Preserve Corporate Value through Safe and Reliable Business Operation
The ANA Group takes steps to identify, analyze, and appropriately address risks with the potential to severely impact management. In addition, we have developed groupwide frameworks to minimize the impact of risks and prevent reoccurrence in case risks materialize.
Risk Management System
The ANA Group Total Risk Management Regulations set out the basic terms of the Group's risk management system.
Under these regulations, the secretariat of the Group CSR / Risk Management / Compliance Committee (Corporate Brand & CSR Promotion, General Administration, and Legal & Insurance), CSR Promotion Officers assigned to companies and divisions, and CSR Promotion Leaders facilitate risk management activities.
The role of CSR Promotion Leaders is to promote risk management in each group company and department by executing risk countermeasures according to plans and to take swift action while contacting the secretariat in the event of a crisis.
The ANA Group's Risk Management
The ANA Group takes a two-pronged approach toward managing risk comprised of risk management measures conducted from a preventive perspective and crisis management in the event of materialization of a risk. Given the Group's role as a provider of social infrastructure, business continuity management and information security are areas of particular importance. We prioritize initiatives in these areas accordingly.
Risk Management from a Preventive Perspective
Each group company implements autonomous risk management activities that include identifying risks, analyzing and evaluating these risks, formulating and implementing countermeasures, and monitoring the results of these activities.
The group companies confirm and evaluate the progress, effectiveness, and level of achievement of the measures taken with respect to significant risks identified in each organization. The Company also takes the lead in implementing measures to address issues faced by the entire Group and confirms progress through the Group CSR / Risk Management / Compliance Committee.
Crisis Management in the Event of Materialization of a Risk
The ANA Group has constructed a crisis management system based on detailed manuals in order to minimize damage and ensure safe and reliable future operations by investigating the causes of crises.
The Emergency Response Manual (ERM) sets out responses to incidents with a direct impact on operation of the ANA Group's aircraft including accidents and hijacks, and the Crisis Management Manual (CMM) provides responses to other crises including system failures, information leaks, and risks from external sources.
To preserve information assets, such as the personal information of customers, the ANA Group implements measures in compliance with technical standards, including ISO 27001 and other global standard guidelines, as well as various laws and regulations.
To ensure effective information security, the Group conducts annual Control Self Assessments (CSA) of the status of compliance with the ANA Group Information Security Management Regulations at all group companies and departments. The Group also consistently implements awareness-raising activities to firmly entrench information security rules throughout the organization.
Steps were also taken to increase our resilience to ever diversifying cyberattacks. In addition to reinforcing network monitoring precautions, awareness was promoted by regularly sending emails simulating targeted email attacks to all group employees.
We are revising our internal rules to respond to laws and regulations related to personal information in Japan and overseas.
- To counter the increasing risk of public controversy on social networking sites (SNS), we have established the SNS Guidelines with precautions for Group employees using social media both personally and professionally, and executed awareness campaigns
- A self-check system for information security rules compliance was implemented, and is executed annually with the entire Group
- To ensure information security knowledge is conveyed, easy-to-understand training using e-learning is regularly provided (four times in fiscal year 2014)
- Beginning in fiscal year 2013, a dedicated team has conducted site inspections and interviews centering on our Group company departments handling customer information, to understand issues from a third-party perspective and implement improvements
- Beginning in fiscal year 2014, Information Security Centers were established in Group companies that have acquired skills and knowledge, to engage in various initiatives to improve information security of the Group as a whole
ANA will continue with Group-wide initiatives to further enhance our personal information protection framework.
Security Trade Control
The parts, chemicals, apparatuses, and other articles necessary for aircraft maintenance are exported to overseas airports and aircraft maintenance centers. Certain articles employ technologies that could be adapted to create weapons. Accordingly, we practice rigorous security trade control* of exported articles.
A stringent security trade control structure is maintained through once-annual audits and trainings. These activities target divisions that are considered exporters for being directly involved in exporting as well as divisions that are not considered exporters but are still involved due to handling customs clearance and other transportation-related processes.
* Security trade control is a term that refers to all regulations placed on exports from Japan by the Foreign Exchange and Foreign Trade Act.
Business Continuity Management
The ANA Group has prepared a business continuity plan (BCP) that details policies and procedures for responding to large-scale natural disasters, such as an earthquake directly under the Tokyo metropolitan area or in the Nankai Trough, that render ANA Group flight control facilities unusable. The provisions of this plan include measures for ensuring the health and safety of customers and all ANA Group employees, minimizing the impact on group management and on society as a whole, and resuming normal operation as quickly as possible.
We plan to develop and distribute education and training materials teaching employees how to protect themselves while engaged in the safety evacuation of customers in the immediate aftermath of a large-scale disaster.
Information Technology Business Continuity Plan (IT-BCP)
The ANA Group uses many systems for business management.
Establishing an information technology business continuity plan (IT-BCP) is essential for safe and stable continuation of our business.
The ANA Group is engaged in a five-year project to build an IT-BCP environment for all systems. This project takes into account the damage projections for an earthquake occurring directly under the Tokyo metropolitan area, as estimated by the Central Disaster Prevention Council operated by Japan's Cabinet Office. We plan to reconstruct multiple lifeline systems in stages in a highly seismically isolated data center by the end of fiscal 2018.
In parallel, we are preparing a backup data center in a remote location as part of disaster recovery (DR) plans that will allow us to continue business operations by switching to a backup data center from our main data center during a disaster.
The system platform of the new data center will make use of virtualization and other advanced IT technologies, contributing to both enhanced system resilience and cost reductions.
The ANA Group will continue to accurately and promptly assess IT risks that could severely affect our business. We will make ongoing improvements in both hard and soft aspects of our systems, including processes and training that allow for a proper response during emergencies. These efforts will allow us to continue to provide safe and reliable service to our customers, and to fulfill our responsibilities as a critical part of social infrastructure.