TOTO Group Risk Management Policy

The TOTO Group strives without limit to eliminate all causes of hindrances to the implementation of management policies in order to maintain the confidence of society through the fulfillment of its corporate social responsibilities. In cases of unexpected problems, maximum efforts will be made to minimize various effects on stakeholders and to restore confidence of related parties by developing appropriate preventive measures.

System of Promotion

Our Risk Management Committee, chaired by the vice president, has as its members the executive officers overseeing major risks and division heads as members. In accordance with risk management rules, the Risk Management Supervising Division General Manager appointed to oversee risk management works with all divisions and Group companies through various committees and meetings to prevent risks and enhance the Group's risk management response capabilities.

  • Committee chairman : Executive Vice President
  • Vice chairman:Executive officer in charge of General Affairs
  • Committee members : Each division manager

Risk Management Action Cycle

Top Management Roles and Responsibilities

  1. Building and penetration of the risk management system
  2. Confirming and evaluating the validity of the risk management system
  3. Providing the needed management resources to achieve the above

Risk Management Committee Roles and Responsibilities

Promotion of Risk Management
  1. Discussing and determining goals and direction of risk management
  2. Progress and follow-up on risk management
  3. Risk detection and evaluation, creating a risk map and prioritizing risk
  4. Improving risk awareness and knowledge
  5. Promoting monitoring and audits
  6. Risk Management Report to Board of Directors

Major Risks in Fiscal 2018

Every year, major risks that could have a significant impact on stakeholders are identified and a general manager of the risk management supervision division is appointed for each risk in order to take preventive measures.
Each major risk is mapped out on a matrix evaluating degree of impact and frequency of occurrence from the viewpoints of damage to the brand, impact on personnel and financial consequences along an assumption scenario. Risks scoring high in risk points are flagged as priority risks and monitored by the Risk Management Committee, and risk mitigation activities are promoted throughout the entire Group.

Principal Major Risks

BCP & BCM activities

TOTO has a business continuity plan (BCP) to help achieve early resolution and keep damage to a minimum, should a risk materialize. When the Great East Japan Earthquake occurred in March 2011, a countermeasures headquarters was immediately set up to help continue business operations, minimize damage and keep inconvenience to customers to a minimum. Our efforts in this respect were recognized by the Business Continuity Advancement Organization (BCAO) when we won the Grand Prize at the 2011 BCAO Awards for having the best business continuity measures in place.
Following the Great East Japan Earthquake, risks in the procurement of important parts and power restrictions have become evident. We have therefore strived to improve our business continuity management by, for example, taking measures in advance. We also established a task force immediately after the Kumamoto Earthquake in April 2016 in an effort to ensure the continuity of our businesses and minimize damage. In case of a major earthquake directly hitting central Tokyo or the Nankai megathrust earthquake, we will strengthen our internal system in accordance with the review of the assumptions, which is to be announced, and we will review our contingency plans to react to the disaster and continue our businesses.

Emergency contacts

Systems and measures to be activated in the event of a crisis are defined in the Rules for Risk Management. To prevent the delay of initial response, we have set up a group-wide emergency contact desk which operates 24 hours a day year-round. In fiscal 2013, we established an even smoother emergency response system by setting up an email point of contact in addition to the call center.
An Emergency Procedures Card has also been distributed to all Group employees. First reports of a critical event can be received 24 hours a day year-round and are centrally managed. From fiscal 2012, ten items were added to the card to help educate employees in how to protect themselves and their families, including preparations for an earthquake disaster and initial responses in the event of an earthquake.
In an emergency, the situation will be reported promptly to the risk management supervising division, personnel from the departments concerned will gather quickly, and actions will be taken to help resolve the crisis immediately and keep any damage to a minimum.

Proactive risk communication

Risk management training is provided to all new section managers, new department general managers and new group company presidents. Corporate internal communication sites contain descriptions of risk management activities on web pages dedicated to risk management, risk trends, emergency response manuals and a variety of other information available for viewing by all group personnel.
Of particular note are the dedicated sites in the corporate homepage in 2011 when the Great East Japan Earthquake struck to facilitate communication in easy-to-navigate categories such as damage to those affected, response policy and daily progress. We strive to promptly disclose information on the status of efforts by the company through a news release and other media in the event of an emergency situation.

Practical risk simulations

risk simulations
Real-time risk simulations
To improve our prevention and response capabilities to major risks, we have been carrying out practical risk simulations targeting all workplaces, including overseas.
Especially when a disaster occurs, flexible decision-making and execution in response to the disaster situation that change by the minute are required. On the occasion of the Great East Japan Earthquake we introduced the Real-time Risk Simulation utilizing a mock disaster exercise in FY 2011, and finished the training for all our business sites by FY 2014. In addition, we conducted the Management Risk Response Simulation for Directors and Division General Managers in FY 2013 with the theme of the Tokyo metropolitan area shattered by an earthquake. In the simulation, we shared the direction for business continuity with the participants reviewing "what to do when it occurs" against unforeseeable management risks in advance and recognized that Directors and General Managers of Divisions themselves make prompt decisions when a disaster occurred. Subsequently, we are continuing the training especially in the areas where the Metropolitan Area Earthquakes or the Nankai Megathrust Earthquakes would affect. Outside Japan, we have been conducting risk simulations while changing sites and themes. The total number of the trainings from FY 2005 to FY 2017 was 161.

TOTO Group Security Policy

The TOTO Group recognizes that the protection and appropriate safety management of its information assets and all other management assets held by the TOTO Group is an extremely important social responsibility. The TOTO Group ensures that all of its employees understand this policy, strives to provide products and services that customers feel secure using, and continuously improves its security. Through these efforts, The TOTO Group aspires to be a company that is trusted by its customers.

The TOTO Group operates a security management system based on the TOTO Group Security Policy which sets out the basic requirements for the system. The division responsible for information security conducts risk assessments, sets objectives, formulates an implementation plan and puts it into operation in cooperation with the Internal Audit division.
In fiscal 2012, we changed notations/definitions and methods of displaying different types of confidential information, reviewed our rules on confidential information and drew up new guidelines.
In fiscal 2014, regulations were strengthened by adding certain restrictions regarding laws concerning use of personal devices and media on company sites as a measure to improve information security. Each division and Group company has set up an information security management organizational chart, a confidential information management ledger and a management status disclosure ledger, and was asked to perform a self-check (implementation rate 100%) on handling confidential information in accordance with the new rules and guidelines.
In addition, we implemented information security education through e-learning for all TOTO Group employees, including those of cooperating companies.

Privacy Policy

The TOTO Group recognizes that the protection and appropriate safety management of its customer information and all other personal information held by the TOTO Group is an extremely important social responsibility. The TOTO Group ensures that all of our employees understand this policy and implements measures for promoting protection of personal information. Through these efforts, The TOTO Group aspires to be a company that is trusted by its customers.

Utilizing the Intranet to familiarize the employees with the privacy policy
Utilizing the Intranet to familiarize
the employees with the privacy policy
In response to the Act on the Protection of Personal Information, enforced in April 2005, TOTO established personal information protection guidelines and has used e-learning to familiarize employees with them. Beginning in fiscal 2010, TOTO's subcontractors began performing self-assessments that help TOTO manage subcontractors more effectively. Furthermore, TOTO's divisions and Group companies are working to revise the personal information management records and structures for managing personal information, and managers are performing self-inspections with an implementation rate of 100%, in order to thoroughly manage personal information and raise awareness about it.