Preserve Corporate Value through Safe and Reliable Business Operation
The ANA Group takes steps to identify, analyze, and appropriately address risks with the potential to severely impact management. In addition, we have developed groupwide frameworks to minimize the impact of risks and prevent reoccurrence in case risks materialize.
Risk Management Structure
The ANA Group Total Risk Management Regulations set out the basic terms of the Group's risk management system. Under these regulations, the secretariat of the Group CSR / Risk Management / Compliance Committee (CSR Promotion, General Administration, and Legal & Insurance), CPOs assigned to companies and divisions, and CPLs facilitate risk management activities. The role of CPLs is to promote risk management in each group company and department by executing risk countermeasures according to plans and to take swift action while contacting the secretariat in the event of a crisis.
The ANA Group Risk Management
The ANA Group takes a two-pronged approach toward managing risk comprised of risk management measures conducted from a preventive perspective and crisis management in the event of materialization of a risk. Given the Group's role as a provider of social infrastructure, business continuity management and information security are areas of particular importance. We prioritize initiatives in these areas accordingly.
Risk Management from a Preventive Perspective
Each group company implements independent risk management activities that include identifying risks, analyzing and evaluating these risks, formulating and implementing countermeasures, and monitoring the results of these activities.
The group companies confirm and evaluate the progress, effectiveness, and level of achievement of the measures taken with respect to significant risks identified in each organization. The Company implements measures to address issues faced by the Group and confirms progress through the Group CSR / Risk Management / Compliance Committee.
Crisis Management in the Event of Materialization of a Risk
The ANA Group has constructed a crisis management system based on detailed manuals in order to minimize damage and ensure safe and reliable future operations by investigating the causes of crises.
The Emergency Response Manual (ERM) sets out responses to incidents with a direct impact on operation of the ANA Group's aircraft including accidents and hijacks, and the Crisis Management Manual (CMM) provides responses to other crises including system failures, information leaks, and risks from external sources.
Recent cyberattacks via the internet have become more advanced across the globe. Today, cyberterrorism via computer viruses, large-scale information leakage incidents, business email fraud, and other vectors have become much more potent threats.
As a corporate group responsible for important air transportation infrastructure, the ANA Group has created an information security management system based on the ANA Group Information Security Management Regulations. Through this system, we strive every day to improve information systems functions and take measures by defense in depth.
We work with outside entities to train our security specialists and actively participate in information sharing with other corporate groups. In this way, we are raising the level of our expertise, preparing against incidents, and structuring a prompt initial response system. Other measures include response exercises coordinated with each department as a means to minimize the impact of an incident. We communicate the importance of information security to employees by distributing an IT security system handbook and providing related e-learning courses. We also conduct seminars for overseas branches and group companies.
Security Export Control*1
The ANA Group export the parts, chemicals, apparatuses, and other articles necessary for aircraft maintenance to overseas airports and aircraft maintenance centers.
Certain articles employ have the potential to be adapted to create weapons. Accordingly, we practice rigorous security export control*1 of exported articles. A stringent security export control structure is maintained through annual once-annual audits and trainings. These activities target divisions that are considered exporters for being directly involved in exporting as well as divisions that are involved due to handling customs clearance and other transportation-related processes.
- *1.Security export control is a term that refers to all regulations placed on exports from Japan by the Foreign Exchange and Foreign Trade Act.
Business Continuity Management
The ANA Group has prepared a business continuity plan (BCP) that details policies and procedures for responding to large-scale natural disasters, such as an earthquake directly under the Tokyo metropolitan area or in the Nankai Trough, that render ANA Group flight control facilities unusable. The provisions of this plan include measures for ensuring the health and safety of customers and all ANA Group employees, minimizing the impact on group management and on society as a whole, and resuming normal operation as quickly as possible.
Improve, reinforced communication networks
- Deploy emergency use radios and satellite telephones
- Conduct regular employee safety confirmation drills
Backup facility construction,functional improvement
- Implement regular joint drills and training at backup facilities
- Ensure equipment and software are up-to-date at all times
- Conduct equipment operation drills at backup facilities
We plan to develop and distribute education and training materials teaching employees how to protect themselves while engaged in the safety evacuation of customers in the immediate aftermath of a large-scale disaster.
Information Technology Business Continuity Plan (IT-BCP)
The ANA Group uses many systems for business management. Establishing an information technology business continuity plan (IT-BCP) is essential for safe and stable continuation of our business.
The ANA Group is engaged in a five-year project to build an IT-BCP environment for all systems. This project takes into account the damage projections for an earthquake occurring directly under the Tokyo metropolitan area, as estimated by the Central Disaster Prevention Council operated by Japan's Cabinet Office. We plan to reconstruct multiple lifeline systems in stages in a highly seismically isolated data center by the end of fiscal 2018.
In parallel, we are preparing a backup data center in a remote location as part of disaster recovery (DR) plans that will allow us to continue business operations by switching to a backup data center from our main data center during a disaster.
The system platform of the new data center will make use of virtualization and other advanced IT technologies, contributing to both enhanced system resilience and cost reductions.
The ANA Group will continue to accurately and promptly assess IT risks that pose potentially severe risks to our business. We will make ongoing improvements in both hard and soft aspects of our systems, including processes and trainings allowing for a proper response during emergencies. These efforts will allow us to continue to provide safe and reliable service to our customers, and to fulfill our responsibilities as a critical part of social infrastructure.