Risk Management
Guidelines & Structure
The Fujitsu Group aims to achieve business continuity, enhanced corporate value, and the sustainable development of corporate activities. Uncertainties that might affect the achievement of these objectives are considered to be risks. To address these risks, the Fujitsu Group established a Risk Management & Compliance Committee based on the Policy on the Internal Control System determined by the Board of Directors.
The Committee reports directly to the Board of Directors (including the Independent Directors and Auditors Council) and oversees risk management and compliance for the entire Fujitsu Group.
The Risk Management & Compliance Committee is chaired by the CEO and is composed of Board Members. Its primary function is to continually assess and verify risks that could potentially lead to losses for the Fujitsu Group. The Committee proactively implements measures to control risks identified during the course of business operations (potential risk management). Additionally, the Committee regularly analyzes realized risks to minimize losses, reporting them to the Board of Directors and working to prevent their recurrence (materialized risk management).
The Risk Management & Compliance Committee has established Regional Risk Management & Compliance Committees in each region that forms part of the global, region-based business execution structure. These regional committees operate as subcommittees. The Risk Management & Compliance Committee has deployed Risk Management & Compliance Officers to Business units (First line), as well as to Group companies and regions, both in Japan and overseas. Together, these entities collaborate to build a structure that promotes risk management and compliance throughout the Group.
To further strengthen the Group’s risk management capabilities, the company has established the Corporate Risk Management Office (Second line), a department which reports directly to the CEO and is independent of the business divisions. The Committee’s secretariat function is provided by the Corporate Risk Management Office and is supervised by the Chief Risk Management Officer (CRMO). The Secretariat monitors overall risk information, providing rapid and appropriate responses, and ensuring thorough risk management under the CEO’s direction. As well it convenes a monthly meeting of the Risk Management & Compliance Committee to ensure the swift and effective implementation of corporate policies.
To check that the risk management and compliance system is functioning properly, the company conducts annual audits by corporate auditors and internal audits by audit departments (Third line).
Processes
Potential Risk Management Process
-
Identification and review of important risks of the Fujitsu Group
The Risk Management & Compliance Committee Secretariat (Corporate Risk Management Office, Second line) identifies and reviews the 16 important risks considered important to the Fujitsu Group, taking into account environmental changes affecting the Group. Risk scenarios are defined for each important risk, and they are classified into pure risk and management risk. -
Appointment of risk management departments (Second line)
A risk management department is assigned to each important risk, and is responsible for maintaining control over that specific risk. -
Evaluation of risks to the Fujitsu Group
Risk management departments, Business units, and Group companies evaluate the impact of each important risk, the likelihood of its occurrence, and the status of mitigation measures.
We select the risks that must be actively taken to achieve the Group's business strategies and goals, and those that must be actively avoided. -
Ranking and mapping of important risks
Based on the evaluation results of the Group, we rank important risks and create risk maps to visualize their importance. By plotting to four quadrants on a risk map, important risks are evaluated at four levels (avoid/transfer/reduce/hold). From these evaluation results and status of materialized risks, importance is evaluated and high priority risks are determined. -
Risk Management & Compliance Committee Report
Analyses are conducted based on the evaluation findings, and mitigation policies are discussed and determined to address high priority risks and important risks to the Group. -
Issuing of corrective instructions to Business units and Group companies
Based on the evaluation results, feedback is provided to Business units and Group companies, advising them on improvements. -
Risk monitoring within Business units and Group companies
Regular risk monitoring is implemented within Business units and Group companies to assess the status of mitigation measures and reduce risk exposure.
Addressing Materialized Risks
- Risk management regulations mandate rules (such as prompt escalation to the Risk Management & Compliance Committee) and require employees to be informed accordingly.
- Establish escalation rules for Business units and Group companies, and deploy promptly, based on risk management standards and rules for escalating risks to the Risk Management & Compliance Committee.
-
Analyze risks and deploy mitigation measures, and report to the Board of Directors as necessary, to prevent recurrence.
By cycling through this risk management process and having the risk management departments monitor it regularly throughout the year, we aim to reduce risks across the Fujitsu Group and to minimize the impact when risks emerge.
High Priority Risks
Considering the findings from evaluations conducted in the Potential Risk Management Process and the status of materialized risks, we have chosen to focus on high priority risks based on their impact on achieving the Fujitsu Group's business strategies and goals. Consequently, we have identified the following two important risks as high priority for FY2025:
- Security risks
- Deficiencies or flaws in products and services
Important risks of the Group (*1)
- 1. Security risks (Pure risk)
- 2. Risks of natural disasters and unforeseen Incidents (Pure risk)
- 3. Human rights risks (Pure risk)
- 4. Compliance risks (Pure risk)
- 5. Financial risks (Management risk)
- 6. Risks related to environment and climate change (Pure risk)
- 7. Risks related to the Fujitsu Group facilities and systems (Pure risk)
- 8. Risks related to competitors and industries (Management risk)
- 9. Deficiencies or flaws in products and services (Pure risk)
- 10. Risks related to economic and financial market trends (Management risk)
- 11. Intellectual property risks (Management risk)
- 12. Customer risks (Management risk)
- 13. Risks related to suppliers, alliances, etc (Management risk)
- 14. Risks related to investment decisions and business restructuring (Management risk)
- 15. Risks related to public regulation, public policy and tax matters (Management risk)
- 16. Risks related to human resources (Management risk)
*1: These are just some examples of the risks associated with doing business.More detailed risk-related information can be found in our securities and other reports.
- https://pr.fujitsu.com/jp/ir/secreports/
- Please refer to the web page below for detailed risk information in accordance with our Task Force on Climate-related Financial Disclosures (TCFD) declaration.
Risk Management Education, etc.
To enforce risk management across the entire Fujitsu Group, we conduct education and training at every level.
These programs are targeted at newly appointed executives and managers, as well as others, to educate them on our basic approach to risk management and our rules for promptly escalating issues to the Risk Management & Compliance Committee. The programs present specific instances relating to products, services, and information security, with the aim of continually improving participants’ awareness of risk management and enhancing their capacity to respond to risks.
Furthermore, by incorporating risk management into employee evaluation indicators, the risk management departments aim to not only link evaluations to financial incentives, but also enhance the organization’s risk responsiveness by improving its risk management skills.
Refer to the “FY2024 Performance” section for information on education outcomes for FY2024.
Group-Wide Disaster Management
The basic policy of Fujitsu and its group companies in and outside Japan is to ensure the safety of staff and facilities when disasters occur, to minimize harm and to prevent secondary disasters. We also aim to ensure that business operations resume quickly, and that we can assist in disaster recovery for our customers and suppliers. To this end, we are building robust collaborative structures in our internal organizations and strengthening our business continuity capabilities.
In addition to supporting our customers through the management structure in each business unit and group company, the Fujitsu Group is building ‘area-based disaster management systems’ in each region for working in cooperation with and responding to customers.
To verify the efficacy of our disaster management systems and enhance our response capabilities, we conduct drills tailored to every level, from the entire company through to task forces, workplaces, and employees. We also implement voluntary inspections and verification activities to prevent accidents and minimize the level of harm in each of our facilities. These efforts enable us to accurately identify existing issues and review and implement measures to address those issues, thereby allowing us to work toward continually improving our capacity to prepare for disasters and sustain our business operations.
For more information on our Group-wide disaster management, joint disaster response drills and verification activities, please refer to the PDF listed below, and for activity outcomes for FY2024 refer to the “FY2024 Performance” section.
Business Continuity Management
Recent years have seen a myriad of risks that threaten continued economic and social activity. Such events include earthquakes, floods and other large-scale natural disasters, disruptive incidents and accidents, and pandemics involving infectious diseases. To ensure that Fujitsu and its group companies both in and outside Japan can continue to provide a stable supply of products and services offering the high levels of performance and quality that customers require, even when such unforeseen circumstances occur, we have formulated a Business Continuity Plan (BCP). We are also promoting Business Continuity Management (BCM) as a way of continually reviewing and improving our BCP.
In its response to disasters and infectious diseases, the Fujitsu Group placed the highest priority on maintaining the health and safety of its customers, suppliers and employees, and their families . It also promoted initiatives to sustain the supply of products and services to customers and to help resolve the many societal issues that arise due to disasters and infectious diseases.
For more information on our BCM activities, infectious disease countermeasures and BCM in our supply chain, please refer to the PDF listed below, and for activity outcomes for FY2024 refer to the “FY2024 Performance” section.
FY2024 Performance
Risk Management Education
Fujitsu Group new executive training: 38 people
Uses specific examples to illustrate key points that new executives need to take note of, including internal regulatory systems and issues relating to risk management and compliance.
Training for Board of Directors: 9 (including 6 non-executive directors)
Providing e-learning in various fields, including risk management, for non-executive and executive directors.
Fujitsu Group new manager training: 1,012 people
An e-Learning course that covers areas such as the basic approach to risk management and the role of managers regarding risk management.
Risk management education program: Fujitsu Group 120,000 people
Implemented e-Learning on risk management in general (information security, compliance, etc.)
Disaster Management Forum: 357 people
These forums are targeted at Fujitsu Group staff responsible for disaster management and business continuity, and all employees in Japan. They offer an opportunity for participants to share knowledge with the aim of improving our on-site responses to large-scale disasters.
Serious Incident Response Training
Serious incident response exercise (Europe region, April 2024: 143 people; Uvance, January 2025: 88 people): 231 people in total
To strengthen the response to a serious incident (including initial measures, cause investigation, cooperation between the site or region and head office, customer response, response to personal information leakage, and media response), we verified the incident response process through training run on two levels, to the site units, and to management in the form of an incident response meeting. Incident response capabilities and inter-organizational cooperation in overseas regions will be enhanced by identifying issues through training and making continuous improvements.
Disaster Management & BCM Training
Joint disaster response drills: FY2024 Drill - Earthquake in the Chugoku/Shikoku area
These annual drills are used to ensure and to verify that Fujitsu and its group companies in Japan are fully versed in the essentials of dealing collaboratively with major disasters. (Proposed scenarios include the “Tokyo Metropolitan Area Earthquake” and the “Nankai Trough Megaquake”.)
Training exercise involving a hypothetical pandemic scenario to check BCP
An awareness training exercise centered on a hypothetical scenario involving the loss of human resources in a crisis situation was implemented for all our employees around the globe. The objective was to raise the awareness of every employee involved in business continuity, and measure the business continuity capabilities of the organization as a whole. In addition, a simulation of operations and inter-organizational coordination as outlined in each organization’s BCP was used to identify issues and improve the Fujitsu Group BCP.