Risks in Business Operations
Risks that have the possibility of having a material impact on the decisions of investors are as follows.
Please note that any remarks concerning the future indicated in the descriptions have been made based on the adjudications made by the BIPROGY group as of the end of March 2024.
Risks in Business Operations
[1] Risks from Economic Trends and the Market Environment
We are faced with risks of exposing our Group performance and financial situations to impacts in our business environments in an event where the environments are harmed through: economic conditions becoming worsened partly due to changes in the financial and capital markets and a downturn of overseas economies; customers reducing investments in and changing investment strategies about IT assets; and competitions becoming even toughened due to participants in our industry from other business sectors.
Furthermore, we keep in mind possibilities of revising our business strategies as we are faced with the concept of ESG (environment, society and governance) sinking in with: environmental awareness becoming heightened; social awareness becoming drastically transformed; tough regulations becoming globally entailed; and changes in various types of governmental policies such as those for disaster countermeasures. We will be watchful and perform promptly in response to each trends and each changes in external environments.
[2] Procurement
We procure hardware, software and services from suppliers in Japan and overseas, and provide them to customers. There is a possibility that our Group’s business results could be impacted by changes in product specifications or delays or suspensions of products/services supply (as a result of unforeseen changes in business strategies or deteriorations of business conditions of the supplier companies). Also, we are aware of possible impairment of our social credibility and brand image (owing to occurrences of catastrophic system failures induced by problems of services that we procure and security incidents). We have been endeavoring to avoid such risks through measures to assess suppliers periodically and control qualities of service products that we deal in.
[3] Intellectual Property Rights
The Group has been executing business with the utmost care about intellectual property rights. We have been making efforts to protect our intellectual properties by obtaining intellectual property rights such as patent rights and trademark rights for our technologies as well as products and services. Furthermore, we have been exercising extreme caution not to infringe upon third parties’ intellectual property rights. However, there is a possibility that any third parties may infringe upon our intellectual property rights. Also, there are risks that third parties’ claiming that our products and services infringe upon their intellectual property rights may be developed into lawsuits, and costs may be incurred on our side.
Furthermore, there are risks that the Group may not be able to provide specific products or services in an event that we unexpectedly fail to obtain licenses of intellectual property rights necessary for our business execution from holders.
In addition, we are aware of risks that we cannot unexpectedly use intellectual property rights held by start-up companies that agree to join us in promoting open innovation by entering into capital or business tie-ups, if the companies fail to establish intellectual property rights due to a procedural defect.
These possibilities are likely to impact business results of the Group.
Therefore, our company group has made efforts to screen thoroughly alliance partners from the viewpoint of intellectual property rights, ensure our rights that we expect from alliance agreements with them, as well as obtain intellectual property rights.
[4] Project Management
The Group has worked on many projects such as those of outsourcing business in addition to those of its robust system development business as before. Amid intensified market competition we have been facing customers who continually demand more sophisticated systems. As a result, system development projects have become increasingly complex. If a problem arises in the projects, there is a risk that the problem would require greater-than-expected costs and time to fix, which could incur a cost overrun and a delay of release date. Furthermore, we may face growing risks of safety and security that should be managed in projects as a result of diversification of products and services which we deal in. The Group has been enforcing operations to implement actual vs. budget variance management through the Project Review Committee authorizing whether or not system development projects or outsourcing projects can be operated based upon assessing risk contents contained therein from multifaceted viewpoints.
In addition, the Group has been working to increase productivity by systematizing and standardizing system development methods and continuously implement measures such as the project check system (which detects problems in a project at the development stage). The Group also implements the plan-do-check-act cycle of improvement predicated upon reviewing problematic projects, ascertaining true causes and implementing fundamental countermeasures and recurrence prevention measures. The Group has been making these efforts to detect problems early and prevent cost overruns.
[5] System Failure
The Group has come to deliver diversified systems and services that include mission-critical systems for customers’ businesses, financial and electricity systems/services in light of social infrastructure, and consumer services such as payment/settlement services and EC (electronic commerce). In the event of serious failures caused by system faults and cyberattacks, the Group may cause a broad range of impacts on our customers and consumers who use our systems/services provided via our customers. We will be exposed to the reputation risk of having our own social credibility and brand image damaged with compensation payments for such damages entailed. Eventually, we may have our Group business performance impacted.
Thus, the Group has been working to improve system/service quality measured in the metrics such as confidentiality, fault tolerance, resilience, and stability through setting recovery time targets after an unplanned service suspension that a system trouble should entail, and implementing quality assurance reviews in the system development phases. Furthermore, the Group has been making efforts to enable rapid responses in an event of an occurrence of system trouble after a system begins operations and stave off facing imminent risk by sharing information with related in-house departments through a system trouble management system.
[6] Information Security
The Group has opportunities to access many customers’ confidential personal and corporate information, as well as that of the Group itself, through business activities related to the development, provision and operation of information systems. Therefore, the Group operating business in the ICT industry recognizes and positions management of information such as personal information as a highest-priority issue.
On the other hand, cyberattacks have been sophisticated and elaborated every day, and thus cybersecurity risks have become a key management issue. In an event where we experience disruptions of services through or even data leaks from information systems, due to cyberattacks such as malware attacks and irregular accesses or human errors in this circumstance, the Group will likely have the performance impacted from running reputational risks partly through losing social credibility and damaging the brand image as well as bearing costs to cover an incident that occurred. In this connection, the Group has been making efforts to maintain and revise the arrangements for managing information such as personal information as well as provide training to and guidance for all officers and employees of and subcontractors for the Group. The Group has positioned cyberattacks as serious management risks in the information security basic policy. We established a project system through which we formulate and promote strategies to cope with cybersecurity risks under the aegis of Information Security Committee that oversees information security management for the entire Group. As indicated in the cybersecurity strategies, the Group has implemented a broad range of diverse security measures (such as strengthening security measures platforms predicated upon the Zero Trust Architecture concept) based on visions, goals and activity plans to enable continuous awareness of cybersecurity in business management.
The Group has been endeavoring to strengthen the capabilities to detect and cope with incidents mainly through cybersecurity training for the techno-clad Computer Security Incident Response Team (CSIRT) dedicated for preventing cyberattacks and coping with incidents. Also, the Group has broadened the subject areas monitored by our internal Security Operation Center (SOC) teams engaged in monitoring and analyzing threats against the networks and servers in the Group.
Due to concerns about a data leak caused in unexpected situations, the Group has insurance contracts to address the situation up to a certain extent.
[7] Human Resources
We face an intensified IT talent war due to fiercer business competitions in the global arena, where companies further earnestly take on digital transformation amidst their suffering a global shortage of skilled information technology experts who are aging more rapidly than the small young workforce are matured and gain mastery. Furthermore, given that we witness significant changes in the industrial structures and business environment, it is material to secure proven engineers who continue to be innovative and further satisfy diversified social issues and customer needs. If the Group is unable to secure those personnel that we need, the Group’s ability to maintain continuous growth potential would be impacted.
The Group has employed new graduates from the mid-and long-term viewpoint as well as candidates with work experience such as semi-recent graduates from the viewpoint of prioritizing potential abilities and mid-career recruits who can hit the ground running, in light of employing and developing personnel pursuant to the management strategies. Furthermore, we have implemented various types of workforce development measures based on training and system improvements to help workforce learn and master higher skills. In addition, we have promoted diversification of workforce and work styles and visualization of human capital through: helping various types of employees such as women, seniors, foreign nationals, and disabled play active roles; developing a personnel system to enable flexible work styles and workplace environments upon the strength of technologies; establishing “intrapersonal diversity” of executives and employees in light of the definition of ROLES (roles for business performance); and promoting workforce flowability on the basis of that data.
Also, we have attempted to improve engagement in the executives and employees through regular survey-based research composed of analysis and feedback.
Furthermore, we established the Social Committee as a decision-making organization about materiality issues on the social front including human assets. We have taken measures to promote sustainability management through reducing risks related to human assets.
[8] Investments
The Group intends to enable developments that improve customer value and establish new revenue bases. Thus, we make aggressive investments with the aim of providing new products and services.
The Group has continued and expanded investments in and M&A targeted at partner companies who own advanced technologies and expertise, partly on a global basis, as well as investments in start-up companies and funds.
We make these investments without necessarily having sufficient returns guaranteed. The investments may impact the Group performance results in an event of discrepancies from partner companies in business strategies or from our initial assumptions about business growth.
Thus, the Group entrusts with individual investment projects the R&D/Investment Committee and the Project Review Committee as well as their overseer, the Executive Council. The internal bodies carefully determine the appropriateness of business plans and other factors in order to minimize risks from investment decisions.
[9] Compliance
Compliance risks entailed partly in creating new businesses are expected to get diversified and complicated. We are watchful of personnel and labor issues such as working long hours, power harassment and sexual harassment. Also, we are aware of possibilities of our committing inadequate data handling and other material compliance violations in our operating furthermore data utilization businesses and service-based type businesses in the future. In an event where the situations occur, the Group may have the social credibility harmed, pay damage compensation, and have business relationships re-examined by our key business partners. Eventually, our Group’s business results could be impacted.
The Group aims to stave off such risks through formulating the Charter of Corporate Behavior, the Group Compliance Basic Regulations, and the Group Code of Conduct and establishing compliance promotion systems. We have endeavored to ensure that all of the Group’s executives and employees comply with laws and regulations, social norms, and in-house regulations and perform ethical behavior.
[10] Natural Disasters and Infectious Diseases
In an event that an occurrence of natural disaster such as an earthquake or terrorist attack damages devastatingly social infrastructure or the Group’s major business bases, the Group will be forced to bear a significant amount of costs in order to cope with the situation. Similarly, in an event that the Group must restrict activities of many of our employees and business partners in order to secure their safety and well-being in the wake of an outbreak of infectious disease, as well as prevent a spread, our business activities such as service provision will be impacted enormously, which may eventually be reflected in the business results.
The Group aims to cope with business continuity risks partly caused by earthquakes and infectious diseases. Thus, we established a business continuity plan (BCP). We have implemented Business Continuity Project to review and improve the plan continuously from the viewpoints of ensuring safety, resuming internal businesses, and serving customers. The Group has planned and implemented training sessions such as safety confirmation drills and comprehensive simulation-based training sessions in order to make preparations against disaster occurrences. The training drills and sessions are designed for employees, organization leaders, and disaster control headquarters members. Comprehensive simulation-based training sessions are organized in accordance with scenarios of specific event occurrence in order to train participants to play individual roles about damage situation reports, response instructions, and feedback reports.
In response to COVID-19 that spread, the Group worked on ensuring business continuity with an eye on preventing the spread of the infectious disease in the entirety of society with the priority given to our Group employees, partner companies and customers, in line with the Novel Influenza Response Action Plan which had been formulated previously. The Group will endeavor to enable business continuity in light of new infectious diseases spreading, on the basis of using knowledge that we acquired from responding to COVID-19, with the greatest priority given to ensuring the safety of customers, partner companies and employees.
[11] Technological innovation
IT and other means used to solve issues at customers and in society are evolving every day. If we are late in acquiring new technologies and knowledge & expertise, or we let our internal assets and our know-how become outdated, we may be faced with a decline in our market competitiveness and customer satisfaction.
We will rebuild our technology portfolio based on the Group’s accumulated strengths and business timelines, promote digital transformation of development in core businesses, and strengthen technology for accelerating high-value-added proposals and advances in the market development area.
We also aim to achieve sustainable business growth by identifying, acquiring, and implementing frontier and next-generation digital technologies. Through these activities, we have strategically promoted initiatives to catch up with new technologies, acquire knowledge and expertise, and optimize the use of existing technologies. At the same time, we have been keen on promoting efforts to develop employees needed for the initiatives and those in cooperation with start-up companies.
[12] Climate Change
In an event of our failing to act appropriately in light of complying with global environmental regulations, responding to innovations against the backdrop of increasingly worsening climate change, and meeting stronger demands from investors and society for information disclosure, eventually we could suffer a deterioration of our service development capabilities, market competitiveness, and reputation. As a result, we might see our performance results thus impacted.
In response to these climate change risks, the Group has implemented a company-wide project to assess impacts of all the items of "transition risks" and "physical risks" indicated in the TCFD proposal, through a scenario analysis. Furthermore, we have integrated and managed the climate-related risks identified in the scenario analysis into the Group's risk management system in order to enable prompt responses, with trends related to climate change and changes in the business environment kept on the radar.