Risk Management

Risk Management Policy and Basic Concept

As the environment surrounding the company becomes more complex and diversified, the Ricoh Group positions risk management as an essential initiative in appropriately controlling the various internal and external uncertainties that surround the Group's business and in implementing management strategies and achieving business objectives. All Group employees strive to improve risk management. The Board of Directors assumes the role and responsibility of overseeing and monitoring whether the execution of risk management by executives is effective and efficient.

Risk Management Systems and the Risk Management Committee

The Ricoh Group’s risk management systems can be divided into two main levels, as shown in Figure 1 below.
1. Managerial risks, which are selected and managed autonomously by the GMC for management items of particular importance, within the management of the Ricoh Group.
2. Division risks and business unit risks, which each business organization is responsible for managing for its own business.

These two levels exist for the purpose of clarifying the bodies responsible for risk management so as to facilitate agile decision-making and swift action in response to each level of risk, and together form an integrated risk management system. The management of some risks may be transferred from one level to the other, due to changes in the level of impact caused by environmental changes. The reevaluation and replacement of risks addressed at each level, based on changes in the level of impact due to environmental changes, are carried out at a frequency of at least twice a year.
The role of each risk management body is shown on the right-hand side of Figure 1.

Image showing the aforementioned contents

The Risk Management Committee was established as an advisory body to the Group Management Committee (GMC) with the aim of enhancing the overall risk management process within the Ricoh Group. The committee is supported by a separate risk management support department, independent of the business divisions, which serves as the secretariat. The committee is chaired by the Risk Management Officer and includes experts from various organizational units. This composition ensures comprehensive risk coverage and facilitates in-depth discussions, enabling the committee to propose to the GMC the risks that should be addressed and prioritized in the management of the Ricoh Group. Additionally, as part of strengthening the practicality of risk management within the Ricoh Group, the risk management system, as shown in Figures 1 and 2, is periodically reviewed and reconstructed as needed.

Furthermore, to establish a more effective and cohesive risk management system that aligns with the management and various business execution units, risk management responsible officers and promoters are appointed from each organizational unit. This enables the development of autonomous risk management structures within each organization.

Moreover, the Risk Management Support Department organizes a "Risk Management Collaboration Enhancement Meeting" targeting risk management promoters. In this meeting, study sessions and information sharing related to risk management are conducted to foster a risk-resilient organization. Continuous efforts are being made to become an organization that is robust in managing risks.

Process of determining managerial risks

The GMC and Risk Management Committee determine managerial risks based on a comprehensive recognition of risks, through activities such as stress tests, that exert a significant impact on management, in light of the Company’s management philosophy and business purpose, and are actively involved in countering these risks. (Figure 2: Process of determining managerial risks)

  • Managerial risks are classified and managed as “strategic risks” and “operational risks” based on their characteristics. Strategic risks cover a wide range of risks that affect management, from risks related to the accomplishment of short-term business plans to emerging risks in the medium- to long-term.
  • As an advisory body to the GMC, the Risk Management Committee utilizes the specialized knowledge and experience of each of its members, engaging in substantial discussions before recognizing and assessing each risk, in order to more accurately propose possible managerial risks.
Image showing the aforementioned contents

Major focus managerial risks for FY2023

Strategic risks

  • Transition of profit structure as a digital services company
  • Acceleration of digital strategy
  • Reinforcement of advanced technologies
  • Information security
  • Securing, developing and managing human resources
  • Responding to ESG and SDGs; Emerging Risks such as Human Rights Violation, and Climate Change and transition to Circular Economy
  • Geopolitical risks

Operational risks

  • Long-term delay and suspension in supply of products
  • Large-scale disasters/incidents or accidents
  • Unexpected impact of changes in the global environment
  • Human resource-related compliance
  • Risks related to Group governance

Incident and Accident Management

The Ricoh Group is taking various measures to prevent incidents from occurring. For example, we have established the Ricoh Group Hot Line System, which can be used by all officers and employees of the Ricoh Group in Japan (including part-timers, part-time workers, and dispatched laborers) as a contact point for reporting and consulting on regular business audits and compliance violations, and we are strengthening monitoring. In addition, we have established the Ricoh Group standard "Standard for responding to incidents" for all affiliated companies in Japan and overseas.

In the event of an incident that adversely affects the corporate activities of the Ricoh Group, the president, internal control committee, and disclosure control department of Ricoh Co., Ltd. will promptly treat the incident as a "serious incident," from the area where it occurred through the supervising area for each incident. We have established a system to report to the officers, corporate auditors, and others related to the case, to take measures based on the president's policy, and to prevent recurrence.

The summary of significant incidents that occurred in the past six months, including their responses and measures for prevention of recurrence, as well as the trend of incident occurrence by incident category, are reported to the Board of Directors on a semi-annual basis. Please refer to the table below for the significant incidents reported to the Board of Directors and their corresponding status of handling for the fiscal year up to 2022.

Please note that the reported details of significant incidents, the trend and patterns of incident occurrence, are taken into consideration as a reference during the management risk review in the following fiscal year by the GMC.

Number of cases reported in 2020-2022 and status/progress of the breaches

| Incident category | Status | FY2020 | FY2021 | FY2022 |
|---|---|---|---|---|
| Labor law violation | Substantiated | 0 | 1 | 2 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 0 | 1 | 2 |
| Professional misconduct | Substantiated | 12 | 16 | 8 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 12 | 16 | 8 |
| Embezzlement or theft | Substantiated | 0 | 13 | 6 |
| | Under investigation | 0 | 0 | 3 |
| | TTL | 0 | 13 | 9 |
| Corruption | Substantiated | 0 | 0 | 0 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 0 | 0 | 0 |
| Fraudulent accounting | Substantiated | 3 | 3 | 2 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 3 | 3 | 2 |
| Harassment | Substantiated | 1 | 0 | 1 |
| | Under investigation | 0 | 0 | 1 |
| | TTL | 1 | 0 | 2 |
| Human rights violation | Substantiated | 0 | 0 | 0 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 0 | 0 | 0 |
| Information Security (Customer Privacy Data) | Substantiated | 0 | 1(0) | 2(0) |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 0 | 1(0) | 2(0) |
| Conflicts of Interest | Substantiated | 0 | 0 | 0 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 0 | 0 | 0 |
| Money Laundering or Insider trading | Substantiated | 0 | 0 | 0 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 0 | 0 | 0 |
| Others | Substantiated | 1 | 3 | 6 |
| | Under investigation | 0 | 0 | 0 |
| | TTL | 1 | 3 | 6 |
| TTL | Substantiated | 17 | 37 | 27 |
| | Under investigation | 0 | 0 | 4 |
| | TTL | 17 | 37 | 31 |

Details of actions taken against the substantiated cases

The following items had a high percentage of incidents in the fiscal year 2022:

  • Malpractice in business operations
  • Embezzlement and theft

Malpractice in business operations includes fraudulent activities related to documents such as receipts. Embezzlement and theft include incidents involving the theft of inventory and internal company property. Many of these incidents in both categories were brought to light as remote work became more prevalent, and internal rules and business processes adapted to remote work environments. Our company has been rigorously and appropriately addressing these incident cases. So far, we have taken disciplinary actions against 16 individuals in accordance with internal regulations. Additionally, we have implemented preventive measures to ensure similar incidents do not occur again. Examples of these measures include the installation of security cameras, strengthening the approval process for procurement and delivery tasks, sharing information about fraudulent activities within the organization, and providing ethics education in the workplace.

Furthermore, in the fiscal year 2022, there was one serious violation of law that required external disclosure.

Serious Violations Requiring External Disclosure - 1 case

This incident occurred in August 2022 and pertained to the biomedical business. A corrective order was issued, leading to external disclosure. We conducted an internal investigation involving external experts to develop preventive measures. By implementing these measures, we aim to enhance compliance.

Crisis Management

Basic Policy

The Ricoh Group established 4 basic policies to ensure that all Ricoh Group companies take necessary actions promptly in the event of a serious crisis.

(1) The Ricoh Group places the highest priority on the life, safety and health of its employees, executives, their families, customers, and business partners.
(2) We will strive to provide the services and products required by society and customers, prioritizing those who are in essential businesses.
(3) We will strive to fulfill our corporate roles and responsibilities with the local community, government, and society.
(4) The Ricoh Group shall make sufficient preparations in advance for possible damage to our business to minimize the impact, and shall respond promptly and appropriately in the event of such damage.

Overview

In the event of a crisis, a task force will be set up based on the level of the crisis (if multiple businesses or regions are affected, the Group Task Force will be in charge; otherwise the task force is set up within each organization) and will carry out emergency response in accordance with crisis management response standards.
Once safety and the necessary work environment are ensured, each organization will make the decision to activate its own BCP (Business Continuity Plan) and respond to ensure the continuity of important business.


Emergency Response

A serious crisis that affects the performance of the whole Ricoh Group requires different knowledge and responses depending on the type of crisis. Therefore, Ricoh appoints a main organization to take charge of each serious crisis and creates an Emergency Response Plan (ERP) based on business effect simulation. We also conduct training and exercises in accordance with the created ERP.
Currently, we have selected the following as serious crises that could affect the performance of the whole Ricoh Group, and they are described in Ricoh internal standards. The Risk Management Department will review them and make revisions as necessary.

(1) Large Scale Natural Disaster
    (a) Large Scale Earthquakes/Tsunami/Storm Surge
    (b) Volcanic Eruptions
    (c) Heavy Storm/Heavy Snow/Floods
(2) Severe Accident/Fires at Ricoh Group’s facility
(3) Spread of serious infectious diseases (Pandemic)
(4) Severe system failure
(5) Severe Information security related incidents/accidents

Business Continuity Plan (BCP)

Each organization in the Ricoh Group identifies important businesses/operations that cannot be stopped or that require immediate recovery in the event of a crisis and develops a Business Continuity Plan (BCP).

In the first stage of developing BCPs, we created BCPs based on the assumptions of “Spread of New influenza” and “Large scale disaster such as a serious earthquake in Japan”. However, risks have become more diverse, and it has become difficult to respond quickly to unexpected events by preparing a response for each risk individually. Therefore, as a second stage, we have adopted the concept of "all-hazards response", which does not limit our responses to each individual crisis. We will continue to develop BCPs that follow this concept and strengthen our resilience.


Strengthening Crisis Response Overseas

Ricoh has “Crisis Response Standard for Natural Disaster, Accident and Instance (Outside Japan)” for our overseas group companies, and it clarifies roles and responsibilities of each organization/company.

Ricoh Group Headquarters is working together with overseas group companies to strengthen crisis response across the whole Ricoh Group by giving additional instructions when there is a gap between the natural disaster risks provided by each group company and third-party information, confirming the reporting route in the event of a serious crisis, and supporting the creation of BCPs.

Training and Exercises

To minimize the impact of natural disasters such as large-scale earthquakes, Ricoh conducts joint disaster response drills within group companies in Japan. We also conduct disaster prevention drills in each office, including night evacuation drills. The Group Task Force, which takes charge of the whole group, conducted training in a remote environment, taking new work styles into consideration. In recent years, we have strengthened our efforts to address flood risks and volcanic eruptions. We also conduct tabletop and hands-on training based on the created plans.
In various training exercises, we verify whether our systems and operations are working and continue to make improvements. By doing so, we are preparing to ensure the safety of our employees and to quickly restore the office and business.

Overseas, Ricoh Group Headquarters has distributed the “Crisis Response Standard for Natural Disaster, Accident, and Instance (Outside Japan)” and at the same time shared a “BCP creation manual” to deepen understanding of BCP and to promote the review of plans to strengthen responses in all regions and businesses.
Training and exercises for serious crises are conducted on a regional basis, depending on the local risk situation.
