Compliance / Risk management

Compliance

As described in the Mitsubishi Steel Group Code of Conduct, the Group carries out business activities in compliance with laws, regulations, and societal norms.

Basic structure and concept

The Group has established and implemented the Basic Regulations on Compliance based on the Corporate Philosophy, the Mitsubishi Steel Manufacturing Group Corporate Code of Conduct, and the Mitsubishi Steel Group Code of Conduct.
Compliance is fundamental to business activities. We define it as requiring not just that we follow laws and regulations, but that we meet the demands and norms of society and ethical standards. The Group strives to enhance its compliance structures by appointing individuals responsible for compliance at individual subsidiaries to cooperate with the Chief Compliance Officer, the officer in charge of the Risk Control Department.
As the section in charge of overseeing compliance, the Risk Control Department exchanges information at regular intervals with the individuals responsible for compliance and drafts and implements compliance measures. Responses to serious incidents are made in accordance with the Board of Directors Regulations and in cooperation with the Internal Audit Department based on the nature of the incident.

Compliance risk structure
Review of the operational status of the compliance structure

The overall operational status of the compliance structure is reviewed periodically (once/year) and reported to the Board of Directors to enhance its oversight.
Results of this review in FY2024 showed that the Company’s compliance structure was operating properly overall. The results also identified certain points that warrant further strengthening.

Examples of responding to compliance risks

Responding to serious compliance risks

To address the following significant compliance risks, we are enhancing efforts to prevent violations both domestically and internationally.

  • Operation of Antimonopoly Act compliance rules
  • Operation of insider trading control rules
  • Introduction of anticorruption guidelines and response flows
  • Internal audits in the quality sections (implemented under quality audit rules and manuals)
  • Establishment of flows for responding to leaks of personal information (in response to the amended Act on Protection of Personal Information)
  • Maintenance of appropriate accounting processes
  • Tax compliance

Fostering a culture of compliance (compliance training)

The Group is enhancing its compliance training programs to inspire greater interest in compliance among officers and employees and to strengthen understanding of compliance organization-wide. Training efforts include reviews of real-world case studies and preparation of content and teaching materials tailored to specific employee levels. Discussions are intended to deepen understanding of compliance.
Since September 2023, the Risk Control Department has undertaken individual compliance interviews with Japanese employees at all facilities in Japan and overseas. As of the end of July 2025, interviews had been conducted with 524 individuals, around 30% of the total number of approx. 1,700 eligible persons. Through person-to-person discussions with employees, we seek to quickly identify any issues that might lead to compliance violations and to follow up as necessary. Since FY2024, to raise awareness of compliance and compliance issues, we have distributed compliance letters (both monthly and weekly) by email to all employees. This is intended to strengthen thorough compliance and ethical behavior further.
A survey of all employees performed following employee harassment training showed that 90% of respondents believed the training improved their understanding of harassment. A separate survey of employees in positions to guide subordinates or junior colleagues indicated conflicting opinions with regard to the need to change guidance methods and differences from individual to individual with regard to confidence in providing effective guidance.

 
Figure: Examples of compliance training

Internal whistleblowing system

Internal whistleblowing systems have been established at all Group facilities in Japan and overseas. In light of the few reports received to date, we saw the need to promote awareness and use of the systems.
Since FY2023, we’ve interviewed individual Japanese employees during compliance training to determine what psychological barriers might prompt hesitation to use the system. In June 2024, based on employee opinions gathered through these interviews, we renamed the internal whistleblowing system the Hotline, based on our belief that this gives it a more approachable name.
We promoted expanded use of the Hotline by incorporating descriptions of the system structure and whistleblower protections in compliance training. These efforts have lowered psychological barriers to using the system, with numbers of reports growing steadily from FY2023 through FY2024. We are also analyzing the reports received to help improve workplace environments.
A look at matters reported shows that many concerned labor management, rules and regulations, and harassment. There were no reports of serious compliance violations.
Whistleblowing reports from domestic subsidiaries are made through the hotline for Mitsubishi Steel, the parent company. Overseas subsidiaries in China, the Philippines, Thailand, and India operate hotlines similar to that of the Company. We are building a system for sharing reports from these companies with the Japan side. This year, the subsidiary in Indonesia introduced a system similar to that of other overseas subsidiaries. Subsidiaries in North America (USA, Canada, Mexico) already had systems in place; preparations are underway for sharing information between them and the hotline in Japan.

Whistleblowing reports
Number of internal whistleblowing reports

Cutting off relations with antisocial forces

As stated in the "Mitsubishi Steel Group's Business Conduct Guidelines," our Group is firmly opposed to antisocial forces and has established that we will have no relations with them. Based on this, we have concluded a memorandum with our business partners regarding the exclusion of antisocial forces. In addition, as part of our employee education, we strive to comply with the "Mitsubishi Steel Group's Business Conduct Guidelines," including instructing employees to cut off relations with antisocial forces and to deal firmly with threats and unreasonable demands without yielding.

Risk management

The Group carries out appropriate ascertaining and management of risks to minimize losses and maximize gains as we fulfill our social responsibilities through sustained growth.

Basic risk management concept and structure

The Group has established the Risk Management Rules to fulfill our social responsibilities through sustained growth. We define risks as various circumstances and events that could have negative effects such as harming or disadvantaging Group business activities. We ascertain and manage risks appropriately to prevent such effects. In the event of a serious incident, we employ appropriate crisis management to minimize the damage.
The risk management system is based on a three-line model to ensure division of responsibilities and independence by making organizational roles clear.

■ Risk management structure
Risk management structure diagram
  • The Risk Management Committee consists of the CRO, executive officers, and persons responsible for management sections (corporate centers).

Line one: Study of matters such as risk response when drafting measures on site at the head office, at business sites, and in sections and management of risks in individual sections
Line two: The Risk Control Department, an organization independent of business sections, ascertains risks from a bird’s-eye perspective, confirms the state of responses, and reports to the Risk Management Committee. The Risk Management Committee selects severe risks, drafts response measures, and promotes these measures. Those attending the Management Committee meeting make related decisions and report them to the Board of Directors.
Line three: The Internal Audit Department, which is independent of lines one and two, audits the state of these risk management measures and reports on the audit findings to the Board of Directors.

We carry out multilayered and effective risk management through this clear division of responsibilities and independence.

Risk management methods

To address risks reliably, through continual improvement based on the plan-do-check-act (PDCA) cycle at right, we strive to improve the precision of risk management and build a structure capable of responding flexibly to any serious incident.

Annual schedule

Ascertaining and responding to risks

We ascertain potential risks and perform annual evaluations (accompanied by intermediate reviews) of the risks identified. Based on residual risks after excluding the effects of responses, we implement preventive measures and preparatory measures to ensure readiness for any incidents.
Previously, the Risk Management Office responded to corporate risks, while business risks were managed independently by the business sections. However, there is a pressing need to enhance organizational response capabilities in response to rapid changes in the business environment and increasingly diverse values. To adapt to this changing environment, in April 2025, we established the Risk Control Department. Under this structure, we carry out integrated management of corporate risks and business risks from an enterprise risk management (ERM) perspective, to adapt to environmental changes and make the risk management process more efficient.
We also incorporated legal functions into the Legal Group in the Risk Control Department as part of the new system. This is intended to centralize our ability to respond to legal risks, enhance Groupwide governance, and continuously improve risk management capabilities.
In the event of a serious incident that could have a strong impact on business activities, we will promote risk response and progress management by swiftly convening the Risk Management Committee (Crisis Response) as needed.

Risk map

The risk map plots unaddressed risks (endemic risks) by their severity on the vertical axis and degree of responding to risks (controls) on the horizontal axis.
Each risk is color coded by the scale of residual risks after control. The extent of external effects from social, market, and other factors is shown by the colors of the circles.

 
Figure: Risk map

Information security measures

Information security risks continue to proliferate around the world. To ensure preparedness for such risks, based on our Corporate Philosophy and the Mitsubishi Steel Group Code of Conduct, the Group has established a Basic Policy for Information Security, as well as associated regulations and associated information security management structures. These measures focus on establishing an Information Security Committee whose members consist of the individuals responsible from the Company’s sections and the Group companies. The committee is charged with drafting and promoting measures to monitor and respond to major risks.
The Information Security Secretariat, under joint management by the Risk Control Department and the Systems Department, acts as the Line two of defense: it trains officers and employees, holds drills on targeted email attacks, and conducts internal auditing of matters such as the states of retention and control of important confidential information and the state of information security management. It also works to improve information security literacy. Furthermore, to be able to respond swiftly to any serious incidents, we are strengthening the security structure through regular security incident drills by CSIRT.
To raise the level of security, we have promoted measures based on the security guidelines of the Japan Automobile Manufacturers Association (JAMA) and the Japan Auto Parts Industries Association (JAPIA) since FY2021. This year, we introduced the Security Operation Center (SOC), capable of constantly monitoring networks and devices 24 hours/day, 365 days/year, to strengthen our preparedness for cyberattacks.
As a result of these measures, we have reached a current level of 91% achievement of JAMA/JAPIA security guideline level 1/2 responses. Seeking to reach 100%, we will swiftly address remaining issues such as BCP measures for a crisis.
We also have taken out cyber-risk insurance as we strive for multifaceted enhancement of information security.

 
Information security management structure (overview)

Countermeasures against quality misrepresentations

Quality misrepresentation audit

The Group has established quality assurance structures at each production facility and strives to enhance these structures to deliver quality that keeps customers satisfied. As part of these efforts, since FY2020 we have continued to perform internal audits that aim to prevent unauthorized alteration of quality data and quality misrepresentations under the leadership of the Risk Control Department, the Line two. No serious issues have been identified to date.
These internal audits check for the three main contributing factors to improprieties: motive, opportunity, and justification. The audits strive to prevent unauthorized alteration of quality data and quality misrepresentations before they occur by rectifying organizational systems that could lead to improprieties.
In addition, since FY2025, we have implemented spot audits to check consistency in data on shipment inspections. These are intended to eliminate opportunity for improprieties by checking, against actual measurements as evidence, items for which, for any reason, inspection results were transferred by employees instead of being loaded automatically from the measurement instruments.
With the goal of heightening awareness of the importance of quality controls, we provide periodic compliance training for our employees in quality control sections. In addition, we are currently making progress on automated/unattended inspection systems and developing related automation technologies using AI and IoT solutions, to thoroughly prevent unauthorized alteration of quality data and quality misrepresentations.

Business continuity planning measures

BCP drill

The Group has established a framework to enable the rapid collection of information and coordinated guidance in response to severe threats to business operations such as disasters, accidents, and infectious diseases.
We prepared business continuity plans (BCPs) on responding to major earthquakes in FY2020 and on responding to infectious diseases and storms and flooding at business sites expected to be at risk of typhoons in FY2021. Since FY2022, we’ve shifted our focus to BCP verification and revision in various ways, including periodic education to promote awareness of the BCP and desktop drills based on the BCPs formulated.
We plan to continue making our BCPs even more detailed and effective while improving plans and enhancing drills for information security incidents and other threats, to strengthen our capacity to respond to risks and improve the BCP, thereby enhancing business continuity capabilities.

Risk management by the Investment and Credit Committee

The Investment and Credit Committee closely examines, from a neutral perspective, the business potential and risks of investments and finance measures Groupwide. It is responsible for initial decisions concerning the feasibility of investments and finance. For capital increases, loans, capital investments, mergers and acquisitions, and other such matters, it monitors investment results and progress made on approved measures and shares its findings with management. The Investment and Credit Committee also links the findings therefrom to the measures needed to realize timely and appropriate risk management. For the sale and disposal of assets, business withdrawal decisions, and other such matters, it increases the speed and efficacy of related measures through transparent review based on qualitative and quantitative indicators, to help increase corporate value continuously. It also strives to enhance governance and internal controls through swift detection, avoidance, and mitigation of risks.

Overseas crisis management measures

We have taken measures to ensure that expatriate staff, accompanying families, and business travelers living in environments completely different from the safe and sanitary conditions in Japan can live overseas with peace of mind in case of emergencies.
In collaboration with a specialist company for overseas crisis management, we have a system in place to provide advice and assistance in Japanese 24/7, 365 days a year, in terms of medical care and security (crime, disasters, etc.), no matter where in the world they are.
In addition, whenever there is cautionary information due to climate or protest activities, we share information between the headquarters and overseas bases, and value international communication on a daily basis.

Fire prevention measures

As part of its safety measures, each manufacturing facility in the Group strives to enhance fire prevention measures. Together with regular follow-up on the Groupwide fire risk checks launched two years ago, we are taking action to prevent fires by deploying Groupwide measures based on the lessons of past fires.
We are also promoting fire prevention awareness through continual monitoring, improvements, and periodic patrols to highlight fire risks.

Lifesaving initiatives

Among its disaster prevention measures, the Company provides regular lifesaving courses for employees at the Head Office. Lifesaving has been a particular focus especially in the past few years, for example by adopting a basic goal of having all employees at the Head Office earn lifesaving qualifications and encouraging those already qualified to participate in repeat training once every three years to keep their qualifications valid. These courses continued even during the COVID-19 pandemic, with appropriate safety measures. As a result, a total of more than 180 persons (including those taking repeat training) completed the course during the six years since 2017, and the Tokyo Fire Department presented us with a letter of thanks reflecting its high regard for our contributions to lifesaving activities in the community.

We will continue these regular courses to improve employees' knowledge and skills regarding lifesaving.

An instructor demonstrates lifesaving techniques using a dummy.
The certificate from the Tokyo Fire Department

Privacy Policy

The Mitsubishi Steel Personal Information Protection Policy is available on our website.
https://www.mitsubishisteel.co.jp/english/privacy/index.html