Compliance
Code of Conduct
PHC Group’s Code of Conduct applies to all countries and employees. It is organized by each of our values: “Diversity & Collaboration,” “Innovative Thinking,” “Challenging Spirit,” and “High Standards of Integrity.” We focus on the key risks to our business and key principles for acting ethically and in compliance with company policies.
In addition to our Code of Conduct, we also comply with applicable local, national, regional, and international laws, rules, regulations, and legal doctrines. If there is a conflict between our policies, standards and Code of Conduct, and applicable laws and regulations, we will follow the most stringent applicable regulation.
Please click here to learn more about our Code of Conduct:
https://www.phchd.com/global/sustainability/governance/code-of-conduct
Training and education
Continuous training and education activities are essential for promoting compliance with company policies. In fiscal 2023, we conducted training on the critical topic of preventing insider trading for all employees of the PHC Group. The attendance rate for the training was 100% (excluding employees who were unable to attend due to leave of absence, maternity leave, childcare leave, etc.).
We will continue to provide training necessary to ensure compliance.
Internal control systems
PHC Group has introduced a Group-wide compliance helpline for use by employees. Compliance issues, such as potential fraud or human rights violations, can be reported by phone and email. The helpline can be used anonymously. In addition to contact points at each company, third-party reporting points such as law firms are also available in various regions around the world, thereby creating an environment which facilitates consultation and reporting by employees. Each company responds to any reported cases of noncompliance, and PHC Group has an escalation policy in place to handle any serious cases.
Human Rights Policy
The PHC Group has established, based on its Mission, the “3 Rules of Compliance” (“Compliance with laws and regulations,” “Fair trade,” and “Respect for human rights”) as a guideline to be followed when conducting its business activities.
Please click here to learn more about our Human Rights Policy:
https://www.phchd.com/global/sustainability/social/humanrights
Risk Management
PHC Group identifies risks such as natural disasters, geopolitical risks, cybersecurity issues, and technology inheritance based on the “Basic Rules on Risk Management,” and has designated risk managers and implemented countermeasures.
The Group established a Risk Management Committee in fiscal 2023 and the COO serves as the Officer in charge of Risk Management. The Committee conducts Group-wide activities and creates and implements countermeasures to avoid occurrence of risks and mitigate the impact in case of occurrence based on the Rules. The Risk Management Committee meets regularly to evaluate risks and review the countermeasures, and reports to the Board of Directors.
Please click here for details about business risks:
https://www.phchd.com/global/ir/risk
Business Continuity Plan (BCP) Initiative
BCP for critical systems
PHC Group is preparing to establish the system at our backup center in the event of a large-scale disaster.
Evacuation drills
Evacuation drills for an event such as natural disaster are held once a year in the Matsuyama and Gunma areas in Japan.
Cybersecurity and Data Protection
Company-wide policy
PHC Group has prepared standard documents such as information security management standards for Group companies based on the framework of the international information security standard ISO 27001. We operate and manage these standards on a global scale by using a unified system and rules.
Please click here to learn more about our company’s cybersecurity efforts:
https://www.phchd.com/global/sustainability/governance/security
Training and education
As part of cybersecurity training in fiscal 2023, we conducted two e-learning training sessions for Group employees in Japan: (1) Information security training (general education) and (2) Targeted email attack countermeasures training. The training attendance rate was 100% for (1) and 100% for (2), excluding employees without email addresses.
From fiscal 2023, we provide training on data protection to employees globally across the entire Group. The training attendance rate was 100%, including workers without individual computer.
The attendance rate of training and education related to cybersecurity and data protection has increased due to the active participation of employees. This shows that our cybersecurity efforts are widely disseminated among our employees, and we will continue to work together to build a safe digital environment.
Vendor review
We aim to conduct cybersecurity reviews at 100% of our outsourced vendors, and conduct annual measures for management of vendors. Based on the degree of cybersecurity impact, we target high-risk outsourced vendors from the following three perspectives (the implementation rate in fiscal 2023 was 100% within the operational scope):
- Data: Vendors who receive, store, process and transmit “strictly confidential” or “confidential” information
- System/network access: Vendors who directly access the networks or systems of PHC Group
- Business processes: Vendors who support important business processes or require certain qualifications
Specifically, we investigate the status of ISO 27001 and Privacy Mark certifications for outsourced vendors. If vendors are not certified, we use a cybersecurity standard checklist and require that they have a score of 90 or higher, or that they have security standards that are equivalent to or higher than those of PHC Group. If compliance standards are not met, we consult with the outsourced vendors and take measures to avoid and reduce risks. We also conduct regular reviews and strive to maintain security standards.
Cybersecurity Committee
PHC Group convenes a Cybersecurity Committee to discuss the Group’s cybersecurity policy, KPI reviews, incident reports, and correction of security vulnerabilities. The meetings are attended by all Corporate Officers, including the President. At the meetings, members discuss any cybersecurity concerns and responses surrounding our business, and determine and implement necessary measures.