Risk Management

Linking operations and management to strengthen risk management

The CxO system is intended to provide thorough Group governance over the EBARA Group. Risk management used to be conducted separately by each in-house company or Group company, but the CxO system allows risk management to be conducted in an integrated manner through the CRO and risk officers (ROs). As a result, risk information from operational sites is reaching management more rapidly, and an integrated risk management system is being put in place across the Group.

The risks we face are increasingly diversifying, including changes in international affairs and issues related to technology succession. In 2025, we will conduct a Groupwide risk assessment, which we do every three years, to identify the risks the Group faces and to promote reliable risk management. In this context, we will also enhance our preparedness for emerging risks such as geopolitical shifts and generative AI. We aim to build a sustainable risk management framework by incorporating diverse stakeholder perspectives, grounded in the integrity and flexibility that define the EBARA Way.

In response to recommendations from the Japan Fair Trade Commission regarding mold management, we are enhancing monitoring by all executive officers. We intend to fully enforce rules and raise awareness of legal compliance through education and training for employees, and we are also enhancing institutional systems and technical management frameworks to ensure reliable mold management at the operational level.

Toru Nakayama
Executive Officer, CRO

We are focusing on risk management and governance that supports business growth by accurately capturing changes in the risk environment surrounding the EBARA Group. In our risk management activities, we emphasize both perspectives of being a good corporate citizen trusted by stakeholders and increasing social, environmental and economic value.

 

Changes in the risk environment surrounding the EBARA Group

Internal risks	- Further globalization of business - Increasing independence of business divisions due to organizational structure shift to target-market specific structure - Increased regulatory exposure to evolving SME regulations and security trade controls
External risks	- Geopolitical risks like the Russia-Ukraine conflict - New technology risks such as generative AI - Intensifying global weather disasters

 

 

Strategy Overview

Implementing proactive risk management	Enhancing the organizational structure for risk management	- Collaboration between the Risk Management Panel (RMP) and Risk Management Committees (RMCs) - Establish the CRO Office - Expand Group CRO Council - Enhance risk management structures at in-house company-level (internal controls and security trade controls)
	Advancing risk response capabilities	- Review the risk inventory and risk assessment - Enhance incident management plans according to the type of crises - Switch to an all-hazards business continuity plan - Introduction of global insurance
	Addressing emerging risks	- Respond to geopolitical and generative AI-related risks - Conduct scenario-based risk analysis - Leverage intelligence for proactive risk detection - Strengthen responsiveness to evolving societal expectations
	Reinforcing compliance framework	Promote shared values of the EBARA Way and the Code of Conduct - Prevent cartels and bid-rigging Strengthen anti-corruption measures - Ensure robust security trade controls Enhance personal data protection Improve internal reporting systems
	Contributing to a decarbonized, circular, and nature-positive society	Promote carbon neutrality Reduce environmental impact through products and services Ensure proper management of water and waste Conduct comprehensive environmental management

The EBARA Group systematically identifies and assesses risks that may arise from its business operations and implements measures to minimize risk that may impact the ongoing survival and development of the Group. We are shifting from a system that focused on responding ad hoc to individual risks that emerged in the course of business to a more systematic approach that emphasizes continuous implementation of system improvements parallel to enacting risk control measures. We have also established the CRO Office, which includes the CRO and Risk Officers from each in-house company, creating an overarching risk-response system that transcends traditional business silos

The Risk Management Panel (“RMP”) is an organization that oversees the EBARA Group’s risk management activities, deliberates, and provides guidance and support for improvement. The RMP is chaired by the President and Representative Executive Officer and is comprised of all executive officers. Non-Executive Directors sit on the RMP to provide advice and other assistance as necessary to ensure risk management activities are undertaken with adequate objective supervision. The deliberations of the RMP are reported to the Board of Directors which provides appropriate oversight over risk management.

The CxO system that was introduced in E-Plan 2025 has helped to clarify the division of roles and scope of responsibilities for management and business execution, thus enabling us to provide further assistance to business divisions in terms of risk management. Information on risks is reported mainly to the CxO in charge, so sharing information between CxOs is important. We have specified indices with which to identify potential incidents and whether information on those incidents needs to be shared so that necessary information on risks can be shared among CxOs. Moreover, we have been enhancing risk management training for managers and auditors of Group companies since 2023, and we are focusing on encouraging communication with personnel on-site and enhancing cooperation more than ever before.

In response to the changing risk environment surrounding our group, we regularly conduct risk assessments, reevaluate our risk response system, clarify the responsible departments for each risk, and reflect this in our operations. As a part of the risk response system, in emergency situations or when otherwise deemed necessary, a company wide task force headed by the President, Representative Executive Officer is established, to enable prompt reporting, communication, and decision making.

We conduct a groupwide risk assessment every three years to identify the group's important risks. This assessment covers over 100 potential risk items relevant to our business operations. Through surveys of and group interviews with business and department managers, we evaluate each risk based on its likelihood, potential impact, and residual risk after mitigation. Identified key risks are assigned to lead departments responsible for risk response and are reported to the RMP. In the 2022 assessment, 11 key risks were selected, and their mitigation status has been continuously reported to the RMP.

 

 

As the globalization of the Group’s business accelerates, continuing to transition to a target market-based organization and encouraging autonomous risk management by business divisions is becoming increasingly important. In light of these changes in the environment, we will strengthen our Groupwide legal compliance framework while also enhancing measures such as security trade controls in each segment. Each in-house company faces and manages business-specific risks, which are designated as in-house company major risks. In the past, each company has identified risks independently, but we plan to standardize the process of identifying risks by incorporating the process of selecting in-house company major risks in the Groupwide risk assessment conducted in 2025.

Collaboration with Group companies in each country has been strengthened after implementing response measures for the COVID-19 pandemic, and we have made progress in building a global business continuity management system.
However, other natural disasters such as heavy rain, floods, and typhoons have caused increasingly severe damage in recent years, so we have been working to reduce such damage by preparing physical countermeasures such as sandbags and water bags, especially at our main bases and Group companies in Japan. x We are also simultaneously working to raise awareness for disaster preparation and mitigation by distributing disaster preparation guides to every employee and putting disaster response posters up at bases. We are taking measures to prepare for volcanic eruptions, including Mt. Fuji.
Going forward, we will further strengthen our global business continuity management system while also taking into account geopolitical risks.

In response to the tightening of regulations on personal information in various countries, we are enhancing our global protection system for the entire Group by formulating a Group privacy policy and rules. We are also addressing the cross-border transfer of personal information in contracts among Group companies and we are complying with the laws and regulations of individual countries such as China. In order to accelerate global management using data such as a human resources database, we will strengthen information security and the protection of personal information and reduce risks associated with the global use of personal data.

To strengthen risk management globally, we have introduced a system to manage insurance across the entire group starting in 2022. After developing a group-wide risk approach to natural disaster and contract risks, major group companies uniformly take out insurance for property, liability, and logistics, and transfer risks. We will continuously review the matters and eligibility in our global insurance and conduct efficient, effective risk management.

We believe that providing products and services to support the continued functioning and early recovery of important facilities related to the lives and property of citizens in the event of a major earthquake or large-scale infectious disease is an important part of our business. Accordingly, we have established a business continuity management system and organized our organizational structure and plans.

Initial Activities are led by the local headquarters established in each region, and are engaged in evacuation, rescue, fire fighting, and other activities to ensure the safety of employees and the preservation of assets.. At the same time, the business continuity and recovery activities begin, with the intent to mitigate damage to ongoing projects and facilitate the rapid recovery of important business. The headquarters for company business continuity measures monitors company wide progress, disseminates information and makes company wide instructions.

In order to quickly gather information on the situation of affected areas during large-scale disasters, we utilize a safety confirmation system and information sharing sheets on a cloud server. In addition, in order to ensure information sharing, satellite phones have been installed at each site, and key members of the disaster response team carry priority disaster phones. Furthermore, in order to ensure that information is not lost via our website even if our head office in Tokyo is damaged, we have established a system in which information is transmitted from our Osaka branch office.

We conduct annual simultaneous disaster drills across the domestic EBARA Group including for earthquakes and other disasters.
Additionally, we regularly conduct response training for the safety confirmation system for each employee.

We conduct annual drills where we practice setting up the Osaka branch office to provide remote support in the event of a large-scale earthquake under the Tokyo metropolitan area, which prevents the Tokyo headquarters from responding accordingly.

We have installed generators, storage batteries, solar panels, etc. at our major business locations to ensure power supply in the event of a power outage. In addition, all Executive Officers have portable storage batteries/solar panels installed in their homes, enabling them to quickly take command of business continuity even during power outages.

We have prepared sandbags and water barriers to prevent flooding at sales offices and business sites with a high risk of being affected by tsunamis or torrential rains.

Three days worth of food, water, survival sheets, and other suppliers are stocked at major locations for use in the event of a large-scale disaster.

We implement measures for those unable to return home based on the "Tokyo Metropolitan Government's Handbook for Measures for Those Unable to Return Home," and regularly conduct awareness-raising activities by viewing the Tokyo Metropolitan Government's video on restraining mass return home on the company intranet.

*Our company has been certified as a model company promoting the restraint of mass return home in Tokyo. ( Introduction page of our initiatives)

We protect our information systems while managing data in an appropriate fashion and never use information in unethical ways. We will also work to protect personal information.

The following five principles are part of the EBARA Group’s information security policy and must be followed by all executive officers and employees of the EBARA Group
The following five principles are part of the EBARA Group’s information security policy and must be followed by all executive officers and employees of the EBARA Group

1. When handling information, we comply with information security-related regulations and the instructions of department heads, and do not misuse information.
2. Fully understand the impact of information leakage and recognize the necessity of protection from such leakage.
3. We do not use information devices for purposes other than those permitted.
4. We take necessary actions for the protection and management of information assets, such as updating software
5. In the event of an information security incident or accident, or if one is anticipated, we promptly contact the information security manager and take necessary actions.

We have established a company-wide system for information security.

We have established various regulations related to information security and are operating in accordance with these regulations. We also regularly use various manuals, educational materials, and e-learning to improve employee literacy.

We also protect our infrastructure and other data including documents and storage media through proper security measures such as theft prevention measures and proper disposal methods at various business locations to prevent data leakage.

We also monitor and protect a variety of devices in order to catch security threats early. In addition, we use encryption technology and passwords, etc. to protect sensitive information and minimize information security incidents.

We ensure the proper management of passwords, IDs, approval authority, access to privileged information and systems based on our IT General Control Rules.

We are constantly evaluating and working to improve our incident management, duplication of important equipment and networks, back-ups as well as our communication, reporting and established recording processes based on our management system.

Cyber attacks targeting companies have become commonplace, and we are strengthening our response as the EBARA Group. Recently, we have increasingly been asked by business partners to address cybersecurity as part of supply chain management. To reliably respond to such demands and gain trust from the market, compliance with globally recognized international standards and frameworks is positioned as important, and we are promoting compliance with ISO 27001 for information security and CIS Controls^*1 for cybersecurity. Additionally, to strengthen security governance required of global companies, we have established a system as Global CSIRT^*2 by welcoming members from overseas group companies and are continuously operating and improving it.

 

^{*1. A framework compiled by the non-profit organization CIS in the United States, outlining what companies should undertake as cybersecurity measures
*2. Global Computer Security Incident Response Team}

 

Japan and other countries cooperate internationally to control the export of military-sensitive goods and technologies, including relevant dual-use goods and technologies from passing to countries that may threaten the security of the world or terrorists.
The EBARA Group has established the "EBARA Group Basic Policy on Security Trade Control" and actively promotes self-management efforts, contributing to the maintenance of international peace and security, not just complying with laws and regulations.

Basic Policy on Security Trade Control of the EBARA Group
1. Compliance with domestic export control laws and U.S. re-export regulations
2. Compliance with Japan's security trade control-related laws and requests based on them
3. Management of exports in cooperation with the international community, such as international export control regimes
4. The applications of products and technologies handled by the EBARA Group are limited to civilian use
5. Prohibition of transactions directed to specially designated regions (North Korea and Iran)

In order to properly implement and promote security trade control, a security trade control system has been established with the representative executive officer of EBARA Corporation as the highest responsible person, and a specialized department for security trade control is placed at the headquarters of EBARA Corporation as the company-wide export control department. Each in-house company has a security trade control promotion division that is responsible for compliance with and thorough implementation of export control-related laws and regulations. The division not only prevents violations of laws and regulations, but also endeavors not to engage in transactions that are contrary to corporate social responsibility.