The NEC Group has a companywide cross-sectional risk management system centered on the Risk Control and Compliance Committee and the Chief Risk Officer (CRO) to accurately comprehend and to respond appropriately to both internal and external risks related to the Group’s business.
Specifically, the Risk Control and Compliance Committee discusses risk management policy, policies for selection of and response to “Priority Risks” that require countermeasures across the NEC Group, as well as measures to address risks that require companywide management due to fluctuations in the risk environment during the fiscal year, and other important matters related to companywide risk management, then reports them to the Business Strategy Committee and the Board of Directors on a regular basis.
In addition, we have a CRO to monitor and address companywide risks centrally and cross-functionally and to manage possible losses. The CRO leads companywide risk management, detecting and analyzing varied and complex risks in the social and business environment, which changes day by day, and evaluating impacts, while prioritizing countermeasures and closely collaborating with other chief officers managing each risk.
NEC Corporation will continue to conduct business proactively and flexibly through the following three functions.
The status of activity will be reported regularly to the Board of Directors.
In addition, outside Japan we have formulated BCPs in response to each country’s risk profile under the global system of five Regional Headquarters (RHQ), along with information escalation rules in the case of emergencies.
In order to pursue returns through appropriate risk management, the NEC Group has categorized the risks associated with its businesses into a Risk Total Picture and has decided responsible divisions and response policies for each risk in line with this picture. The NEC Group recognizes integrity as the foundation of all risk management activities and classifies risks into three categories according to their nature. Should a risk materialize, especially in the event of a crisis that threatens the survival of the NEC Group, NEC has developed a response flow centered on the divisions responsible for each risk.
Based on a comprehensive list of risks that NEC should be aware of, the CRO engages in dialogue with the other chief officers in charge of managing each risk and conducts risk assessments. The CRO creates a risk map that visualizes risk priorities under common criteria such as impact and urgency based on changes in the external and internal environment and the status of each risk countermeasure. The CRO updates the risk map through the review of the Risk Control and Compliance Committee on a quarterly basis, and regularly reports to the Business Strategy Committee and the Board of Directors.
NEC has prepared a business continuity plan (BCP) and is promoting business continuity management so that the Company can fulfill its social responsibilities based on the continued stable supply of products and services even when risks materialize in the form of earthquakes, typhoons, or other natural disasters; global pandemics; wars; or terrorist attacks. Our goal is to be able to continue NEC Corporation’s business to the greatest extent possible, and to restore operations quickly if they are interrupted.
Based on a comprehensive list of risks that require the NEC Group’s attention, the CRO engages in dialogue and conducts risk assessments with the chief officers in charge of particular risks. The CRO then creates a risk map that visualizes risk priorities based on common criteria such as the degree of impact and urgency, taking into account changes in the external and internal environment and the status of each risk countermeasure. Among the risks mapped, those that are particularly material in terms of their impact on corporate management and urgency are designated as Priority Risks, and countermeasures are implemented. The risk map is updated quarterly following deliberation by the Risk Control and Compliance Committee, and is reported to the Business Strategy Committee and the Board of Directors on a regular basis.
Designated Priority Risks and related initiatives are as listed under Indicators and Goals.
As the geopolitical situation changes and digital transformation advances rapidly, private companies are also becoming targets of national cyber attacks, and companies that possess critical information such as advanced technological information are facing increasing security risks. The rapidly increasing sophistication and complexity of cyber attacks, along with external factors such as geopolitical risk, may hamper timely mitigation of security risks.
In the event that personal or confidential information held by NEC or contained in its products, services, or systems is leaked or exposed through unauthorized access or cyber attacks and used fraudulently, NEC may be subject to disciplinary action by regulatory authorities due to its position of legal responsibility. As a result, NEC may not only lose the trust of its customers as a Social Value Innovator, but its business performance may also be adversely affected. The risk of unauthorized access and cyber attacks exists not only for NEC’s own products, services and systems, but also for those of its customers, contractors, suppliers, business partners and other third parties.
We are implementing robust and flexible measures throughout the Group based on the CISA Zero Trust Maturity Model. Based on Cybersecurity Management Guidelines Ver. 3.0 formulated by the Ministry of Economy, Trade and Industry, Government of Japan and Cybersecurity Framework (Version 2.0) of the NIST, we are strengthening intelligence (proactive defense) and resilience (ability to recover from attacks) against cyber attacks.
In addition, presenting security risks to all employees on a cybersecurity dashboard as part of our data-driven transformation is supporting quick management decisions and autonomous front-line actions. Thus, we are transforming the expertise and countermeasure doctrines developed through our front-line experience into solutions that we offer to our customers.
Furthermore, based on Security by Design 3.0, which considers security from the design stage, we are enhancing measures that include our supply chain in order to provide safe, high-quality services.
Please refer to our Information Security Report for details about our initiatives.
NEC Corporation has constructed a system in which the Company’s internal disaster information sharing system automatically receives disaster information from the Japan Meteorological Agency and displays the range of impact on a map. This allows us to understand at a glance information regarding the Company’s sites, customers, suppliers, and others located within that range.
Furthermore, we use the latest hazard maps to evaluate risk at each business site. Based on these evaluations, we implement countermeasures with due consideration of the balance between the impact of a disaster and cost.
NEC has acquired ISO 22301:2019 certification, mainly in its system maintenance divisions and datacenter operations divisions. ISO 22301:2019 is an international standard for Business Continuity Management Systems (BCMS).
Moreover, divisions that have not acquired ISO 22301 certification are complying with the international standard as far as possible and have put in place efficient and effective countermeasures to prepare for potential threats to business continuity, including earthquakes, floods, typhoons, and other natural disasters; system faults; pandemics; power outages; and fires.
The Risk Control and Compliance Committee and senior management exchange and discuss information about latent and emerging risks to enhance the Company’s ability to address risks. We also continuously improve our risk management methodology.
NEC Corporation’s Employee Disciplinary Regulations stipulate that employees who cause damage to the Company intentionally or through negligence will be liable for damages in addition to being subject to disciplinary action.
NEC provides risk management training for managers to increase awareness and understanding of risk management.
As part of the onboarding process for new outside directors, we conduct training under the theme of NEC's risk management. We also conduct training for all employees on specific risks, including compliance, the environment, human rights and information security.
We also collect information from employees through risk assessments.
NEC and affiliated companies in Japan conduct the following training and drills every year to prepare for large-scale natural disasters with the aim of minimizing damage and resuming operations as quickly as possible.
NEC Corporation has been a Business Ethics Research Center (BERC) member since its establishment in 1997.
BERC collects worldwide information relating to business ethics, undertakes research on ethics, offers consulting on business activities, and educates businesspersons while promoting ethics. We have utilized information on examples of initiatives at other companies obtained through BERC in the planning of various measures.
NEC has set up a Compliance Hotline to facilitate the early detection of compliance violations and promote self-regulation.
NEC has also set up a hotline for anonymous reporting by a broad range of stakeholders, from NEC Group employees and temporary employees to business partners, customers and local residents. This hotline enables us to swiftly and accurately identify the causes of human rights violations or potential violations and to take appropriate corrective actions.
This hotline ensures that a whistleblower is thoroughly protected by maintaining the confidentiality of the whistleblower’s identity and the details of the report, and by prohibiting any unfavorable treatment or retaliation against the whistleblower.
(Scope: NEC Corporation unless otherwise specified. Period: April 2021 to March 2026)
Conduct appropriate risk management
Select important risks that affect business execution and both plan and implement effective countermeasures
Enhancement of a comprehensive and centralized system to control companywide risks, including the establishment of the position of CRO
Planning and execution of effective measures for Priority Risks
Measures implemented for Priority Risks (during fiscal 2024, Priority Risks were unchanged)
Enhancement of a comprehensive and centralized system to control companywide risks
Planning and execution of effective measures for Priority Risks