
Risk Management

Basic Approach

The Isuzu Group manages various risks surrounding its business in a systematic and integrated manner in order to achieve sustainable growth and enhance corporate value. Through risk management initiatives, we will strive to minimize risk, improve operational efficiency, create business opportunities, enhance our competitive advantage, and build relationships of trust with our stakeholders.

Risk Governance Structure

To improve the division of responsibilities and effectiveness of risk management activities throughout the Group, we have established a risk governance structure based on a Group-wide three-line defense system.
Isuzu's divisions and the Group companies under their supervision serve as the first line; the Enterprise Risk Management Department functions as the second line under the direction of the Group Chief Risk Management Officer (CRMO); and the Corporate Audit Department serves as the third line. Each line of defense works in cooperation with the others in risk management activities.
In order to ensure the effectiveness of risk management activities, a Risk Management Review Meeting is held every month to confirm the status of risk mitigation efforts and incident management of each division and Group company, focusing on the Group's priority risks, and the details of the meeting are reported to management.

Risk Management Review Meeting

Risk Management Process

The Isuzu Group comprehensively identifies risks that could affect its business management, assesses them quantitatively and qualitatively, formulates specific risk mitigation plans for risk reduction, and then promotes implementation and monitoring of the plans.
Believing that it is essential for all employees to view risk management activities as their own business, we also continue to foster a risk culture to achieve sustainable growth and maximize corporate value.

Group Priority Risks

The Isuzu Group prioritizes risk mitigation efforts for risks of particularly high importance in each division of the Company and in each Group company. From the Group-wide perspective, the Group has defined risks that could affect its business or management as Group Priority Risks and implemented Group-wide risk mitigation efforts.
Group Priority Risks are identified and selected from the following four perspectives to ensure that no omissions are made:

  1. Bottom-up risk identification through risk assessments from each division of the Company and Group companies
  2. Top-down risk identification through CRMO interviews
  3. Risk occurrences within the Company or at other companies
  4. Changes in the external environment, etc.

*Please refer to the Business and Other Risks section of the Annual Securities Report, which is compiled based on the Group Priority Risks.

Crisis Response

The Isuzu Group has established a structure to comprehensively and promptly identify risk occurrences and implement effective initial responses. If any such risks have the potential to affect the business or management of the Isuzu Group, they are promptly escalated to management, and management makes a decision on how to respond to them. Then, under the direction and supervision of the CRMO, a crisis response team is formed, and various countermeasures are implemented to minimize the risk.
Furthermore, we analyze the root causes of risk occurrences to verify the effectiveness of our countermeasures. By doing so, we organically link the Risk Management Process and the Crisis Management Process, aiming to optimize risk management across the entire Isuzu Group.

Information Security

The Isuzu Group recognizes information security risk as a particularly important risk in its risk management activities.
To prepare against existing risks such as information leaks as well as new risks such as cyber-attacks, the Group strives to ensure information security by developing internal structures, and by implementing various countermeasures, including education and training for employees.

Management Structure

Under the Group Information Security Policy, the Isuzu Group has established a Group-wide information security management structure and is developing and implementing various regulations, including operational processes.
Under the information security management structure, the CRMO is responsible for information security management for the entire Isuzu Group. By assigning information security managers, management personnel, etc. to each Isuzu division, the Group implements various measures for information security, including those of Group companies that are under the supervision of such divisions.
In addition, the Information Security Management Meeting, hosted by the CRMO, is held on a regular basis. At the meeting, annual activity plans for information security are formulated, activity plans of each division, including those of Group companies, are monitored, and instructions for countermeasures are given as necessary. Through these efforts, we are striving to maintain and improve the Group's information security. These activities are regularly reported to the Management Meeting and the Board of Directors, and the effectiveness of the activities is confirmed by management.

Cybersecurity Initiatives

In recent years, the automotive industry has seen rapid advancements in vehicle digitalization and automated driving technology due to advances in IT, and this has increased the importance of information security. The risk of cyber-attacks and data leaks has also increased, making it essential to protect customer information and vehicle control systems.
The Isuzu Group is strengthening cybersecurity for its products, plants, IT systems, and the supply chain. We participate in J-Auto-ISAC*, an organization that collects and analyzes information related to cybersecurity of vehicles. Through this participation, we gather information on security incidents detected within the industry and have established a system for the development and manufacturing of vehicles with cybersecurity considerations in place.
These activities are conducted with reference to the Cybersecurity Management Guidelines set forth by the Ministry of Economy, Trade and Industry, as well as international standards such as ISO 21434, ISO 27001, NIST SP800-171, and UN-R155/156, which were adopted by the World Forum for Harmonization of Vehicle Regulations (WP.29) under the United Nations Economic Commission for Europe.

*J-Auto-ISAC: Japan Automotive ISAC, a Japanese automotive cybersecurity organization.

Information Security Management Operations

Personal Information Protection

The Isuzu Group holds a large amount of personal data, that is, information on customers and business partners, which must be properly managed in accordance with the acts on the protection of personal information of each country. Accordingly, we are working to protect personal information by establishing Group regulations to ensure that personal information is properly managed, as well as by providing education and conducting regular checks of personal information held by the Group.

Response to Incidents

In the event of an incident related to information security, the Isuzu Group strives to respond appropriately in accordance with the rules of incident response, under the direction of the CRMO and in coordination with each division and each Group company, to prevent the damage from becoming more serious. We are also working to prevent recurrence of such incidents by studying, implementing, and monitoring recurrence prevention measures, with the Enterprise Risk Management Dept. playing a central role in this process.