Canon Inc. recognizes that the improvement and implementation of a risk management system to deal with serious risks that Canon Group may face in the course of business is extremely important to ensure the proper operation of the Group and to continually improve corporate value.
Canon Inc. has established a risk management committee based on a resolution of the Board of Directors. Chaired by the Executive Vice President, the committee has established three subcommittees: the Financial Risk Management Subcommittee, Compliance Subcommittee, and Business Risk Management Subcommittee.
The Risk Management Committee develops various measures to promote the Canon Group’s risk management activities, including identifying any significant risks (violations of laws and regulations, inappropriate financial reporting, quality issues or information leaks, etc.) that the Canon Group may face in the course of business.
The committee creates an annual basic policy for risk management activities and, after obtaining the approval of the Board of Directors, carries out risk management activities at Canon Inc. divisions and Group companies. The committee evaluates the improvement and implementation of the risk management system for each division and Group company, and reports the result of such evaluation to the CEO and Board of Directors. In 2016, the result of the evaluation did not discover any major flaws in the system.
Based on the above basic policy, the heads of Canon Inc. divisions and presidents of Canon Group companies, as a risk management promotion officer, formulate an yearly risk management plan for their own division or Group company, and assume the responsibility of promoting their own risk management activities. Risk management promoters appointed for each division and Group company coordinate risk management practices.
Additionally, Canon Inc. administrative divisions with jurisdiction over miscellaneous risks associated with business activities, including the legal division, human resources division, security trade control division, and quality assurance division, control and support the risk management activities of each division and Canon Group company.
During training for newly appointed Canon Group executives conducted by the human resources division, Canon Inc. educates them on the importance of autonomously improving and implementing a risk management system at each company and the role of executives in improving and implementing such system.
Similarly, when the human resources division conducts training for newly appointed general managers and managers, it educates them on the importance of the system to manage legal risk and the role of management in constructing such system.
In addition, an intranet website provides employees of Canon Inc. and Group companies with timely information on the Canon Group’s approach regarding risk management and updates on activities.
The Financial Risk Management Subcommittee carries out activities to strengthen internal controls pertaining to financial risks for the entire Canon Group, including compliance with Japan’s Companies Act and Financial Instruments and Exchange Act as well as the United States’ Sarbanes-Oxley Act.
We endeavor to make qualitative improvements in ensuring the reliability of the Group’s financial reporting. We support independent initiatives and self-driven educational activities at Group companies as they implement the PDCA cycle (review business procedures for financial risk).
As a result of these initiatives, Canon’s accounting auditor determined that the company’s internal controls related to financial reporting were effective in fiscal 2016.
The Compliance Subcommittee works to promote corporate ethics in accordance with the Canon Group Code of Conduct, and to improve the Group’s legal risk management system.
Canon established the Canon Code of Conduct in 1992, and later updated it as the Canon Group Code of Conduct in 2001. This set of principles clarifies the Canon Group’s management stance and standards that Canon Group executives and employees must comply with in their duties. In addition to Japanese, the Code of Conduct has been translated into 14 languages, including English, French and Chinese, and adopted by resolution of the Board of Directors of each Canon Group company, which also strives to ensure that it is known and practiced by all.
In addition, a portable Compliance Card has been created in Japanese as well as 16 other languages, including English, French and Chinese, and given out to Group executives and employees inside and outside Japan. Written on one side of the card is the San-ji (Three Selfs) Spirit, which has been the guiding principle of the company since its founding, and on the other side is a compliance test that enables employees to carry out self-questioning of their actions on a daily baisis.
Canon Inc. carries out corporate ethics and compliance training for employees suited to the circumstances and conditions of the region where they operate.
For example, Canon Inc. conducts rank-based training designed to foster compliance awareness for newly appointed general managers and managers as well as new employees.
Additionally, Canon Inc. and its subsidiaries in Japan have since 2004 designated a Compliance Week twice a year—once in the first half of the year and the other in the second half—in order to foster discussions in the workplace about compliance issues. Through these efforts, we strive to develop and improve operational processes to ensure that employees are aware of compliance and abide by the law.
Canon Inc. has established a hotline to receive information related to compliance issues. The confidentiality of callers is strictly maintained, and they are guaranteed not to suffer any unfair treatment for using the hotline. We continually work to encourage use of the system by raising awareness of the hotline services, using such means as an intranet compliance website and compliance training.
Hotlines have been established at nearly all Group companies inside and outside Japan. Canon Inc. and Group company divisions in charge of the hotlines are in close coordination to continuously respond to incoming reports and increase system reliability.
At Canon, we have identified significant legal risks that the Canon Group may face in the course of business (e.g. violations of anti-trust laws, anti-bribery laws and export control regulations) by considering the potential likelihood and impacts on Canon’s business. To minimize these risks, we are working to improve a system to ensure legal compliance by improving operational workflows and rules, providing training on laws for related employees, and conducting audits and checks.
Canon Inc. has established a security trade control framework headed by the president and overseen by the Foreign Trade Legal Division within the Global Logistics Management Center. This ensures that we can implement proper security trade controls in compliance with strict regulations on the export of goods and technologies for civil use that could be diverted for use in weapons of mass destruction or conventional weaponry.
The Foreign Trade Legal Division works with divisions involved with individual goods and technologies to double-check such issues as whether export goods and technologies are controlled by regulations, or whether counterparties are engaged in the development of weapons of mass destruction. We have also established and revised Security Trade Control Guidelines, and hold regular briefings and training sessions for persons in charge of Canon Inc. business divisions and Group companies in Japan to further educate employees about the importance of security trade control. We also provide Group companies with templates for company rules, training materials for employees, and support via the help desk to help these companies establish control frameworks and rules.
Such thorough internal controls have ensured that the Canon Group has never violated security trade control laws. Canon Inc. has also maintained a bulk export license from Japan’s Ministry of Economy, Trade and Industry continuously since 1990. This license is granted only to exporters who exercise strict controls.
|Category||Subject||Number of sessions|
|Rank-based||New employee training||1|
|New manager training||3|
|New general manager training||2|
|Expatriates||International staff training||7|
|Canon Group||Expert training for security trade control employees||9|
|Global e-learning (Japanese, English, Chinese and Thai languages)||Ongoing|
Anti-trust laws apply to all of Canon’s business activities, from product development to production, sales and after-sales service, and therefore, Canon recognizes that compliance with these laws is absolutely vital.
Based on this awareness, business divisions of Canon Inc. and sales and service companies of the Canon Group inside and outside Japan conduct regular training for employees of divisions exposed to the risk of anti-trust law violations to educate them about the laws, provide examples of legal violations, and inform them of what to be aware of in carrying out their duties. We also make our anti-trust law hotline known to all employees and thoroughly encourage employees to use this hotline if they are unsure of how to interpret or apply anti-trust laws.
The Canon Group Code of Conduct clearly stipulates that Canon will not receive benefits in the form of gifts or entertainment that exceed the social norm, or provide similar benefits to other parties.
Canon carries out regular training for employees of divisions involved with negotiations between public officials and business partners to inform them about the latest regulatory trends (including provisions to prevent bribery of public officials outside Japan) in major countries and details of the Code of Conduct.
The Business Risk Management Subcommittee is responsible for operational risks excluding legal violations and errors in financial reporting.
Individual risks are assigned to the responsible administrative divisions for the entire Canon Group. The Business Risk Management Subcommittee works with working-level divisions in charge from each Canon Inc. organization and Canon Group company to implement risk mitigation activities and further develop the risk management system.
Recognizing that information security is a vital management task, Canon has established an appropriate management system for the entire Group, in accordance with the fundamental principles of information security regulations. Under this system, we implement training to raise employee’s awareness and to prevent external threats and leaks of confidential internal information.
Since 2005, Canon has had external certification, ISO27001, for its information security management systems.
Canon has established an Information Security Committee as the decision-making body for information security measures. This committee is made up of experts from information security departments and is responsible for information security management for the entire Group.
Committee members have also drawn up Canon Group Information Security Rules in order to maintain the same level of and approach to information security across the entire company. These rules apply to all Group companies worldwide. Each Group company creates regulations and guidelines based on these rules in line with its needs, and conducts training and awareness activities.
Based on these rules, regional administration companies conduct regular inspections to confirm how information security is being implemented at each Group company, using the data to review and improve information security controls.
If an information security incident occurs, the matter must be reported to the Information Security Committee via the respective regional administration company. In turn, the committee issues appropriate instructions.
CSIRT*, a dedicated team for dealing with growing information network threats, was established within Canon Inc. in 2015. At that time, Canon officially joined the Nippon CSIRT Association as Canon-CSIRT in order to address the increasingly sophisticated nature of cyber attacks by strengthening collaboration with external CSIRTs. Additionally, in 2016, Canon Inc.’s Information & Communication Systems Headquarters implement information security checks on 29 Group companies in Japan and 18 Group companies overseas. These inspections found that each company’s system was sound and in good working order.
Canon will maintain an expedient and smooth communication channel with its Group companies and make every effort to ensure that its mechanisms can identify and remedy issues based on regular information security checks. Moreover, we are also working to further reinforce our information security system by establishing a structure to discover information security incidents at an early stage and measures to eliminate security leaks and risks connected to these incidents.
Canon implements measures to safeguard the three elements of information security: confidentiality*1, integrity*2, and availability*3.
The most important information is stored using a dedicated system with reinforced security. By controlling access and recording usage, we guard against external attacks and prevent information leaks from within.
In addition, we have established an environment in which employees can safely access the company’s information assets while away on a business trip, and we have also placed restrictions on email attachments and taking company computers and storage media offsite.
To safeguard against the threat of external attacks, we implement training and other measures to prevent tampering with Canon’s official websites and to deal with targeted email attacks.
In 2016, we continued with these initiatives and also worked on responses to cyber attacks, upgraded email security, and improved security regarding internet access to further enhance security and protect against the threat of information leaks. Going forward, we will continue to work on improving our countermeasures to maintain the three elements of information security.
Canon recognizes that personal information is an important asset, and that protecting this asset is one of its social responsibilities.
At Canon Inc., we have created rules to safeguard personal information, including a Personal Information Protection Policy and Personal Information Protection Rules, and conduct training and audits regularly as part of our system to prevent leaks of information.
Starting in 2015, we expanded the scope of these activities to include all Group companies, creating a centralized management system covering the entire Canon Group. As a result, there were no incidents involving the loss or leakage of personal information at Canon Inc. or any of its Group companies in 2016.
Canon Inc. and Group companies in Japan have also implemented measures to deal with Japan’s new Social Security and Tax Number System (referred to as the “My Number” system) , which was introduced in Japan last year, in an appropriate manner. To this end, the entire Group in Japan formulated My Number Handling Rules, My Number Regulations as well as a detailed handling procedure manual. In particular, our measures regarding physical and technological security are more stringent than those mandated by law, and we continue to collaborate with the IT department on this matter.
Going forward, Canon will regularly monitor its management of ”My Number” and other personal information while reviewing operations as needed to make appropriate improvements.
In order to maintain and improve information security, Canon is focusing on raising awareness among the employees who use information systems.
New employees are thoroughly trained on Canon’s information security measures and rules through group training for both regular and mid-career hires. In addition, all employees undergo annual training using our e-learning system.
In 2016, roughly 27,000 employees—equivalent to Canon Inc.’s total workforce—received information security training. The training curriculum focused on reaffirming essential measures, focusing on cyber security in particular. This included how to respond to targeted email attacks, what to look out for when sending emails and the risk of information leaks from posting on external translation websites, among other protocols for using information infrastructure.
Canon is committed to improving the content of its training programs in order to raise employee understanding and awareness of information security matters.
Aiming to strengthen physical security, Canon has been working to establish physical-security systems at each of its operational sites based on the following three policies:
Canon has established Canon Security Guidelines that outline policies and rules regarding room entry and exit management and other aspects of physical security. We have also been proactively implementing security measures according to these guidelines, and revising the guidelines as needed. Each Canon site is now responsible for drafting a self-checklist that complies with the guidelines and also takes into account the unique security risks of each region in order to check the adequacy of its security protocols. In this way, each site implements security measures tailored to changes in its own environment.
In addition, the Group has adopted an Integrated Entry and Exit Management System and a control system that comprehensively manage surveillance cameras and sensors as part of Canon’s efforts to strengthen physical security across the entire Group.
Due to the serious risk to society posed by toxic materials, we have developed a particularly thorough audit system, covering all Canon Group sites in Japan.Improvements and revisions to physical security measures are implemented based on audit results.
Learning from the terrorist incidents in Paris and Belgium, Canon has stepped up its security efforts in order to quickly detect suspicious persons and suspicious objects with the aim of preventing indiscriminate terrorist attacks against companies considered to be soft targets. We are also working more closely with the police, fire departments and other government agencies to heighten vigilance against possible attacks.
Canon believes that establishing a system to ensure that business operations can continue after a natural disaster or emergency represents one of the most important social responsibilities of any company. Based on this recognition, we have formulated a business continuity plan (BCP) *1 and Canon Group Disaster Preparedness Guidelines, and are working hard on advancing business continuity measures for disasters, including upgrading buildings constructed according to old aseismic design standards, concluding disaster agreements with local communities, and developing systems for collecting information and reporting.
Due to the critical importance of our Shimomaruko headquarters in Tokyo, Japan, as the home base for all Group operations, we have rebuilt all on-site buildings, established a crisis control center, installed backup generators, stockpiled fuel, equipment, and supplies, and established a multiplex communication system. Moreover, we set up a Disaster Recovery Center*2 to back up information systems to ensure that the core IT system will operate securely in the event of a disaster.
We have also updated all Group company facilities, setting up emergency communications equipment and support structures, and inculcated a sense of readiness in our employees through practical disaster-preparedness training. We also have systems that use data from canon surveillance cameras installed at each Group location to enable swift understanding of damage incurred at other locations and factories in the event of a disaster. Furthermore, we have prepared a manual for persons in charge in order to safeguard human life immediately following a natural disaster or fire, prevent secondary disasters, and protect company assets. Using this manual as a model, Group companies are also creating localized manuals based on the unique risks in the areas where they operate to facilitate the smooth restoration of services in the event of a disaster. Last year, 35 operational sites conducted 36 emergency drills based on these manuals.
|Organization in charge||Facility Management Headquarters (Facility Management Division)|
|Policy||Conduct drills to verify that manuals prepared by individual sites are effective. Revise manual where there are shortcomings to improve ability to respond in an emergency.|
|Goals||Each operational site to conduct a drill once a year|
Disaster Agreement with Ota Ward, Tokyo
Canon Inc. has concluded a disaster agreement with Ota Ward, Tokyo, where its Shimomaruko headquarters is located. In line with the request of the Disaster Prevention Section of Ota Ward, under the agreement our newest facilities, including a lecture hall, gymnasium and heliport, can be offered in the case of an emergency situation.
Going forward, we will continue to work closely with local governments to fulfill the role of a disaster-response base in the local community.
In July 2016, Canon Inc.’s Fuji-Susono Research Park concluded a disaster agreement with Susono City, Shizuoka Prefecture, regarding support in the event of a major disaster. Susono City is working to create an urban environment resilient against disaster. Under the agreement, if there is a major earthquake in Susono City, the two parties will offer mutual support and cooperate in relief and recovery activities, such as providing food aid and permission to travel along designated disaster roads.