Risks in Business Operations

There are risks likely to impact significantly judgements made by our investors as described below. 
Please note that future-related remarks in the descriptions are based upon adjudications made by the Group as of the end of March 2025.

[1] Risks from Economic Trends and the Market Environment

We will likely have our Group performance and financial positions impacted in the event of our business environments being harmed through changes in the financial and capital markets, a downturn of overseas economies, economic environments undermined by trade policies taken by the United States, customers revisiting the investment strategies partly through reducing investments in the IT assets, and fiercer business competitions arising when companies in the Group’s market from other business sectors. 
Furthermore, we will likely revise our business strategies if we are faced with the concept of ESG (environment, society and governance) sinking in with environmental awareness becoming heightened and social awareness becoming drastically transformed, globally entailing enhancement of various types of rules and regulations as well as changes in various government-led policies. We will strive to respond promptly every time upon detecting changes in the external environments that we always monitor.

[2] Procurement Risks

We procure hardware, software, and services from suppliers in Japan and overseas, and provide them to customers. 
There is a possibility that our Group’s business results can eventually be undermined through the social credibility and brand image exposed to changes in product specifications, delays or suspensions of products/services supply, problems in target services that we procure, or occurrences of significant troubles caused by security incidents, partly due to unforeseen changes in business strategies or deteriorations of business conditions of the supplier companies. Furthermore, products and services provided from specific regions can be delayed or completely suspended in the event of geopolitical risks emerging from terrorism arising from conflicts among nations, insecure energy supply, and disrupted supply chains. With an eye on avoiding the situations, we will strive to assess suppliers periodically and control quality of services/products which we deal in pursuant to guidelines about procurement and purchase. Also, we will continuously endeavor to collect information about geopolitical risks, assess procurement risks arising therefrom, and select measure to take. 

[3] Risks of Intellectual Property

The Group has been executing business with the utmost care about intellectual property rights. We have been making efforts to protect our intellectual properties by obtaining intellectual property rights such as patent rights and trademark rights for our technologies as well as products and services. Furthermore, we have been exercising extreme caution not to infringe upon third parties’ intellectual property rights. However, there are possibilities that any third parties may infringe upon our intellectual property rights. Also, there is a likelihood that third parties’ claiming that our products and services infringe upon their intellectual property rights may be developed into lawsuits, and costs may be incurred on our side.
Furthermore, there are risks that the Group may not be able to provide specific products or services in the event that we unexpectedly fail to obtain licenses of intellectual property rights necessary for our business execution from holders, or in the event of intellectual property disputes occurring with third parties. 
In addition, we are aware of risks that we cannot unexpectedly use intellectual property rights held by start-up companies that enter into capital or business tie-ups with us aiming for open innovation, if the companies fail to establish intellectual property rights partly due to a procedural defect. These possibilities are likely to impact business results of the Group. Therefore, the Group has made efforts to screen thoroughly alliance partners from the viewpoint of intellectual property rights, ensure our rights that we expect from alliance agreements with them, as well as obtain intellectual property rights. 

[4] Project Management Risks

The Group has been engaged in a swath of projects about the outsourcing business, etc. in addition to system development as before. Customers, amid intensifying market competition, put more sophisticated demands that could furthermore complicate projects. If a problem arises in a project, amending means more costs and time than expected. We will be faced with a high risk of cost overruns and postponing a release date. Furthermore, we will have to manage risks of safety and security throughout a project about products and services that diversify more. Therefore, the Group has consistently worked on operations to implement actual vs. budget variance management through the Project Review Committee judging the propriety of projects about system development as well as outsourcing business through assessing risk contents of projects from multifaceted viewpoints.
In addition, the Group has continuously implemented measures such as those about systematizing and standardizing system development methods for the purpose of increasing productivity as well as checking projects for detecting problems at the earliest possible time. The Group has been striving to prevent cost overruns and detect early signs of issues through implementing the plan-do-check-act cycle of improvement predicated upon reviewing problematic projects, ascertaining true causes and implementing fundamental countermeasures and recurrence prevention measures. 

[5] System Failure Risks

The Group has provided diverse systems and services. Our solutions are integrated into the core systems of our customers' businesses as well as social infrastructures for operating financial activities and power grids. Also, the solutions serve consumers through payment solutions and Electronic Commerce (EC) solutions. In the event of the systems and services suffering a significant trouble caused partly by system problems and cyber-attacks, a large swath of customers including end users beyond the Group’s customers will be faced with impacts. The Group will possibly be exposed to reputation risks from deteriorating social reputation and brand image, and will likely pay compensation for damages that occurred, with the business performance likely to be impacted eventually. 
In this regard, the Group set quality targets for unplanned service downtime caused by system failures. The Group has strived to improve quality characteristics such as confidentiality, fault tolerance, recovery, and stability partly through quality assurance reviews during system development. In the event of a system failure after a production operation starting, relevant departments in the company are communicated to accordingly through a failure management system so that they can deal with the issue quickly, and they can prevent risks from materializing.

[6] Information Security Risks

The Group likely remains exposed to confidential information of many customers and personal information held by customers through developing, providing and operating information systems as part of the business activities, to say nothing of the information of the Group. For this reason, we recognize that information management, including personal information, is the most important issue facing our Group that operates in the ICT industry.  On the other hand, cyber-attacks continuously become more sophisticated and elaborate on a daily basis. Cyber security risks constitute a material management issue. Under such circumstances, if cyber-attacks partly through malware or unauthorized access, or human errors result in information system’s shutdown, information leakage, falsification, or unauthorized use, the Group will be exposed to risks of harming reputation through deteriorating the credibility in society and brand image. The Group will be to deal with an occurrence of incident also in light of costs. Eventually, the Group will be subject to impacts upon business performance. 
For this reason, the Group has worked on maintaining and reviewing its information management system partly in light of personal information. 
Also, the Group has strived to provide training and guidance to subcontractors as well as all executives and employees of the Group. In addition, we position cyber-attacks as a significant management risk in our Basic Information Security Policy. We established a project framework to prepare strategies to work on cybersecurity risks and promote the strategies. This project structure is positioned under the Comprehensive Security Committee that supervises the information security management for the entire Group. The Group's cybersecurity strategy defines a vision, goals, and action plans for continuously implementing cybersecurity management, and implements a wide range of diverse security measures, including strengthening the infrastructure for security measures based on the concept of a zero-trust architecture. We regularly conduct assessments using the National Institute of Standards and Technology (NIST) cybersecurity framework with an eye on responding better to changes in the environments from a cybersecurity perspective, and reflect results in our action plans. Furthermore, we have attempted to strengthen our incident detection and response capabilities by conducting cybersecurity exercises for the Computer Security Incident Response Team (CSIRT), which specializes in preventing cyber-attacks and responding to incidents, and expanding the scope of surveillance by the Security Operation Center (SOC) for the Group, which monitors and analyzes threats to networks and servers within the Group.
In addition, we have an insurance coverage of up to a certain amount that helps us pay for any financial losses that may be incurred in the event of a data breach due to unforeseen circumstances.

[7] Human Resources Risks

Competition for IT-skilled human resources is intensifying due to intensifying international competition, a shrinking labor force due to a rapidly declining birthrate, an aging population, and the advancement of digital transformation. Moreover, the external environments surrounding the businesses and what companies are requested to do are changing dramatically, and in addition to technological capabilities, securing human resources capable of continuously generating innovation and responding to diversifying social issues and customer needs constitutes a material issue. Failure to secure the human resources needed by our Group will likely affect our sustained growth potential.
Accordingly, in order to acquire and nurture human resources based on our management strategies, we have been hiring potential human resources, such as new graduates and second-time graduates, and work-ready experienced personnel partly through mid-career recruitment. We are also developing a variety of human resource development measures, such as enhancing training and systems to enable employees to acquire more advanced skills. In addition, we have been promoting the diversification of human resources such as women, seniors, foreign nationals and persons with disabilities. We have been improving the working environment through the use of personnel systems and technologies that enable flexible working styles. Also, we established the intra-personal diversity of officers and employees based on the ROLES (roles from the viewpoint of proceeding with assignments) definition. We have promoted the mobility of human resources based on the data.
We also conduct periodic surveys of executives and regular employees to improve engagement through analyses and feedback-based actions.
We have also established the Social Committee as a decision-making body for materiality in social fields, including human resources. We have implemented measures conducive to reducing risks related to human resources and promoting sustainability management.

[8] Investments Risks

The Group has actively invested in providing new products and new services with an eye on delivering developments conducive to enhancing customer value and establishing new earnings base. 
The Group has continued and even enhanced investments into start-ups and funds as well as the business initiatives at home and abroad through investments (or M&A) into business partners that hold advanced technologies and expertise.
Sufficient returns from these investments are not always guaranteed. Business performance will likely be subject to adverse impacts coming from the business strategies of business partners proving to be inconsistent with ours and investees failing to grow business in accordance with the expectations in the beginning. 
In this regard, the Group has strived to carefully minimize risks associated with investment decisions through the Investment Committee and the Management Committee (the senior organization) carefully examining the appropriateness of business plans for each investment project.

[9] Compliance Risks

Compliance risks entailed partly from creating new businesses are expected to become diversified and complicated. In the event of inadequate data handling or other serious compliance violations being committed amid an increase in our businesses that we operate on the basis of data use and services provision, with the credibility of the Group in society undermined, with payments of compensation for damages entailed, and with key business partners reexamining business relations with us, our business performance will no less likely be compromised than it will be owing to personnel and labor issues such as working long hours, power harassment and sexual harassment. 
With an eye on avoiding the risks, the Group has ensured through developing a compliance promotion system that all Group executives and employees comply with laws, social norms, and internal rules, and implement ethical activities, pursuant to the Charter of Corporate Behavior, the Basic Rules for Group Compliance, and the Code of Conduct for Group Executive Officers and Employees that it formulated.

[10] Risks from Disasters and infectious diseases, etc.

In the event that an occurrence of natural disaster such as an earthquake or terrorist attack damages devastatingly social infrastructures or the Group’s major business bases, the Group will be forced to bear a significant amount of costs in order to cope with the situation. Similarly, in the event that the Group must limit activities of many of our employees and business partners with an eye on securing their safety, maintaining health, and well-being in the wake of an outbreak of infectious disease, as well as preventing a spread, our business activities such as service provision will be impacted enormously, which may eventually be reflected in the business results. 
The Group aims to cope with business continuity risks partly caused by earthquakes and infectious diseases. In this regard, we established a business continuity plan (BCP). We have implemented a Business Continuity Project to review and improve the plan continuously from the viewpoint of ensuring safety, resuming internal businesses, and serving customers. The Group has planned and implemented training sessions such as safety confirmation drills and comprehensive simulation-based training sessions in order to make preparations against disaster occurrences. The training drills and sessions are designed for employees, organization leaders, and disaster control headquarters members.
Comprehensive simulation-based training sessions are organized in accordance with scenarios of specific event occurrence in order to train participants to play individual roles about damage situation reports, response instructions, and feedback reports. 
In the event of an outbreak or spread of a new infectious disease, the Group will endeavor to enable business continuity, with the greatest priority given to ensuring the safety of customers, partner companies and employees of the Group, pursuant to the ‘New Infectious Diseases Action Plan’ formulated on the basis of knowledge and expertise that we obtained through responding to the Novel Coronavirus (COVID-19).

[11] Risks of Innovation in Technology

We have seen ways and methods to solve issues at customers and in society evolving every day by the minute, be they related to IT or otherwise. If we are delayed in acquiring new technologies and knowledge & expertise, or we let our internal assets and our know-how become outdated, we may be faced with a decline in our market competitiveness and customer satisfaction.
The Group will rebuild the technology portfolio based upon the Group’s accumulated strengths and from the viewpoint of business timelines, promote digital transformation of development in core businesses, and strengthen technology for accelerating high-value-added and sophisticated solutions in the market development area. We also aim to achieve sustained business growth by identifying, acquiring, and implementing advanced and next-generation digital technologies. Through these activities, we have strategically promoted initiatives to catch up with new technologies, acquire knowledge and expertise, and optimize the use of existing technologies. At the same time, we have been keen on promoting efforts to develop employees needed for the initiatives and those in cooperation with start-up companies. 

[12] Climate Change Risks

Composite climate change impacts are highly likely to expand and have significant impacts on operating bases of companies. In this circumstance, the Group's business performance could be affected by an intensification of extreme weather and occurrences of water-related disasters such as droughts and floods. Also, our business performance will be impacted through our market competitiveness and reputation being undermined by our failing to appropriately comply with or cope with environmental regulations that are inevitably part of the transition to a low-carbon economy and growing demands for information disclosure from investors and communities.
To address these issues, we have established the BIPROGY Group Environmental Policy and are strengthening our environmental management to realize the zero-emission society set forth in our Long-Term Environmental Vision 2050. We have been attempting to enhance the quality and quantity of information subject to disclosure as well as reduce risks and increase opportunities through working on initiatives in light of materiality operated through promotion arrangements that we developed under the supervision of the Board of Directors.
We have assessed risks and opportunities through implementing risk scenarios across the Group. We evaluate impacts from the viewpoint of all the items indicated in the Task Force on Climate-related Financial Disclosures (TCFD) Recommendations about risks (Transition Risks and Physical Risks) and opportunities. We reflect the results upon our strategies and policies as well as our materiality understandings in the order of the severity. In particular, we integrate climate-related risks identified through the scenario analyses into the Group’s Risk Management System, and manage the risks as part of the System. We have been endeavoring to enable agile responses based upon our monitoring climate change situations and changes in the business environment. 

[13] Human Rights Risks

Businesses are responsible for respecting human rights pursuant to the Guiding Principles on Business and Human Rights of the United Nations and need to deal appropriately with negative impacts on human rights in their supply chains. Against this backdrop, companies’ human rights initiatives have attracted public attention. If companies fail to perform appropriately, they will be faced with legal and reputational risks arising partly from litigation that can undermine the social credibility and affect the business performance.
If they fail to give due consideration to human rights through working on research and development in as well as use of AI, a hot topic in recent years, companies will face scrutiny regarding their social responsibility, with their business operations likely to be impacted by the expectations. 
The Group established the ‘BIPROGY Group Human Rights Policy’ in order to deal with these issues. Pursuant to the Policy, the Group has continuously worked on conducting human rights due diligence (HRDD) through business operations, as well as specifying, avoiding, reducing, and amending negative impacts upon supply chains in light of human rights.
Furthermore, the Group established the ‘BIPROGY Group’s AI Ethical Guidelines’ conducive to the Group addressing human rights issues related to advanced technologies and data. The Group aims to provide safe and reliable products and services throughout the supply chains pursuant to the ‘BIPROGY Group Sustainable Procurement Guidelines’ that we established.