In order to respond appropriately to changes in laws and regulations in every country of the world, the globalization of management and the diversification of business, Toshiba Group is enforcing global compliance with laws and regulations, internal rules, and social and ethical norms.
We aim to regain the trust from all of our stakeholders by striving to improve and strengthen our internal control system through more stringent compliance and a more robust risk management system.
We held three awareness-raising training sessions for officers and top management to improve the awareness of top management and employees, with a total of 678 executives taking part. We also continued to conduct general compliance training that included accounting compliance.
We will continue striving to implement a more effective compliance system and policy based on an awareness of risk in order to strengthen risk management and compliance for Toshiba Group as a whole.
Toshiba’s shares were designated as securities on alert and stock under supervision on September 15, 2015. As a result of the examinations by the Tokyo Stock Exchange and Nagoya Stock Exchange into the status of improvements made to the internal control system thereafter, the aforementioned designation was lifted on October 12, 2017. Toshiba then released its "Report on Improvements of Internal Management System" on October 20, 2017, and as reported in the "Progress Report on Improvements of Internal Management System" on July 25, 2018, Toshiba will continue its efforts to strengthen the internal control system in the future and will work to regain the trust of shareholders, investors, and all other stakeholders.
At Toshiba Group, we formulated and are striving to entrench the Standards of Conduct for Toshiba Group (SOC) as a specific action guideline since we are a company that contributes to the realization of a sustainable society while conducting fair, sincere and highly transparent business activities. Thus we are working toward making the SOC an integral part of the entire Toshiba Group. Furthermore, in order to respond to changes in the business environment, such as new technologies and growing supply chains in developing countries, and to the diverse and ever-changing risks that arise when conducting business activities, we are striving to prevent risks in advance, and to minimize losses from individual incidents.
At Toshiba, we appoint a Chief Risk Compliance Management Officer (CRO) to oversee risk management and compliance for the whole Group. In addition, the Legal Affairs Division responds to whistleblower reports and attempts to achieve global compliance, and is advancing effective risk management and compliance activities.
There is also a Risk Compliance Committee chaired by the CRO and attended by the executive officers of corporate staff divisions. The Committee analyzes whistleblower reports and cases both inside and outside the Company, and identifies risks based on risk tables that cover the entire management environment. It also reviews activities and deliberates on priority measures from the immediate fiscal year.
Each key Group company is advancing its own priority measures for risk management and compliance, determined by a risk-based approach, in addition to the priority measures common to the whole Company.
In the event of a serious risk management and compliance issue, there is a system in place by which the relevant in-house committees, etc. promptly evaluate and implement countermeasures.
In March 2016, Toshiba established a new Accounting Compliance Committee. Its purpose is to aggregate finance- and accounting-related information, and to identify signs that might point to inappropriate financial reporting, doing both in timely fashion, and to detect risks that threaten internal control at an early stage.
The Chairman and CEO is the head of the Accounting Compliance Committee, and the Audit Committee and the Internal Audit Division act as observers. Together they assess the risk of financial statements not being created or disclosed properly, and the risk that internal control is not functioning effectively to support the reliability of financial reports. Having done this, they supply information needed to prevent these risks, and discuss and decide on measures to deal with them.
Risk Management and Compliance Committee
In order to create an open work environment, Toshiba is enhancing its whistleblower system, on top of preventing risks by stimulating day-to-day communication in each workplace.
In January 2000, Toshiba established a whistleblower system “Toshiba Hotline” to collect internal information on SOC violations, particularly those concerning laws and regulations, and to deal with wrongdoing through a self-rectification system. Under this system, an employee can report an incident and seek advice via e-mail or phone. In addition to the internal office, a reception hotline was set up at an external attorney's office in January 2005, primarily to receive information about potential legal violations. In April 2006, Toshiba also set up a supplier whistleblower system to receive reports from suppliers and business partners to prevent SOC violations by employees in charge of procurement and order placements for construction and other works.
Furthermore, in October 2015, the new Audit Committee Hotline was set up, which allows people to report directly to the Audit Committee, which is composed of outside directors. With this new system, even matters in which the involvement of top management is suspected can be safely reported. The Audit Committee also has access rights to the Toshiba Hotline, and provides appropriate guidance and supervision.
All Toshiba Group companies have implemented a whistleblower system. The whole Group has been directed to ensure the anonymity of the whistleblower for his/her protection, and, if the whistleblower is an employee who was himself/herself involved in the relevant reported act, to take into account as much as possible the fact of his/her coming forward when deciding what internal disciplinary action should be taken. We are also working to enhance awareness of the whistleblower system by regularly issuing a compilation of whistleblower cases that have actually taken place.
Toshiba's Whistleblower System
The numbers of reports received and consultations undertaken by the "Risk Hotline" and "Audit Committee Hotline" in FY2018 are as follows. We notified employees about the existence of the system and its assurance of strict anonymity through e-learning. We also reported on whistleblower cases to the whole Company on a number of occasions.
|Reports received by internal secretariat||204 reports
|Reports received by attorney's office||4 reports
|October 2015 to March 2016||FY2016||FY2017||FY2018|
Of the reports received, those reporting inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts could be issued.
In cases involving consultations and questions about duties of the informants themselves, we gave advice on how to deal with the situation.
For reports other than the anonymous reports described above, we explained the status of our responses to the informants, in principle.
Except in cases in which consent has been obtained from employee, confidential adviser (at the internal secretariat or attorney's office) never disclose the names or contact addresses of the informants.
Out of the whistleblower reports, cases that everyone should bear in mind are taught as part of employee training. In order to protect whistleblower anonymity, such cases are presented without any names.
The number of reports received is released regularly on the company's internal website.
Seminar for senior management
At Toshiba, the President issued a message to all employees, expressing a firm commitment to implementing the corporate governance reform discussed by the Management Revitalization Committee. He also expressed that he would work to the best of his ability to revive Toshiba Group. In an effort to change the mindset of top management, we held sessions for officers and top management three times in FY2016, in FY2017 and FY2018 respectively, with a total of 678 executives participating in the FY2018 sessions. We also held seminars by rank and function for employees to enhance the effectiveness of accounting compliance. Toshiba plans to continue these seminars.
In addition, we provide accounting compliance education through e-learning to deepen employees' understanding about the internal control and J-SOX. In FY2018, all employees (approximately 60,000) of 123 consolidated subsidiary Group companies in Japan and approximately 700 executives of 63 overseas Group companies participated in the seminar.
Toshiba Group has created in 24 languages and made them available on the internal website. Various compliance education programs that incorporate the SOC have been included in the level-based training, occupation-based training and senior management seminars. We are also continuing our education programs, such as e-learning and educational leaflets, for all employees.
Each workplace holds meetings focusing on CSR to raise the awareness of each and every employee with regard to compliance matters so as to make compliance an integral part of the corporate culture.
These meetings aim to prevent compliance violations by encouraging managers and employees to discuss various problems that are likely to arise in the workplace and to share their thoughts with each other in order to create a work environment where they can easily seek advice on all kinds of problems. The theme in FY2018 was "Fraud by individual employees" assuming behavior such as embezzlement. Each workplace shared its operational checking system as well as the importance of communication through discussion concerning case examples. Approximately 56,000 employees at around 5,300 workplaces of Group companies in Japan participated in discussions.
In addition, by soliciting the frank opinions of employees via their workplace managers, and sharing analysis results and key opinions within the company, we monitor the level of compliance awareness at each workplace and develop new measures for the future.
Toshiba's corporate divisions confirm the status of compliance in operations concerning respective areas of jurisdiction and the Internal Audit Division conducts audits of the Group companies.
The Risk-Compliance Committee reviews the results confirming the status of legal compliance in each division and reviews the implementation status of thorough compliance-related measures and provides assistance for each measure.
Every year Toshiba conducts an intranet-based employee survey. The results are used in formulating measures for enhancing awareness on compliance.
In the event of a major noncompliance incident, Toshiba investigates all facts to identify the cause of the violation, treats the facts seriously, and handles such violations rigorously by imposing appropriate disciplinary sanctions on the offenders or implementing other such measures. It makes every effort to prevent recurrence and discloses information in a proper and timely manner as necessary.
In 1997, the Board of Directors resolved to end relations with antisocial forces such as sokaiya (groups of racketeers). Since then, the Group has strictly dealt with approaches from third parties to obstruct our lawful and appropriate corporate activities.
In addition, in order to further ensure that all relations with antisocial forces are cut off, all Toshiba Group companies have taken various measures.
More specifically, we have developed and implemented Basic Public Relations Management Rules and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with antisocial groups. If a need arises during a background check to further investigate the customer, the Legal Affairs Division verifies whether there is any information on the customer's relationship with antisocial groups. We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as an antisocial group.
Toshiba Group also works with the police, corporate attorneys, and third-party organizations such as the National Center for the Elimination of Boryokudan to establish systems that enable us to respond to approaches from antisocial forces in an appropriate and timely manner.
With regard to this stance, the rejection of the involvement of antisocial groups in our business activities has been explicitly stated in the SOC since 2006. Having been revised since then, "antisocial Groups" is now an independent article, further stressing our policy to reject all contact with such groups.
By providing e-learning lessons about the SOC to all employees, we continuously ensure that employees understand the importance of excluding antisocial groups from the business they do.
In accordance with the Standards of Conduct for Toshiba Group and various internal regulations, Toshiba Group’s policy prohibits illegal or improper payments against sound business practices and each country’s laws and regulations.
In addition, Toshiba Group is a member of the UN Global Compact, and as such, it will enforce compliance with the Antimonopoly Act and strengthen anti-corruption measures globally, in keeping with the revision to the Standards of Conduct for Toshiba Group.
In light of global regulatory trends, Toshiba has been making rigorous efforts to prevent cartelization and bribery. In FY2018 the Company continued to step up its initiatives to ensure thorough compliance. Specifically, the initiatives involve Toshiba Group companies worldwide performing self-audits based on two Toshiba-developed guidelines: one on antitrust and the other on anti-bribery. Through these audits, Toshiba Group aims to identify compliance levels at the companies concerned and to provide thorough compliance education.
Furthermore, we have placed managers of legal affairs in major global regions to enhance compliance and support local subsidiaries in such regions. This has been done in order to appropriately control legal risks associated with relevant anti-trust laws, bribery, and the like and ensure thorough compliance in global business, which has been expanding mainly in emerging countries.
Toshiba promotes rigorous compliance with business-related laws and regulations by providing education, effectively utilizing databases that contain relevant information, and performing periodic self-audits.
In addition, Toshiba's compliance initiatives are objectively evaluated by outside lawyers once a year. We make improvements to reduce risks pointed out by third parties in order to continue to enhance our risk management and compliance structure.
Furthermore, Toshiba is advancing its promotion of compliance awareness, on the axis of the Standards of Conduct for Toshiba Group. In Japan, employees received e-learning training on sales-related risks in February 2018, in order to raise the standard of sales-related legal risk management. Overseas, we held legal seminars for those in charge of compliance at local subsidiaries, working together with our regional headquarters and regional legal affairs managers. Attendees discussed measures to enhance compliance in keeping with the Standards of Conduct for Toshiba Group, and fortified the foundations for strengthening the risk management network among Headquarters and all regions.
|Item||Number of cases in FY2018|
|Exposure through price cartel||0|
|Exposure through bribery||0|
The Standards of Conduct for Toshiba Group stipulates that Toshiba Group shall not provide inappropriate benefits or favors to any politician or political organization.
Also, as part of its social contributions, Toshiba offers political contributions, when necessary, in order to contribute to the realization of policy-oriented politics, to support the healthy development of parliamentary democracy and to improve the transparency of political contributions.
In the case of offering political contribution, procedures in accordance with internal rules are followed as well as compliance with the Political Funds Control Law in case of Japan is strictly ensured.
While the Standards of Conduct for Toshiba Group forbid inappropriate expenses, they stipulate that appropriate donations to organizations may be made. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the donee organization to society, its cause and community aspects, as specified by the Standards of Conduct for Toshiba Group.
Toshiba strives to build sound partnerships with suppliers through fair trading in compliance with procurement-related laws and regulations.
Toshiba Group is promoting thorough observance of CSR both in its own procurement activities, and in those of its suppliers.
There is a CSR procurement promotion structure established within the Group, which acts in order to carry out each procurement transaction in compliance with the relevant Japanese and international laws and regulations. Information related to compliance concerning procurement is thoroughly informed to Group companies through this system.
Moreover, measures are thoroughly informed by means of Procurement Compliance Liaison Meetings, organized by the Procurement Division and attended by Compliance Managers and Compliance Coordinators.
Toshiba Group CSR procurement promotion structure
In FY2018, Toshiba strengthened operation of the procurement structure and system at each Group company, conducted an assessment of procurement transactions through patrols and enhanced regulations on legal compliance based on a basic policy of bolstering compliance in procurement processes. In FY2019, we will continue to strengthen the operation of our procurement structure and processes.
In order to ensure compliance and fair transactions, Toshiba has established a whistleblower system for suppliers and business partners called Clean Partner Line, as a point of contact for our suppliers to tell us about issues or concerns regarding persons associated with the Toshiba Group. Personal information on whistleblowers, without the whistleblower's consent, is not disclosed to anyone other than the Clean Partner Line staff. Also, what is reported by whistleblowers is handled based on strict procedures, with care taken not to treat whistleblowers and their companies unfavorably for whistleblowing. We notify our business partners of this system and request that they make use of it.
In Japan, we monitor the subcontracted transactions of the Group companies undertaking such transactions. Regarding items requiring improvement, guidance is provided to make improvements to ensure thorough compliance.
At Toshiba Group, various training programs on compliance in procurement are provided to ensure fair trading practices. For example, since FY2007, we have conducted e-learning for employees of Group companies in Japan on relevant acts, such as the Act against Delay in Payment of Subcontract Proceeds, Etc. to Subcontractors.
In FY2018, a total of 68,019 employees between February and March 2019 participated in the e-learning program on the Subcontract Act.
We also provide compliance education for employees engaged in procurement at various phases of their careers.
Furthermore, we foster promoters specialized in the Act to ensure fair transactions with subcontractors.
As indicated in Standards of Conduct for Toshiba Group, Toshiba Group's basic export policy is to refrain from any transaction that could potentially undermine international peace and security. We comply with all applicable export control laws and regulations of the countries and regions where we operate, for example Foreign Exchange and Foreign Trade Law in the case of Japan and US export control laws and regulations with respect to transactions involving items of US origin.
In accordance with the policy, Toshiba Group has established the Export Control Compliance Program (ECCP). Based on the program, we classify the goods and technology and screen transactions. In addition to periodic export control audits and education for all executives and employees, key Group companies and corporate staff divisions provide instructions and support to the Group companies they supervise.
Toshiba's export control system is organized under the Chief Export Control Officer who has ultimate responsibility for the corporation's export control. The Chief Export Control Officer must be a representative director or an executive officer corresponding thereto. Under the Chief Export Control Officer, the Legal Affairs Division Export Control Office is responsible for overseeing the export control implemented pursuant to the Toshiba Export Control Compliance Program (ECCP). Based on the Toshiba ECPP, Toshiba Group company and corporate staff division has its own export control organization led by the Export Control Officer. The Export Control Officer must be the general manager of the corporate staff division, or president of Group company.
Toshiba Group's export control organization
The technical department classifies the goods or technology and determines whether export license is required. Then, transaction screening is carried out accordingly, such as confirmation of the end-use, end-user, and final destination. Classification and transaction screening are checked and approved by multiple persons in charge. When trading with concerned countries and regions, the Export Control Office conducts stringent assessments and approvals.
Each corporate staff division, as well as each Group company, perform internal self-checks. In addition, the Export Control Office or the supervising department conducts regular audits to check if export control is appropriately performed. Audits are conducted once every one to three years at target companies, and in FY2018, audits were performed for four internal divisions in Japan and eight Group companies. Overseas, audits are done in Europe, the United States, Asia and China, and in FY2018, four Group companies in China received audits. Where problems are identified by the audit, we demand that improvement plans be submitted, and check the progress of the plans.
Training courses on export controls (regular and specialized courses) are offered by the Export Control Office for corporate staff divisions and Group companies to educate employees on the importance of export control and to raise awareness and knowledge of the Toshiba Export Control Compliance Program (ECCP) and related internal regulations.
Furthermore, the Export Control Office provides compulsory export control education for all employees of Group companies in Japan through an e-learning system every year.
Export controls at Group companies including those located overseas are modeled after that of Toshiba, which is implemented under the Toshiba Export Control Compliance Program (ECCP). Export control audits are conducted periodically to evaluate their performances.
The Export Control Office convenes meetings with Group companies. Besides providing information on relevant international situations and regulatory trends, or advices on specific issues, this meeting also provides a forum for exchanging related information and opinions. Key Group companies provide guidance on export controls and related support to Group companies they supervise.
Furthermore, in order to fortify our support for overseas Group companies, we held an export control workshop targeted at local staff working in export control.
Toshiba Group regards all information, such as personal data, customer information, management information, technical and production information handled during the course of business activities, as its important assets and adopts a policy to manage all corporate information as confidential information and to ensure that the information is not inappropriately disclosed, leaked or used. In view of this, Toshiba has a fundamental policy "to manage and protect such information assets properly, with top priority on compliance." The policy is stipulated in the chapter "Corporate Information and Company Assets" of the Standards of Conduct for Toshiba Group, and managerial and employee awareness on the same is encouraged.
In response to regulatory changes and changes in the social environment, Toshiba revises the related rules on an ongoing basis so as to rigorously manage its information security.
Addressing information security as a management priority, Toshiba appointed the Chief Information Security Officer (CISO) and each corporate staff division and Toshiba Group company has established, under the supervision of the CISO, an information security management structure.
The Cyber Security Committee deliberates matters that are necessary to ensure information security throughout Toshiba Group. The CISO formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective, and definitive manner.
At each division inside Toshiba and key Group companies, the head of the organization serves as Information Security Management Executive, bearing responsibility for information security at their respective organization. The Executives provide guidance and assistance to the Group companies under their control to ensure that they implement information security at a level equivalent to that of Toshiba.
Toshiba Group Information Security Management Structure
Toshiba Group implements information security measures from four perspectives (see the table below). The Corporate Technology Planning Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Group companies through notices and briefings.
|(1) Organizational measures:
Establish an organizational structure and rules
|(2) Personal and legal measures:
Ensure adherence to rules
|(3) Physical measures:
Support implementation of rules in terms of physical security
|(4) Technical measures:
Support implementation of rules in terms of technology
* EDR: Endpoint Detection and Response
To protect against cyber-attacks, which are becoming more sophisticated with every passing year, we introduced a function to block suspicious e-mails, enhanced our anti-virus measures for information equipment such as IoT devices, and trained all employees in handling targeted attack e-mails. Toshiba Group has taken an attack and penetration assessment from the specialized cyber security firm in order to validate the effectiveness of its security measures.
In addition, we enhanced the monitoring for our network and in-house systems to quickly cope with a virus invasion into the company systems.
Toshiba, with its wide portfolio of businesses, considers the autonomous implementation of PDCA (Plan-Do-Check-Act) cycle by each business or division to be vital for ensuring information security of the company. With this in view, every divisions conduct an annual self-audits in terms of compliance with internal rules, for the purpose of formulating their own improvement plan. The Corporate Technology Planning Division evaluates the results of these self-audits and the related improvement activities, provides guidance and assistance where necessary. In FY2018, there were cases in which the scope of responsibility related to the regular application of security patches and the response to new threats were not specified in consignment agreements for the development and maintenance of information systems, and guidance was given so that the details of the agreements could be corrected and verified. All domestic and overseas Group companies also conduct self-audits annually, in order to improve the level of information security at each company.
Moreover, Toshiba Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations. There are also programs such as training for those working in information security, and introductory training for new graduate employees.
In the event an information security incident such as the leakage of confidential information occurs, Toshiba responds promptly in accordance with the information security incident reporting structure.
When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports to the CSIRT. The CSIRT Leader, upon receipt of such report, devises necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, Toshiba implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the related corporate staff divisions.
Information Security Incident Reporting Structure
In 2018, it was discovered that a portion of information concerning members registered on Group company’s website may have been leaked following illegal access from the outside. We re-inspected our website and have confirmed that there are no security issues at present. Additionally, we asked members that may be targeted to change their passwords. We will continue to prevent incidents concerning information security, and are fully prepared for any situation. There were no complaints from relevant external individuals or regulatory bodies concerning personal data.
For details on information security management, please refer to our Cyber Security Report.
Toshiba Group provides accurate product information and executes appropriate advertising in accordance with the Standards of Conduct for Toshiba Group, the Code of Fair Competition for Home Appliances*1 and other policies. Quality assurance organizations of Group companies and affiliated companies monitor the safety standards of the countries where products are marketed and technical standards such as the UL Standards*2 and CE Marking*3 to ensure that their product labeling is in compliance with the relevant standards.
In FY2018, Toshiba Group had two violations of the Electrical Appliance and Material Safety Law such as violations of product safety regulations and in-house standards in the life cycle of products and services.
Please see Product Safety and Product Security for information on product safety compliance.
In FY2018, as a result of our strict implementation of the Manufacturing Labeling Standards, there were no violations of the Act Against Unjustifiable Premiums and Misleading Representations among Toshiba Group companies.
Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses, ultimately affecting our stakeholders. Toshiba implements measures to ensure the safety of employees and their families, support recovery of devastated areas, and maintain business sites and factories.
The BCP, which we have been formulating and developing Group-wide as of FY2007, is one such measure. Focusing on our key businesses that have a large social and economic impact, we are establishing a BCP that takes into account the possibility of large-scale earthquakes and new strains of influenza, and continually update it in order to maintain and improve its effectiveness.
Toshiba Group will continue to strengthen its BCP, so that it can continue its business even in the case of a large-scale disaster, and puts the safety of all its employees above other concerns.
In response to the Great East Japan Earthquake and the floods in Thailand, both of which occurred in 2011, Toshiba Group is promoting to establish a more disaster-resistant procurement system. Based on Toshiba Group's Procurement Policy, we request our suppliers to cooperate in continuing to provide supplies in the event of an unanticipated disaster.
In 2012, we established the BCP Procurement Guidelines to provide crisis management standards. Also, to minimize the risk of supply chain disruptions and to reduce the amount of time required to resolve supply chain disruptions, we have built a system to manage corporate information on upstream suppliers in the supply chain. In the event of an unanticipated disaster, we use this system to quickly investigate its effects on our supplies worldwide so that action can be taken promptly.
Based on the basic policy on taxes, Toshiba Group complies with legal ordinances, notices, and regulations in various countries and makes efforts to properly file tax returns and pay taxes.