Risk Management

Internal Control and Risk Management

Advantest has established a Basic Policy for Systems for Ensuring the Appropriateness of the Business based on the Companies Act, and implements the development, maintenance, and operation of internal control systems to ensure appropriate business operations and control risks.
Concerning potential risks in the management environment, business activities and company assets of the group, we identify and categorize the risk factors for each important business process and analyze the size, occurrence probability, and frequency of the risks. We also document policies and procedures concerning appropriate responses to the risks as a part of important internal control activities.
We have also established the Internal Control Committee to promote internal control systems. The President & CEO, who is the head of business execution, serves as the Chairman of this Committee, and the members are the representatives of each business location and affiliates of the Advantest Group. The Committee meets every half year. The risks recognized by each department are aggregated by risk category, based on each department's risk assessment, and then analyzed to grasp company-wide trends. In addition, case examples of activities by each department are reported, in an effort to promote the risk management system.
The Committee also reports important risks to the Board of Directors.

Systems for Disasters and Other Emergency Situations

The Advantest Group has established the Risk Management Group, and will conduct measures to minimize damage should any of the following events occur:

  1. If damage is caused to buildings or facilities, or if networks and systems stop functioning, thereby making it difficult to continue our business operations, or if there is the possibility of this type of situation occurring due to a disaster or accident;
  2. If there is the danger of one of our executives or employees being killed or injured or their life or physical health is put at risk due to a disaster or accident;
  3. If a scandal or incident occurs that has the potential to become a matter of social concern; or,
  4. If any event other than those described above were to occur that could cause a significant impact on the business of the Group or its affiliates due to a disaster or accident.

In December 2001, Advantest established a Risk Management Group with the Company's president as its head. When any of the above events occur, the Risk Management Group will consolidate information flows, evaluate the problem, direct the initial response, and formulate recovery plans. The Group will remain in operation until recovery is complete.

Major Risk

Risks associated with Advantest's business are shown below.

Practice of Risk Management

Advantest has established a risk management system with the Internal Control Committee at the center, in which risks related to each sector and affiliate company are identified and risk assessment is conducted to determine how to respond to risks.
We will monitor the state of our risk management and practice the plan-do-check-action cycle to review and improve the system in the future.

  • Risks identified by risk assessment: 333 risks

In fiscal 2018, issues such as export controls related to the trade friction between the U.S. and China and approaches for maintaining production quality were discussed.
The number of risks identified by risk assessment increased by 31 compared to the previous fiscal year. This is because heightened risk management awareness in each department and affiliate has led to more risks that need to be addressed being recognized and managed.

Cultivating a Risk Management Culture

Advantest conducts risk management education for every employee for the purpose of correctly recognizing and properly handling the risks that the company faces.

Employee Training Conducted in FY2018

| Name of Training | Scope | Attendance Rate |
| --- | --- | --- |
| Code of Conduct Training | Advantest Group | 100.0% |
| Anti-corruption and Bribery Prevention Training | Advantest Group | 100.0% |
| Intellectual Property Management Training | Advantest Group | 100.0% |
| Occupational Health and Safety | Employees in Japan | 95.8% |
| ISO14001 Environmental Education | Advantest Group | 99.1% |
| Specialized Chemical Substance Training | Employees who interact with chemical substances | 100.0% |

Business Continuity Plan

Advantest Corporation established the following basic policy during fiscal 2007 in preparation for large-scale natural disasters. We have devised our business continuity plan based on this policy.

Business Continuity Plan (BCP) – basic policies

  • We will place top priority on ensuring human safety should a major disaster strike.
  • We will fulfill our responsibility to our stakeholders by ensuring that any impairment to our operations has a minimal adverse impact on our suppliers and other stakeholders.
  • We will cooperate with local bodies in regular disaster prevention measures, and if a disaster should strike near any of our locations, we will contribute to local recovery.

After the Great East Japan Earthquake in March 2011, we began reviewing our disaster prevention arrangements. In fiscal 2012, we revised our Business Continuity Plan (BCP) to take into account the possibility of an earthquake directly under Tokyo and flooding along the Tone River, and to ensure the integrity of our supply system even in the event of such disasters. Within the BCP, the following measures are stipulated in line with the basic policy.

| Basic Policy | Specific Measures |
| --- | --- |
| 1. Ensuring human safety | In addition to continuing with regular disaster prevention drills and safety confirmation drills, we will strengthen crisis management and business continuity systems, making human safety the top priority. |
| 2. Fulfillment of supply responsibilities | When an earthquake occurs, supply systems at our main manufacturing plant (i.e. the Gunma Factory) will continue. In the case of a flood, it is assumed that supply systems will be maintained at alternative manufacturing sites. In preparation for cases where workplace attendance is temporarily impractical because of damage to offices or infrastructure, we will establish an environment allowing high-priority work to be done from home. |
| 3. Regional & social contributions | Our Gunma R&D Center has been designated by the town of Meiwa as an evacuation shelter in case of flooding, and we contribute to the area by keeping the site ready for flood evacuees. |

Measures Implemented in Fiscal 2018

In fiscal 2018, management reviews of the role, policies, and state of activities of the Risk Management Group were conducted in April. Based on these reviews, the Business Continuity Plan was reviewed and shared for each function of the Risk Management Group. In addition, internal regulations related to business continuity were provided.

Disaster Responses

June 2018 Osaka Earthquake: Safety confirmation was performed for all domestic companies.
July 2018 The Western Japan Floods: Safety confirmation was performed for all domestic companies.
September 2018 Hokkaido Eastern Iburi Earthquake: Safety confirmation was performed for all domestic companies.
January 2019 Kumamoto Earthquake: Safety confirmation was performed for all domestic companies.
February 2019 Hokkaido East Central Iburi Earthquake: Safety confirmation was performed for all domestic companies.

Approach to Materiality in Customer Privacy

Information that we receive from our customers and business partners should be socially protected, and it is thus also an information asset for the company. We recognize that the proper protection and management of this information is vital.

Supervising division: Security departments
KPI: Number of complaints relating to information security
FY2018 target: 0
Results achieved in fiscal 2018: 0
Boundary: Advantest Group
Relevant policies: Basic Information Security Policy, Privacy Policy
Relevant commitments:
Responsible department/division:
Relevant complaint processing policy: We accept inquiries and complaints at the email address below that is available on our website.
informationSecurityCommittee@advantest.com
Assessment:

Information Security Management Policy

Advantest is fully aware that the information we receive from suppliers and information pertaining to our technical and sales operations are important assets; to effectively manage this information, we pursue information security practices that include developing regulations, constructing control systems and providing employee training.

Policies and rules relating to information security

Advantest has established an Information Security Basic Policy. Rules are specified in five policies: our Privacy Policy, Confidential Information Management Policy, Education & Incident Management Policy, IT Security Policy, and Social Media Policy.

Organization of Information Security Management System

Advantest regards the implementation of information security control as a key management issue, and has accordingly assigned the Senior Executive Officer to act as Information Security Officer responsible for such systems on a global basis.

Moreover, we have set up a system that enables our offices in respective countries to autonomously address information security issues. Under this system, Regional Information Security Officers posted in respective countries bring a variety of viewpoints to the table in the course of deliberating on potential information security measures to be applied on a group-wide basis, and also when considering which policies and rules should be adopted, or otherwise revised or abolished.

Specifically, the head of each Group company's administration division has been assigned to the position of Regional Information Security Officer, responsible for security management in their respective regions. Meanwhile, members from related divisions in respective countries have been tasked with implementing information security measures.

Information Security Training

Based on the view that the final barrier for information security is "people," we aim to thoroughly publicize information security policies and related regulations. We administer information security training on each policy (Privacy Policy, Confidential Information Management Policy, Education & Incident Management Policy, and IT Security Policy), as well as training simulating an actual cyber-attack case, to all employees in Japan and overseas.

Going forward, we intend to continue developing more practical content and offering more pragmatic training through learning activities that entail repeated exposure to information security rules and content covering key topics in that regard.

Training/Awareness Raising as Part of the Information Security Training

  • Information Security Training through e-learning: 1
  • Targeted email threat training: 1
  • Awareness raising for all employees: 1
  • Broadcast of information to raise awareness: 10

Initiatives for Strengthening Information Security

In fiscal 2011, we adopted a system whereby internal audit divisions perform information security audits, which enables us to conduct more objective rule-based checks and provide feedback to divisions that have been audited.

When updating our rules governing access to information equipment, we removed requirements stipulating that employees must use encrypted PCs only, and now allow them to use thin client computer platforms through which they can perform work in secure environments without leaving data behind in the computer after use. We also made sure that our uniform Group-wide guidelines for business-related use of smartphones enable our employees to draw on such devices effectively in a business context, and in a manner that facilitates better customer service.

We also undergo security assessments and vulnerability tests via an external agency as an objective evaluation of our information security measures. Based on those results, we refine the points needing improvement to strengthen our level of security.

Confidential Information Protection

Our Information Security Basic Policy defines confidential information as that which has been disclosed by clients under contract along with that which is important to the company; moreover, the policy stipulates that such information be handled in accordance with relevant regulations.

Accordingly, we are committed to ensuring that confidential information is not divulged outside the company by ensuring that it is protected through the use of adequate controls governing its storage, disclosure and handling. In fiscal 2018, there were no incidents involving the unauthorized disclosure of important confidential information, etc.

Personal Information Protection

We consider the confidentiality of all personal information entrusted to us to be very important, and accordingly we take steps to ensure that such information is properly protected and managed. In fiscal 2018, there were no incidents involving the unauthorized disclosure of important personal information, etc.

Our commitment to safeguarding personal information entails posting personal information managers in divisions handling such duties, and furthermore ensuring that those managers properly carry out their duties in regard to overseeing such information. Furthermore, we perform regular audits of personal information control and use practices in the respective divisions, and make improvements whenever deficiencies are discovered.

In Group companies outside of Japan, Regional Information Security Officers work to protect and manage personal information in accordance with the laws, regulations, and demands of each respective country or region.