Risk Management and Compliance

Toshiba Memory Group is enforcing global compliance with laws and regulations, internal rules, social and ethical norms, and advancing our risk compliance activities.

Policy and structure of Risk Management and Compliance

At Toshiba Memory Group, we strive to ensure compliance with laws and regulations, social and ethical norms, and internal rules. This underpins our commitment to promoting business activities through fair competition and serving the interests of customers to the best of our ability.

Toshiba Memory classifies risks into compliance-related risks, finance / accounting-related risks, business risks, and so on, and establishes meeting bodies, such as committees and review groups, for each risk category to deliberate priority measures and monitor activities.

Risk Management and Compliance Committee as of March 2018

Whistleblower System

In order to create an open work environment, Toshiba Memory is enhancing its whistleblower system, on top of preventing risks by stimulating day-to-day communication in each workplace. We established a whistleblower system to collect internal information on SOC violations, particularly those concerning laws and regulations.

This system has been communicated to all employees through internal websites and so on. The system is designed to protect the anonymity of whistleblowers and ensure that they are not treated disadvantageously.

The number of reports received and consultations undertaken by the "Risk Hotline" in FY2017 was 32.

Of the reports received, those reporting inappropriate situations or concerns about inappropriate situations were reported to the relevant division so that instructions for improvement could be provided or alerts could be issued.

In cases involving consultations and questions about duties of the informants themselves, we gave advice on how to deal with the situation.

For reports other than the anonymous reports described above, we explained the status of our responses to the informants, in principle.

Except in cases in which consent has been obtained from the employee, the confidential adviser (at the internal secretariat) never discloses the names or contact addresses of the informants.

Revision of Toshiba Memory Group Standards of Conduct and Compliance Training

Toshiba Memory provides compliance education through e-learning. In FY2017, employees received accounting compliance education and learned the importance of accounting knowledge and accounting awareness.

Fostering a Compliance-oriented Culture through Workplace Meetings

Each workplace holds meetings focusing on CSR to raise the awareness of each and every employee with regard to compliance matters so as to make compliance an integral part of the corporate culture.

In FY2017, the theme was "Communication at workplace." Participants discussed the differences and misunderstandings that might be caused by a lack of communication.

Compliance with the Antimonopoly Act and Anti-Corruption

Toshiba Memory Group will enforce compliance with the Antimonopoly Act and strengthen anti-corruption measures globally.

Antimonopoly and Anti-bribery Efforts

In light of global regulatory trends, Toshiba Memory Group has been making rigorous efforts to prevent cartelization and bribery.

In FY2017 specifically, the initiatives involved Toshiba Memory Group companies worldwide performing self-audits based on two internal guidelines: one on antitrust and the other on anti-bribery. Through these audits, Toshiba Memory Group aims to identify compliance levels at the companies concerned and to provide thorough compliance education.

Toshiba Memory promotes rigorous compliance with business-related laws and regulations by providing education, effectively utilizing databases that contain relevant information, and performing periodic self-audits.

In addition, Toshiba Memory’s compliance initiatives are objectively evaluated by outside lawyers once a year. We make improvements to reduce risks pointed out by third parties in order to continue to enhance our compliance structure.

Furthermore, Toshiba Memory is advancing its promotion of compliance awareness, centered on the Standards of Conduct which Toshiba Memory established. In Japan, employees received e-learning training on sales-related risks in February - March 2018, in order to raise the standard of sales-related legal risk management.

Political Contributions

The Toshiba Memory Group Standards of Conduct stipulates that Toshiba Memory Group shall not provide inappropriate benefits or favors to any politician or political organization.

Also, as part of its social contributions, Toshiba Memory offers political contributions, when necessary, in order to contribute to the realization of policy-oriented politics, to support the healthy development of parliamentary democracy and to improve the transparency of political contributions.

When offering political contributions, procedures in accordance with internal rules are followed and, in the case of Japan, compliance with the Political Funds Control Law is strictly ensured.

Donations and Provision of Funds

While the Toshiba Memory Group forbids inappropriate expenses, we stipulate that appropriate donations to organizations may be made. We therefore donate to various organizations, taking into consideration factors such as the contribution made by the donee organization to society, its cause and community aspects.

Developing Measures to Continue Breaking Relationships with Anti-social Groups

In order to further ensure that all relations with anti-social forces are cut off, all Toshiba Memory Group companies have taken various measures.

More specifically, we have developed and implemented Basic Public Relations Management Rules and appointed public relations management officers for each department. When conducting transactions with a new customer, the public relations management officers of that department confirm that the customer has no relations with anti-social groups. If a need arises during a background check to further investigate the customer, the Human Resources and Administration Division verifies whether there is any information on the customer's relationship with anti-social groups. We also periodically conduct surveys on customers that we already have business relations with. Transaction contracts normally include a clause regarding the exclusion of organized crime syndicates, which enables a contract to be cancelled without notice when the business partner is identified as an anti-social group.

We also continuously ensure that employees understand the importance of excluding anti-social groups from the business they do.

Information Security Management

Policy on Information Security

Toshiba Memory Group regards all information, such as personal data, customer information, management information, technical and production information handled during the course of business activities, as its important assets and adopts a policy to manage all corporate information as confidential information and to ensure that the information is not inappropriately disclosed, leaked or used. In view of this, Toshiba Memory has a fundamental policy "to manage and protect such information assets properly, with top priority on compliance." The policy is stipulated in the chapter "Corporate Information and Company Assets" of the Toshiba Memory Group Standards of Conduct, and managerial and employee awareness on the same is encouraged.

In response to regulatory changes and changes in the social environment, Toshiba Memory revises the related rules on an ongoing basis so as to rigorously manage its information security.

Structure of Information Security Management

Addressing information security as a management priority, Toshiba Memory Group has established, under the supervision of the Chief Information Security Officer, an information security management structure in which the heads of each organization, such as heads of facilities and presidents of group companies, are responsible for information security.

The Risk Compliance Committee deliberates matters that are necessary to ensure information security throughout the company. The Chief Information Security Officer formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective and definitive manner.

The Information Security Management Executive appoints Information Security Implementation Managers who are responsible for operation of the information security management system.

The Information Security Management Executives provide guidance and assistance to the group companies under their control to ensure that they implement information security of a level equivalent to that of Toshiba Memory.

Toshiba Memory has also established a similar management structure for the protection of personal data, and has a department other than the Secretariat (the Internal Audit Division) conduct audits in accordance with JIS Q 15001.

Information Security Management Structure (As of March, 2018)

Information Security Measures

Toshiba Memory Group implements information security measures from four perspectives (see the table below). The IT & Business Transformation Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Memory Group companies through notices and briefings.

Implementation of Information Security Measures from Four Perspectives

Category Description
(1) Organizational measures:
Establish an organizational structure and rules
  • Periodic reviews of information security-related regulations
  • Development and maintenance of structure
  • Implementation of audits, etc.
(2) Personal and legal measures:
Ensure adherence to rules
  • Regulation of information protection duties and disciplinary measures for breach of duties in rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements, etc.
(3) Physical measures:
Support implementation of rules in terms of physical security
  • Carry-in/carry-out control of information devices
  • Facility access control, room / facility entry control
  • Locking of highly important information, etc.
(4) Technical measures:
Support implementation of rules in terms of technology
  • Virus protection and hard disk encryption of personal computers
  • Checking the vulnerabilities of servers accessible to the public and enhancing their protection
  • Monitoring and controlling unauthorized access from the outside and information leakage, etc.

To protect against cyber-attacks, which are becoming more sophisticated with every passing year, we have strengthened our efforts to block suspicious e-mails and trained all employees in handling targeted attack e-mails. In addition, we enhanced our network monitoring and in-house systems to quickly cope with a virus invasion into the company systems.

Education, Inspection and Audit of Information Security Management

Toshiba Memory considers the autonomous implementation of the PDCA (Plan-Do-Check-Act) cycle by each division to be vital for ensuring information security of the company. With this in view, every division conducts an annual self-audit in terms of compliance with internal rules, for the purpose of formulating its own improvement plan.

All domestic and overseas Group companies also conduct self-audits annually, in order to improve the level of information security at each company.

Moreover, Toshiba Memory Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations.

There are also programs such as introductory training for new graduate employees, and training for subcontracting companies.

Response to Incidents Such as Leakage of Confidential Information

In the event an information security incident such as the leakage of confidential information occurs, Toshiba Memory responds promptly in accordance with the information security incident reporting structure.

When an employee becomes aware of the occurrence or potential occurrence of an incident involving the leakage of corporate information, the employee promptly reports to the Implementation Manager. The Implementation Manager, upon receipt of such report, devises necessary measures, such as an investigation into the cause and consideration of actions to prevent recurrence. In the case of the occurrence or potential occurrence of a serious leakage of confidential information that may entail a violation of laws or ordinances, Toshiba Memory implements measures in accordance with the applicable laws or ordinances, such as disclosure, following discussion among the related corporate staff divisions.

Information Security Incident Reporting Structure (As of March, 2018)

Status of Incidents Such As Leakage of Confidential Information

In FY2017, there were no incidents in which important information kept by Toshiba Memory Group companies was leaked. Nor were there any complaints from relevant external individuals or regulatory bodies concerning personal data. We will continue to prevent incidents concerning information security, and are fully prepared for any situation.

Risk Management with Business Continuity Plan (BCP)

Failure to respond appropriately to large-scale disasters such as earthquakes, typhoons, and floods could result in the long-term closure of operations, triggering significant financial losses, ultimately affecting our stakeholders.

Toshiba Memory Group implements measures to ensure the safety of employees and their families, support recovery of devastated areas, and maintain business sites and factories.
