Compliance and Risk Management

Compliance and Risk Management Structure

Compliance and risk management in the Shiseido Group is led by the Risk Management Department established at the Company’s global headquarters, which reports into the Office of Chief Legal Officer (CLO) of the Group. Additionally, a Risk Management Officer (RMO) is assigned in each regional headquarters, ensuring compliant and fair business activities and implementation of risk countermeasures across the Group.
To oversee compliance and risk management of the Shiseido Group, a Global Risk Management & Compliance Committee chaired by the Global CEO and composed of Regional CEOs and HQ Executive Officers has been established at the global headquarters.
Significant matters and progress related to compliance and risk management, including major incidents and responses, are reported/proposed to the Board of Directors through the Global CEO or the management team.

Compliance

We have established the Shiseido Code of Conduct and Ethics, which define the actions that must be taken and shared by all Shiseido Group employees.
It stipulates adherence not only to the laws of each country and region and internal rules and regulations of the Shiseido Group, but also to the highest ethical standards in business conduct.
Additionally, we have established a basic policy and rules in line with the Shiseido Code of Conduct and Ethics, by which the whole Shiseido Group is required to comply. Alongside THE SHISEIDO PHILOSOPHY, we strive to promote awareness at each Group company and business site. This enables the formulation of detailed internal regulations at every Group company and business site.
In addition, to increase employees' knowledge and awareness regarding compliance and risk management, the Risk Management Department and RMO have regularly conduct trainings and awareness-raising activities related to the “Compliance Rules Regarding Prevention of Bribery” and the “Compliance Rules Regarding Prevention of Cartels,” which are detailed rules within the Shiseido Code of Conduct and Ethics.
Furthermore, by having the CLO coordinate with the legal managers in each region, we are strengthening our compliance system with laws and regulations.

Whistleblowing System

To detect and remedy any type of conduct within the Shiseido Group that violates laws, the Articles of Incorporation, or internal regulations, we have established a hotline for whistle-blowers in every Group company so that we may receive reports of all types of misconduct, including harassment and bribery, as well as any potential misconduct. Additionally, employees will have access to a hotline where employees can directly report to the officer in charge of risk management. In the Japan region, we have established hotlines staffed by both internal and external personnel and counselors. The hotlines enable anonymous reporting.
Additionally, we have established a method through which corporate executive officers and employees, including those of all Group companies, can directly inform the Audit Committee of issues, and has made this method known throughout the Group companies.
All Shiseido Group companies have developed internal regulations to ensure that the said corporate executive officers and employees are not dismissed, discharged from service, or subject to any other disadvantageous treatment as a result of reporting to hotlines or the Audit Committee or informing them of issues, and have made these regulations known.

Incident Response

Shiseido has established the Shiseido Group Crisis Management Policy, a guide for incident response to enable swift and appropriate actions, effective damage control, and early recovery. In Japan, departments in which an incident occurs take initial actions to understand the situation and prevent damage from spreading while promptly reporting to the Risk Management Department. After determining the incident level from the perspectives of severity of damage, possibility of spread, social impact, and other factors, the Risk Management Department assigns members from necessary functions to organize a task force. The task force examines a range of actions to prevent damage from spreading, respond to those affected, and disclose information, while continuously monitoring the status of the investigation into the cause, the advancement of countermeasures, and details of reoccurrence prevention measures. Outside of Japan, regional CEOs and RMOs take the lead in establishing an incident response system. Significant incidents, such as those which pose a high risk of affecting operations in other regions, are immediately reported to the Risk Management Department at headquarters to enable quick action.

＜Shiseido Group Crisis Management Policy＞

1. Ensure the safety of employees and their families
2. Preserve company assets
3. Continue operations
4. Earn the trust of stakeholders

Enterprise Risk Management

As part of our Enterprise Risk Management activities, we annually identify and assess group material risks. These material risks are incorporated into the Group's business plan. In addition, in order to mitigate the impact of each material risk, we have also established a system in which countermeasures are implemented with risk owners assigned to each risk, and the status of their progress is monitored and discussed with members of the Global Risk Management & Compliance Committee and Directors on a regular basis.

In fiscal year 2023, the Risk Management Department interviewed and discussed with HQ Executive Officers, Regional CEOs and Directors for their perception of risks. Regional risk assessments and input from relevant functions, as well as insight from external advisors, were also taken into consideration. As a result, the Risk Management Department identified material risks that may impact the key areas of our medium-term strategy, SHIFT 2025 and Beyond. As shown in the table below, the identified risks were evaluated using three metrics: “Impact on business,” “Likelihood,” and “Vulnerability.” Subsequently, prioritization and countermeasures were confirmed through the above aforementioned committee meetings and additional individual meetings.

＜Risk Evaluation Methodology＞

Impact on business	・Quantitative impact on business performance (e.g. topline sales) in case of manifestation ・Qualitative impact on our corporate/brand image and culture
Likelihood	・Likelihood and timing of risk manifestation
Vulnerability	・Preparedness to the risk ・Controllability of the manifestation of the risk due to external factors

Total 20 material risks identified through our risk assessment have been organized into three risk categories: “Consumer & Social-related Risks,” “Operation & Fundamental Risks,” and “Other Risks.”
As a noteworthy point of the risk assessment results, the individual risks identified are more interlinked than in the past and the interdependency of the countermeasures is increasing. In addition to that, we have identified risks that have increased in their risk levels compared to the previous fiscal year: “Changes in Consumer Values,” “New Technology and Speed of Digital Acceleration,” “Pace of Cutting-Edge Innovation,” “Corporate and Brand Reputation,” “Geopolitical Tensions,” “Corporate Culture and Acquisition/Securing Outstanding People,” “Business Structure Transformation,” “Operating Infrastructure,” and “Information Security.” We are strengthening our implementation of countermeasures for these risks.