Risk Management
Risk Management
Sumitomo Pharma has enacted "SMP Group Risk Management policy" stipulating the Company's fundamental approach to risk management and has developed a system to appropriately promote risk management for the Group. Under this promotional framework, according to the particularities of each risk, risks are divided into those requiring a horizontal, group-wide approach (group-wide risks), and those requiring specific approaches by each company (business activity risks). The Company keeps track of the risk management of the group companies as a whole through reports from each group company, and provides each group company with its guidance, advice and the like as necessary.
In order to address risks bearing an impact on business activities, we have enacted the internal "Risk Management Rule" that clarifies the President's role in overseeing risk management, and specifies a system for promoting management of each specific risk. The status of operations in each system to promote risk management is periodically reported to the Board of Directors. One of the Company's specific initiatives is to carry out annual risk assessments for all business units, including Group companies in Japan and overseas, and formulate necessary countermeasures based on the results followed by implementation and evaluation. This is undertaken systematically by each business unit group-wide working on the solution to each problem.
Risk Management System
Click here (Risk Management in the "About Us") for details.
Rebuilding Business Continuity Plan (BCP)
Sumitomo Pharma formulates its business continuity plan (BCP) from the viewpoint of ensuring a stable supply of the pharmaceutical products, which is our social mission, and accounts for the possibility of events such as large-scale disasters and new infectious diseases (pandemic).
In recent years there have been many natural disasters other than earthquakes, such as typhoons and local heavy rain. Given these circumstances, we are rebuilding our BCP to be effective for responding to diverse disasters and unexpected situations, while also establishing sustainable BCP management (BCM). Our goal is to strengthen the Company's risk management, transition to a more effective BCP, and move forward in establishing a more effective management cycle. For the Oita Plant, there is a risk of earthquake-induced tremors and liquefaction under the plant, as well as a risk of flooding and the river overflowing due to the resulting tsunami. We therefore made the rebuilding of its BCP a priority, completing it at the end of fiscal 2021.
Initial Response Plan
We separated certain functions, such as the information gathering functions and publicity functions, that had previously been handled by Disaster Response Headquarters, and launched a Crisis Management Team (CMT)* that, immediately after a disaster occurs, starts gathering information, outlines the status of damage, offers advice on whether a Disaster Management Headquarters should be established, and if established, works to gather further information.
We carry out regular, remote CMT training and other measures with the objective of increasing our swift and precise first-response capabilities. We are currently carrying out training to facilitate coordination between the CMT and administrative offices (the Disaster Management Headquarters in the disaster area) as well as the Disaster Response Headquarters, and are working to boost crisis management capabilities during times of disaster.
* CMT (Crisis Management Team): A team that is quickly assembled after a disaster breaks out, then starts gathering information, surveying the status of damage, and offering advice on whether a Disaster Response Headquarters should be established. If a Disaster Response Headquarters is established, the CMT continues gathering information, outlining the situation, and conducting similar tasks.
Information Management
"Information" is an essential asset in our corporate activities, and how it is utilized and protected is of particular importance to Sumitomo Pharma. We have established global policies for records and information management as well as various rules for information management and Information Technology security, etc. to minimize risks.
Management of Confidential Information and inside information
In accordance with the internal rules, we manage confidential information in an appropriate manner according to the degree of importance. We have the information management system such as an executive officer in charge of information management and the Information Management Committee. In order to prevent insider trading, we have internal rules which specify matters that all officers and employees must comply with. Additionally, we regularly hold training for officers and employees and we work to increase their level of awareness.
Managing Personal Information
Sumitomo Pharma has a privacy policy in place, and in accordance with its internal rules, properly handles and protects personal information acquired through its business activities from healthcare professionals, product users, business partners, shareholders, employees and other persons. In addition, Sumitomo Pharma actively promotes protection of personal information by building a solid management system that includes an executive officer in charge of personal information management and a personal information hotline, and educating and training its officers and employees.
Information Security
As information security efforts, we continue to update technical measures, rules, and procedures according to societal changes and advances in information technology as we monitor compliance. In addition, we hold periodic information security training for officers and employees to raise awareness.
We also strive to address information security risks at our group companies and business partners.
Moreover, in addition to creating a system (Computer Security Incident Response Team: CSIRT) that prevents and detects unauthorized access and responds rapidly when an incident occurs, we continue to implement efforts to prevent information security incidents. CSIRT also conduct regularly response training presents a cyberattack scenario.