We are committed to accurately identifying and assessing the complex and diverse risks inherent in our business environment and establishing appropriate risk prevention and mitigation measures and systems to manage these risks. In addition to preparing for large-scale natural disasters and epidemics, we also address risks related to the business environment—such as changes to economic and social conditions or laws and regulations—as well as risks that exist in each process of our business, including in the areas of exploration, production, transportation, and sales.
We have established internal controls under Japan’s Financial Instruments and Exchange Act—known as “J-SOX”—based on the COSO¹ framework, and each business division also conducts risk management related to occupational health, safety, and environmental protection under our HSE² Management System.
Additionally, we analyze the impact of fluctuations in oil prices and foreign exchange rates on our net income and disclose this information at every financial result briefing.
1 COSO: The Committee of Sponsoring Organizations of the Treadway Commission
2 HSE: Health, safety, and environment
Risk Management System
We strive to continuously improve our risk management structure, which is designed to appropriately identify and manage the risks associated with our business operations. We have established a structure that aims most importantly to prevent or otherwise mitigate adverse impacts to people, the environment, our assets, or our reputation. This helps us to maintain and reinforce the trust of our customers, business partners, investors, and other key internal and external stakeholders, and maximize our corporate value.
We have adopted a divisional system and assigned Directors and Executive Officers as the head of each division to establish a system of responsibility and efficiently manage business operations. The divisions work closely together to conduct risk identification, analysis, and evaluation in accordance with our internal regulations, guidelines, and other rules. Material risks associated with individual projects are reported to the Executive Committee and/or the Board of Directors for comprehensive review and determination of risk management action plans.
As an example, when considering the acquisition of concessions or formulating development plans for exploration and production (E&P) activities, material risks are identified, analyzed, and assessed based on guidelines related to economic assessment and risk assessment.
To ensure the risk management system pertaining to day-to-day operations is functioning effectively, in addition to continuous monitoring by each division in charge and collaboration with relevant divisions, regular audits are conducted either by the internal audit department reporting directly to the President & CEO or by external experts. By providing feedback from these audits to each division in charge, we can review our risk management system and respond to changing conditions in the business environment in a timely manner.
Further to this, to realize the Company’s Medium-term Business Plan and other key business objectives, annual plans and targets are developed for each department such that they support our medium- to long-term goals. This process incorporates identified material risks and associated mitigation/management plans and is approved by the Executive Committee. Each department subsequently carries out initiatives to achieve its targets and manage any risks and reviews its progress at the midterm and end of each fiscal year.
In accordance with our internal rules on group management, we conduct Group-wide risk management of our subsidiaries in collaboration with each subsidiary. In particular, to verify and assess the management of risks related to daily operations, our subsidiaries must cooperate in audits carried out by the internal audit department under the direct control of the President & CEO and other relevant departments or an external expert. Based on audit results, we have our subsidiaries review their risk management activities in response to changes in the business environment.
We have established our Standards for Evaluation and Selection of Independent Auditors, which establish the criteria for the Audit & Supervisory Board to follow when evaluating the quality control, independence, and audit fees of independent auditors. The Audit & Supervisory Board evaluates independent auditors annually, based on these standards.
Operational Risk Management
To manage the diverse risks related to our business, we have introduced guidelines for economic assessment and risk assessment for individual projects. We analyze and evaluate the feasibility of potential new projects based on identified material risks, and respond to these risks. For existing projects, we convene the INPEX Value Assurance System (IVAS) Committee as a mechanism for cross-organizational technical evaluation in each phase. We additionally conduct economic assessments and risk assessments in principle at least once a year, and provide an annual summary report of risk assessment results for major projects to the Board of Directors.
To enhance our ability to respond to emergencies caused by large-scale incidents or disasters, we have established an Emergency and Crisis Response Plan and conduct regular emergency response drills to proactively manage risks related to our business. To prevent suspension of important business operations, we have established our Business Continuity Plan (BCP),³ which is reviewed as necessary. Our Information Security Committee also meets regularly or as needed to implement both coordinated and systematic information security measures, as well as education and training activities, including initiatives to prevent data breaches.
With respect to HSE risks, we identify, analyze, and assess risks for each business location based on the HSE Risk Management Procedure established under the HSE Management System to promote continuous improvement activities in occupational health and safety management, environmental management, and security in our business activities—including new projects. In addition to formulating and implementing risk control measures, the risk management status of each business location is regularly reported to our headquarters to allow HSE risks to be monitored. We are also working on Company-wide security risk management based on related guidelines and policies.
For our non-operator projects, we actively promote HSE management based on the risk of the project.
We manage financial risks presented by fluctuations in crude oil and natural gas prices, foreign exchange rates, interest rates, and securities prices by identifying the risk of fluctuations in each of these areas and establishing methods for managing and hedging these risks. We have also established guidelines for managing risks specific to the countries and regions where we operate, and manage those risks by setting target limits on the cumulative investment balance in countries with high risk.
To manage legal risks, we have established the Legal Unit as an independent body to provide appropriate legal advice to divisions and management on major contracts and lawsuits. We are also enhancing our legal support functions for projects both in Japan and overseas.
3 Business Continuity Plan (BCP): A proactive plan outlining the priority operations and steps to be taken in the event of a disaster to avoid or mitigate the risk of interruption to business activities
We manage climate-related risks in line with TCFD⁴ recommendations. Please refer to the “Assessment and Management of Climate-related Risks and Opportunities”⁵ section of this report for more information on this approach.
We include policy and legal transitions, technology and market transitions, and reputation as transition risk areas. For physical risks, we identify acute and chronic risks. We also apply short-, medium-, and long-term classifications to each of these risk categories. The Climate Change Strategy Group within the Corporate Strategy & Planning Unit acts as the secretariat and conducts risk assessment and management on an annual cycle. Company-wide workshops are conducted given the importance of the development process for assessing, preventing, and mitigating climate-related risks. The Climate Change Strategy Working Group—an advisory body to the Sustainability Committee (chaired by the President & CEO)—participates in these workshops. Discussions, studies, and proposals from each division are integrated into the Company-wide risk assessment process.
We use the following two methods to assess the potential financial impact of climate-related risks. The first method is an economic assessment of projects using our internal carbon price. We review our internal carbon price each year with reference to the carbon prices in the IEA⁶ World Energy Outlook (WEO) Stated Policies Scenario (STEPS). Starting in FY2023, we reflect the IEA WEO carbon price forecast, and reference relevant policy cost forecasts if there is a carbon price system in countries in which we operate; and if not, we reference variable prices linked to the STEPS EU prices (2030: US$90/tCO2-e; 2040: US$98/tCO2-e; 2050: US$113/tCO2-e).
The second method is to assess the financial impact on our business portfolio. This is an assessment of the financial impact of the market risks to our portfolio resulting from the oil and carbon prices in the IEA WEO Announced Pledges Scenario (APS) and the Net Zero Emissions by 2050 Scenario (NZE). Changes in the oil and carbon prices shown by the IEA WEO APS and NZE are applied to the net present value (NPV) calculation for a given project, and the percentage of change from the NPV for the base case is calculated as the impact on our portfolio. Despite difficulties in formulating assumptions, we adopt this as one of the methods to assess the financial impact on our portfolio. We will continue to refine the implementation standards for this method and to improve the competitiveness of our portfolio as we factor in changes in the business environment.
Physical risk assessments are regularly carried out by a cross-organizational team. In FY2019, we identified risks at major facilities in Japan and Australia during a physical risk assessment trial at our operator facilities. In FY2021, we verified the status of physical risk assessments performed on the major projects for which we hold non-operator status.
In FY2022, we re-conducted a physical risk assessment at one of our major facilities, the Naoetsu LNG Terminal, due to an update to the scenario on which a FY2019 assessment was based. Moreover, we have revised our HAZID (Hazard Identification) guidelines—an HSE management system document—to add a new section on the effects of climate change to guide the work when holding a HAZID workshop. Physical risk assessment is thus being incorporated into our risk management approach throughout the lifecycle of our business activities.
The cross-organizational team will continue to conduct periodic physical risk assessments and make appropriate disclosures regarding physical risks. At the same time, we will diversify our analysis methods to carry out more multifaceted assessments.
4 TCFD: Task Force on Climate-related Financial Disclosures
6 IEA: International Energy Agency
Supply Chain Risk Management
Each year, our Group procures approximately 260 billion yen in goods and services from about 2,000 suppliers, and we take appropriate prevention, detection, and correction actions to manage risks within our supply chain.
As a preventive control, we require suppliers to comply with labor and environmental laws and regulations and respect the INPEX Group Human Rights Policy. These requirements are built into our standard contracts.
Furthermore, we strive to provide fair opportunities to all suppliers in the selection process, and award supplier contracts based on fair, impartial, and transparent assessments. During the bidding process for overseas operator projects, we conduct comprehensive assessments of bidding companies’ compliance with local laws and regulations, the INPEX ABC Policy, and INPEX Group Human Rights Policy. We have also established prequalification criteria regarding HSE requirements. In Japan, during the bidding process for large-scale construction projects, we conduct prior screening in accordance with our ABC Policy and incorporate HSE criteria in our assessments to ensure fair and impartial procurement.
As for detective controls,⁷ we have established a supply chain risk assessment system, and since FY2018 have required our major suppliers to complete a self-assessment survey that enables us to assess the compliance structure of our suppliers and identify any risks. A total of 30 supplier companies have completed the survey over the past three years.
Key items monitored:
- Human rights and labor
- Health and safety
- Fair business practices
- The environment
- Contribution to local communities
- Approach to business partners
Monitoring is additionally conducted through grievance mechanisms as well as HSE and CSR audits.
We also work to strengthen risk management in our supply chain through engagement with our suppliers.
In Japan, we strive to improve HSE in supplier operations by holding HSE Liaison Meetings with our major suppliers. Activities include: i) explanation and dissemination of our HSE objectives and activity programs; ii) explanation and sharing of information about incidents and near misses; and iii) introduction and sharing of HSE-related information from these suppliers and hearing their thoughts on HSE.
In addition, in FY2021, we held a seminar on human rights inviting external presenters.
In Australia, we have opportunities for engagement with our major suppliers by meeting regularly with them to review their performance in terms of HSE, quality, and service content, as well as by exchanging views in a timely and appropriate manner on risks to our business and corresponding mitigation measures.
As for corrective controls, we take corrective actions against suppliers assessed as high risk through detective controls, including: i) improvement activities through HSE and CSR audits; and ii) avoidance and mitigation of risks, including through review of contracts.
7 Detective controls: Measures to prevent processing errors or improprieties in operations
Large-scale Natural Disaster and Pandemic Countermeasures
Large-scale Natural Disaster Countermeasures
We assess the risk of natural disasters that may occur at each of our business locations and implement appropriate prevention and mitigation measures for each natural disaster, such as earthquakes, heavy rainfall, and flooding. In addition, for unexpected events, we have prepared an emergency response plan and a business continuity plan (BCP) to protect lives in the event of damage and to quickly restore business operations.
We also have a BCP and an initial response manual in place for our headquarters area, designed for the scenario of an earthquake centered directly under the Tokyo metropolitan area, and prepared based on the damage assumptions made by the Cabinet Office of Japan’s Central Disaster Management Council.
Our policy on business continuity clearly expresses Company-wide values prioritizing the maintenance of stable energy supply while ensuring human safety and environmental preservation. The BCP and other manuals stipulate not only the establishment of provisional offices but also how our employees should react in the event of an earthquake on a holiday or at night, and procedures for returning home from the office. We conduct an annual crisis response drill for the aforementioned earthquake scenario, as outlined by our BCP and other manuals. We use the lessons learned from the drill to continuously strengthen our disaster preparedness, including by improving our manuals and reviewing our materials, equipment, and reserves.
Responses to COVID-19 and Risk Management for the Pandemic
We have long had in place an infection prevention manual for implementation against pandemics of any infectious disease. We have also developed a BCP for handling related crises during the pandemic. This commitment to pandemic preparedness is a necessary part of fulfilling our responsibility as an infrastructure company that continuously supplies crude oil and natural gas even during crisis situations.
In response to the global COVID-19 pandemic that started in 2020, we established a Corporate Crisis Management Team headed by the Representative Director, President & CEO. The team met regularly to ensure that countermeasure policies were implemented thoroughly, and that pandemic-related information was shared throughout the Company. Moreover, we established local crisis response teams at each of our domestic and overseas offices and sites. These teams were headed by the manager in charge at each site, and systems were put in place to respond to the unique circumstances at each site.
By applying our aforementioned BCP, we were able to smoothly handle major situational changes—such as a government declaration of a state of emergency—while maintaining stable supplies of crude oil and natural gas.
Information Management and Cyber Security Management
We have established our Basic Policy for Information Security to maintain the confidentiality, integrity, and availability of information that we hold, and our Basic Policy for the Appropriate Handling of Individual Numbers and Personally Identifiable Information to protect personal information. Furthermore, under the supervision of the Information Security Committee established as a Company-wide supervisory body, we formulate information security policy measures, establish related rules and management systems, and systematically implement systems-related, physical, and personnel-related measures necessary to protect our information assets. This Committee is chaired by the Senior Vice President of the Logistics & IMT Division—who is also a member of the Executive Committee—and made up of the Senior Vice Presidents of the General Administration, Corporate Strategy & Planning, Finance & Accounting, Technical, and New Ventures & Global Exploration divisions, as well as the General Managers of the Audit and Legal units. A Director who has extensive experience and knowledge in digital transformation (DX) was appointed as a member. The matters resolved by this Committee are reported to and deliberated by the Executive Committee, and the results are then reported to the Board of Directors as needed.
Information security strategies and measures are developed following resolutions by the Executive Committee during annual budget deliberations. We aim to prevent information leaks from within the Company by taking actions to raise employee awareness of information security and to more firmly implant the values and culture essential for proactively safeguarding our information assets. Our efforts include not only system enhancements, but also educational initiatives such as regular e-learning courses and targeted email drills and circulating our monthly Information Security News. We also strive to defend our information assets from external attacks through systems-related countermeasures as well as regular security assessments performed by an external security vendor.
In FY2022, we carried out penetration tests of our IT environment, and to counter the cyberattacks that have become a major threat, including those that target operations-related systems, we carried out a security assessment of operations systems at our LNG terminals and pipelines in Japan. We additionally implemented monitoring and countermeasures to promptly detect and manage any attacks should they occur.
Also in FY2022, we carried out targeted email drills twice and e-learning once to boost awareness of information security across the Group.