Risk and Compliance

KIOXIA Group enforces global compliance with relevant laws and regulations, social and ethical norms, and internal rules, and carries out risk and compliance activities.

Risk and Compliance Policy and Structure

At KIOXIA Group, we strive to ensure thorough compliance with all relevant laws and regulations based on the Kioxia Group Standards of Conduct, in order to ensure fair and honest competition.
At KIOXIA, the President and CEO is assigned lead responsibility for ensuring risk compliance; the Human Resources & Administration Director and the Legal Affairs Director have joint second-level responsibility. KIOXIA has established a process whereby our Risk and Compliance Committee has complete authority and responsibility with regard to all risk and compliance-related issues across the entire Group. Our statutory auditors attend meetings of this Committee as “observers.”
In line with our Risk Compliance Management Regulations, KIOXIA Group collects, analyzes and assesses all relevant risk-related information, including compliance risks, before formulating priority measures and implementing them. Furthermore, we have constructed a framework that allows swift and organization-wide response to risks across the entire Group when required.
We classify risks into a number of categories, including compliance-related risks, finance/accounting-related risks, and business risks, and have established committees and review groups for each category to enable agile management of these. Each committee and review group reports on activities and status to the Risk and Compliance Committee on a timely basis. The Risk and Compliance Committee, which meets every six months, determines risks that may cause a crisis, or “crisis risks,”*1 and discusses all matters related to Group-wide risks and compliance activities. Furthermore, the Committee formulates, implements and supports risk and compliance management measures (priority measures), monitors the activities of each committee, and reports on these to the Board of Directors, which reviews them as appropriate. 
When a crisis risk or an event that may develop into one occurs, the Officer Responsible for Risk Compliance immediately contacts the Risk and Compliance Secretariat of KIOXIA Holdings, and receives direction from them on how to respond to the situation and prevent recurrences.

  • *1 Crisis risk is serious and immediate risk that cannot be addressed through usual decision-making channels and is at a level that has the potential to significantly endanger the value of the company.

Risk & Compliance Committee Structure

Risk & Compliance Committee Structure Risk & Compliance Committee Structure

Whistleblower System

Whistleblower "Risk Hotline" for Employees

In order to create an open work environment and reduce risk, in addition to encouraging day-to-day communication within each workplace, KIOXIA Group operates a whistleblower system. All employees are informed about this system through internal websites, emails and other means. The system is designed to protect the anonymity of whistleblowers and ensure that they are not treated disadvantageously. The number of reports received and consultations undertaken through the whistleblower system in FY2021 was 158. Of the reports received, those referencing inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts issued. In cases involving consultations and questions about the duties of the informants themselves, we gave advice on how to deal with each situation. For reports other than those that were anonymously submitted, in principle we explained the status of our responses to the informants. Except in cases where prior consent is obtained from the employees concerned, the names or contact details of informants are never disclosed.

Business Partner Hotline

KIOXIA Group has established a Business Partner Hotline to assist business partners such as suppliers to report to us any violations or suspected violations of laws and regulations, Kioxia Group Standards of Conduct, the KIOXIA Group Procurement Policy, business agreements, corporate ethics, or other applicable rules, standards and norms established by KIOXIA Group in connection with procurement and other business transactions, and to help KIOXIA Group rectify these.
We investigate and confirm the facts and in principle notify the results of our investigation to the whistleblower. The personal details of the person who made the allegation are not disclosed to anyone outside the Business Partner Hotline Secretariat without their consent. Moreover, we ensure there is no unfair treatment of the whistleblower or their company arising from their allegation.
The number of reports received and consultations undertaken through the Business Partner Hotline in FY2021 was one. The alleged situation was investigated, and the results of the investigation were shared and confirmed with the whistleblower.

Risk and Compliance Training

KIOXIA Group provides various compliance training programs and thoroughly disseminates details of the Kioxia Group Standards of Conduct to all directors and employees in order to reinforce risk and compliance awareness.

Anti-Corruption Efforts

KIOXIA Group defines risks related to compliance as priority risk management issues that have the potential to severely impact our business; we strive to prevent such risks and to respond swiftly in the event of an occurrence. The basic policy for behavior are defined in the “Kioxia Group Standards of Conduct 1. Sound Business Management and 2. Fair Business Operations.” Initiatives include the establishment of internal rules and operational frameworks aimed at ensuring compliance with anti-trust laws and regulations and with those related to the prevention of bribery or insider trading, or potential third-party risks such as political donations and funding.

Compliance with Anti-Trust Laws and Anti-Bribery Measures

KIOXIA Group enforces compliance with anti-trust laws and is strengthening measures to tackle bribery globally.
In the light of recent global regulatory trends, KIOXIA Group has been making rigorous efforts to prevent cartelization and bribery. In FY2020 specifically, these included core KIOXIA Group companies worldwide performing self-audits to verify their observance of internal anti-trust and anti-bribery guidelines, which allowed us to establish compliance levels at those companies and provide thorough compliance training.
KIOXIA Group promotes rigorous compliance with business-related laws and regulations by providing training, making effective use of relevant databases, and performing periodic self-audits. We implement improvements aimed at mitigating any risks identified by those third parties in order to continue to enhance our compliance structure.
As a part of our anti-bribery initiatives, we perform due diligence on our outsourcing partners and other business partners that may have relationships with public officials, in order to identify potential bribery risks and any other risks before commencing business with them. In addition to incorporating provisions that prohibit bribery in our contracts with the aforementioned parties, we also notify them about our anti-bribery policy, among other activities.

Furthermore, KIOXIA Group is taking steps to raise compliance awareness among our staff based on our own Standards of Conduct. KIOXIA Group in Japan provided their directors and employees with e-learning training on sales-related risks from December 2021 to January 2022, to raise the level of our sales-related legal risk management.

Prevention of Insider Trading

To prevent insider trading and ensure proper management of all information, KIOXIA Group has formulated its “Insider Trading Prevention Regulations” and developed processes designed to manage the flow of insider information centered around prevention manager stipulated under this regulations. In September 2020, e-learning designed to prevent insider trading was conducted for all employees of our Group, including those of overseas subsidiaries. This initiative aimed to ensure that the contents and objectives of the “Insider Trading Prevention Regulations were thoroughly understood.

Political Contributions

The Kioxia Group Standards of Conduct stipulate that KIOXIA Group shall not provide inappropriate benefits or favors to any politician or political organization.
As part of its contribution to society, and when deemed to be necessary, KIOXIA Group does make transparent donations to political parties, in order to encourage the adoption of policies that will support our business and aid the healthy development of parliamentary democracy. Where we make donations to political parties, procedures in accordance with internal rules are followed and, in the case of donations made in Japan, we ensure we are compliant with Japan’s Political Funds Control Law.

Donations and Provision of Funds

While the KIOXIA Group forbids the incurring of inappropriate expenses, we do stipulate that appropriate donations may be made to appropriate organizations. We therefore donate to a number of different organizations, taking into consideration factors such as the contribution made by the organization to society, its causes, and the community aspects of its activities.

Continued Severing of Relationships with Antisocial Groups

All KIOXIA Group companies in Japan have taken various measures to ensure that all links with antisocial groups are severed. In particular, we have developed and implemented “Basic Public Relations Management Rules” and appointed public relations management officers in each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with any antisocial groups. If during those background checks the need arises for further investigation, our Human Resources and Administration Division will verify whether there is any evidence of a relationship between the customer and any antisocial groups.

We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when a business partner is identified as being part of an antisocial group.
We also continuously ensure that employees understand the importance of excluding antisocial groups from the business activities they conduct.

Information Security Management

Information Security Management Policy

The utilization of data and cloud services and the use of AI have advanced in line with digital transformation, and we are also seeing changes in working styles, such as the rise in telecommuting. With cyber-attacks becoming increasingly sophisticated and potentially able to cause more serious damage to companies' businesses, cyber security measures have become more important each year.
Information security is a key management issue for the KIOXIA Group, and recognizes the value of all information handled during the course of our business activities, including personal information, customer and business partner information, management information, and technical and production information. Our basic policy is to manage this information in a confidential manner in order to protect it and prevent inappropriate disclosures, leaks, or improper use.
KIOXIA Group has drawn up this basic policy of information security management.

Structure of Information Security Management

KIOXIA Group has established the role of Chief Information Security Officer, whose responsibility it is to oversee and ensure compliance with our Information Security Management Policy. Information security management processes incorporating the protection of personal information have been implemented at each business site and organization, including all Group companies. The Information Security Committee deliberates matters that are deemed key to ensuring information security throughout the Group.
In addition, the implementation status of relevant measures and specific issues arising in any of our Group companies are reported to the company's directors every six months in order to standardize and improve the level of information security throughout the KIOXIA Group.

Information Security Management Structure

Information Security Management Structure Information Security Management Structure

Information Security Measures

In FY2021, KIOXIA Group implemented information security measures that included the reinforcement of networks and internal system monitoring from four perspectives.

Implementation of Information Security Measures

Category

Description

(1) Organizational measures:
Establishing organizational structure and rules

  • Periodic reviews of information security-related regulations
  • Development and maintenance of information security management structure
  • Performing of audits.

(2) Human resource and legal measures:
Ensuring adherence to rules

  • Regulation of information protection duties and disciplinary measures in the case of any breach of rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements

(3) Physical measures:
Supporting implementation of rules in terms of physical security

  • Carry-in/carry-out control of devices holding information
  • Facility access control, room/building entry control
  • Locking of highly important information

(4) Technical measures:
Supporting implementation of rules in terms of technology

  • Encryption of hard disks and measures to combat malware 
  • Assessment of the vulnerability of devices such as servers that are accessible to the public and enhancement of relevant protective measures
  • Implementation of a system to detect unauthorized external access or data breaches

Education, Inspection and Audit of Information Security Management

All KIOXIA Group divisions and organizations conduct annual self-inspections and self-audits of their compliance with information security policies and internal rules; they identify any issues and seek to address these in an effort to improve the level of information security within each of them.
KIOXIA Group conducts annual training for all officers and employees and communicates relevant messages regarding information security from the management to all employees in order to ensure strict compliance with all in-house regulations. We also ask our business partners and subcontractors to provide a similar level of training for their employees.

Responding to Incidents such as Leakage of Confidential Information

In the event an information security incident such as a leakage of confidential information occurs, KIOXIA Group responds promptly in accordance with its information security incident reporting processes.
When we become aware of the occurrence or potential occurrence of an incident involving a serious leakage of confidential information that may entail a violation of any laws or ordinances, we strive to respond promptly based on our risk and compliance management processes.

Information Security Incident Reporting Process

Information Security Incident Reporting Process Information Security Incident Reporting Process

Status of Incidents such as Leakage of Confidential Information

In FY2021, there were no incidents of sensitive information held by KIOXIA Group companies being leaked, nor were there any complaints from relevant external individuals or regulatory bodies concerning personal information. We will continue to work to prevent information security incidents and to be fully prepared for any situation that might arise.

Product Security Management

Product Security Management Policy

KIOXIA Group is required to respond promptly to any cyber-security risks emerging in society at large, and to requests from business partners and other stakeholders related to product security.
KIOXIA Group defines “Product Security” as the prevention of any malicious information leaks, falsification, or unforeseeable faults in the products and services we sell or provide to customers.
Our basic policy is to provide safe and secure products, by establishing a product security management framework and aiming to minimize any cyber-security risks associated with them.

We have drawn up this basic policy of product security and ensure all employees and officers of the company are aware of it.

Structure of Product Security Management

The Group has appointed a Chief Information Security Officer to oversee compliance with our Product Security Policy. In each business division we have formulated product security processes that are strongly integrated with our quality management system. We have also established a special support service we call PSIRT*2 which enables us to respond promptly to inquiries and to address any security vulnerabilities in our products.

  • *2 PSIRT: Product Security Incident Response Team – a team that responds to product security issues

Structure of Product Security Management

Structure of Product Security Management Structure of Product Security Management
  • *3 CSIRT(Computer Security Incident Response Team): team that responds to information security issues

Product Security Measures

In addition to the aforementioned organizational measures and human process and legal measures, the following have been established as internal rules and regulations in order to implement security measures for our products.

Category

Description

(1) Legal and regulatory compliance

  • Investigation of and response to security regulations and laws related to our products

(2) Secure development: establishing processes to ensure we provide secure products 

  • Consistent maintenance and enhancement of security measures throughout product lifecycles
  • Maintenance and enhancement of security measures in product supply chains 

(3) Incident system development: dealing with product vulnerabilities, inquiries, etc.

  • Establishment of PSIRT
  • Addressing security requirements and responding to inquiries from stakeholders

Response to Security Incidents related to Products

In the event of a security incident caused by a cyber-attack, for example one targeting product vulnerabilities, KIOXIA Group will strive to respond promptly, with PSIRT and management executives assessing the situation based on our product security management processes and on our formulated responses to product incidents.

Status of Product Vulnerabilities and Responses

There were no serious incidents associated with vulnerabilities in any of our products in FY2021. We will continue to strive to prevent the risk of product vulnerabilities, and will ensure the swift detection of any, and a prompt response. 

Ensuring Appropriate Tax Reporting

The basic policy of the KIOXIA Group is to fulfill our obligations to pay all due taxes through business activities conducted based on the principles of fairness, integrity, and transparency. Our tax policy stipulates that KIOXIA Group must (a) comply with the guidelines of the Organization for Economic Cooperation and Development (OECD) and with the applicable laws and regulations of each country and region; (b) contribute to the tax administration of local communities through sales, profits, and payment of taxes in accordance with the purpose and reality of our business activities; (c) develop our business while ensuring tax transparency; and (d) appropriately manage and reduce any tax risks. These activities are carried out in accordance with the following:

1. Tax Governance (Structure)

Our Chief Financial Officer has official responsibility for ensuring that the KIOXIA Group complies with all relevant tax regulations and reports to the Board of Directors on its compliance with these, on its implementation of relevant initiatives, and on any key issues. The KIOXIA Holdings Group Tax Office periodically arranges internal training on tax policies in order to cultivate human resources who are familiar with the tax system of each country and region; it also identifies any potential tax issues, collects information, and shares knowledge. Group companies are required to report on any potential tax risks or other tax issues to the Chief Financial Officer.

2. Compliance

KIOXIA complies with the OECD Transfer Pricing Guidelines and with the laws and regulations of each country and region, and undertakes proper tax reporting and payment.

3. Tax Risk Management

KIOXIA recognizes the possibility of tax risks arising in situations where laws and regulations differ or are interpreted differently in different countries and regions. When a potentially significant risk is identified, we strive to minimize it by means of thorough scrutiny and analysis, by obtaining advice from tax specialists, by making prior referral to tax authorities or by means of a process of advance pricing agreement.

4. Transfer Pricing

Transfer prices between Group companies are decided according to the arm’s length principle. The functions and risks of all Group companies are analyzed and periodically monitored to ensure profits are allocated on the basis of the contributions of each company. 

5. Tax Incentives and Tax Havens

Tax deductions and incentives in each country and region are utilized in a manner that accords with our business objectives, and we strive to pay all appropriate levels of tax. Business activities are conducted in accordance with appropriate tax structures in line with our business objectives; we do not specifically conduct transactions or other activities in low tax countries or tax havens.

In addition, we strive to eliminate double taxation by utilizing the prevailing relief systems and tax treaties in each country and region. Situations where the tax position is uncertain are documented in accordance with proper accounting standards.

6. Ensuring tax transparency

KIOXIA Group supports the reform of international taxation proposed by the OECD and the G20. Furthermore, in accordance with the process by which information is exchanged between tax authorities in regions where Group companies are situated, we submit country by country reports and master files according to regulations in each country or region. We strive to ensure tax transparency by providing the information required for tax reporting and payment in a timely and appropriate manner.

7. Relationships with Tax Authorities

KIOXIA seeks to maintain good relationships based on mutual trust with the tax authorities overseeing each country and region. We respond to requests from tax authorities with honest and accurate representations of the facts.

Tax Governance (Structure)

Tax Governance (Structure) Tax Governance (Structure)

Corporate Tax Paid by Region (millions of yen, FY2021)

Japan 2,925 (72%)、Asia 339 (8%)、Europe 283 (7%)、Americas 540 (13%)

Risk Management through Business Continuity Planning (BCP)

KIOXIA Group identifies, analyzes and assesses business risks and strengthens risk management across all areas of its business in order to prevent interruptions to our operations in times of emergency, such as earthquakes or other natural disasters, accidents, or pandemics. The Group has stipulated business continuity planning regulations in accordance with our BCP Policy, and implemented measures to ensure the safety of employees and their families and ensure disaster readiness at our business sites and factories. We conduct practical training and prepare for emergencies so that we can continue or quickly resume delivering products and services in the event of damage or loss.

We have initiated business continuity planning at KIOXIA Group manufacturing, sales, and technical bases as well as at administrative bases. However, in response to various changes in the social environment, we are further reinforcing our supply chain management and strengthening ties between other committees, including the Information Security Committee and Quality Conference Committee, in order to promote business continuity planning that spans companies throughout the entire KIOXIA Group.