Governance | Global Enterprise Risk Management
Business Continuity (BCP), Risk Management

Mission

Prevent and mitigate operational risks
We anticipate, prevent, and mitigate risks, and when crises arise,
we protect our people, planet, property, and profits.

To achieve its vision of providing social and customer value, the continuity of business operations and safety and security of employees are top priorities of the Bridgestone Group. By anticipating, mitigating and appropriately managing potential risks, the Group positively drives business success while also protecting its employees. To advance this knowledge organization-wide, the Group conducts regular training and frequently reviews risk management and business continuity plans (BCPs) and controls.

This mission is an important aspect of enterprise risk management (ERM), which is an increasing focus area as the world grapples with the COVID-19 pandemic, natural disasters, climate change and the effects of geopolitical conflicts. The Bridgestone Group is actively engaged in addressing these challenges.

Management structure

The Bridgestone Group holds an annual, group-wide process to identify potential risks facing each Strategic Business Unit (SBU) and the overall organization. Once risks are identified, the Group names individuals responsible, and the Chief Risk Officers (CRO) of each SBU cooperate to drive and coordinate risk mitigation and management activities at the department and SBU levels. The Group has set up an approach under the direction of the Global CEO to deal with the most important business risks.

The Business Continuity & Risk Management Working Group (BCRM WG) was established in 2016 as one of the working groups under the Global Sustainability Committee. Comprising members from each SBU, it manages and updates the Bridgestone Group’s Global Risk Management Policy and oversees a part of enterprise risk management, crisis management, and business continuity systems.

All deliberations and efforts are guided by ISO 31000, the international standard for risk management.

Goals and KPIs of operational risk management

To fulfill its BCP/Risk Management mission, the Bridgestone Group is working toward three goals, each with measurable KPIs. These include:

  1. Assessing the Group’s capability of responding to a crisis by conducting a global crisis management exercise by the end of 2023, aiming for 100% compliance with established crisis management/BCP components.
  2. Finalizing the established risk management process by the end of 2022 by ensuring that the Group’s risk identification and mitigation process is 100% formally documented.
  3. Integrating climate change into the Group’s risk identification and management processes by the end of 2022. The Group will continue to monitor its ESG ratings to gauge risk from and response to climate change.

Managing operational risk across the enterprise

The Bridgestone Group carries out an annual, Group-wide process to identify potential business risks facing the overall Group and each SBU. Once risks are identified, the Group names individuals responsible for driving risk mitigation and management activities at each functional department and SBU level.

The Group also regularly reviews and updates its risk identification process globally to more effectively and efficiently identify and mitigate risks. This information, along with best practices, is shared with all SBUs around the world to further improve processes. Information is also shared with employees, so they understand how their actions best contribute to preventing and mitigating operational risks. The operational risks identified and addressed include ESG risks as follows:

- Occupational health and safety
- Environmental protection
- Sustainable business operations (e.g., climate change, water intake)
- Supplier management and compliance programs
- Ethics and compliance

Global operational risk identification

The Group is focused on instituting a management system for addressing climate change risks and other strategic risks as part of the Mid-Long Term Business Strategy. It also enhanced the global approach to emergencies including Emergency Activity Reports (EARs, the Group-wide internal quick-reporting system for significant incidents).

For major categories of risk identified, please see: Annual Report Financial Review

Climate change risk management and response to TCFD

The Bridgestone Group supports the Task Force on Climate-related Financial Disclosure (TCFD) as well as its recommendations and is working to address and disclose climate change risks and opportunities identified in line with the TCFD framework.

In light of its long-term climate-related risks and opportunities, the Group has formulated its goal toward carbon neutrality by mitigating transition risks, such as reducing greenhouse gas emissions, while at the same time working to reduce physical risks through adaptive measures, such as diversifying natural rubber supply sources.

Physical risks
  • Risks include stronger typhoons and increased frequency of flooding and drought, which pose the risk of interrupting business activities
  • Risks related to the procurement of raw materials as a result of changing rainfall patterns leading to poor harvesting of natural rubber
  • Risk of lowering demand for winter tires due to reduced snowfalls

Transition risks
  • Risk of adverse effects on the Group’s operating results and financial position, such as limitations on business activities and increased costs, if R&D expenses required to meet the rapidly changing needs of society and customers do not produce sufficient results when systems and regulations to combat climate change are introduced (for example, carbon taxes, CO2 emission reduction obligations and emissions trading systems, systems and regulations related to low-fuel consumption performance of tires, systems and regulations related to recycling used tires, etc.).

The table above outlines the climate-related physical and transition risks associated with the Group’s business and operations. Physical risks include stronger typhoons and increased frequency of flooding and droughts, which could interrupt business activities. Risks related to the procurement of raw materials include changing rainfall patterns, which could lead to poor harvesting of natural rubber. Furthermore, reduced snowfall poses the risk of lowering demand for winter tires. On the transition risk side, climate change has prompted - and could accelerate - the introduction of systems and regulations that impact the Group’s financial position, including obligations to reduce CO2 emissions, carbon taxes and emissions trading schemes, and fuel-efficient tires in Japan and the world.

For the details of the disclosure information recommended by TCFD, see “TCFD Index.”

IT security

The Bridgestone Group has formulated a global IT security policy and is taking measures based on this policy in collaboration with IT security teams in each SBU.

In 2020, the Group conducted an initial assessment of its IT digital maturity to identify its long-term cyber security risk. In the same year, the Group strengthened IT security with e-learning programs for employees that address email and other technologies. The Group also regularly conducts internal audits to raise awareness of IT security among employees.

In 2021, there were no information security incidents that resulted in any damage. During the year, the Group enhanced cyber security based on the digital maturity assessment conducted in 2020. The WG also addressed cyber risks with the IT function and updated the cybersecurity criteria triggering reportable EARs.

To counter targeted attacks and other advanced cyber threats, the Group has established a global organizational structure to quickly respond to any IT security incidents. It has also been strengthening monitoring of its website security, networks and other systems, and improving its ability to detect suspicious emails.

In February 2022, Bridgestone Americas (BSAM) detected an IT security incident. The SBU responded by disconnecting affected systems from its network and working with external security advisors to identify the threat. As of March 17, it is understood that the incident was the result of an untargeted ransomware attack. Once BSAM was confident that it had contained the threat, it reconnected affected systems and resumed operations. The SBU has since been reinforcing its IT security to prevent recurrence.

In Japan, Bridgestone Corporation and its group companies take a systematic approach to IT security under the direction of the Chief Digital Officer (CDO) to prevent IT security incidents, including leaks of customer data and other confidential information. The company formulates corporate standards and rules on IT security, which are reviewed and revised to stay abreast of technological advancements and changes in IT risks. The company sets particularly strict standards for information systems that handle personal information.

BCP/Crisis management system

A prompt initial response is essential for business continuity. In preparing for this response, the Bridgestone Group gives top priority to its employees’ health, security and safety, minimizing business losses, and anticipating business-impacting events that may occur in the supply chain. To achieve an early crisis recovery, the Group established a tiered response system based on the specific crisis situation and its severity, and established a system of identifying and implementing countermeasures and protocols. This system enables a prompt initial response to assure business continuity/early recovery, and drives initiatives for continuous improvement making use of past experiences and lessons learned.

In 2020, the Group launched a crisis management committee composed of the Global CEO, Joint Global COO and key management to review emerging information on various changes associated with the spread of COVID-19 and to make swift decisions to protect employees’ health and safety and minimize business impact. The committee has continued to operate since then, sharing best practices to drive consistent responses to challenges faced in locations around the world.

To achieve these goals, the Group continues to improve operational risk-control processes that strengthen the management team’s ability to make informed, timely and widespread decisions. It is also undertaking all-hazards BCP planning at either the regional or the global level, depending on the type of risk. All-hazards BCP planning prepares the organization for all types of threats and vulnerabilities to prevent supply chain disruption, rather than planning for specific scenarios. In 2021, the Global Principle, a common definition and framework for crisis management/BCP, and the updated SBU Assurance Policy were developed and rolled out to SBUs, along with project milestones. The Group also addressed cyber risks with the Information Technology function and updated the criteria for emergency action reports.

Going forward, the Bridgestone Group will continue to improve its operational framework to strengthen risk management, crisis management and BCP.

Emerging risks and mitigation measures

The Bridgestone Group identified two emerging long-term risks: compliance with emerging privacy laws and the sustainable procurement of raw materials.

If a risk evolves into an actual event or problem, integrated teams of business units and staff functions already in place in each SBU are poised to spring into action. These teams carry out and manage the company's response and also ensure important information is immediately communicated to the SBU's own CEO, COO, and CRO, as well as the Global CEO, Joint Global COO, and CRO. Business continuity plans are also activated if needed. These plans identify potentially affected employees, establish alternate workplaces, document critical business processes and workarounds in case normal working methods are compromised, and ensure essential equipment is available for each employee to do their job.

Personal information protection

The Bridgestone Group sells products in more than 150 countries worldwide, and the potential business impact of privacy laws could vary considerably from region to region based on local laws and regulations. The impact of noncompliance or of a data breach could lead to significant fines and penalties or damage to the Bridgestone brand now and in the future.

The Bridgestone Code of Conduct contains a specific section on privacy and personal data. Furthermore, to comply with general data protection regulations, certain SBUs appointed a designated data protection lead (if required by law) or privacy officer and implemented and continue to implement and maintain robust privacy programs and associated policies. They further developed methods to identify and comply with the emerging privacy laws being adopted by an increasing number of governments in their territories.

The privacy professionals in the various Bridgestone Group companies have focused on compliance with the relatively new and developing privacy laws such as Europe’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), the U.S. State of California’s California Consumer Privacy Act (CCPA), the other U.S. state privacy laws going into effect in 2023, and various new data protection acts in the Asian countries.

Bridgestone Corporation and its group companies in Japan believe that protecting personal information is an important employee responsibility. Bridgestone Corporation in Japan formulated a Privacy Policy that reflects these principles. Based on this policy, the company conducts ongoing trainings for all of its employees and its group companies’ employees in Japan and maintains a well-defined structure for information management.

Sustainable procurement of raw materials

In terms of key risks relating to the sustainable procurement of raw materials, the sufficient supply of natural rubber can be threatened by natural disasters, climate change, war and political, civil and social unrest. The demand for tires is expected to expand in line with global population growth and motorization, increasing the need for a sustainable natural rubber supply chain. Any disruption in sustainable materials procurement would adversely impact global tire supplies, as well as Bridgestone’s business performance and brand reputation.

With these risks in mind, the Group has reinforced its commitment to sustainability by adopting a Global Sustainable Procurement Policy and by reaffirming its corporate responsibility commitment. The Group will continue conducting business in ways that improve the natural rubber supply chain and that support technological innovation and advancement that enhances the viability of the natural rubber economy.

Preparing for natural disaster risks

The Group believes that proactively protecting corporate assets forms the basis of good corporate management. These initiatives also go toward mitigating risks to our employees and the communities to meet social responsibility requirements. Each region of the Group formulates a BCP in case of a natural disaster and regularly conducts initial response training. The following are examples of natural disasters targeted by each region.

  • Japan: Earthquake
  • America: Hurricane
  • Europe: Extreme heat
  • Asia: Flood

History of responding to severe infectious diseases

The Bridgestone Group’s globally dispersed operations expose it to a broad range of risks. One of these is the risk of pandemics ― and not just the COVID-19 pandemic. Since 2013, Bridgestone Corporation has formulated business continuity plans (BCPs) to address the spread of all sorts of severe infectious diseases of potentially pandemic proportions.

The BCPs have effectively guided the response to the 2013 Avian Influenza in China and ensured the wellbeing of the employees and business operations there. In 2014 and 2015, the Group received global recognition for its successful efforts to control the spread of Ebola hemorrhagic fever at its Liberia-based natural rubber producing operation. Firestone Liberia not only saved lives, supported education and response efforts in surrounding communities, and partnered with the Government of Liberia and NGOs to detect and fight the disease, but also managed to keep its business running at the same time. This accomplishment was documented and published in a case study by Northwestern University's Kellogg School of Management, which is now a regular part of the crisis management curriculum for MBA students.

Response to COVID-19 pandemic

During the COVID-19 pandemic, the Bridgestone Group leveraged BCRM WG to implement a unified, global crisis management and business continuity approach ensuring consistency of response, anticipating and preparing for coming risks and challenges, and sharing best practices on a global level.

Among other things, the WG drove prompt access in the different SBUs to critical personal protective equipment; implemented a common case-tracking and reporting protocol to identify trends and business impacts; established global policies on travel as well as meetings and events; monitored government regulations to ensure compliance; assessed the impact of compounding events such as holidays in Southeast Asia and civil unrest in the United States; and provided weekly updates to the Executive Committees of each SBU.
