Risk Management

Basic Policies

The basic approach to risk management entails making business continuity plans, ensuring the safety of employees and their families, conserving management resources and retaining the trust of society. IHI manages risk based on our Basic Code of Conduct, adhering to the following principles:

1. Ensure business continuity
2. Improve society's perception of IHI
3. Conserve management resources
4. Avoid actions detrimental to the interests of stakeholders
5. When trouble occurs, work toward a speedy recovery
6. When difficult situations arise, address them in a responsible fashion
7. Respond to society's expectations with regard to risks

Risk Management System

The chief executive officer (CEO) of IHI is responsible for implementing the company's risk-management system. The Risk Management Committee chaired by the CEO discusses important matters related to risk management and makes related decisions.
The Risk Management Committee sets out the IHI Group Risk Management Priority Policy to identify risks that the Group needs to focus on. Based on this policy, divisions within IHI and Group companies worldwide prepare their own risk-management action plans and then assess achievements reached under these plans once every year. Risks to the IHI Group are reported to the Risk Management Committee, and required corrections and improvements are reflected in the next year's risk-management action plans.
For Group-wide risks, the Group Risk Management Unit provides advice and training to help each unit and Group company eliminate such risks. The division also monitors risk-management activities to ensure uniformity and effectiveness across IHI. The Internal Audit Division audits every division according to its respective risk-management action plan. This PDCA cycle improves risk management continuously.

■Risk Management System

As of March 31, 2016

Strengthening our review process for large-scale projects

Considering the continual and significant losses in largescale projects in FY2014 and FY2015, we will strengthen our project review process in FY2016. These losses were caused by insufficient analysis of new field-projects and insufficient identification of risks in projects that involve conditions we had never encountered before. Going forward, we will reinforce these processes by performing our reviews more thoroughly and rigorously. We will also continue to improve the precision of our estimates and strengthen our monitoring structure. Visualization of project progress and review by key experts at each stage will ensure steady implementation of large-scale projects and prevent drops in project profit.

■Support framework for largescale projects

What is tollgate monitoring?
A system in which stages are set in individual projects for each major milestone from estimate to delivery, and major deliverables created by the project manager or proposal manager, etc. (estimate creator) are reviewed by executive management and other relevant individuals in each stage. In tollgate monitoring, you must clear and solve the conditions set at each stage before proceeding to the next stage.


Topics in FY2015

The main activities in FY2015 were as follows.

1. Preventing problems from reoccurring
In FY2015, we ran into additional costs with an offshore F-LNG project, fell behind schedule in another project because of welding-quality issues with the boiler, and lost precious time on a bridge project across Izmit Bay in Turkey because the catwalk for erecting the main cable collapsed. Of course, we quickly took measures to rectify each situation, but to prevent any reoccurrence we also took steps to strengthen our quality controls and project execution practices.

2. Verifying the appropriateness of large investments
Before committing to large investments, we set up tollgates to analyze the appropriateness of the investment plans and the projected returns on those investments. With projects that went forward, we periodically checked progress.

3. Measures against information leaks
Whenever it was necessary to disclose to suppliers or contractors confidential information about defense, nuclear power or other sensitive content, we concluded information security agreements that clearly bound those parties to confidentiality, and verified their fulfillment of stated obligations. Moreover, to deal with targeted threats aimed at IHI, we worked closely with governmental agencies and strengthened our security.

4. Managing working hours
To get an accurate picture of working hours, logged data was fed back to management on a monthly basis.

5. Protecting trade secrets, personal information and important technologies against leaks and hacks
Alongside the start of Japan's national identification number system, strict Group-wide rules were established to manage system support and access rights. Moreover, a working group of concerned divisions was formed to extract risks, set topics of true concern and propose countermeasures.

■FY2016 Risk Management Priority Action Policy

In FY2015, risks emerged in the implementation framework and quality control of multiple large-scale construction projects, causing profits to fall and repeated downward adjustments in performance projections. To prevent these risks from reoccurring, we will take the following priority actions in FY2016.

1. Rebuilding the quality assurance systems
2. Ensuring the appropriateness of the order process in large projects
3. Sound pursuit of large-scale projects and increased accuracy of intermediate cost control

We will also continue the following actions to prevent other risks from occurring.
1. Response to changing business and competitive environment
2. Ensuring the appropriateness of large-scale investments
3. Appropriate response to risks associated with the execution of a global strategy
4. Increased sophistication in dealing with exchange rate risk
5. Strengthening compliance
6. Leaking of trade secrets/personal information/key technological information
7. Ensuring information security
8. Thorough commitment to safety and sound mental health
9. Thorough observance of environmental laws and regulations
10. Appropriate measures in the event of disasters and accidents
11. Public relations and public consultation activities conscious of the responsibility to explain, in order to recover trust
12. Cutting off all ties to anti-social forces
13. Further promotion of diversity improvement
14. Dealing with harassment
15. Promoting human rights education and awareness raising activities


Business Continuity Plans (BCP)

IHI has internal regulations requiring each office and division to prepare for serious disasters. In May of each year, which is designated as BCP Review Month, each division reviews its own BCP to ensure that all employees are registered in the safety-confirmation system, distributes pocket-sized disaster-prevention information cards, updates the telephone-contact chain and verifies the number of emergency kits. Regular training enables IHI to check and more widely promote its BCP plan. Moreover, for emergency response drills, the hypothetical emergency is changed each time to test BCP from diverse angles.

Emergency drill by senior managers

Pocket-sized disaster-prevention card distributed to all employees

Maintaining and Improving Information Security

Information Security Policy

IHI, under its information security policies, strives to effectively manage information while maintaining and improving information security to protect the confidentiality of its customers and business partners, as well as Company information and technical data.

Information Security Measures

IHI addresses information security risks from three perspectives: rules, tools and education. Internal rules include the Information Security Policy, Information Security Standards and Information System User Regulations. Various security tools, including frequently updated antivirus software, are deployed.
E-learning sessions designed to maintain and raise security awareness are held annually. In FY2015, 95.6% of all employees participated in an e-learning program.
Computer virus infections caused by targeted e-mail attacks made headlines in 2011. Since even before then, however, IHI has been working with government agencies and specialists to institute countermeasures against attacks. As of March 2016, IHI has not reported any leaked information or related damage.

Organized and Planned Security Measures and Improvements

The Information Security Committee consisting of representatives from IHI's major divisions and Group companies meets quarterly to coordinate planning, operations and inspections on a yearly basis. Every year since FY2005, IHI has conducted an internal audit of its information security measures and provided guidance on improvements. A written survey of all 52 Group companies was conducted in FY2015, followed by interviews of four selected companies. The audit found no major flaw in security measures.
If a serious information security event were to occur, IHI would respond in accordance with the Basic Rules on Crisis Management for the IHI Group.

International Certification (ISO27001)

Divisions and Group companies of IHI engaged in sensitive projects for the national government are subject to annual certification reviews under the international standard for information security management systems (ISO27001), conducted by an external organization, to maintain a high level of information security.

Topics in FY2015

Two important tools for internal governance concerning information security—the Information Security Policy for the IHI Group and the Basic Rules on Information Security for the IHI Group—were adopted and put into effect across the IHI Group. The new rules were explained to Group companies both in Japan and abroad, and overseas companies were educated about information security via e-learning (10 companies) and lectures (6 companies).

Targets in FY2016

To ensure that Group companies in Japan and abroad establish sound systems and practices for information management, they will implement PDCA activities concerning information security. They also will use ICT to build security measures into their everyday operations.

Protecting Intellectual Property

Basic Policies

IHI is enhancing its intellectual property (IP) activities to support business and R&D. It also manages a Group-wide IP management system. The basic principle is to rigorously protect Group IP while respecting the rights of third parties. To protect its technologies and trade secrets, the company is strategically managing business and product IP through rights acquisition and confidentiality measures.

IP Protection and IP Rights of Third Parties

IHI views both foreign and domestic patent applications as being equally important. In recent years, patent applications filed by IHI outside Japan increased to approximately 180 per year. To reduce related business risks, a team specializing in patent searches in the Intellectual Property Department looks for patents owned by other companies to ensure respect for third-party IP rights.

■Owned patents (Japan and abroad)

■Owned patents by location (2015)

IP Education

Employees learn about IP in their first to fifth years at IHI via e-learning. Moreover, business operation divisions and group companies impart general education covering patent audits, rights acquisition policies, copyrights, brand protection and more. In December 2015, outside speakers were brought in to lecture on IP that effectively made the workforce more aware and knowledgeable of the most recent business strategies and IP activities.

Topics in FY2015

The globalization of IHI's business led to increased patent filings overseas. To improve the cost effectiveness of those activities, standards that peg the selection of countries for patent application to business priorities were established. Also, IHI rebuilt its IP portfolio.
In addition, IHI announced efforts to combat product imitations in FY2015. The policy going forward is to investigate, expose and eliminate any infringements of IHI's IP rights.

Targets in FY2016

In FY2015, IHI began updating internal IP rules because of changes to Japan's Patent Act. In 2016, those updates will be completed and steps will be taken to further boost inventor incentive.
Also, as part of the effort to realize Group Management Policies 2016, IP strategies and practices will be strengthened according to each business. The focus will be to emphasize the quality of IP in addition to maintaining the quantity thereof.