Risk Management and Compliance
Toshiba Group conducts business activities, giving the highest priority to life, safety, and compliance with laws and regulations, and social and ethical norms. In order to respond appropriately to changes in laws and regulations in every country of the world, the globalization of management and the diversification of business, Toshiba Group has established systems to address various risks.
Medium- to Long-term Vision
We aim to regain the trust from all of our stakeholders by striving to improve and strengthen our internal control systems through more stringent compliance and a more robust risk management system.
- Top management delivered messages on compliance (seven times).
- We conducted workplace meetings and employee seminars targeted by function on the topic of fraud (Toshiba Group in Japan).
- To ensure compliance and continuously improve corporate culture, we held the Senior Management Risk Compliance Seminar for executives of Toshiba and senior management of Toshiba Group in Japan. Participants totaled 254 people. We also continued to conduct general compliance training including accounting compliance.
- In response to COVID-19, we took infection prevention measures such as setting a target attendance rate and promoting teleworking. For workplaces where work-from-home is not feasible, we encouraged flexible work arrangements while making efforts to reduce infection risks.
- The Compliance Advisory Meeting completed its eight months of activities in March 2021 and issued an advisory opinion. It will help us strengthen compliance and raise the level of fraud management.
Future Challenges and Approaches
We established a Risk Management & Compliance Office in the Legal Division on April 1, 2021 by following the advisory opinion issued in March 2021 by the Compliance Advisory Meeting. We will reinforce Group-wide compliance awareness and strengthen cross-organizational compliance systems and measures.
- Policy on Risk Management and Compliance
- Structure of Risk Management and Compliance
- Major Risks Identified and Their Countermeasures
- Risk Management and Compliance Training
- Inspection of Implementation Status of Risk Management and Compliance Measures
- Compliance with the Antimonopoly Act and Anti-corruption
- Fair Trading
- Breaking Relationships with Antisocial Groups
- Export Control
- Information Security Management
- Product Safety Information and Advertising
- Tax Affairs
- Risk Management Using the Business Continuity Plan (BCP)
Policy on Risk Management and Compliance
Risk management is one of the important elements of the Toshiba Next Plan for achieving the targets set forth in the plan, along with investment in growth and improvement of core earnings. Toshiba has set up three lines of defense, with the relevant business divisions as the front line, the administrative divisions as the second, and the audit divisions as the third. The system is designed to manage risks effectively by assigning to each line a clearly defined role and set of duties, which it carries out appropriately while at the same time exercising a checks-and-balances function. In order to respond to changes in the business environment, such as new technologies and growing supply chains in developing countries, and to the diverse and ever-changing risks that arise when conducting business activities, we will strengthen the three lines of defense and ensure effective risk management.
Toshiba’s shares were designated as securities on alert on September 15, 2015 due to inappropriate accounting. After that, Toshiba improved its internal control system and the designation was lifted on October 12, 2017. As reported in the Report on Improvements of Internal Management System and the Progress Report on Improvements of Internal Management System, released on October 20, 2017 and July 25, 2018 respectively, Toshiba has continued its efforts to strengthen the internal control system and worked to regain the trust of shareholders, investors, and all other stakeholders. On August 1, 2017, Toshiba’s shares were reassigned to the Second Section of the Tokyo Stock Exchange and the Nagoya Stock Exchange. As a result of the aforementioned efforts, our shares were again designated as First Section securities of both exchanges on January 29, 2021. Toshiba will continue to work to enhance its internal control system.
As a company that contributes to the realization of a sustainable society while conducting fair, sincere and highly transparent business activities, Toshiba Group has formulated the Standards of Conduct for Toshiba Group (SOC) as a specific action guideline and is striving to entrench them. We are also working toward making the SOC an integral part of the entire Toshiba Group. The SOC is one of Toshiba Group’s important basic guidelines, and therefore its revision requires approval by the Board of Directors.
Please see the page below for details of the compliance initiatives Toshiba Group is working on.
Compliance Advisory Meeting
In July 2020, Toshiba established the Compliance Advisory Meeting, which evaluated and verified Toshiba Group’s compliance and fraud prevention system. The Compliance Advisory Meeting provided a positive evaluation in that we had put in place a fundamental compliance system for the whole Group and administrative divisions had carried out compliance-related duties by drawing on their appropriate experience, knowledge and ability. The meeting issued an advisory opinion to improve the management level and completed its activities in March 2021. By following the advisory opinion, we have been taking the following measures in FY2021.
- Reinforce Group-wide compliance awareness and strengthen cross-organizational compliance systems and measures under the leadership of the Risk Management & Compliance Office newly established in the Legal Division on April 1, 2021.
- Secure greater penetration of compliance awareness by delivering timely and appropriate messages and developing educational programs that effectively disseminate the principle that compliance takes priority over performance targets.
- After reinforcing a policy of zero tolerance against fraud, maintain and operate rules necessary to prevent fraud, including standardizing fraud countermeasures, setting internal regulations on control activities, preparing manuals, and strengthening awareness of disciplinary action.
- Further improve the structure to promote the use of our internal whistleblower system, by increasing awareness of such a system among employees, receiving reports in English in Japan, and strengthening the overseas whistleblower network.
- Strengthen the function of internal audit on the fraud risk management system through measures such as assigning additional staff.
Response to Compliance Violations
In the event of a major noncompliance incident, Toshiba investigates all facts to identify the cause of the violation, treats the facts seriously, and takes a stance of zero tolerance against fraud. Moreover, Toshiba handles such violations rigorously by imposing appropriate disciplinary sanctions on the offenders or implementing other such measures. At the same time, it makes every effort to prevent recurrence and discloses information in a proper and timely manner as necessary.
Structure of Risk Management and Compliance
Toshiba has separate management systems for two categories of risk: compliance and other risks, and business risks. Business risks refer to uncertain factors that may prevent the achievement of business and project objectives in strategic decision-making and the execution of business activities.
To address compliance and other risks, we appoint a Chief Risk Compliance Management Officer (CRO) to oversee risk management and compliance for the whole Group. In addition, the Legal Division responds to whistleblower reports and attempts to achieve global compliance, and is advancing effective risk management and compliance activities.
The CRO chairs the Risk Compliance Committee, which is attended by executives in charge of corporate staff divisions. The committee analyzes whistleblower reports and cases both inside and outside the Company and evaluates the impacts of risks and the status of risk control in accordance with the risk table that covers compliance risks based on the Standards of Conduct for Toshiba Group. It then determines priority measures of the immediate fiscal year. The Risk Compliance Committee is attended by members of the Audit Committee who also serve as directors. The agenda deliberated at the committee is reported to the Board of Directors.
Toshiba operates a risk management system (RMS) incorporating a PDCA cycle* led by administrative divisions at the second line of defense. The aim is to identify the status at each Group company of initiatives on compliance risk and to promote improvement in an integrated manner. With the RMS, we implement the Risk Assessment Program (RAP) to assess risks of Group companies. The administrative divisions provide guidance to improve the compliance risks identified. At the same time, the relevant business divisions at the front line of defense themselves work to identify and mitigate the risks autonomously.
Furthermore, since FY2020, we have systematically organized fraud risk scenarios and conducted inspections on Group companies to understand the status of their fraud risk, while strengthening guidance to improve such status.
In addition, we assess the risk of financial statements not being created or disclosed properly, and the risk that internal control is not functioning effectively to support the reliability of financial reports. Having done this, we supply information needed to prevent these risks, and discuss and decide on measures to deal with them.
In the event of a serious issue on compliance or other such matters, there is a system in place by which the relevant in-house committees, etc. at Group companies promptly evaluate and implement countermeasures.
Meanwhile, Toshiba deals with business risks by clarifying management decision criteria, permissible risk limits and corporate policy on business withdrawal in making management decisions for business execution to achieve Toshiba Group’s sustainable growth and increase corporate value. In addition, for each risk case, the Business Risk Review Committee conducts risk assessment, identifies the maximum risk, and establishes items for monitoring.
- * Plan: Identification and assessment of risks; Do: creation and operation of rules; Check: review and fact-finding surveys; Action: formulation and implementation of improvement plans
Risk Management and Compliance Committee
- *1 The Risk Compliance Committee manages matters related to the Standards of Conduct for Toshiba Group and matters related to risk management and compliance.
- *2 CPL is an abbreviation combining CL (contractual liability) and PL (product liability).
In order to create an open work environment, Toshiba is enhancing its whistleblower system, in addition to preventing risks by stimulating day-to-day communication in each workplace.
In January 2000, Toshiba established a whistleblower system, the Toshiba Hotline, to collect internal information on SOC violations, particularly those concerning laws and regulations, and to deal with wrongdoing through a self-rectification system. Under this system, an employee can report an incident and seek advice via e-mail or phone. In April 2019, we transferred the function of receiving whistleblower reports to an external organization to further ensure anonymity, lower the hurdle of reporting to the hotline, and build a stronger sense of safety. E-mail support is available 24/7. The Toshiba Hotline was registered as conforming to the Consumer Affairs Agency’s Whistleblowing Compliance Management System certification (self-declaration of conformity registration system) on April 23, 2021.
In addition to the internal secretariat, a reception hotline was set up at an external attorney’s office in January 2005, primarily to receive information about potential legal violations.
Furthermore, in October 2015, the new Audit Committee Hotline was set up, which allows people to report directly to the Audit Committee, which is composed of outside directors. With this new system, even matters in which the involvement of top management is suspected can be safely reported.
The Audit Committee also has access rights to the Toshiba Hotline, and provides appropriate guidance and supervision.
In April 2006, Toshiba set up a supplier whistleblower system, the Clean Partner Line, to receive reports from suppliers and business partners in order to prevent SOC violations by employees in charge of procurement and order placements for construction and other works.
Each Toshiba Group company has its own whistleblower system. Toshiba Group companies overseas have gradually started to implement not only their own whistleblower systems but also global whistleblower systems, designating each Regional Representative Subsidiary as the secretariat for its region so as to cover the laws, regulations and languages of different countries and regions.
At Toshiba Group, in accordance with laws, regulations, and internal regulations, officers and employees who make whistleblower reports with honest and legitimate intent do not receive unfavorable treatment such as dismissal or demotion as a result of having made the reports. Toshiba Group strives to ensure that officers and employees can use the whistleblower system with confidence. Specifically, each Group company has stipulated in its regulations a confidentiality obligation that allows only a limited number of persons in charge to access what whistleblowers report and a prohibition on unfavorable treatment of whistleblowers, and has prepared manuals for the persons in charge of handling whistleblower reports.
Toshiba's Whistleblower System
Operational Status of the Whistleblower System in FY2020
The numbers of reports received and consultations undertaken by the Risk Hotline and Audit Committee Hotline in FY2020 are as follows. We notified employees about the existence of the system and its assurance of strict anonymity through e-learning. We also reported on whistleblower cases to the whole Company on a number of occasions.
| Reports received by internal secretariat | 389 reports |
| Reports received by attorney’s office | 12 reports |
- * Including duplicate reports received by the internal secretariat
Of the reports received, Toshiba investigated all facts in cases of possible legal violations or fraud to identify the cause, and handled such cases rigorously by imposing appropriate disciplinary sanctions on the offenders and implementing other such measures. It also made every effort to prevent recurrence. Meanwhile, the majority of the reports received were related to labor and general affairs. When a reported case was not a legal violation but there were, or were likely to be, inappropriate situations, we provided instructions for improvement or issued alerts in cooperation with the relevant division. In cases involving consultations and questions about the duties of the informants themselves, we gave advice on how to deal with the situation. For reports other than anonymous reports, we explained the status of our responses to the whistleblowers, in principle.
In accordance with laws, regulations, and internal regulations, confidential advisers (at the external organization or attorney’s office for the Toshiba Hotline, and at the internal secretariat for the Audit Committee Hotline) never disclose the names or contact addresses of the informants, except in cases in which consent has been obtained from them.
Out of the whistleblower reports, cases that everyone should bear in mind are taught as part of employee training. In order to protect whistleblower anonymity, such cases are presented after some details are changed and without any names so that the whistleblower and the workplace where he/she works cannot be identified.
The number of reports received is released regularly on the company’s internal website.
Major Risks Identified and Their Countermeasures
Major business risks and compliance and other risks identified by and countermeasures taken by Toshiba Group are as follows.
Toshiba Group’s businesses require highly advanced technology for their operation. At the same time, they face fierce global competition. Thus, these businesses could be adversely affected by changes in the business environment, such as investment trends in and outside Japan, increases in material and personnel costs, fiercer competition with other companies, and exchange rate fluctuations. With the Toshiba Next Plan, Toshiba Group has striven to improve earnings and achieve stable growth of sales and profits. Specifically, we formulated measures to improve the earnings of monitored businesses, namely printing, system LSI, thermal power generation, and mobile HDD, through business structure transformation. We will strictly monitor the progress of these measures on a regular basis. Due to the global COVID-19 pandemic, a decrease in demand and a negative impact on business activities are expected for a while. However, Toshiba Group is engaged in many businesses and services that sustain society, such as social infrastructure, the cornerstone of life. To fulfill our responsibilities and provide these businesses and services, we are continuing activities to the extent necessary for business related to delivery, maintenance, and services for customers and business partners, as well as businesses that sustain society, after taking further appropriate measures to minimize the risk of infection.
Climate change imposes risks associated with responses to relevant laws and regulations, as well as business continuity risks due to disasters caused by climate change. We therefore analyze such risks in accordance with the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD). At the same time, we are intensifying efforts to achieve our greenhouse gas reduction targets, which have been approved by the Science Based Targets (SBT) initiative, a global initiative.
Compliance and Other Risks
Since inappropriate accounting treatment for FY2015 came to light, Toshiba Group has made efforts to continuously enhance its internal control. However, fraudulent transactions by an employee of Toshiba International Corporation and fictitious and cyclical transactions at Toshiba IT-Services Corporation were discovered in 2019 and 2020, respectively. We conducted a thorough investigation on those matters, carried out comprehensive verification within Toshiba Group, and rolled out measures to prevent recurrence. We will continue to strive to raise the level of fraud risk management by implementing measures according to the advisory opinion provided in March 2021 by the Compliance Advisory Meeting.
For details, please see our Business Risk Factors.
Risk Management and Compliance Training
A scene from a seminar
At Toshiba, the President and CEO issues messages to all employees, and the entire Toshiba Group works to raise compliance awareness and improve corporate culture. In FY2020, we focused our efforts on fraud prevention. The President issued a message to all employees on seven occasions, and a total of 254 people, including online participants, took part in the Senior Management Risk Compliance Seminar for executives of Toshiba and senior management of Toshiba Group in Japan to ensure compliance and continuously improve corporate culture. Moreover, we incorporated education on fraud prevention into employee seminars targeted by function, such as sales, procurement, or accounting, and into training by level, such as for newly appointed executives and managers.
In addition, we provide accounting compliance education through e-learning to deepen employees’ understanding about the internal control and J-SOX. In FY2020, all employees (approximately 80,000) of 95 consolidated subsidiary Group companies in Japan and approximately 10,000 executives of 83 overseas Group companies participated in the seminar. Going forward, we will continue to implement these training and education programs.
Making the Standards of Conduct for Toshiba Group Available to All Employees of Toshiba Group
Toshiba Group has created the Standards of Conduct for Toshiba Group (SOC) in 24 languages and made them available on the internal website. Various compliance education programs that incorporate the SOC have been included in the level-based training, occupation-based training and senior management seminars. We are also continuing our education programs, such as e-learning (the attendance rate in Toshiba Group in Japan was 99.2%) and educational leaflets, for executives and all employees (including contract employees and temporary employees).
Fostering a Compliance-oriented Culture through Workplace Meetings
Each workplace holds meetings focusing on CSR to raise the awareness of each and every employee with regard to compliance matters so as to make compliance an integral part of the corporate culture.
These meetings aim to prevent compliance violations by encouraging managers and employees to discuss various problems that are likely to arise in the workplace and to share their thoughts with each other, in order to create a work environment where they can easily seek advice on all kinds of problems. In FY2020, based on actual fraud cases that occurred within the Group, discussions were held on the possibility that similar cases might occur at the workplace and on their countermeasures. These meetings are held at all workplaces of Toshiba Group companies in Japan.
Frank opinions provided by employees at workplace meetings are collected via their workplace managers and help us monitor the level of compliance awareness at each workplace and develop new measures for the future.
Inspection of Implementation Status of Risk Management and Compliance Measures
At Toshiba Group, the administrative divisions, the second of the three lines of defense, confirm the status of compliance in operations within their respective areas of jurisdiction by conducting audits and inspections.
With the Risk Management System (RMS), which began its operation in April 2019, we annually implement the Risk Assessment Program (RAP) to assess compliance risks of Toshiba Group companies. The administrative divisions provide instructions to improve the risks identified. At the same time, the relevant business divisions at the front line of defense themselves work to identify and improve the risks autonomously.
The Risk Compliance Committee reviews the compliance status as established through those audits, inspections, and the RAP as well as the implementation status of various measures to ensure compliance, and reflects its review findings in each measure.
Furthermore, since FY2020, we have systematically organized and refined fraud risk scenarios, and then strengthened guidance for understanding and improving the status of fraud risk initiatives at Toshiba Group companies.
In addition, at the third line of defense, the Internal Audit Division conducts compliance-related audits of Group companies.
Toshiba conducts an employee questionnaire survey each year and questionnaires with e-learning participants about the Standards of Conduct for Toshiba Group to check the degree of penetration of the standards and the level of compliance awareness among employees. This helps it to develop measures for further improvement.
Compliance with the Antimonopoly Act and Anti-corruption
Policy on Anti-corruption
In accordance with the Standards of Conduct for Toshiba Group and various internal regulations, Toshiba Group’s policy prohibits illegal or improper payments against sound business practices and each country’s laws and regulations.
Competition Law and Government Transactions (quote from Standards of Conduct for Toshiba Group)
Bribery (quote from Standards of Conduct for Toshiba Group)
In keeping with this approach, the Toshiba Group is a signatory to the United Nations Global Compact and works globally to comply with antitrust and competition law and prevent corruption.
Furthermore, we request suppliers to agree to and practice the Toshiba Group Procurement Policy.
Antimonopoly and Anti-corruption Efforts
In response to global regulatory trends, Toshiba has engaged in rigorous efforts to prevent violations of antitrust law and bribery based on its structure of risk management and compliance. For both, it has established compliance programs reflecting laws and regulations in Japan and overseas, together with associated sets of guidelines. Those guidelines clearly define prohibited acts such as cartels, bribery and facilitation payments. In addition, the compliance programs and guidelines stipulate matters related to internal procedures, including pre-screening and consultation, and matters related to internal systems, education, and audits. Toshiba promotes rigorous compliance with business-related laws and regulations by providing education and effectively utilizing databases that contain relevant information.
Toshiba also conducts training on themes including compliance with the Antimonopoly Act and prevention of bribery as part of measures to promote compliance awareness anchored in the Standards of Conduct for Toshiba Group. Going forward, we will strive to enhance the content of such education programs and increase the number of target companies.
In addition, Toshiba assesses the risks of Group companies every year. In FY2020, it also made efforts to identify the operating status of these measures and to take measures for improvement. As for these compliance initiatives, we make improvements to reduce the risks pointed out in internal audits and other checks in order to continue to enhance our risk management and compliance structure.
To prevent violations and detect at an early stage situations that could lead to violations, Toshiba has established the whistleblower system for employees and the Clean Partner Line for suppliers and business partners as channels for reporting violations or suspected violations.
Furthermore, Regional Representative Subsidiaries in major global regions support local subsidiaries as a foundation for risk management in such regions. This has been done in order to appropriately control legal risks associated with relevant anti-trust laws, bribery, and the like and ensure thorough compliance in global business, which has been expanding mainly in emerging countries.
| Item | Number of cases in FY2020 | Loss resulting from legal violations (yen) |
| --- | --- | --- |
| Exposure through price cartel | 0 | 0 |
| Exposure through bribery | 0 | 0 |
The Standards of Conduct for Toshiba Group stipulates that Toshiba Group shall not provide inappropriate benefits or favors to any politician or political organization.
Also, as part of its social contributions, Toshiba offers political contributions, when necessary, in order to contribute to the realization of policy-oriented politics, to support the healthy development of parliamentary democracy and to improve the transparency of political contributions. When offering a political contribution, procedures in accordance with internal rules are followed, and in Japan compliance with the Political Funds Control Law is strictly ensured.
Toshiba and key Group companies made no political contributions in FY2020.
Donations and Provision of Funds
While the Standards of Conduct for Toshiba Group forbid inappropriate expenses, they stipulate that appropriate donations to organizations may be made. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the donee organization to society, its cause and community aspects, as specified by the Standards of Conduct for Toshiba Group.
Fair Trading Policy and Its Promoting Structure
Toshiba Group strives to build sound partnerships with suppliers through fair trading in compliance with procurement-related laws and regulations.
Toshiba Group is promoting thorough observance of CSR both in its own procurement activities, and in those of its suppliers.
A CSR procurement promotion structure has been established within the Group to ensure that each procurement transaction is carried out in compliance with the relevant Japanese and international laws and regulations. Information on compliance concerning procurement is communicated thoroughly to Group companies through this structure.
Moreover, measures are communicated thoroughly by means of Procurement Compliance Liaison Meetings, organized by the Procurement Division and attended by Compliance Managers and Compliance Coordinators.
Toshiba Group CSR procurement promotion structure
In FY2020, in line with a basic policy of strengthening compliance in the procurement process, Toshiba took action to ensure adherence to regulations on legal compliance by checking the operation of each Group company’s procurement processes through investigations of the procurement process and patrols to inspect procurement transactions. In FY2021, we will continue to strengthen the operation of our procurement processes.
Clean Partner Line, Whistleblower System for Suppliers and Business Partners
Toshiba Group has established a whistleblower system for suppliers and business partners called the Clean Partner Line, as a point of contact for our suppliers to tell us about issues or concerns regarding persons associated with Toshiba Group. Personal information on whistleblowers is not disclosed to anyone other than the Clean Partner Line staff without the whistleblower’s consent. Also, what whistleblowers report is handled under strict procedures, with care taken not to treat whistleblowers or their companies unfavorably for whistleblowing. We notify our business partners of this system and request that they make use of it.
Checks of Fair Trading Practices (Thorough Compliance with the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors)
In Japan, we monitor the subcontracted transactions of Toshiba Group companies that undertake such transactions. Where items require improvement, guidance is provided to make improvements and ensure thorough compliance.
Training to Ensure Fair Trading Practices
At Toshiba Group, various training programs on compliance in procurement are provided to ensure fair trading practices. For example, since FY2007, we have conducted e-learning for employees of Group companies in Japan on relevant acts, such as the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors.
In FY2020, a total of 76,504 employees participated in the e-learning program on the Subcontract Act, which was held between January and February 2021.
We also provide compliance education for employees engaged in procurement at various phases of their careers.
Breaking Relationships with Antisocial Groups
In 1997, the Board of Directors resolved to end relations with antisocial forces such as sokaiya (groups of racketeers). Since then, the Group has strictly dealt with approaches from third parties to obstruct our lawful and appropriate corporate activities. With regard to this stance, the rejection of the involvement of antisocial groups in our business activities has been explicitly stated in the SOC. By providing e-learning lessons about the SOC to all employees, we continuously ensure that employees understand the importance of excluding antisocial groups from the business they do. In addition, in order to further ensure that all relations with antisocial forces are cut off, all Toshiba Group companies have taken various measures, such as developing and implementing Basic Public Relations Management Rules and appointing public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with antisocial groups. We also periodically conduct surveys on customers that we already have business relations with.
Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as an antisocial group. Toshiba Group also works with the police, corporate attorneys, and third-party organizations such as the National Center for the Elimination of Boryokudan to establish systems that enable us to respond to approaches from antisocial forces in an appropriate and timely manner.
Export Control Policy
As indicated in the Standards of Conduct for Toshiba Group, Toshiba Group’s basic export policy is to refrain from any transaction that could potentially undermine international peace and security. We comply with all applicable export control laws and regulations of the countries and regions where we operate, for example the Foreign Exchange and Foreign Trade Law in the case of Japan, and US export control laws and regulations with respect to transactions involving items of US origin.
In accordance with the policy, Toshiba Group has established the Export Control Compliance Program (ECCP). Based on the program, we classify the goods and technology and screen transactions. In addition to periodic export control audits and education for all executives and employees, key Group companies and corporate staff divisions provide instructions and support to the Group companies they supervise.
* ECCP: Export Control Compliance Program
Export Control System
Toshiba’s export control system is organized under the Chief Export Control Officer who has ultimate responsibility for the corporation’s export control. The Chief Export Control Officer must be a representative executive officer or an executive equivalent thereto. Under the Chief Export Control Officer, the Legal Division Export Control Office is responsible for overseeing the export control implemented pursuant to the Toshiba Export Control Compliance Program (ECCP). Based on the Toshiba ECCP, Toshiba Group companies and corporate staff divisions have their own export control organizations led by the Export Control Officers. The Export Control Officers must be heads of the corporate staff divisions in the case of corporate staff divisions, or presidents of Group companies in the case of Group companies.
Toshiba Group’s export control organization
Product Classification and Transaction Review
The technical department classifies the goods or technology and determines whether an export license is required. Transaction screening is then carried out accordingly, including confirmation of the end-use, end-user, and final destination. Classification and transaction screening are checked and approved by multiple persons in charge. For transactions with countries and regions of concern, the Export Control Office conducts stringent assessments and approvals.
Inspection and Audit of Export Control
Corporate staff divisions and Group companies under their control perform internal self-checks. In addition, the Export Control Office or the supervising department conducts regular audits to check if export control is appropriately performed. Audits are conducted once every one to three years at target companies, and in FY2020, audits were performed for four internal divisions in Japan and five Group companies. Overseas, audits are done in Europe, the United States, Asia and China, and in FY2020, eight Group companies in Asia received audits. Where problems are identified by the audit, we demand that improvement plans be submitted, and check the progress of the plans.
Export Control Training
Training courses on export controls (regular and specialized courses) are offered by the Export Control Office for corporate staff divisions and Group companies to educate employees on the importance of export control and to raise awareness and knowledge of the Toshiba Export Control Compliance Program (ECCP) and related internal regulations.
Furthermore, the Export Control Office provides compulsory export control education for all employees of Group companies in Japan through an e-learning system every year.
Export controls at Group companies, including those located overseas, are modeled after those of Toshiba itself, which are implemented under the Toshiba Export Control Compliance Program (ECCP). Export control audits are conducted periodically to evaluate their performance.
The Export Control Office holds meetings with corporate staff divisions and key Group companies to communicate on matters such as the international situation, regulatory trends, and specific requirements, and additionally to provide a forum for exchange of information and opinions. Key Group companies provide guidance and support on export control to other Group companies under their control.
Meanwhile, to enhance support for Toshiba Group overseas, we issue a quarterly export control bulletin for local staff working in export control, where we share information on export control-related legal revisions, sanctions, cases of legal violation, and other news.
Information Security Management
Policy on Information Security
Toshiba Group regards all information handled in the course of its business activities, such as personal data, customer information, management information, and technical and production information, as important assets. Its policy is to manage all corporate information as confidential information and to ensure that it is not inappropriately disclosed, leaked, or used. Accordingly, Toshiba has a fundamental policy “to manage and protect such information assets properly, with top priority on compliance.” The policy is stipulated in the chapter “Corporate Information and Company Assets” of the Standards of Conduct for Toshiba Group, and awareness of it among management and employees is encouraged.
In response to regulatory changes and changes in the social environment, Toshiba Group revises the related rules on an ongoing basis so as to rigorously manage its information security.
When providing information to outsourcing contractors, we request them to maintain confidentiality and comply with relevant laws and regulations in the same manner as Toshiba does.
Structure of Information Security Management
Addressing information security as a management priority, Toshiba Group appointed the Chief Information Security Officer (CISO) and each corporate staff division and Toshiba Group company has established, under the supervision of the CISO, an information security management structure.
The Cyber Security Committee deliberates matters that are necessary to ensure information security throughout Toshiba Group. The CISO formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective, and definitive manner.
At each division inside Toshiba, key Group companies, and subsidiaries and affiliates*1, the head of the organization serves as Information Security Management Executive, bearing responsibility for information security at their respective organization. The Executives provide guidance and assistance to Group companies in Japan and overseas under their control to ensure that they implement information security at a level equivalent to that of Toshiba.
Toshiba Group Information Security Management Structure
- *1 Key Group companies and Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, Toshiba Carrier Corporation, and Toshiba Plant Systems & Services Corporation
- *2 CSIRT: Computer Security Incident Response Team
Information Security Measures
Toshiba Group implements information security measures from four perspectives (see the table below). The Corporate Technology Planning Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Group companies through notices and briefings.
| Perspective | Content |
| --- | --- |
| (1) Organizational measures | Establish an organizational structure and rules |
| (2) Personal and legal measures | Ensure adherence to rules |
| (3) Physical measures | Support implementation of rules in terms of physical security |
| (4) Technical measures | Support implementation of rules in terms of technology |
* EDR: Endpoint Detection and Response
To protect against cyber-attacks, which become more sophisticated every year, we introduced a function to block suspicious e-mails, enhanced our anti-virus measures for information equipment such as IoT devices, and trained all employees in handling targeted attack e-mails. Toshiba Group also commissioned an attack and penetration assessment from a specialized cyber security firm in order to validate the effectiveness of its security measures. In addition, we enhanced the monitoring of our network and in-house systems so that we can respond quickly if a virus enters company systems.
Education, Inspection, and Audit of Information Security Management
Toshiba Group covers a diverse portfolio of businesses. To ensure Group-wide information security, it is vital that each Group company runs the PDCA (Plan-Do-Check-Act) cycle independently. Accordingly, Toshiba Group carries out an annual self-audit of its compliance with internal rules to identify issues and plan improvements. The Corporate Technology Planning Division evaluates the results of the audits and the related improvements carried out by each Toshiba division, key Group companies, and subsidiaries and affiliates*1, and provides support and guidance where necessary.
In FY2020, three key points were identified: (1) the need for measures to prevent loss and theft of information devices, (2) information security related to the procurement of technology from external parties, and (3) information security at Toshiba Group overseas. With regard to (3) in particular, we have recently observed an increasing tendency for cyber attackers targeting Japanese companies to try to steal information stored in Japan via overseas subsidiaries. To address this trend, we used a dedicated tool to check whether passwords for server administrator IDs were weak, and instructed overseas subsidiaries to manage passwords with stronger security. The audit results and improvement initiatives of each Toshiba Group company are subject to assessment by the supervising division, which provides relevant guidance and support.
Toshiba Group companies in Japan have obtained the Information Security Management System (ISMS) certification*2 and PrivacyMark certification*3 according to their business areas and have received external audits from certification authorities.
Moreover, Toshiba Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations. There are also programs such as training for those engaged in information security operations, and introductory training for new graduate employees.
- *1 Key Group companies and Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, Toshiba Carrier Corporation, and Toshiba Plant Systems & Services Corporation
- *2 A third-party certification system for the information security management system compliant with ISO/IEC 27000 series
- *3 A certification mark granted through third party assessment to businesses that have a system to ensure appropriate handling of personal information in compliance with Japan Industrial Standards (JIS) Q 15001: Personal Information Protection Management System–Requirements
Response to Incidents Such as Leakage of Confidential Information
In the event of an information security incident such as the leakage of confidential information, Toshiba responds promptly in accordance with the Information Security Incident Reporting Structure.
When an employee becomes aware of an incident or potential incident involving the leakage of corporate information, the employee immediately reports to the CSIRT. In response, the CSIRT Leader devises necessary measures, such as an investigation into the cause and review of actions to prevent recurrence. In the event of a serious leakage or potential leakage of confidential information that may constitute a violation of laws and ordinances, Toshiba implements measures such as disclosure following discussion among the related corporate staff divisions in accordance with the applicable laws and ordinances.
In the event of an incident that could affect confidential information obtained from outside the Company or affect external parties, we will take appropriate measures in good faith, including communicating necessary information such as all relevant facts and the measures to be taken to prevent recurrence.
Information Security Incident Reporting Structure
- * Key Group companies and Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, Toshiba Carrier Corporation, and Toshiba Plant Systems & Services Corporation
Status of Incidents Such as Leakage of Confidential Information
In FY2020, Toshiba Group experienced no leaks of important information held by the Company. There were also no personal data-related complaints or appeals filed by regulatory authorities or other external parties. We will continue working to put in place a system for preventing information security-related incidents that covers all eventualities.
For details on information security management, please refer to our Cyber Security Report.
Product Safety Information and Advertising
Policy on Product Safety Information and Advertising
Toshiba Group provides accurate product information and executes appropriate advertising in a lawful manner and in accordance with the Standards of Conduct for Toshiba Group. Quality assurance divisions of Group companies and affiliated companies monitor the safety standards of the countries where products are marketed and technical standards such as the UL Standards*1 and CE Marking*2 to ensure that their product labeling is in compliance with the relevant standards.
- *1 UL Standards: Safety standards established by UL LLC (Underwriters Laboratories Inc.), which develops standards for materials, products, and equipment and provides product testing and certification.
- *2 CE Marking: A certification mark that indicates conformity with the safety standards of the European Union (EU). CE marking is required for products sold within the European Economic Area (EEA).
Compliance with Regulations and In-House Standards Regarding Products
In FY2020, there were no violations of product safety regulations or in-house standards in the life cycle of our products and services. There were also no violations of regulations or in-house standards relating to information and labeling of products and services.
Compliance with Regulations on Advertising and Labeling
As a result of strict compliance with the Antimonopoly Act, the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices, and the Act Against Unjustifiable Premiums and Misleading Representations by Toshiba Group in Japan, there were no legal violations related to advertising in FY2020.
Basic Policy on Tax
Based on the Basic Policy on Tax, Toshiba Group complies with legal ordinances, notices, and regulations in various countries and makes efforts to properly file tax returns and pay taxes.
Code of Conduct for Tax Operations
Toshiba Group shall act based on the following three codes, in order to achieve the aims of the basic policy.
Efforts on Tax Operations
Toshiba Group shall carry out the following tax operations, based on the basic policy.
Training for Employees and Use of External Specialists
Tax operations of Toshiba Group companies shall be carried out by their employees who are well-versed in their respective local taxation. Toshiba Group shall provide training opportunities to employees involved in tax operations according to their positions and experience levels. In principle, Toshiba Group shall have its tax operations regularly reviewed by external specialists to confirm that they are carried out appropriately in accordance with laws and regulations, while Toshiba Group itself makes the final tax-related decisions.
Efforts on International Tax Systems
Toshiba Group shall have a responsibility to carry out cross-border transactions with foreign related parties at the arm’s length price, and to document the transaction details based on the relevant laws and regulations in the tax jurisdiction.
When carrying out cross-border transactions, Toshiba Group shall confirm whether a tax treaty exists between the relevant countries and, if so, utilize its benefits with full knowledge of the details, and make efforts to minimize tax costs and eliminate double taxation.
Risk Management Using the Business Continuity Plan (BCP)
Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses, ultimately affecting our stakeholders. Toshiba Group implements measures to ensure the safety of employees and their families, support recovery of devastated areas, and maintain business sites and factories. In addition, we are promoting measures from the perspective of business continuity to enable continued supply or early recovery of products and services in the event we suffer damages or losses.
The Business Continuity Plan (BCP), which we have been formulating and developing Group-wide since 2007, is one such measure. Focusing on our key businesses that have large social and economic impacts, we have established a BCP that assumes potential large-scale earthquakes and new strains of influenza, and we continually update the Plan in order to maintain and improve its effectiveness.
We created a COVID-19 team and declared an internal state of emergency in February 2020, implementing Group-wide countermeasures from two perspectives: “business continuity and fulfillment of social responsibilities” and “securing the safety of employees and society.” We have proceeded with unprecedented Group-wide countermeasures such as stringent restrictions on staff access to the workplace and drastic alteration of working hours, in order to prepare for the worst case scenario and to protect lives.
Toshiba Group will continue to reinforce its BCP, giving utmost priority to the safety of all employees, so that operations can continue even when a large-scale disaster, such as an earthquake, storm, flood, or other major disaster, occurs in combination with a pandemic.
BCP Procurement Management
In response to the Great East Japan Earthquake and the floods in Thailand, both of which occurred in 2011, Toshiba Group has been working to establish a disaster-resistant procurement system. Based on Toshiba Group’s Procurement Policy, we request our suppliers to cooperate in continuing to provide supplies in the event of an unanticipated disaster.
In 2012, we established the BCP Procurement Guidelines to provide crisis management standards. Also, to minimize the risk of supply chain disruptions and reduce the amount of time required to resolve supply chain disruptions, we have built a system to manage corporate information on suppliers upstream in the supply chain. In the event of an unanticipated disaster, we use this system to quickly investigate its effects on our suppliers worldwide for prompt action.
In response to COVID-19, we have taken the necessary countermeasures in collaboration with suppliers to secure supply and minimize the impact on business. In addition, in response to the tight worldwide supply and demand for semiconductors that began in the second half of FY2020, we have been negotiating with semiconductor suppliers to secure supply and switching to alternatives.