The Group’s View of Risk Management
The Group defines risk as “uncertainty that affects the achievement of business management goals and has both a positive side and a negative side.” We believe a company will grow in a sustainable way if the positive side and the negative side of risk are addressed properly.
Enterprise Risk Management (ERM) Centered on the Risk Management Committee
J. Front Retailing has a Risk Management Committee, which is chaired by the President and Representative Executive Officer and comprises Executive Officers and others. The committee has a secretariat headed by an officer in charge of risk management. The secretariat shares important matters decided by the committee with operating companies to promote enterprise risk management (ERM). We position risk as the starting point of strategy and link risk with strategy so that risk management will enhance corporate value.
Risk Management Process
The Group promotes risk management through the process below.
Specifically, based on external and internal environment analyses and the recognition of the management team including Directors and people responsible for practical operations, we strive not to omit any important risks for the Group.
Extremely important risks in the Group’s management over the medium term are positioned as “business risks,” which are the starting point of the Group’s Medium-term Business Plan.
Annual risks identified based on the “business risks” are listed in the “Group risk list” and evaluated using a “risk map,” and we implement measures to address them in order of priority.
Latest Environmental Changes and Risk Awareness
The scope and area of impact of COVID-19 are wide and deep and the Group faces difficulty surviving.
COVID-19 is changing people’s values about consumption, consumption behavior and values expected of retailers faster than expected. Work styles, lifestyles, and also the role of cities are changing, partly due to remote work. In such a drastically changing environment, the business models of existing businesses including the core Department Store Business took a heavy hit and we have to change them radically.
The Group has something that should not be changed and something that should be changed. The things that should not be changed are our corporate credos “Service before Profit” and “Abjure All Evil and Practice All Good” and the Group Vision “Create and Bring to Life ‘New Happiness.’” On the other hand, we should change the business models of existing businesses and make the transition to sustainability management.
Going forward, we will make progress toward sustainable growth without wavering between the things that should not be changed and the things that should be changed.
Recently, the Group has focused on responding to natural disasters, a risk of which awareness is growing, for example by strengthening a business continuity plan (BCP) on the assumption of disasters. With regard to epidemic prevention, we are also taking the COVID-19 pandemic as an opportunity to overhaul epidemic response measures.
In preparation for natural disasters, which threaten business continuity, we developed a “business continuity manual” and continuously conduct BCP training so that we will be able to continue important operations (financing and systems maintenance) and rapidly recover from disasters and resume business operation.
With respect to COVID-19, we set up an emergency headquarters early and continue to take thorough infection prevention measures in an organized manner. At the same time, we are working on the verification of past measures and the development of an “infection response manual” in preparation for a future new pandemic.
Information Security Measures
Incidents have become more complex and sophisticated, and information security risk is increasing. To minimize such risks, we continuously implement security measures for each Group company using the Group’s common security policy as guidelines. In addition, in April 2020, we formulated the IT Governance Policy and Rules as guidelines for controlling a series of activities from formulating IT strategies to implementing them.
To visualize and improve the status of security measures, we interview each company using a checklist and assess vulnerability to confirm the safety of their websites that have a high risk of data breaches and their systems that hold personal information. Where problems are found, we make improvements promptly to ensure the safety of those websites and systems. We also continuously survey the status of communications to check whether employees use unapproved cloud services on devices provided by the Company, including personal computers they use for business purposes. In addition to continuing these efforts, we also take measures to strengthen security, including investigating the robustness of servers, strengthening monitoring, and reviewing internal rules for more appropriate information management.
In addition, in order to strengthen the security management system, we established CSIRT* in the Company and joined the Nippon CSIRT Association. The Company works with people responsible for information security management of the Group companies to develop manuals in preparation for incidents while continuously providing incident response training. By doing so, we go on strengthening the security management system of the entire Group.
As employee education is an important element in ensuring information security, we continue activities to raise the level of information security, including e-learning-based education and targeted attack email training for all employees.
* CSIRT: Computer Security Incident Response Team