba Group 3. Procurement
Toshiba Group is promoting thorough observance of CSR both in its own procurement activities, and in those of its suppliers.
There is a CSR procurement promotion structure established within the Group, which acts in order to carry out each procurement transaction in compliance with the relevant Japanese and international laws and regulations. Information related to compliance concerning procurement is thoroughly informed to Group companies through this system.
Moreover, measures are thoroughly informed by means of Procurement Compliance Liaison Meetings, organized by the Procurement Division and attended by Compliance Managers and Compliance Coordinators.
Toshiba Group CSR procurement promotion structure
In FY2019, in line with a basic policy of strengthening compliance in the procurement process, Toshiba took action to ensure adherence to regulations on legal compliance by checking the operation of each Group company’s procurement processes through investigations of the procurement process and patrols to inspect procurement transactions.
In FY2020, we will continue to strengthen the operation of our procurement processes.
Clean Partner Line, Whistleblower System for Suppliers and Business Partners
In order to ensure compliance and fair transactions, Toshiba has established a whistleblower system for suppliers and business partners called Clean Partner Line, as a point of contact for our suppliers to tell us about issues or concerns regarding persons associated with the Toshiba Group. Personal information on whistleblowers, without the whistleblower's consent, is not disclosed to anyone other than the Clean Partner Line staff. Also, what is reported by whistleblowers is handled based on strict procedures, with care taken not to treat whistleblowers and their companies unfavorably for whistleblowing. We notify our business partners of this system and request that they make use of it.
Checks of Fair Trading Practices (Thorough Compliance with the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors)
In Japan, we monitor the subcontracted transactions of the Group companies undertaking such transactions. Regarding items requiring improvement, guidance is provided to make improvements to ensure thorough compliance.
Training to Ensure Fair Trading Practices
At Toshiba Group, various training programs on compliance in procurement are provided to ensure fair trading practices. For example, since FY2007, we have conducted e-learning for employees of Group companies in Japan on relevant acts, such as the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors.
In FY2019, a total of 62,606 employees between February and March 2020 participated in the e-learning program on the Subcontract Act.
We also provide compliance education for employees engaged in procurement at various phases of their careers.
Breaking Relationships with Antisocial Groups
In 1997, the Board of Directors resolved to end relations with antisocial forces such as sokaiya (groups of racketeers). Since then, the Group has strictly dealt with approaches from third parties to obstruct our lawful and appropriate corporate activities.
In addition, in order to further ensure that all relations with antisocial forces are cut off, all Toshiba Group companies have taken various measures.More specifically, we have developed and implemented Basic Public Relations Management Rules and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with antisocial groups. If a need arises during a background check to further investigate the customer, the Legal Affairs Division verifies whether there is any information on the customer's relationship with antisocial groups. We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as an antisocial group.
Toshiba Group also works with the police, corporate attorneys, and third-party organizations such as the National Center for the Elimination of Boryokudan to establish systems that enable us to respond to approaches from antisocial forces in an appropriate and timely manner.With regard to this stance, the rejection of the involvement of antisocial groups in our business activities has been explicitly stated in the SOC since 2006. Having been revised since then, “antisocial Groups” is now an independent article, further stressing our policy to reject all contact with such groups.By providing e-learning lessons about the SOC to all employees, we continuously ensure that employees understand the importance of excluding antisocial groups from the business they do.
Export Control
Export Control Policy
As indicated in Standards of Conduct for Toshiba Group, Toshiba Group's basic export policy is to refrain from any transaction that could potentially undermine international peace and security. We comply with all applicable export control laws and regulations of the countries and regions where we operate, for example Foreign Exchange and Foreign Trade Law in the case of Japan and US export control laws and regulations with respect to transactions involving items of US origin.
In accordance with the policy, Toshiba Group has established the Export Control Compliance Program (ECCP). Based on the program, we classify the goods and technology and screen transactions. In addition to periodic export control audits and education for all executives and employees, key Group companies and corporate staff divisions provide instructions and support to the Group companies they supervise.
Toshiba Export Control Compliance Program (Toshiba ECCP)
- Chapter 1 Statement of Corporate Policy
- Chapter 2 Definition of Terms
- Chapter 3 Export Control Organizations
- Chapter 4 Control Procedures
- Chapter 5 Education
- Chapter 6 Compliance Reviews
- Chapter 7 Notification of Violation and Corporate Sanctions
- Chapter 8 Group Companies
Standards of Conduct for Toshiba Group 9. Export Control
* ECCP: Export Control Compliance Program
Export Control System
Toshiba's export control system is organized under the Chief Export Control Officer who has ultimate responsibility for the corporation's export control. The Chief Export Control Officer must be a representative director or an executive officer corresponding thereto. Under the Chief Export Control Officer, the Legal Affairs Division Export Control Office is responsible for overseeing the export control implemented pursuant to the Toshiba Export Control Compliance Program (ECCP). Based on the Toshiba ECPP, Toshiba Group company and corporate staff division has its own export control organization led by the Export Control Officer. The Export Control Officer must be the general manager of the corporate staff division, or president of Group company.
Toshiba Group's export control organization
Product Classification and Transaction Review
The technical department classifies the goods or technology and determines whether export license is required. Then, transaction screening is carried out accordingly, such as confirmation of the end-use, end-user, and final destination. Classification and transaction screening are checked and approved by multiple persons in charge. When trading with concerned countries and regions, the Export Control Office conducts stringent assessments and approvals.
Inspection and Audit of Export Control
Each corporate staff division, as well as each Group company, perform internal self-checks. In addition, the Export Control Office or the supervising department conducts regular audits to check if export control is appropriately performed. Audits are conducted once every one to three years at target companies, and in FY2019, audits were performed for three internal divisions in Japan and seven Group companies. Overseas, audits are done in Europe, the United States, Asia and China, and in FY2019, three Group companies in Europe received audits. Where problems are identified by the audit, we demand that improvement plans be submitted, and check the progress of the plans.
Export Control Trainings
Training courses on export controls (regular and specialized courses) are offered by the Export Control Office for corporate staff divisions and Group companies to educate employees on the importance of export control and to raise awareness and knowledge of the Toshiba Export Control Compliance Program (ECCP) and related internal regulations.
Furthermore, the Export Control Office provides compulsory export control education for all employees of Group companies in Japan through an e-learning system every year.
Export controls at Group companies including those located overseas are modeled after that of Toshiba, which is implemented under the Toshiba Export Control Compliance Program (ECCP). Export control audits are conducted periodically to evaluate their performances.
The Export Control Office holds meetings with staff divisions and key Group companies to communicate on matters such as the international situation, regulatory trends, and specific requirements, and additionally to provide a forum for exchange of information and opinions. Key Group companies provide guidance and support on export control to other Group companies under their control.
Meanwhile, to enhance support for overseas Group companies, we issue a quarterly export control bulletin for local staff working in export control, where we share information on export control-related legal revisions, sanctions, cases of legal violation, and other news.
Information Security Management
Policy on Information Security
Toshiba Group regards all information, such as personal data, customer information, management information, technical and production information handled during the course of business activities, as its important assets and adopts a policy to manage all corporate information as confidential information and to ensure that the information is not inappropriately disclosed, leaked or used. In view of this, Toshiba has a fundamental policy “to manage and protect such information assets properly, with top priority on compliance.” The policy is stipulated in the chapter “Corporate Information and Company Assets” of the Standards of Conduct for Toshiba Group, and managerial and employee awareness on the same is encouraged.
In response to regulatory changes and changes in the social environment, Toshiba revises the related rules on an ongoing basis so as to rigorously manage its information security.
Standards of Conduct for Toshiba Group 17. Information Security
Structure of Information Security Management
Addressing information security as a management priority, Toshiba appointed the Chief Information Security Officer (CISO) and each corporate staff division and Toshiba Group company has established, under the supervision of the CISO, an information security management structure.
The Cyber Security Committee deliberates matters that are necessary to ensure information security throughout Toshiba Group. The CISO formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective, and definitive manner.
At each division inside Toshiba and key Group companies, the head of the organization serves as Information Security Management Executive, bearing responsibility for information security at their respective organization. The Executives provide guidance and assistance to the Group companies under their control to ensure that they implement information security at a level equivalent to that of Toshiba.
Toshiba Group Information Security Management Structure
- * CSIRT: Computer Security Incident Response Team
Information Security Measures
Toshiba Group implements information security measures from four perspectives (see the table below). The Corporate Technology Planning Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Group companies through notices and briefings.
| Category | Description |
|---|---|
| (1) Organizational measures: Establish an organizational structure and rules |
|
| (2) Personal and legal measures: Ensure adherence to rules |
|
| (3) Physical measures: Support implementation of rules in terms of physical security |
|
| (4) Technical measures: Support implementation of rules in terms of technology |
* EDR: Endpoint Detection and Response |
To protect against cyber-attacks, which are becoming more sophisticated with every passing year, we introduced a function to block suspicious e-mails, enhanced our anti-virus measures for information equipment such as IoT devices, and trained all employees in handling targeted attack e-mails. Toshiba Group has taken an attack and penetration assessment from the specialized cyber security firm in order to validate the effectiveness of its security measures.
In addition, we enhanced the monitoring for our network and in-house systems to quickly cope with a virus invasion into the company systems.
Education, Inspection, and Audit of Information Security Management
For the Toshiba Group with its wide portfolio of businesses, to ensure Group-wide information security, it is vital for each member company to conduct an independent PDCA (Plan-Do-Check-Act) cycle. Accordingly, Toshiba and all Group companies carry out an annual self-audit of their compliance with internal rules to identify issues and plan improvements. The Corporate Technology Planning Division evaluates the results of the audits and related improvements carried out by each Toshiba division and key Group companies and provides support and guidance where necessary. In FY2019, three key points were identified: (1) information security at outsourcing contractors, (2) measures to prevent information leaks due to internal fraud, and (3) measures to prevent information leaks due to negligence. In particular with reference to (3), as teleworking means that office computers are now frequently taken home, we reaffirmed measures against information leaks due to loss and theft of computers and provided guidance including presentation of past examples. The audit results and improvement initiatives of each Toshiba Group company in Japan and overseas are subject to assessment by the supervising division, which provides relevant guidance and support.
Moreover, Toshiba Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations. There are also programs such as training for those working in information security, and introductory training for new graduate employees.
Response to Incidents Such as Leakage of Confidential Information
In the event an information security incident such as the leakage of confidential information occurs, Toshiba responds promptly in accordance with the information security incident reporting structure.
When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports to the CSIRT. The CSIRT Leader, upon receipt of such report, devises necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, Toshiba implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the related corporate staff divisions.
Information Security Incident Reporting Structure
Status of Incidents Such As Leakage of Confidential Information
In FY2019, the Toshiba Group experienced no leaks of important information held by the company. There were also no personal data-related complaints or appeals filed by regulatory authorities or other external parties. We will continue working in the future to put in place a system for preventing information security-related incidents to cover all eventualities.
For details on information security management, please refer to our Cyber Security Report.
Product Safety Information and Advertising
Policy on Product Safety Information and Advertising
Toshiba Group provides accurate product information and executes appropriate advertising in accordance with the Standards of Conduct for Toshiba Group, the Code of Fair Competition for Home Appliances*1 and other policies. Quality assurance organizations of Group companies and affiliated companies monitor the safety standards of the countries where products are marketed and technical standards such as the UL Standards*2 and CE Marking*3 to ensure that their product labeling is in compliance with the relevant standards.
Standards of Conduct for Toshiba Group 2. Customer Satisfaction
Standards of Conduct for Toshiba Group 15. Advertising
- *1 This refers to the fair competition agreement on representation in the home electronics manufacturing industry. Under the provisions of the Act on Premiums Labeling, the Fair Trade Commission approved in 1978. The domestic electric industry management organization is the National Electric Home Appliance Fair Trade Council, a public interest corporation group. This regulation prescribes prohibition of misrepresentation, necessary representation items, representation standards for specific matters, etc. It aims to contribute to proper product selection, to prevent attraction of unjust customers, and to ensure fair competition.
- *2 UL Standards: Safety standards established by UL LLC (Underwriters Laboratories Inc.,) that develops standards for materials products, and equipment and provides product testing and certification.
- *3 CE Marking: A certification mark that indicates conformity with the safety standards of the European Union (EU). The CE marking is required for products sold within the European Economic Area (EEA).
Compliance with Regulations and In-House Standards Regarding Products
In FY2019, there were no violations of product safety regulations or in-house standards in the life cycle of products and services.
There were also no violations of regulations or in-house standards relating to information and labeling for products and services.
Compliance with Regulations on Advertising and Labeling
In FY2019, as a result of our strict implementation of the Manufacturing Labeling Standards, there were no violations of the Act Against Unjustifiable Premiums and Misleading Representations among Toshiba Group companies.
Tax Affairs
Based on the basic policy on taxes, Toshiba Group complies with legal ordinances, notices, and regulations in various countries and makes efforts to properly file tax returns and pay taxes.
Basic Policy on Tax
Toshiba Group follows the following policy to properly file tax returns and pay taxes:
- Compliance with laws and regulations
Toshiba and Toshiba Group companies shall carry out their tax operations in compliance with all applicable laws and regulations of the countries where their business is conducted, with the understanding of their intents as well as with reference to guidelines published by international organizations such as OECD.
In addition, Toshiba and Toshiba Group companies shall conduct their business with appropriate tax structures, linked with business purposes and shall not carry out any transactions for the purpose of tax avoidance. - Optimizing tax costs
Toshiba and Toshiba Group companies shall, in compliance with tax laws and regulations, strive to utilize the legally justified measures such as consolidated tax filing regimes and other tax incentives and optimize their tax costs for Toshiba Group as a whole. - Relationship with tax authorities
Toshiba and Toshiba Group companies shall aim to maintain good relationships with tax authorities and work with them in a sincere manner.
Risk Management with Business Continuity Plan (BCP)
Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses, ultimately affecting our stakeholders. Toshiba implements measures to ensure the safety of employees and their families, support recovery of devastated areas, and maintain business sites and factories.
The BCP, which we have been formulating and developing Group-wide as of FY2007, is one such measure. Focusing on our key businesses that have a large social and economic impact, we are establishing a BCP that takes into account the possibility of large-scale earthquakes and new strains of influenza, and continually update it in order to maintain and improve its effectiveness.
We created a COVID-19 team and declared an internal state of emergency in February, implementing company-wide countermeasures from two perspectives:“business continuity and fulfillment of social responsibilities” and “securing the safety of employees and society”.
We have proceeded with unprecedented company-wide countermeasures such as stringent limits on staff access to the workplace and drastic alteration of working hours, in order to prepare for the worst case scenario and to protect lives.
Toshiba Group will continue to reinforce its BCP*, giving utmost priority to the safety of all employees, so that operations can continue even in the event of a large-scale disaster, such as earthquake, storm, flood or other major disasters, occurring in combination with an infectious disease pandemic.
- * BCP: Business Continuity Plan
Toshiba Group’s response to COVID-19
BCP Procurement Management
In response to the Great East Japan Earthquake and the floods in Thailand, both of which occurred in 2011, Toshiba Group is promoting to establish a more disaster-resistant procurement system. Based on Toshiba Group's Procurement Policy, we request our suppliers to cooperate in continuing to provide supplies in the event of an unanticipated disaster.
In 2012, we established the BCP Procurement Guidelines to provide crisis management standards. Also, to minimize the risk of supply chain disruptions and to reduce the amount of time required to resolve supply chain disruptions, we have built a system to manage corporate information on upstream suppliers in the supply chain. In the event of an unanticipated disaster, we use this system to quickly investigate its effects on our supplies worldwide so that action can be taken promptly.
In order to ensure business continuity and fulfill our social responsibility, we collected information from suppliers in the supply chain in Japan and overseas concerning COVID-19 from an early stage to determine risk, and guarantee supply by taking the necessary countermeasures in collaboration with suppliers, and minimize the impact on business.
The files or links with these following icons will open in a separate window when you click it.
PDF file icon
Separate window icon
Select Region