Risk Management
Governance
Risk Management Framework
The NEC Group has a companywide cross-sectional risk management system centered on the Risk Control and Compliance Committee and the CRCO to accurately comprehend and to respond appropriately to both internal and external risks related to NEC Group’s businesses. An overview of this system is shown in the diagram below.
At NEC Corporation, important matters related to companywide risk management, including a risk management policy, the selection of and response policies for “Priority Risks” that require countermeasures across the NEC Group, and measures to address risks that require companywide management in response to changes in the risk environment during the fiscal year, are discussed at the Risk Control and Compliance Committee and then reported to the Business Strategy Committee and the Board of Directors on a regular basis.
The Company has the CRCO to monitor and address companywide risks centrally and cross-functionally and to manage the possibility of losses. The CRCO takes the lead in companywide risk management by detecting and analyzing risks that are diversifying and becoming more complex in a constantly changing social and business environment and by evaluating their impacts, while prioritizing countermeasures and closely collaborating with the other chief officers in charge of each risk.

Thought Process
Policies, Processes, and Operational Status for Risk Identification
Policies
The NEC Group refers to the Enterprise Risk Management - Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and ISO 31000 which is a standard that provides principles and guidelines for risk management. On this basis, the NEC Group, in order to pursue returns through appropriate risk management, has categorized the risks associated with the NEC Group’s businesses into a Risk Total Picture and has decided on responsible divisions and response policies for each risk. In the Risk Total Picture, integrity is recognized as the foundation of all risk management activities and risks are classified into three categories according to their nature.
The Company has developed a response flow in case such risk should materialize, especially in the event of a crisis that threatens the existence of the Company.

Processes
Based on a comprehensive list of risks that the NEC Group should be aware of, the CRCO engages in dialogue with the other chief officers in charge of managing each risk and conducts risk assessments. The CRCO creates a risk map that visualizes risk priorities by evaluating impact on five levels and urgency on three levels, taking into consideration changes in the external and internal environment and the status of each risk countermeasure.

Operational Status
Through the above process, the CRCO updates the risk map through the review of the Risk Control and Compliance Committee on a quarterly basis, and regularly reports to the Business Strategy Committee and the Board of Directors.
The current risk map is shown below.
Among these, the NEC Group considers “Provision of Appropriate Products and Services” to be particularly important, and “Cybersecurity,” “Respect for Human Rights,” “Occurrence of Serious Misconduct,” and “Human Capital Management” to be the next most important risks. These are designated and referred to below as the priority risk and the significant risks. For more information, please refer to the specific risk management details.

Risk Management
Long-term Risk
Risk Management Status
The management status of significant risks is provided below. Please see the linked pages for further details on countermeasures.
Priority Risk: Provision of Proper Products and Services
Risk Awareness
The NEC Group offers a wide variety of products, systems, and services, and conducts business in Japan and abroad with a global supply chain. If the NEC Group is unable to maintain quality control and safety management in the NEC Group and unable to maintain the trust of a wide range of stakeholders, including suppliers, it may result in legal liabilities and social reputational harm, which may have a material adverse impact on the NEC Group’s business.
Countermeasures
- Quality and safety implementation framework and quality and safety risk management framework
- Evaluation framework for new projects
- Supply chain management framework
Significant Risk: Cybersecurity
Risk Awareness
Now that the entire world is openly connected and the use of AI is increasing, the NEC Group is exposed to various risks, including sophisticated and commercialized cyberattacks, the growing risk of information leakage stemming from the extensive use of cloud services, and challenges in information management in view of economic security. If the NEC Group is unable to appropriately address cybersecurity risks, not only for the NEC Group itself but also for our customers and business partners, it may result in legal liabilities and social reputational harm, which may have a material adverse impact on the NEC Group’s business.
Countermeasures
Significant Risk: Respect for Human Rights
Risk Awareness
By continuously assessing the actual or potential negative impacts across the value chain, the NEC Group identifies salient human rights issues that it considers to have a particularly high impact. If the NEC Group is unable to address these salient human rights issues appropriately, it may result in legal liabilities, economic sanctions and social reputational harm, which may have a material adverse impact on the NEC Group’s business.
Countermeasures
- NEC Group Human Rights Policy
- Salient human rights issues
  - New technology and human rights (AI and human rights)
  - Human rights risks related to geopolitical situations and conflicts
  - Labour in supply chains
  - Employee safety and health
For information on the occurrence of serious misconduct, please refer to “Compliance.” For details on human capital management, please refer to “Human Capital Management.”
Business Continuity Management
NEC has prepared a business continuity plan (BCP) and is promoting business continuity management so that the Company can fulfill its social responsibilities based on the continued stable supply of products and services even when risks materialize in the form of earthquakes, typhoons, or other natural disasters; global pandemics; wars; or terrorist attacks.
Our goal is to be able to continue NEC Corporation’s business to the greatest extent possible, and to restore operations quickly if they are interrupted.
Basic Disaster Response Policies
- Ensure the safety of employees and visitors
- Rapidly recover and establish a business environment that enables NEC to fulfill its social responsibilities, including the maintenance and recovery of backbone systems, such as communications, public infrastructure, traffic, defense, and finance
- Minimize management damage caused by operation disruption
Business Continuity Management Framework
NEC will continue to conduct business proactively and flexibly through the following three functions. The status of activity will be reported regularly to the Board of Directors.
- Business Continuity and Disaster Recovery Headquarters
  This function is headed by the president and comprises corporate divisions. The headquarters maintains senior management’s decision-making function and prepares an environment that will facilitate the recovery of operations.
- Business Unit BCP Teams
  These teams are formed in each business unit. They confirm the safety of NEC Group employees and conduct activities for recovery of business (customer response, gathering information of damage to operations, recovery, logistics, and securing materials, etc.).
- Workplace BCP Teams (Bases)
  These teams are formed at the workplace and base level. They ensure the safety of workplaces and bases, quickly restore infrastructure, support employees’ lives, assist those who wish to return home, and coordinate with the community.
In addition, outside Japan we have formulated BCPs in response to each country’s risk profile under the global system of five Regional Headquarters (RHQ), along with information escalation rules in the case of emergencies.
Main Initiatives
Initiatives to Foster a Risk Culture
Internal Feedback Process for Latent Risks
The Risk Control and Compliance Committee and officers exchange and discuss information about latent and emerging risks to enhance the Company’s ability to address risks. We also continuously improve our risk management methodology.
Risk Management Evaluation Indicators and Monetary Incentives
NEC Corporation’s Employee Disciplinary Regulations stipulate that employees who cause damage to the Company intentionally or through negligence will be liable for damages in addition to being subject to disciplinary action.
Risk Management Training and Education
Each year, NEC conducts training for all employees as part of its risk management training, covering topics such as compliance, the environment, human rights, and information security.
In addition, training is provided for management to enhance awareness and understanding of risk management.
As part of the onboarding process for new outside directors, we conduct training under the theme of NEC’s risk management.
Confirmation and Reporting of Latent Risks by Employees
We also strive to detect potential risks at an early stage by conducting annual risk assessments that capture insights and concerns at the operational level.
Education, Exercises and Training on Disaster Prevention and Business Continuity
Education and Web-based Training
NEC and affiliated companies in Japan conduct the following training and drills every year to prepare for large-scale natural disasters with the aim of minimizing damage and resuming operations as quickly as possible.
- Conduct training to review disaster response procedures tailored to different work styles.
- Hold web-based training and workplace discussions to think about how to act during a natural disaster, what can be done beforehand, and the necessary preparations for dealing with a large-scale earthquake.
Enhancing the Degree of Completion of BCPs
- NEC visualizes the business continuity status for each company and division by using indices such as “organizational state in regular times and at the time of disaster,” “leadership,” “disaster preparedness and business continuity plan,” “support status,” “effective operation,” and “evaluation and improvement.”
- We will evaluate and refine our initiatives to instill a business continuity mindset and disaster preparedness and continue making improvements across the entire NEC Group to enable each division and employee to think and act autonomously during disasters.
Response to Large-scale Disasters, Incidents and Accidents, and Infectious Diseases
Addressing Natural Disaster Risks such as Earthquakes and Storm and Flood Damage
NEC has constructed a system in which the Company’s internal disaster information sharing system automatically receives disaster information from the Japan Meteorological Agency. This allows us to understand at a glance information regarding the suppliers and other stakeholders located within that range.
Furthermore, we use the latest hazard maps to evaluate risk. Based on these evaluations, we implement countermeasures with due consideration of the balance between the impact of a disaster and cost.
ISO 22301:2019 Certification Acquisition
NEC has acquired ISO 22301:2019 certification, mainly in its system maintenance divisions and datacenter operations divisions.
ISO 22301:2019 is an international standard for Business Continuity Management Systems (BCMS).
Moreover, divisions that have not acquired ISO 22301 certification are complying with the international standard as far as possible and have put in place efficient and effective countermeasures to prepare for potential threats to business continuity, including earthquakes, floods, typhoons, and other natural disasters; system faults; pandemics; power outages; and fires.