Displaying present location in the site.

Risk Management

Risk Management Policies

NEC has appointed a CRO to accurately identify and address internal and external risks related to its businesses. The Company maintains a system to mitigate the probability of losses through Groupwide oversight and centralized response to risks across the Group.

The CRO chairs the Risk Control and Compliance Committee and provides leadership in detecting and analyzing the increasingly diverse and complex risks in the Company’s constantly evolving social and business environment, assessing the impact of risks, prioritizing responses according to a risk map, and implementing the required risk countermeasures.

Medium- to Long-term Targets, Priority Activities and Progress, Achievements and Issues

Medium- to Long-term Targets and Priority Activities

(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026

Conduct appropriate risk management

Select important risks that affect business execution and both plan and implement effective countermeasures

FY2023 Goals, Progress, Achievements and Issues, and FY2024 Goals

FY2023 Goals

Conduct appropriate risk management
Establish and implement effective measures for Priority Risks

  • Risk of human rights infringements in the value chain

Progress, Achievements and Issues

Measures implemented for Priority Risks

  • Clarify customer due diligence perspectives in high-risk regions
  • Introduce risk mitigation measures for NEC direct trade projects
  • Raise awareness among people involved in businesses in high-risk regions

Examine and assess status of countermeasures for other important risks

FY2024 Goals

Enhancement of a comprehensive and centralised system to control Companywide risks, including the appointment of a CRO
Planning and execution of effective measures for Priority Risks

  • Harassment
  • Compliance with laws and regulations related to quality and safety
  • Improvement of project contract quality

Risk Management Framework

Board of Directors

Given its oversight role with respect to business execution, the Board of Directors oversees the effectiveness of risk management by receiving reports related to material misconduct and reports on the measures taken for the Priority Risks.

Executive Committee

The Executive Committee discusses important NEC management issues such as policies and strategies, including Priority Risks and other important risks related to management and strategies.

Chief Risk Officer (CRO)

The CRO chairs the Risk Control and Compliance Committee and supervises Companywide activities comprehensively to mitigate NEC Group risks.

Risk Control and Compliance Committee

  • The Risk Control and Compliance Committee, whose members are officers, investigates the underlying causes of serious compliance breaches, studies plans for the prevention of recurrence and preventive measures, and deliberates on policies for risk management activities and policies for selection of and countermeasures to the Priority Risks. The committee executes a supervisory function in Companywide risk control by, for example, regularly receiving reports from the divisions in charge of deliberations and progress status related to specific Priority Risk measures, verifying the activity results and issues and future activity plans and providing direction for improving and enhancing measures as needed.
  • The CRO chairs this committee, supervising the implementation of Companywide risk management and reporting as necessary on important matters and outcomes of the committee’s proceedings to the Executive Committee, which includes the CEO.

System for Crisis Management and Business Continuity

Risk Assessment

Risk Assessment Methodology

Selecting Priority Risks and Countermeasures

The Company creates a risk map based on the results of risk assessments conducted for business divisions and staff divisions, and every year identifies Priority Risks with a potentially significant impact on corporate management because of their degree and urgency. The Board of Directors receives reports on the Priority Risks and implements countermeasures.

The Risk Control and Compliance Committee discerns changes in internal and external factors as the basis for discussing and periodically reviewing the potential impact of risks.

Long-term Risk

Response to Emerging Risks

Risks Related to Climate Change


Climate change has brought with it an increase in unexpected natural disasters that could cause difficulties with business continuity for NEC, its customers, and their supply chains. The introduction and expansion of carbon pricing worldwide, aimed at reducing CO2 emissions, could lead to higher costs as NEC works to reduce the emissions produced through its business activities.

Impact on business

If customers experience trouble with business continuity, it could cause orders from these customers to fall below expectations. Moreover, this would result in higher costs. For example, costs will rise by 2.77 billion yen per year (using 130 yen to the dollar), assuming carbon pricing (130 dollars per t-CO2) was applied to its Scope 1 and Scope 2 emissions (about 164,000 tons).

Mitigation measures

  • We conduct scenario analyses that envision 2030 and 2050 and cover the entire supply chain and the future of our lifestyles and government.
  • We have joined RE100 and are working to expand renewable energy use.
  • We have set internal carbon pricing with the aim of improving energy efficiency and promoting the introduction of lowcarbon facilities and equipment. This price allows us to convert the CO2 reduction that would result from a given capital investment into a monetary value, which we can then use as a reference when making investment decisions.
  • We promote initiatives with an eye on potential increases in carbon taxes and emissions trading.
  • We provide customers with a variety of ICT solutions to help them reduce their CO2 emissions. In addition, we conduct the setting of environmental management goals aimed at reducing CO2 emissions across the entire supply chain and improving business succession measures.

Information Management Risks Associated with Increasingly Sophisticated Cyber Attacks


As cyber attacks become increasingly sophisticated and the targeted businesses are expanding and more complicated, it is difficult to discover and mitigate threats such as unauthorized access or vulnerabilities in information management systems in a timely manner.

Impact on business

NEC collects, holds, uses, transfers and otherwise processes a large amount of personal and confidential information. In the event that personal or confidential information held by NEC is leaked or exposed through unauthorized access or cyber attacks and is used fraudulently, NEC may be legally responsible and may be subject to disciplinary action by regulatory authorities. This could damage NEC’s reputation and brand value. The risk of unauthorized access and cyber attacks exists not only for NEC’s own products, services and systems, but also for those of our customers, contractors, suppliers, business partners and other third parties.

Mitigation measures

We are implementing robust and flexible measures throughout the Group based on the CISA1 Zero Trust Maturity Model. Based on Cybersecurity Management Guidelines Ver. 3.0 formulated by the Ministry of Economy, Trade and Industry, Government of Japan and Cybersecurity Framework (Version 1.1) of the NIST,2 we are strengthening intelligence (proactive defense) and resilience (ability to recover from attacks) against cyber attacks.
In addition, presenting cybersecurity risks to all employees on a dashboard as part of our data-driven transformation is supporting quick management decisions and autonomous front-line actions.
Furthermore, based on Security by Design 3.0 , which considers security from the design stage, we are enhancing measures that include our supply chain in order to provide safe, high-quality services.
Please refer to our Information Security Report for details about our initiatives.

  • 1.
    Cybersecurity & Infrastructure Security Agency (an agency of the United States Department of Homeland Security)
  • 2.
    National Institute of Standards and Technology (an agency of the United States Department of Commerce)

Risk Culture

Incentives Based on the Personnel Evaluation Process and Risk Management Evaluation Indicators

A department is responsible for the system for each risk, and the response to that risk is directly linked to the operations of that department. Business performance is directly reflected in performance appraisals.

Risk Management Training and Education

NEC provides risk management training for managers to increase awareness and understanding of risk management.

Confirmation and Reporting of Potential Risks by Employees

Internal Feedback Process for Potential Risks

The Risk Control and Compliance Committee and senior management exchange and discuss information about latent and emerging risks to enhance the Company’s capability to address risks. We also continuously improve our risk management methodology.

Crisis Management and Business Continuity

Crisis Management and Business Continuity Policies

NEC has prepared a business continuity plan (BCP) and is promoting business continuity management so that the Company can fulfill its social responsibilities by continuing to stably supply customers with products and services even when risks actualize in the form of earthquakes, typhoons, and other natural disasters; global pandemics; wars; or terrorist attacks.
Our goal is to be able to continue NEC Corporation’s business as far as possible, and to recover operations quickly if they are interrupted.

Basic Disaster Response Policies

  1. Ensure the safety of employees and visitors
  2. Rapidly recover and establish a business environment that enables NEC to fulfill its social responsibilities, including the maintenance and recovery of backbone systems, such as communications, public infrastructure, traffic, defense, and finance
  3. Minimize management damage caused by operation disruption

Crisis Management and Business Continuity Organization

NEC Corporation will continue business proactively and flexibly through the following three functions. The status of activity will be reported regularly to the Board of Directors.

  1. Business Continuity and Disaster Recovery Headquarters
    This function is headed by the president and comprises corporate divisions such as the Human Resources and General Affairs Department. The Headquarters maintains senior management’s decision-making function and prepares an environment for recovering operations.
  2. Business Unit BCP Teams
    These teams are formed in each business unit. They conduct activities for recovery of business (customer response, gathering information of damage to operations, recovery, logistics, and securing materials, etc.).
  3. Workplace BCP Teams (Bases)
    These teams are formed at the workplace and base level. They secure the safety of the workplace, confirm the safety of employees, quickly recover worksite infrastructure, support employees’ lives, assist those who wish to return home, and coordinate with the community.

In addition, internationally we have formulated BCPs in response to each country’s risk under the global system of five Regional Headquarters (RHQ), along with information escalation rules in the case of emergencies.

Response to Large-scale Disasters, Incidents and Accidents, and Infectious Diseases

Response to COVID-19

NEC implemented the following measures in fiscal 2023 to prioritize the lives and safety of its employees.

  • All employees take thorough precautions against COVID-19
  • Temperature checks each morning, handwashing, and gargling
  • Staggered work hours, telework and other measures to prevent the spread of infection at work
  • Following rules for reporting when not feeling well
  • Checking movement history around time of testing, maintaining distance from other people and thorough measures to prevent the spread of infection such as disinfecting surfaces
  • The third work-sponsored vaccination for employees

The categorization of COVID-19 under the Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases changed in May 2023, and relevant infection control measures are now the same as those for seasonal influenza.

Responding to the Risk of Storm and Flood Damage

NEC Corporation has constructed a system in which the Company’s internal disaster information sharing system automatically receives disaster information from the Japan Meteorological Agency and displays the range of impact on a map. This allows us to understand at a glance information regarding the Company’s sites, customers, suppliers, and others located within that range.

Furthermore, we prepare for storm and flood damage by using the latest hazard maps to evaluate storm and flood damage risk at each business site. Based on these evaluations, while taking into account the balance between the impact of a disaster and cost, we are establishing periphery flood barriers at facilities that would require considerable time to restore.

ISO 22301:2019 Certification Acquisition

NEC has acquired ISO 22301:2019 certification, mainly in its system maintenance divisions and datacenter operations divisions. ISO 22301:2019 is an international standard for Business Continuity Management Systems (BCMS).

Moreover, divisions that have not acquired ISO 22301:2019 certification are complying with the international standard as far as possible and have put in place efficient and effective countermeasures to prepare for potential threats to business continuity, including earthquakes, floods, typhoons, and other natural disasters; system faults; pandemics; power outages; and fires.

Exercises and Training on Disaster Prevention and Business Continuity

Education, Exercises and Training on Disaster Prevention and Business Continuity

Education and online training

NEC and affiliated companies in Japan conduct the following training and drills every year to prepare for large-scale natural disasters with the aim of minimizing damage and resuming operations as quickly as possible.

  • NEC conducts drills to confirm disaster response procedures in accordance with work styles as part of work style transformation.
  • NEC holds online training and workplace discussions that serve as opportunities to think about how to act during a natural disaster, what can be done beforehand, and the necessary preparations for dealing with a large-scale earthquake, while drawing up specific natural disaster scenarios.

Enhancing the degree of completion of BCPs

  • Since 2016, NEC has introduced systems for visualizing the business continuity status for each company and division by using indices such as “organizational state in regular times and at the time of disaster,” “leadership,” “disaster prevention and business continuity plan,” “support status,” “effective operation,” and “evaluation and improvement.”
  • We will refine the system to cement a business continuity mindset as part of our organizational culture and continue making improvements across the entire NEC Group to enable each division and employee to think and act autonomously during disasters.

Participation in the Activities of External Organizations

NEC Corporation has been a Business Ethics Research Center (BERC) member since its establishment in 1997. BERC collects worldwide information relating to business ethics, undertakes research on ethics, offers consulting on business activities, and educates businesspersons while promoting ethics. We have utilized information on examples of initiatives at other companies obtained through BERC in the planning of various measures.