Governance | Global Enterprise Risk Management
Business Continuity (BCP), Risk Management

To achieve its vision of providing social and customer value, safety and security of employees and the continuity of business operations are top priorities of the Bridgestone Group. By sensing, assessing, prioritizing, and managing potential risks, the Group protects its employees while also positively driving business success. To advance this knowledge organization-wide, the Group conducts regular training and frequently reviews risk management and business continuity plans (BCPs) and controls.

This mission is an important aspect of ERM (enterprise risk management) which is an increasing focus area as the world grapples with natural disasters, climate change and the effects of geopolitical conflicts. The Bridgestone Group is actively engaged in addressing these challenges.

The Bridgestone Group holds a bi-annual, group-wide process to identify potential risks facing the overall organization as well as each Strategic Business Unit (SBU). Once risks are identified, the Group names individuals responsible, and the risk leaders collaborate to drive and coordinate risk mitigation and management activities at the global, SBU, and department levels. The Group has set up an approach under the direction of the Global CEO to manage business risks.

The Global ERM Department is responsible for the oversight and implementation of the enterprise risk management, crisis management, and business continuity programs. The Global ERM Department is comprised of members globally and from each SBU, including risk leaders and enterprise risk management professionals, and aligns on the Bridgestone Group’s Global Risk Management Standards.

All deliberations and efforts are guided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, and also by ISO 31000, the international risk management standard.

The Bridgestone Group is continuously working toward goals to fulfill its enterprise risk management and business continuity mission, each with measurable KPIs. These include goals such as:

1. Implementing a globally aligned framework for the global and regional enterprise risk management programs. The framework defines the key elements of our programs and helps drive alignment between the global and regional enterprise risk management programs.
2. Conducting regular risk assessments to identify, assess, prioritize, and mitigate global and regional risks.
3. Continuing to develop and strengthen the global and regional programs, including enhancing business continuity planning (BCP), crisis management and executing on technology to support these programs.

The Bridgestone Group carries out a bi-annual, Group-wide process to identify potential business risks facing the overall Group and each SBU. Once risks are identified, the Group names individuals responsible for driving risk mitigation and management activities globally, SBU level, or at each functional department.

The Group also regularly reviews and updates its risk identification process globally, including conducting proactive sensing, to identify and mitigate risks more effectively and efficiently. This information, along with best practices, is shared with all SBUs around the world to further improve processes. Information is also shared with employees, so they understand how their actions best contribute to preventing and mitigating risks. The risks identified and addressed include ESG risks as follows:

- Occupational health and safety
- Environmental protection
- Sustainable business operations (e.g., climate change, water intake)
- Supplier management and compliance programs
- Ethics and compliance

The Group is focused on instituting a management system for addressing climate change risks and other strategic risks as part of the Mid-Long Term Business Strategy. It also enhanced the global approach to emergencies including Emergency Action Reports (EARs, the Group-wide internal quick-reporting system for significant incidents).

For major categories of risk identified, please see: Annual Securities Report

The Bridgestone Group supports the Task Force on Climate-related Financial Disclosure (TCFD) and has been participating in the Taskforce on Nature-related Financial Disclosures (TNFD) Forum since March 2022.

As the world becomes increasingly concerned about climate change and the loss of natural capital, there is a growing movement towards a decarbonized society, as exemplified by the Paris Agreement. Additionally, efforts to achieve a nature-positive world, as outlined in the Kunming-Montreal Global Biodiversity Framework, have gained momentum.

In this context, the Group is working to comprehensively assess and manage its dependencies, impacts, risks, and opportunities related to climate and natural capital. The Group is incorporating them into our business strategies and advancing information disclosure.

Based on the recognition of these risks and opportunities, the Group is working to establish its unique Sustainability Business Model that links its business with efforts to realize carbon neutrality and a circular economy across the value chain. Furthermore, the Group aims to evolve its Sustainability Business Model and transform it to a regenerative one to help realize a nature-positive world where we can help stop and reverse the loss of natural ecosystems.

Specifically, the Group is working on mitigating transition risks by implementing measures such as reducing greenhouse gas emissions across the entire value chain, while at the same time working to addressing physical risks through adaptive measures, such as diversifying natural rubber supply sources through efforts towards the commercialization of natural rubber derived from Guayule.

The table above outlines the climate change and nature-related physical and transition risks associated with the Group’s business and operations. Physical risks include stronger typhoons and increased frequency of flooding and droughts, which could interrupt business activities. Risks related to the procurement of raw materials include changing rainfall patterns, which could lead to poor harvesting of natural rubber. Furthermore, reduced snowfall poses the risk of lowering demand for winter tires. On the transition risk side, climate change has prompted － and could accelerate － the introduction of systems and regulations that impact the Group’s financial position, including obligations to reduce CO₂ emissions, carbon taxes and emissions trading schemes, fuel-efficient tires in Japan and the world, and sustainable natural rubber.

For the details of the disclosure information recommended by TCFD and TNFD, see “TCFD and TNFD Index.”

The Bridgestone Group has created a global IT security department and is taking measures based on the global IT security policy in collaboration with IT security teams in each SBU.

In 2020, the Group conducted an initial assessment of its IT digital maturity to identify its long-term cyber security risk. In the same year, the Group strengthened IT security with e-learning programs for employees that address business email compromise and other technologies. The Group also regularly conducts internal audits to raise awareness of IT security among employees.

To counter targeted attacks and other advanced cyber threats, the Group has established a global organizational structure to quickly respond to any IT security incidents. It has also been strengthening monitoring of its website security, networks, and other systems, and improving its ability to detect suspicious emails.

Additionally, in 2022, a Global Cyber Risk Committee was created, led by the global IT security leader, and is comprised of senior IT executives and teammates, as well as other ancillary departments and functions, as a cross-functional team to address cyber resiliency and globally align on strategy and execution of IT programs and systems.

In Japan, Bridgestone Corporation and its group companies take a systematic approach to IT security under the direction of the Chief Information Officer (CIO) to prevent IT security incidents, including leaks of customer data and other confidential information. The company formulates corporate standards and rules on IT security, which are reviewed and revised to stay abreast of technological advancements and changes in IT risks. The company sets particularly strict standards for information systems that handle personal information.

A prompt initial response is essential for business continuity. In preparing for this response, the Bridgestone Group gives top priority to its employees’ health, security and safety, minimizing business losses, and anticipating business-impacting events that may occur in the supply chain. To achieve an early crisis recovery, the Group established a tiered response system based on the specific crisis situation and its severity and established a system of identifying and implementing countermeasures and protocols. This system enables a prompt initial response to assure business continuity/early recovery and drives initiatives for continuous improvement making use of past experiences and lessons learned.

In 2020, the Group launched a crisis management committee composed of the Global CEO, Joint Global COO, and key management to review emerging information on various changes associated with the spread of COVID-19 and to make swift decisions to protect employees’ health and safety and minimize business impact. The committee has continued to operate since then, sharing best practices to drive consistent responses to challenges faced in locations around the world.

To achieve these goals, the Group continues to improve risk-control processes that strengthen the management team’s ability to make informed, timely and widespread decisions. It also is implementing all-hazards BCP planning at each region. All-hazards BCP planning prepares the organization for all types of threats and vulnerabilities to prevent supply chain disruption, rather than planning for specific scenarios.

The Group has developed a common, aligned framework and standards for Enterprise Risk Management, Business Continuity, and Crisis Management. These standards address the governance and oversight of the programs, program framework, technology as well as the Group’s ability to identify, assess, mitigate, and respond to significant enterprise-wide risks.

Going forward, the Bridgestone Group will continue to improve its operational framework to strengthen enterprise risk management, crisis management and BCP.

The Business environment is becoming more complex, and uncertainties are increasing. Under these conditions, companies are expected to maintain and reinforce their ability to cope with the attendant risks and new business opportunities.

If a risk evolves into an actual event or problem, integrated teams of business units and staff functions already in place globally or in each SBU are poised to spring into action. These teams carry out and manage the company's response and ensure important information is immediately communicated to the SBU's senior leaders, as well as the Global Management Risk Committee (GMRC) and/or Global CEO, under the direction of the Chair of the GMRC & Global ERM Leader. Business continuity plans are also activated if needed. These plans identify potentially affected employees, establish alternate workplaces, document critical business processes and workarounds in case normal working methods are compromised, and ensure essential equipment is available for each employee to do their job.

In terms of key risks relating to the sustainable procurement of raw materials, the sufficient supply of natural rubber can be threatened by natural disasters, climate change, war, and political, civil and social unrest. Therefore, the emerging risk broadly incudes interrelated risks across multiple categories, including in procurement, logistics and supply chain management, geopolitical and societal conflicts, and sustainability, among others. The demand for tires is expected to expand in line with global population growth and motorization, increased need for a sustainable natural rubber supply chain. Any disruption in sustainable materials procurement, not only for natural rubber but also other critical raw materials, would adversely impact global tire supplies, as well as Bridgestone’s business performance and brand reputation.

With these risks in mind, the Group has reinforced its commitment to sustainability by adopting a Global Sustainable Procurement Policy and by reaffirming its corporate responsibility commitment. The Group will continue conducting business in ways that improve the natural rubber supply chain, supporting technological innovation and advancement that enhances the viability of the natural rubber economy. Additionally, the Group will take measures to mitigate negative impacts related to procurement, logistics, supply chain and processes for both natural rubber and other critical raw materials, ensuring sustainable procurement practices.

The Bridgestone Group sells products in more than 150 countries worldwide, and the potential of a data security incident or ransomware attack which may impact our business operations or privacy laws could vary considerably from region to region based on local laws and regulations. The impact of a data security incident could lead to significant operational disruption and / or if noncompliance with data laws may result in fines and penalties. A data security incident may also damage the Bridgestone brand now and in the future. Based on the complexity of cybersecurity threats, multiple categories are reviewed when evaluating this emerging risk such as data protection, threat and vulnerability management, security and control governance, as well as other information technology and information security categories.

As stated earlier, the Bridgestone Group has created a global IT security department to counter threats and targeted attacks and takes measures to maintain and strengthen our global information security program including incorporating the global IT policy enterprise-wide and enhancing awareness of information security among employees through e-learning programs.

Additionally, monitoring of its website security, networks, and other systems continues to be strengthened as well as email filtering and detection of suspicious emails.

The Bridgestone Code of Conduct contains a specific section on privacy and personal data. Furthermore, to comply with general data protection regulations, certain SBUs appointed a designated data protection lead (if required by law) or privacy officer and implemented and continue to implement and maintain robust privacy programs and associated policies. They further developed methods to identify and comply with the emerging privacy laws being adopted by an increasing number of governments in their territories.

The privacy professionals in the various Bridgestone Group companies have focused on compliance with the relatively new and developing privacy laws such as Europe’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), the U.S. State of California’s California Consumer Privacy Act (CCPA), the other U.S. state privacy laws going into effect in 2023, and various new data protection acts in the Asian countries.

Bridgestone Corporation and its group companies in Japan believe that protecting personal information is an important employee responsibility. Bridgestone Corporation in Japan formulated a Privacy Policy that reflects these principles. Based on this policy, the company conducts ongoing trainings for all its employees and its group companies’ employees in Japan and maintains a well-defined structure for information management.

The Group believes that proactively protecting corporate assets forms the basis of good corporate management. These initiatives also go toward mitigating risks to our employees and the communities to meet social responsibility requirements. Each region of the Group formulates a BCP in case of a natural disaster or extreme weather event and regularly conducts initial response training. The following are examples of, but not inclusive of all, natural disasters targeted by each region.

• Japan: Earthquake（including Tsunami）, Flood and Typhoon
• America: Hurricane
• Europe: Extreme heat
• Asia: Flood

The Bridgestone Group’s globally dispersed operations expose it to a broad range of risks. One of these is the risk of pandemics ― and not just the COVID-19 pandemic. Since 2013, Bridgestone Corporation has formulated business continuity plans (BCPs) to address the spread of all sorts of severe infectious diseases of potentially pandemic proportions.

The BCPs have effectively guided the response to the 2013 Avian Influenza in China and ensured the wellbeing of the employees and business operations there. In 2014 and 2015, the Group received global recognition for its successful efforts to control the spread of Ebola hemorrhagic fever at its Liberia-based natural rubber producing operation. Firestone Liberia not only saved lives, supported education and response efforts in surrounding communities, and partnered with the Government of Liberia and NGOs to detect and fight the disease, but also managed to keep its business running at the same time. This accomplishment was documented and published in a case study by Northwestern University's Kellogg School of Management, which is now a regular part of the crisis management curriculum for MBA students.

During the COVID-19 pandemic, the Bridgestone Group leveraged Business Continuity Risk Management Working Group (BCRM WG) to implement a unified, global crisis management and business continuity approach ensuring consistency of response, anticipating and preparing for coming risks and challenges, and sharing best practices on a global level.

Among other things, the WG drove prompt access in the different SBUs to critical personal protective equipment; implemented a common case-tracking and reporting protocol to identify trends and business impacts; established global policies on travel as well as meetings and events; monitored government regulations to ensure compliance; assessed the impact of compounding events such as holidays in Southeast Asia and civil unrest in the United States; and provided weekly updates to the Executive Committees of each SBU.