Risk and Compliance Committee Structure
Risk and Compliance
KIOXIA Group enforces global compliance with relevant laws and regulations, internal rules, and social and ethical norms, and carries out risk and compliance activities.
Policy and Structure of Risk and Compliance
At KIOXIA Group, we strive to ensure thorough compliance with all relevant laws and regulations on the basis of fair and honest competition.
KIOXIA has established a system whereby our Risk and Compliance Committee has complete authority and responsibility with regard to issues of risk and compliance. We classify risks into categories including compliance-related risks, finance/accounting-related risks, and business risks, and have established committees and review groups for each category to enable agile management of these. Each committee and review group reports on activities and status to the Risk and Compliance Committee on a timely basis.
In order to create an open work environment and reduce risk, in addition to encouraging day-to-day communication within each workplace, KIOXIA Group operates a whistleblower system. All employees are informed about this system through internal websites, emails and other means. The system is designed to protect the anonymity of whistleblowers and ensure that they are not treated disadvantageously. The number of reports received and consultations undertaken through the whistleblower system in FY2020 was 105. Of the reports received, those referencing inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts issued. In cases involving consultations and questions about the duties of the informants themselves, we gave advice on how to deal with each situation. For reports other than those that were anonymously submitted, in principle we explained the status of our responses to the informants. Except in cases where consent has been obtained from the employee, the names or contact details of the informants are never disclosed.
Business Partner Hotline
KIOXIA Group has established a Business Partner Hotline to assist our business partners, such as suppliers, to report to us any violations or suspected violations of laws and regulations, Kioxia Group Standards of Conduct, the KIOXIA Group Procurement Policy, business agreements, corporate ethics, and other applicable rules, standards and norms established by KIOXIA Group in connection with procurement and other business transactions, and to help KIOXIA Group rectify the situation.
We will investigate and confirm the facts and in principle notify the results of our investigation to the whistleblower. The personal details of the person who made the allegation will not be disclosed to anyone outside the Business Partner Hotline Secretariat without their consent. Moreover, we will ensure there is no unfair treatment of the whistleblower or their company arising from their allegation.
Risk and Compliance Training
KIOXIA Group provides training for directors and employees to raise their awareness of the need for legal compliance.
Compliance with Anti-trust Law & Anti-Bribery Measures
KIOXIA Group enforces compliance with anti-trust laws and is strengthening measures to tackle bribery globally.
Anti-trust and Anti-bribery Efforts
In the light of recent global regulatory trends, KIOXIA Group has been making rigorous efforts to prevent cartelization and bribery. In FY2020 specifically, these efforts involved KIOXIA Group companies worldwide performing self-audits to verify their observance of internal anti-trust and anti-bribery guidelines. Through these audits, KIOXIA Group aims to identify compliance levels at the companies concerned and to provide thorough compliance education.
KIOXIA Group promotes rigorous compliance with business-related laws and regulations by providing education, making effective use of relevant databases, and performing periodic self-audits.
We make improvements aimed at mitigating any risks identified through these activities or by third parties, in order to continue to enhance our compliance structure.
Furthermore, KIOXIA Group is taking steps to raise compliance awareness among our staff based on our own Standards of Conduct. KIOXIA Group companies in Japan provided their directors and employees with e-learning training on sales-related risks from December 2020 to February 2021, to raise the standard of sales-related legal risk management.
Kioxia Group Standards of Conduct stipulate that KIOXIA Group shall not provide inappropriate benefits or favors to any politician or political organization.
As part of its contribution to society, and when deemed to be necessary, KIOXIA Group does make transparent donations to political parties, in order to encourage the adoption of policies that will support our business and aid the healthy development of parliamentary democracy.
Where we make donations to political parties, procedures in accordance with internal rules are followed and, in the case of donations made in Japan, we ensure we are compliant with Japan’s Political Funds Control Law.
Donations and Provision of Funds
While the KIOXIA Group forbids the incurring of inappropriate expenses, we do stipulate that appropriate donations may be made to appropriate organizations. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the organization to society, its causes, and the community aspects of its activities.
Continuing to Sever Relationships with Antisocial Groups
All KIOXIA Group companies in Japan have taken various measures to ensure that all links with antisocial groups are severed.
More specifically, we have developed and implemented “Basic Public Relations Management Rules” and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with any antisocial groups. If during those background checks the need arises for further investigation, our Human Resources and Administration Division will verify whether there is any evidence of a relationship between the customer and any antisocial groups.
We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when a business partner is identified as being part of an antisocial group.
We also continuously ensure that employees understand the importance of excluding antisocial groups from the business activities they conduct.
Information Security Management
Information Security Policy
KIOXIA Group regards as important assets information such as personal data, customer information, management information, and technical and production information handled during the course of business activities. We accordingly adopt policies aimed at ensuring that all corporate information is managed in a confidential manner and that it is not disclosed, leaked, or used inappropriately. These include a fundamental policy whose stated aim is “to manage and protect such information assets properly, with top priority on compliance.” The policy is stipulated in the “Information Security” chapter of the Kioxia Group Standards of Conduct and managerial and employee awareness of this is encouraged.
In response to regulatory changes and changes in the social environment, KIOXIA Group revises those policies on an ongoing basis so as to rigorously manage its information security.
Structure of Information Security Management
Addressing information security as a management priority, KIOXIA Group has established, under the supervision of the Chief Information Security Officer, an information security management structure under which the head of each organization, such as the head of each business site, as well as the president of each group company, is responsible for information security.
The Information Security Committee deliberates matters that are deemed key in ensuring information security throughout the company. The Chief Information Security Officer formulates and enacts measures to ensure that internal rules related to information security are enforced in a problem-free, effective and definitive manner.
The Information Security Management Executive appoints the Information Security Implementation Managers, and is responsible for operation of the information security management system.
The Information Security Management Executive also provides guidance and assistance to all group companies under its control to ensure that they implement information security at a level equivalent to that of the KIOXIA Group.
KIOXIA Group has also established a similar management structure for the protection of personal data, and has a department external to the Secretariat (the Internal Audit Division) that conducts audits.
Information Security Management Structure
Information Security Measures
KIOXIA Group implements information security measures from four perspectives (see table below). The Cyber Security Center and the IT & Business Transformation Division incorporate these measures into regulations and guidelines and make them fully known to all KIOXIA Group companies through notices and briefings.
Implementation of Information Security Measures from Four Perspectives
(1) Organizational measures:
(2) Human and legal measures:
(3) Physical measures:
(4) Technical measures:
To protect against cyber-attacks, which become more sophisticated every year, and in response to changes in working styles such as working from home due to COVID-19, we have enhanced our network monitoring and in-house systems so that we can accurately detect and quickly respond to attacks from outside as well as information leaks from inside. For attacks via e-mail, we have strengthened our processes for blocking suspicious e-mails and trained all employees in the handling of targeted e-mail attacks to help prevent malware infections.
Education, Inspection and Audit of Information Security Management
KIOXIA Group considers the autonomous implementation of the PDCA (Plan-Do-Check-Act) cycle by each division to be vital for ensuring the company’s information security. With this in mind, every division conducts an annual self-audit of its compliance with internal rules and uses the results to formulate its own improvement plan.
All domestic and overseas Group companies also conduct annual self-audits to improve the level of information security at each of them.
Moreover, KIOXIA Group conducts annual training for all officers, as well as for permanent and temporary employees, in order to ensure strict compliance with in-house regulations.
Other programs include introductory training for new graduate employees, and training for the employees of subcontractor companies.
Response to Incidents such as Leakage of Confidential Information
In the event an information security incident occurs, such as the leakage of confidential information, KIOXIA Group responds promptly in accordance with its information security incident reporting structure.
When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports it to the Implementation Manager. Upon receipt of the employee’s report, the Implementation Manager draws up a list of all necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, KIOXIA Group implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the relevant corporate staff divisions.
Information Security Incident Reporting Structure
Status of Incidents such as Leakage of Confidential Information
In FY2020, there were no incidents of sensitive information held by KIOXIA Group companies being leaked, nor were there any complaints from relevant external individuals or regulatory bodies concerning personal data. We will continue to work to prevent information security incidents and to be fully prepared for any situation.
Measures on Rational Tax Reporting
KIOXIA Group has bases in countries around the world and operates globally. We comply with the laws and regulations in each of those countries and regions, we take into account other guidelines issued by international organizations and we properly report and pay taxes attributable to activities generating income. In addition, we conduct our business activities under an appropriate tax structure tied to business objectives and refrain completely from transactions aimed at tax avoidance.
KIOXIA Group’s policy regarding taxation is to ensure transparency in our business activities, striving to maintain good relations with the tax authorities in each country or region while demonstrating sincerity and maintaining high ethical standards.
Risk Management through Business Continuity Plan (BCP)
KIOXIA Group identifies, analyzes and assesses business risks and strengthens risk management across all areas of its business in order to prevent interruptions to operations in times of emergency, such as earthquakes or other natural disasters, accidents, or pandemics. The Group has stipulated BCP management regulations and implemented measures to ensure the safety of employees and their families as well as to ensure disaster readiness at our business sites and factories. We conduct practical training and prepare for emergencies so that we can continue or quickly resume delivering products and services in the event of damage or loss. We have established BCP promotional structures at KIOXIA Group manufacturing, sales, and technical bases as well as at administrative bases, and implement a PDCA cycle as part of these efforts.