Governance Initiatives

Compliance and Risk Management

Compliance

Code of Conduct

We have the PHC Group Code of Conduct, which applies to all countries and employees. It is organized by each of our values: “Diversity & Collaboration,” “Innovative Thinking,” “Challenging Spirit,” and “High Standards of Integrity.” We focus on the key risks of our business and key principles for acting ethically and in compliance with company policies.
In addition to our Code of Conduct, we also comply with applicable local, national, regional, and international rules, regulations, and legal doctrines. If there is a conflict between our policies, standards and Code of Conduct, and applicable laws and regulations, we will follow the most stringent regulation.
Please click the following link to learn more about our Code of Conduct.
https://www.phchd.com/-/media/phchd/csr/activities/code-of-conduct/PHC_Code_Conduct_EN.pdf

Training and education

Continuous training and education activities are essential for promoting compliance with company policies. In fiscal 2022, the year following our listing on the Tokyo Stock Exchange, we held a training session on the critical topic of preventing insider trading. We provided the training to executives, managers, and employees who have opportunities to come into contact with insider information, as specified in our group policy. The attendance rate for the training was 99.8% (excluding employees who were unable to attend due to leave of absence, maternity leave, childcare leave, etc.). We also implemented a system in which employees who do not fall under one of the categories above can voluntarily attend training on insider trading.
We will continue to provide training necessary to ensure compliance.

Internal control systems

PHC Group has introduced a group-wide compliance helpline for use by employees. Compliance issues such as potential fraud or human rights violations can be reported by phone and email. The helpline can be used anonymously. In addition to contact points at each company, third-party reporting points such as law firms are also available in various regions around the world, thereby creating an environment which facilitates consultation and reporting by employees. Each company responds to any reported cases of noncompliance, and PHC Group has an escalation policy in place to handle any serious cases.

Risk Management

We manage various risks based on the PHC Group Risk Management Policy, which defines the basic policies, systems, and initiatives for the entire group. Every year, the entire group identifies risks that affect business continuity, such as natural disasters, geopolitical risks, cybersecurity issues, and technology inheritance. For priority risk areas, we have designated risk managers, and have created and implemented mitigation plans to avoid their occurrence and minimize their impact should they occur.
The Chief Operating Officer (COO) of PHC Holdings serves as the officer in charge of risk, conducts group-wide activities based on regulations, and reports to the Board of Directors on risk details and response policies.
We will establish a Risk Management Committee in fiscal 2023 to further systematize and promote these initiatives.

Business Continuity Plan (BCP) Initiatives

Under business continuity management (BCM), our company has established business continuity plans (BCPs) in each business division and department to manage situations that may threaten business continuity, such as earthquakes, floods, snow damage, typhoons, pandemics, cyberattacks, or acts of terrorism. In this way, we are prepared for emergencies at all times. The basic policies of the BCM guidelines established by PHC Group are as follows:

  • (1) Prioritize the lives of employees;
  • (2) Maintain product supply quantities or service levels acceptable to stakeholders; and
  • (3) Restore business and operations within the deadline permitted by stakeholders.

We have established these as our basic policies and are preparing for potential emergencies through the development of various countermeasures and education initiatives. We also conduct practical training at plants, laboratories and sales offices. This includes disaster prevention drills conducted by fire prevention and disaster prevention teams organized within workplaces and offices, training by the IT Department to operate websites in the event of a core system outage, and review of procedure manuals through desk training. Through such training, we are instilling emergency preparedness within the company and our operations.

Cybersecurity and Data Protection

Company-wide policy

PHC Group has prepared standard documents such as information security management standards for group companies based on the framework of the international information security standard ISO 27001. We operate and manage these standards on a global scale by using a unified system and rules.
Please click the following link to learn more about our company’s cybersecurity efforts.
https://www.phchd.com/global/sustainability/activities/security

Training and education

As part of cybersecurity training in fiscal 2022, we conducted two e-learning training sessions for group employees in Japan: (1) Information security training (general education) and (2) Targeted email attack countermeasures training. The training attendance rate was 99.4% for (1), excluding employees transferred internationally or within Japan and those on long-term leave, and 97.0% for (2), excluding employees without email addresses.
From fiscal 2023, we will provide training on data protection to employees across the entire group, including outside Japan.

Vendor review

We aim to conduct cybersecurity reviews of 100% of our outsourced vendors, and we carry out vendor management measures annually. Based on the degree of cybersecurity impact, we target high-risk outsourced vendors from the following three perspectives.

  • Data: Vendors who receive, store, process and transmit “strictly confidential” or “confidential” information
  • System/network access: Vendors who directly access the networks or systems of PHC Group
  • Business processes: Vendors who support important business processes or require certain qualifications

Specifically, we investigate the status of ISO 27001 and Privacy Mark certifications for outsourced vendors. If vendors are not certified, we use a cybersecurity standard checklist and require that they have a score of 90 or higher, or that they have security standards that are equivalent to or higher than those of PHC Group. If compliance standards are not met, we consult with the outsourced vendors and take measures to avoid and reduce risks. We also conduct regular reviews and strive to maintain security standards.

Cybersecurity Committee

PHC Group convenes a Cybersecurity Committee to discuss the group’s cybersecurity policy, KPI reviews, incident reports, and correction of security vulnerabilities. The meetings are attended by all executive officers, including the President. At the meetings, members discuss any cybersecurity concerns and responses surrounding our business, and determine and implement necessary measures.