SUSTAINABILITY Corporate Governance

Risk Management

Preparing for Risks

Lawson has established a division under the CRO* to supervise risk management, formulates rules related to risk management, and maintains a group-wide preventive system at normal times.
In each department as well, we identify risks that may greatly influence management related to our business goals, analyze the probabilities of such risks occurring and the level of their impact, assess the risks to see if they require intensive measures, and take measures in accordance with the characteristics of the risks.
Furthermore, to secure the effectiveness of risk management, we have established the Compliance and Risk Management Committee meetings, Information Security Management Committee meetings, as well as three small committees. We established a system while clearly defining the administrative authority and responsibilities of these committees and chairpersons, and appointed risk management personnel in each department and affiliated company. We also implement risk management training programs and drills to maintain and improve risk management awareness.

* CRO (Chief Compliance and Risk Officer): The executive with overall responsibility for the legal compliance and risk management system and framework in the Lawson Group

Major risks identified by Lawson

  • (1) Risks related to management strategies for the franchise (FC) business and banking business
  • (2) Financial risks such as damage to assets and financial arrangements
  • (3) Operational risks related to safety of food and IT systems
  • (4) Risks related to compliance with laws and regulations
  • (5) Risks related to hazards such as disasters

To find out more, please refer to the Integrated Report posted on the Lawson website.

Response to Risks When They Occur

To minimize damage when a risk materializes in the Lawson Group and causes, or may cause, an emergency or crisis such as an interruption of business or other damage, Lawson has formulated rules for promptly taking measures and reporting them in accordance with the predetermined report route and method, as well as standards for establishing the headquarters’ response to critical risk situations when they occur. After measures are taken for risks that have occurred, we analyze their causes and then review and improve our measures to prevent any recurrence.
Furthermore, Lawson has established a system and rules related to business continuity management (BCM) to prepare for emergencies that are accompanied by serious damage to the Lawson Group. On the premise that people’s safety is secured, the aim is to avoid interruption of important business and, even if business activities are interrupted, to resume them by the target recovery time.

Improvement of the Information Security Framework

Lawson has established the Information Security Policy to appropriately protect the relevant information assets from all threats whether intentional or accidental and internal or external, and to continuously and stably provide customer services and conduct business operations. In addition, we have established the Lawson Group Personal Information Protection Policy to promote the protection of personal information obtained and used by the Lawson Group (Lawson and a group of companies defined by Lawson as applicable). Under the supervision of the CRO, who is an executive officer, we have appointed a person responsible for assessing and handling information security risks and personal information protection in each division and in-house company. With the support of the department that supervises risk management and the department that supervises system security, we maintain a system for the general management of information security risks and personal information protection across the company through the Information Security Committee.
For franchise stores to understand and practice the specific requirements of the Information Security Policy and the Personal Information Protection Policy, we provide manuals detailing potential mistakes and complaints at stores, as well as practical responses, thereby raising store awareness. For headquarters employees, we summarize rules to be observed in the Information Security Guidebook and conduct periodic checks to ensure that each employee can effectively practice the rules.
For handling customers' important personal information, we specify methods for collection and storage, retention periods, and managers for individual cases and measures, and have procedures for receiving checks by specialized departments before implementing them.
When outsourcing the handling of personal information, we carefully check the security system of each contractor in advance, and only outsource handling to a contractor that satisfies the conditions required by Lawson. We also conduct an annual inspection, on-site or in writing, to ensure that the conditions are maintained.
We also conduct checks from various angles to prevent the information security system from fraying, including an information security audit by the internal audit department and a vulnerability assessment of information systems by an external specialized company.

* CR Manager: Persons responsible, in support of the CRO, for the development and implementation of a framework for identifying misconduct and problems concerning legal compliance and preventing risks from arising in the group to which they belong



