In order to respond appropriately to changes in laws and regulations in every country of the world, the globalization of management and the diversification of business, Toshiba Group is enforcing global compliance with laws and regulations, internal rules, and social and ethical norms.

Medium- to Long-term Vision

We aim to regain the trust of all our stakeholders by striving to improve and strengthen our internal control system through more stringent compliance and a more robust risk management system.

FY2019 Achievement

  • To raise awareness among top management and employees, we held training sessions for executives and senior management five times with a total of 317 participants (Toshiba Group in Japan). We also continued to conduct general compliance training including accounting compliance.
  • In response to COVID-19, we rolled out an emergency operating system with infection prevention measures that included regulating employee access to the workplace and adjusting the business calendar.
  • In response to COVID-19, we took measures coordinated with suppliers to secure the supply of procured items.

Future Challenges and Approaches

We will continue striving to implement a more effective compliance system and policy based on an awareness of risk in order to strengthen risk management and compliance for Toshiba Group as a whole.

Policy on Risk Management and Compliance

Toshiba’s shares were designated as securities on alert on September 15, 2015 and stock under supervision. As a result of the examinations by the Tokyo Stock Exchange and Nagoya Stock Exchange into the status of improvements made to the internal control system thereafter, the aforementioned designation was lifted on October 12, 2017. Toshiba then released its Report on Improvements of Internal Management System on October 20, 2017, and as reported in the Progress Report on Improvements of Internal Management System on July 25, 2018, Toshiba will continue its efforts to strengthen the internal control system in the future and will work to regain the trust of shareholders, investors, and all other stakeholders.
At Toshiba Group, we formulated and are striving to entrench the Standards of Conduct for Toshiba Group (SOC) as a specific action guideline since we are a company that contributes to the realization of a sustainable society while conducting fair, sincere and highly transparent business activities. Thus we are working toward making the SOC an integral part of the entire Toshiba Group. Furthermore, in order to respond to changes in the business environment, such as new technologies and growing supply chains in developing countries, and to the diverse and ever-changing risks that arise when conducting business activities, we are striving to prevent risks in advance, and to minimize losses from individual incidents.

Toshiba Group's Policy to the Fraud Risk

Based on its policy on fraud risk, Toshiba Group strives to detect such risks at an early stage and takes advance measures to prevent them.

Toshiba Group's policy to the fraud risk

  1. Strengthen governance through understanding of the actual situation at each Group company
    1) In April 2019, we developed and began operating our own Risk Management System (RMS), which incorporates corporate-led PDCA*, in order to grasp the actual status of compliance and other risk initiatives at Group companies and encourage them to improve themselves. Furthermore, in FY2020 we will systematically organize and refine fraud risk scenarios in order to reinforce our efforts to prevent fraud among Group companies. We will then strengthen guidance for understanding and improving the status of fraud risk initiatives at Group companies.
    * Plan: Identification and assessment of risks; Do: creation and operation of rules; Check: review and fact-finding surveys; Action: formulation and implementation of improvement plans
    2) In the Toshiba Next Plan, we aim to reduce the number of affiliates by 25%. We will continue to promote this initiative to strengthen the governance of Group companies.
    3) In the future, by introducing the next-generation mission-critical system, which is currently in progress, we will create an environment in which transaction data of each Group company can be extracted and analyzed directly from the system, and then reported to the risk management division and the audit division, etc. so that we can conduct agile investigations, etc.
  2. Identification of fraud risk items based on the business activities of each Group company and scandals at other companies
    As stated in Strengthening governance through understanding of the actual status of each Group company, in FY2020 we began to implement fraud risk management measures that were not sufficiently incorporated into the existing RMS. Specifically, the Group will systematically organize fraud risk scenarios by using outside experts based on cases of fraud at other companies, and collaborate with the divisional companies in charge of business areas as well as the audit division and the accounting auditor to conduct detailed identification of fraud risk items based on business characteristics. The Group will then utilize the results to ascertain the status of fraud risk initiatives at Group companies and provide guidance for improvement.

Response to Compliance Violations

In the event of a major noncompliance incident, Toshiba investigates all facts to identify the cause of the violation, treats the facts seriously, and handles such violations rigorously by imposing appropriate disciplinary sanctions on the offenders or implementing other such measures. It makes every effort to prevent recurrence and discloses information in a proper and timely manner as necessary.

Compliance Initiatives

Structure of Risk Management and Compliance

At Toshiba, we appoint a Chief Risk Compliance Management Officer (CRO) to oversee risk management and compliance for the whole Group. In addition, the Legal Affairs Division responds to whistleblower reports and attempts to achieve global compliance, and is advancing effective risk management and compliance activities.

There is also a Risk Compliance Committee chaired by the CRO and attended by the executive officers of corporate staff divisions. The Committee analyzes whistleblower reports and cases both inside and outside the Company, and identifies risks based on risk tables that cover the entire management environment. It also reviews activities and deliberates on priority measures from the immediate fiscal year.

Each key Group company is advancing its own priority measures for risk management and compliance, determined by a risk-based approach, in addition to the priority measures common to the whole Company.

In the event of a serious risk management and compliance issue, there is a system in place by which the relevant in-house committees, etc. promptly evaluate and implement countermeasures.

In March 2016, Toshiba established a new Accounting Compliance Committee. Its purpose is to aggregate finance- and accounting-related information, and to identify signs that might point to inappropriate financial reporting, doing both in timely fashion, and to detect risks that threaten internal control at an early stage.
The President and CEO is the head of the Accounting Compliance Committee, and the Audit Committee and the Internal Audit Division act as observers. Together they assess the risk of financial statements not being created or disclosed properly, and the risk that internal control is not functioning effectively to support the reliability of financial reports. Having done this, they supply information needed to prevent these risks, and discuss and decide on measures to deal with them.
Meanwhile, Toshiba has set up three lines of defense, with the relevant business divisions as the front line, the administrative divisions as the second, and the audit divisions as the third. The system is designed to ensure effective risk management by assigning to each line a clearly defined role and set of duties, which it carries out appropriately, at the same time exercising a checks-and-balances function. In order to strengthen the monitoring function of the third line, on July 8, 2020, we established the Compliance Advisory Meeting by inviting two external experts with extensive knowledge of compliance as a part of wider initiatives to strengthen the internal control system. The role of the panel is to suggest improvements to the measures that Toshiba is implementing to strengthen company-wide compliance and prevent fraud, as well as to make proposals for medium- to long-term measures to achieve continuous improvement of internal control.
In addition to this compliance-related risk management, Toshiba deals with risk related to management decisions (strategic decision-making, execution of business activities, etc.) as business risk by clearly stating management’s duty to contribute to the Toshiba Group’s sustainable growth and corporate value increase through its decision-making, setting out the permissible risk limits and corporate policy on business withdrawal, and subjecting each case to advance risk assessment by the Business Risk Review Committee to establish the maximum risk and items for monitoring.

Risk Management and Compliance Committee

  • *1 The Risk Compliance Committee manages matters related to the Standards of Conduct for Toshiba Group and matters related to risk management and compliance.
  • *2 CPL is an abbreviation combining CL (contractual liability) and PL (product liability).
  • *3 The key Group company Technology & Production Compliance Committee can be integrated with other committees such as the company Risk Compliance Committee.

Whistleblower System

In order to create an open work environment, Toshiba is enhancing its whistleblower system, on top of preventing risks by stimulating day-to-day communication in each workplace.
In January 2000, Toshiba established a whistleblower system Toshiba Hotline to collect internal information on SOC violations, particularly those concerning laws and regulations, and to deal with wrongdoing through a self-rectification system. Under this system, an employee can report an incident and seek advice via e-mail or phone. In addition to the internal office, a reception hotline was set up at an external attorney's office in January 2005, primarily to receive information about potential legal violations. In April 2006, Toshiba also set up a supplier whistleblower system to receive reports from suppliers and business partners to prevent SOC violations by employees in charge of procurement and order placements for construction and other works.
Furthermore, in October 2015, the new Audit Committee Hotline was set up, which allows people to report directly to the Audit Committee, which is composed of outside directors. With this new system, even matters in which the involvement of top management is suspected can be safely reported. The Audit Committee also has access rights to the Toshiba Hotline, and provides appropriate guidance and supervision.
To protect the whistleblower, the system ensures that officers or employees who provide risk or compliance-related information with honest and legitimate intent do not receive unfavorable treatment as a result of having provided the information.
All Toshiba Group companies have implemented a whistleblower system. The whole Group has been directed to ensure the anonymity of the whistleblower for his/her protection, and, if the whistleblower is an employee who was himself/herself involved in the relevant reported act, to take into account as much as possible the fact of his/her coming forward when deciding what internal disciplinary action should be taken. We are also working to enhance awareness of the whistleblower system by regularly issuing a compilation of whistleblower cases that have actually taken place.

  • * In May 2019, the Employee Consultation Room, where employees could discuss individual concerns, and the Risk Hotline, an internal whistleblower system, were integrated as the Toshiba Hotline.

Toshiba's Whistleblower System

Operational Status of the Risk Hotline in FY2019

The numbers of reports received and consultations undertaken by the Risk Hotline and Audit Committee Hotline in FY2019 are as follows. We notified employees about the existence of the system and its assurance of strict anonymity through e-learning. We also reported on whistleblower cases to the whole Company on a number of occasions.

Number of reports received by the Toshiba Hotline (previously the Risk Hotline) (within parentheses: anonymous reports)

| | FY2015 | FY2016 | FY2017 | FY2018 | FY2019 |
|---|---|---|---|---|---|
| Reports received by internal secretariat | 204 reports (121 reports) | 389 reports (235 reports) | 243 reports (147 reports) | 206 reports (142 reports) | 109 reports (53 reports) |
| Reports received by attorney's office | 4 reports (1 report) | 12 reports (7 reports)* | 10 reports (2 reports)* | 3 reports (1 report) | 1 report (1 report) |
| Total | 208 reports (122 reports) | 399 reports (240 reports) | 253 reports (149 reports) | 209 reports (143 reports) | 110 reports (54 reports) |

  • * Including duplicate reports received by the internal secretariat

Number of reports received by the Audit Committee Hotline (within parentheses: anonymous reports)

| | October 2015 to March 2016 | FY2016 | FY2017 | FY2018 | FY2019 |
|---|---|---|---|---|---|
| Total | 55 reports (41 reports) | 80 reports (53 reports) | 33 reports (17 reports) | 29 reports (19 reports) | 42 reports (37 reports) |

Response Status

Of the reports received, those reporting inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts could be issued.
In cases involving consultations and questions about duties of the informants themselves, we gave advice on how to deal with the situation.
For reports other than the anonymous reports described above, we explained the status of our responses to the informants, in principle.
Except in cases in which consent has been obtained from the employee, confidential advisers (at the internal secretariat or attorney's office) never disclose the names or contact addresses of the informants.
Out of the whistleblower reports, cases that everyone should bear in mind are taught as part of employee training. In order to protect whistleblower anonymity, such cases are presented without any names.
The number of reports received is released regularly on the company's internal website.

Risk Management and Compliance Training

Seminar for senior management

At Toshiba, the President issues messages to all employees, and the entire Toshiba Group works to raise compliance awareness and improve corporate culture. In FY2019 the President issued a message to all employees on seven occasions, and a total of 317 people participated in five training sessions for executives and senior management, including those at the Group companies, which have taken place since FY2016 to raise the awareness of top management. Furthermore, to improve the effectiveness of accounting compliance, we also conducted employee seminars targeted by rank and function.
In addition, we provide accounting compliance education through e-learning to deepen employees' understanding about the internal control and J-SOX. In FY2019, all employees (approximately 65,000) of 117 consolidated subsidiary Group companies in Japan and approximately 650 executives of 21 overseas Group companies participated in the seminar.
Going forward, we will continue to implement these training and education programs.

Making the Standards of Conduct for Toshiba Group Available to All Employees

Toshiba Group has created the SOC in 24 languages and made them available on the internal website. Various compliance education programs that incorporate the SOC have been included in the level-based training, occupation-based training and senior management seminars. We are also continuing our education programs, such as e-learning and educational leaflets, for all employees.

Fostering a Compliance-oriented Culture through Workplace Meetings

Each workplace holds meetings focusing on CSR to raise the awareness of each and every employee with regard to compliance matters so as to make compliance an integral part of the corporate culture.

These meetings aim to prevent compliance violations by encouraging managers and employees to discuss various problems that are likely to arise in the workplace and to share their thoughts with each other in order to create a work environment where they can easily seek advice on all kinds of problems. The theme in FY2019 was information security. Each workplace held discussions based on a range of information leak scenarios to ensure a shared recognition of the importance of information management at the individual level and to reinforce understanding of correct information management procedures. Approximately 66,000 employees at around 5,800 workplaces of the Group companies participated in discussions.
In addition, by soliciting the frank opinions of employees via their workplace managers, and sharing analysis results and key opinions within the company, we monitor the level of compliance awareness at each workplace and develop new measures for the future.

Inspection of Implementation Status of Risk Management and Compliance Measures

Toshiba's corporate divisions confirm the status of compliance in operations concerning respective areas of jurisdiction and the Internal Audit Division conducts audits of the Group companies.
In April 2019, we independently developed and began operation of a risk management system (RMS) incorporating a corporate-led PDCA cycle that allows integrated risk assessment of each Group company. The aim was to identify the status at each Group company of initiatives on compliance and other risks and to promote improvement.
The Risk Compliance Committee reviews the legal compliance status in each division, as established through the RMS and other checks, as well as the implementation status of various measures to ensure compliance, and reflects its review findings in each measure.
Toshiba also conducts an employee questionnaire survey each year and uses the results as feedback in the drafting of measures to improve compliance awareness.

Compliance with the Antimonopoly Act and

Policy on Anti-Corruption

In accordance with the Standards of Conduct for Toshiba Group and various internal regulations, Toshiba Group’s policy prohibits illegal or improper payments against sound business practices and each country’s laws and regulations.
In keeping with this approach, the Toshiba Group is a signatory to the United Nations Global Compact and works globally to comply with antitrust and competition law and prevent corruption.

Antimonopoly and Anti-bribery Efforts

In response to global regulatory trends, Toshiba has engaged in rigorous efforts to prevent violation of antitrust law and bribery, and has established compliance programs reflecting Japanese domestic law and associated sets of guidelines, which include clearly stated policies prohibiting antitrust law violation and bribery. For example, they designate prohibited acts such as cartels and facilitation payments, and also stipulate matters related to internal procedures including pre-screening and consultation, matters related to internal system, education, and audits. We continued in FY2019 with initiatives that included requiring each key Group company to undertake self-audit as well as measures to identify operating status and ensure comprehensive education.
Furthermore, we have placed managers of legal affairs in major global regions to enhance compliance and support local subsidiaries in such regions. This has been done in order to appropriately control legal risks associated with relevant anti-trust laws, bribery, and the like and ensure thorough compliance in global business, which has been expanding mainly in emerging countries.
Toshiba promotes rigorous compliance with business-related laws and regulations by providing education, effectively utilizing databases that contain relevant information, and performing periodic self-audits.
In addition, Toshiba's compliance initiatives are objectively evaluated by outside lawyers once a year. We make improvements to reduce risks pointed out by third parties in order to continue to enhance our risk management and compliance structure.
Toshiba is also progressing with measures to promote compliance awareness anchored in the Standards of Conduct for Toshiba Group. In Japan, we conduct regular training on themes including compliance with the Antimonopoly Act and prevention of corruption, and are working to raise the standard of sales-related legal risk management by conducting e-learning and classroom-based courses on sales-related risk for employees.
Overseas, we held legal seminars for those in charge of compliance at local subsidiaries, working together with our regional headquarters, regional legal affairs managers, and others. Attendees discussed measures to enhance compliance in keeping with the Standards of Conduct for Toshiba Group, and fortified the foundations for strengthening the risk management network among Headquarters and all regions.

Standards of Conduct for Toshiba Group 6. Competition Law and Government Transactions

Standards of Conduct for Toshiba Group 7. Bribery

Status of breaches to laws related to anticorruption (FY2019)

| Item | Number of cases in FY2019 |
|---|---|
| Exposure through price cartel | 0 |
| Exposure through bribery | 0 |

Political Contributions

The Standards of Conduct for Toshiba Group stipulates that Toshiba Group shall not provide inappropriate benefits or favors to any politician or political organization.
Also, as part of its social contributions, Toshiba offers political contributions, when necessary, in order to contribute to the realization of policy-oriented politics, to support the healthy development of parliamentary democracy and to improve the transparency of political contributions.
When offering political contributions, procedures in accordance with internal rules are followed, and in the case of Japan, compliance with the Political Funds Control Law is strictly ensured. Toshiba made no political contributions in FY2019.

Standards of Conduct for Toshiba Group 7. Bribery

Donations and Provision of Funds

While the Standards of Conduct for Toshiba Group forbid inappropriate expenses, they stipulate that appropriate donations to organizations may be made. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the donee organization to society, its cause and community aspects, as specified by the Standards of Conduct for Toshiba Group.

Standards of Conduct for Toshiba Group 19. Community Relations

Social Contribution Activities

Fair Trading

Fair Trading Policy and Its Promoting Structure

Toshiba strives to build sound partnerships with suppliers through fair trading in compliance with procurement-related laws and regulations.

CSR Management in the Supply Chain

Toshiba Group Procurement Policy

Standards of Conduct for Toshiba Group 3. Procurement

Toshiba Group is promoting thorough observance of CSR both in its own procurement activities, and in those of its suppliers.
There is a CSR procurement promotion structure established within the Group, which acts in order to carry out each procurement transaction in compliance with the relevant Japanese and international laws and regulations. Information related to compliance concerning procurement is thoroughly communicated to Group companies through this system.
Moreover, measures are thoroughly communicated by means of Procurement Compliance Liaison Meetings, organized by the Procurement Division and attended by Compliance Managers and Compliance Coordinators.

Toshiba Group CSR procurement promotion structure

In FY2019, in line with a basic policy of strengthening compliance in the procurement process, Toshiba took action to ensure adherence to regulations on legal compliance by checking the operation of each Group company’s procurement processes through investigations of the procurement process and patrols to inspect procurement transactions.
In FY2020, we will continue to strengthen the operation of our procurement processes.

Clean Partner Line, Whistleblower System for Suppliers and Business Partners

In order to ensure compliance and fair transactions, Toshiba has established a whistleblower system for suppliers and business partners called Clean Partner Line, as a point of contact for our suppliers to tell us about issues or concerns regarding persons associated with the Toshiba Group. Personal information on whistleblowers, without the whistleblower's consent, is not disclosed to anyone other than the Clean Partner Line staff. Also, what is reported by whistleblowers is handled based on strict procedures, with care taken not to treat whistleblowers and their companies unfavorably for whistleblowing. We notify our business partners of this system and request that they make use of it.

Checks of Fair Trading Practices (Thorough Compliance with the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors)

In Japan, we monitor the subcontracted transactions of the Group companies undertaking such transactions. Regarding items requiring improvement, guidance is provided to make improvements to ensure thorough compliance.

Training to Ensure Fair Trading Practices

At Toshiba Group, various training programs on compliance in procurement are provided to ensure fair trading practices. For example, since FY2007, we have conducted e-learning for employees of Group companies in Japan on relevant acts, such as the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors.
In FY2019, a total of 62,606 employees participated in the e-learning program on the Subcontract Act between February and March 2020.
We also provide compliance education for employees engaged in procurement at various phases of their careers.

Breaking Relationships with Antisocial Groups

In 1997, the Board of Directors resolved to end relations with antisocial forces such as sokaiya (groups of racketeers). Since then, the Group has strictly dealt with approaches from third parties to obstruct our lawful and appropriate corporate activities.
In addition, in order to further ensure that all relations with antisocial forces are cut off, all Toshiba Group companies have taken various measures. More specifically, we have developed and implemented Basic Public Relations Management Rules and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with antisocial groups. If a need arises during a background check to further investigate the customer, the Legal Affairs Division verifies whether there is any information on the customer's relationship with antisocial groups. We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as an antisocial group.
Toshiba Group also works with the police, corporate attorneys, and third-party organizations such as the National Center for the Elimination of Boryokudan to establish systems that enable us to respond to approaches from antisocial forces in an appropriate and timely manner. With regard to this stance, the rejection of the involvement of antisocial groups in our business activities has been explicitly stated in the SOC since 2006. Following subsequent revisions, Antisocial Groups is now an independent article, further stressing our policy to reject all contact with such groups. By providing e-learning lessons about the SOC to all employees, we continuously ensure that employees understand the importance of excluding antisocial groups from the business they do.

Export Control

Export Control Policy

As indicated in the Standards of Conduct for Toshiba Group, Toshiba Group's basic export policy is to refrain from any transaction that could potentially undermine international peace and security. We comply with all applicable export control laws and regulations of the countries and regions where we operate, for example, the Foreign Exchange and Foreign Trade Law in the case of Japan and US export control laws and regulations with respect to transactions involving items of US origin.
In accordance with the policy, Toshiba Group has established the Export Control Compliance Program (ECCP). Based on the program, we classify the goods and technology and screen transactions. In addition to periodic export control audits and education for all executives and employees, key Group companies and corporate staff divisions provide instructions and support to the Group companies they supervise.

Toshiba Export Control Compliance Program (Toshiba ECCP)

  • Chapter 1 Statement of Corporate Policy
  • Chapter 2 Definition of Terms
  • Chapter 3 Export Control Organizations
  • Chapter 4 Control Procedures
  • Chapter 5 Education
  • Chapter 6 Compliance Reviews
  • Chapter 7 Notification of Violation and Corporate Sanctions
  • Chapter 8 Group Companies

Standards of Conduct for Toshiba Group 9. Export Control

* ECCP: Export Control Compliance Program

Export Control System

Toshiba's export control system is organized under the Chief Export Control Officer, who has ultimate responsibility for the corporation's export control. The Chief Export Control Officer must be a representative director or an executive officer corresponding thereto. Under the Chief Export Control Officer, the Legal Affairs Division Export Control Office is responsible for overseeing the export control implemented pursuant to the Toshiba Export Control Compliance Program (ECCP). Based on the Toshiba ECCP, each Toshiba Group company and corporate staff division has its own export control organization led by the Export Control Officer. The Export Control Officer must be the general manager of the corporate staff division, or the president of the Group company.

Toshiba Group's export control organization

Product Classification and Transaction Review

The technical department classifies the goods or technology and determines whether an export license is required. Then, transaction screening is carried out accordingly, such as confirmation of the end-use, end-user, and final destination. Classification and transaction screening are checked and approved by multiple persons in charge. When trading with countries and regions of concern, the Export Control Office conducts stringent assessments and approvals.

Inspection and Audit of Export Control

Each corporate staff division, as well as each Group company, performs internal self-checks. In addition, the Export Control Office or the supervising department conducts regular audits to check if export control is appropriately performed. Audits are conducted once every one to three years at target companies, and in FY2019, audits were performed for three internal divisions in Japan and seven Group companies. Overseas, audits are done in Europe, the United States, Asia and China, and in FY2019, three Group companies in Europe received audits. Where problems are identified by the audit, we demand that improvement plans be submitted, and check the progress of the plans.

Export Control Trainings

Training courses on export controls (regular and specialized courses) are offered by the Export Control Office for corporate staff divisions and Group companies to educate employees on the importance of export control and to raise awareness and knowledge of the Toshiba Export Control Compliance Program (ECCP) and related internal regulations.
Furthermore, the Export Control Office provides compulsory export control education for all employees of Group companies in Japan through an e-learning system every year.
Export controls at Group companies, including those located overseas, are modeled after those of Toshiba, which are implemented under the Toshiba Export Control Compliance Program (ECCP). Export control audits are conducted periodically to evaluate their performance.
The Export Control Office holds meetings with staff divisions and key Group companies to communicate on matters such as the international situation, regulatory trends, and specific requirements, and additionally to provide a forum for exchange of information and opinions. Key Group companies provide guidance and support on export control to other Group companies under their control.
Meanwhile, to enhance support for overseas Group companies, we issue a quarterly export control bulletin for local staff working in export control, where we share information on export control-related legal revisions, sanctions, cases of legal violation, and other news.

Information Security Management

Policy on Information Security

Toshiba Group regards all information, such as personal data, customer information, management information, technical and production information handled during the course of business activities, as its important assets and adopts a policy to manage all corporate information as confidential information and to ensure that the information is not inappropriately disclosed, leaked or used. In view of this, Toshiba has a fundamental policy to manage and protect such information assets properly, with top priority on compliance. The policy is stipulated in the chapter Corporate Information and Company Assets of the Standards of Conduct for Toshiba Group, and managerial and employee awareness on the same is encouraged.
In response to regulatory changes and changes in the social environment, Toshiba revises the related rules on an ongoing basis so as to rigorously manage its information security.

Standards of Conduct for Toshiba Group 17. Information Security

Privacy Policy

Structure of Information Security Management

Addressing information security as a management priority, Toshiba appointed the Chief Information Security Officer (CISO) and each corporate staff division and Toshiba Group company has established, under the supervision of the CISO, an information security management structure.
The Cyber Security Committee deliberates matters that are necessary to ensure information security throughout Toshiba Group. The CISO formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective, and definitive manner.
At each division inside Toshiba and key Group companies, the head of the organization serves as Information Security Management Executive, bearing responsibility for information security at their respective organization. The Executives provide guidance and assistance to the Group companies under their control to ensure that they implement information security at a level equivalent to that of Toshiba.

Toshiba Group Information Security Management Structure

  • * CSIRT: Computer Security Incident Response Team

Information Security Measures

Toshiba Group implements information security measures from four perspectives (see the table below). The Corporate Technology Planning Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Group companies through notices and briefings.

Implementation of Information Security Measures from Four Perspectives
Category Description
(1) Organizational measures:
Establish an organizational structure and rules
  • Periodic reviews of information security-related regulations
  • Development and maintenance of structure
  • Implementation of audits, etc.
(2) Personal and legal measures:
Ensure adherence to rules
  • Regulation of information protection duties and disciplinary measures for breach of duties in rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements, etc.
(3) Physical measures:
Support implementation of rules in terms of physical security
  • Carry-in/carry-out control of information devices
  • Facility access control, room / facility entry control
  • Locking of highly important information, etc.
(4) Technical measures:
Support implementation of rules in terms of technology
  • Virus protection and hard disk encryption of information devices, and introduction of EDR tools*
  • Checking the vulnerabilities of servers accessible to the public and enhancing their protection
  • Monitoring and controlling unauthorized access from the outside and information leakage, etc.

* EDR: Endpoint Detection and Response

To protect against cyber-attacks, which are becoming more sophisticated with every passing year, we introduced a function to block suspicious e-mails, enhanced our anti-virus measures for information equipment such as IoT devices, and trained all employees in handling targeted attack e-mails. Toshiba Group has undergone an attack and penetration assessment by a specialized cyber security firm in order to validate the effectiveness of its security measures.
In addition, we enhanced the monitoring of our network and in-house systems so that we can respond quickly if a virus enters the company systems.

Education, Inspection, and Audit of Information Security Management

For the Toshiba Group with its wide portfolio of businesses, to ensure Group-wide information security, it is vital for each member company to conduct an independent PDCA (Plan-Do-Check-Act) cycle. Accordingly, Toshiba and all Group companies carry out an annual self-audit of their compliance with internal rules to identify issues and plan improvements. The Corporate Technology Planning Division evaluates the results of the audits and related improvements carried out by each Toshiba division and key Group companies and provides support and guidance where necessary. In FY2019, three key points were identified: (1) information security at outsourcing contractors, (2) measures to prevent information leaks due to internal fraud, and (3) measures to prevent information leaks due to negligence. In particular with reference to (3), as teleworking means that office computers are now frequently taken home, we reaffirmed measures against information leaks due to loss and theft of computers and provided guidance including presentation of past examples. The audit results and improvement initiatives of each Toshiba Group company in Japan and overseas are subject to assessment by the supervising division, which provides relevant guidance and support.
Moreover, Toshiba Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations. There are also programs such as training for those working in information security, and introductory training for new graduate employees.

Response to Incidents Such as Leakage of Confidential Information

In the event an information security incident such as the leakage of confidential information occurs, Toshiba responds promptly in accordance with the information security incident reporting structure.
When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports to the CSIRT. The CSIRT Leader, upon receipt of such report, devises necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, Toshiba implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the related corporate staff divisions.

Information Security Incident Reporting Structure

Status of Incidents Such As Leakage of Confidential Information

In FY2019, the Toshiba Group experienced no leaks of important information held by the company. There were also no personal data-related complaints or appeals filed by regulatory authorities or other external parties. We will continue working in the future to put in place a system for preventing information security-related incidents to cover all eventualities.
For details on information security management, please refer to our Cyber Security Report.

Product Safety Information and Advertising

Policy on Product Safety Information and Advertising

Toshiba Group provides accurate product information and executes appropriate advertising in accordance with the Standards of Conduct for Toshiba Group, the Code of Fair Competition for Home Appliances*1 and other policies. Quality assurance organizations of Group companies and affiliated companies monitor the safety standards of the countries where products are marketed and technical standards such as the UL Standards*2 and CE Marking*3 to ensure that their product labeling is in compliance with the relevant standards.

Standards of Conduct for Toshiba Group 2. Customer Satisfaction

Standards of Conduct for Toshiba Group 15. Advertising

  • *1 This refers to the fair competition agreement on representation in the home electronics manufacturing industry, which the Fair Trade Commission approved in 1978 under the provisions of the Act on Premiums Labeling. The domestic electric industry management organization is the National Electric Home Appliance Fair Trade Council, a public interest corporation group. This regulation prescribes prohibition of misrepresentation, necessary representation items, representation standards for specific matters, etc. It aims to contribute to proper product selection, to prevent the unjust attraction of customers, and to ensure fair competition.
  • *2 UL Standards: Safety standards established by UL LLC (Underwriters Laboratories Inc.), which develops standards for materials, products, and equipment and provides product testing and certification.
  • *3 CE Marking: A certification mark that indicates conformity with the safety standards of the European Union (EU). The CE marking is required for products sold within the European Economic Area (EEA).

Compliance with Regulations and In-House Standards Regarding Products

In FY2019, there were no violations of product safety regulations or in-house standards in the life cycle of products and services.
There were also no violations of regulations or in-house standards relating to information and labeling for products and services.

Compliance with Regulations on Advertising and Labeling

In FY2019, as a result of our strict implementation of the Manufacturing Labeling Standards, there were no violations of the Act Against Unjustifiable Premiums and Misleading Representations among Toshiba Group companies.

Tax Affairs

Based on the basic policy on taxes, Toshiba Group complies with legal ordinances, notices, and regulations in various countries and makes efforts to properly file tax returns and pay taxes.

Basic Policy on Tax

Toshiba Group follows the following policy to properly file tax returns and pay taxes:

  1. Compliance with laws and regulations
    Toshiba and Toshiba Group companies shall carry out their tax operations in compliance with all applicable laws and regulations of the countries where their business is conducted, with the understanding of their intents as well as with reference to guidelines published by international organizations such as OECD.
    In addition, Toshiba and Toshiba Group companies shall conduct their business with appropriate tax structures, linked with business purposes and shall not carry out any transactions for the purpose of tax avoidance.
  2. Optimizing tax costs
    Toshiba and Toshiba Group companies shall, in compliance with tax laws and regulations, strive to utilize the legally justified measures such as consolidated tax filing regimes and other tax incentives and optimize their tax costs for Toshiba Group as a whole.
  3. Relationship with tax authorities
    Toshiba and Toshiba Group companies shall aim to maintain good relationships with tax authorities and work with them in a sincere manner.

Risk Management with Business Continuity Plan (BCP)

Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses, ultimately affecting our stakeholders. Toshiba implements measures to ensure the safety of employees and their families, support recovery of devastated areas, and maintain business sites and factories.
The BCP, which we have been formulating and developing Group-wide since FY2007, is one such measure. Focusing on our key businesses that have a large social and economic impact, we are establishing a BCP that takes into account the possibility of large-scale earthquakes and new strains of influenza, and we continually update it in order to maintain and improve its effectiveness.
We created a COVID-19 team and declared an internal state of emergency in February, implementing company-wide countermeasures from two perspectives: business continuity and fulfillment of social responsibilities, and securing the safety of employees and society.
We have proceeded with unprecedented company-wide countermeasures such as stringent limits on staff access to the workplace and drastic alteration of working hours, in order to prepare for the worst case scenario and to protect lives.
Toshiba Group will continue to reinforce its BCP*, giving utmost priority to the safety of all employees, so that operations can continue even in the event of a large-scale disaster, such as earthquake, storm, flood or other major disasters, occurring in combination with an infectious disease pandemic.

  • * BCP: Business Continuity Plan

Toshiba Group’s response to COVID-19

BCP Procurement Management

In response to the Great East Japan Earthquake and the floods in Thailand, both of which occurred in 2011, Toshiba Group is working to establish a more disaster-resistant procurement system. Based on Toshiba Group's Procurement Policy, we request our suppliers to cooperate in continuing to provide supplies in the event of an unanticipated disaster.

In 2012, we established the BCP Procurement Guidelines to provide crisis management standards. Also, to minimize the risk of supply chain disruptions and to reduce the amount of time required to resolve supply chain disruptions, we have built a system to manage corporate information on upstream suppliers in the supply chain. In the event of an unanticipated disaster, we use this system to quickly investigate its effects on our supplies worldwide so that action can be taken promptly.
In order to ensure business continuity and fulfill our social responsibility, we collected information concerning COVID-19 from suppliers in the supply chain in Japan and overseas from an early stage to determine risk, guarantee supply by taking the necessary countermeasures in collaboration with suppliers, and minimize the impact on business.
