(1) Risk management system
The NEC Group has a company-wide risk management system, an overview of which is provided below, centered on the Risk Control and Compliance Committee and the Chief Risk & Compliance Officer (CRCO) to accurately identify and respond appropriately to both internal and external risks related to NEC Group’s businesses.
In NEC Corporation (hereinafter the “Company”), important matters related to company-wide risk management, including a risk management policy and selection of and response policies to “Priority Risks” that requires countermeasures across the NEC Group, as well as measures to address risks that require company-wide management in response to changes in risk environment during the fiscal year, are discussed at the Risk Control and Compliance Committee and then reported to the Business Strategy Committee and the Board of Directors on a regular basis.
The Company has appointed the CRCO to oversee risks across the entire NEC Group, respond to them in a central and cross-functional manner, and control the potential for losses. The CRCO takes a lead in the company-wide risk management by detecting and analyzing risks that are diversifying and becoming more complex in constantly changing social and business environments, and evaluating impacts, while prioritizing countermeasures and closely collaborating with other chief officers in charge of each risk.
(2) Policies, processes, and operational status in risk identification
a. Policy
The NEC Group refers to the Enterprise Risk Management - Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and ISO31000 which is an international standard that provides principals and guidelines for risk management. On this basis, the NEC Group, in order to pursue returns through appropriate risk management, has categorized the risks associated with the NEC Group’s businesses into the Risk Total Picture and has decided on responsible divisions and response policies for each risk. In the Risk Total Picture, integrity is recognized as the foundation of all risk management activities and risks are classified into three categories according to their nature. The Company has developed a response flow where such risk materialize, particularly in preparation for crises that may threaten the viability of the NEC Group companies.
b. Process
Based on a comprehensive list of risks that the NEC Group should be aware of, the CRCO engages in dialogue with the other chief officers in charge of managing each risk and conducts risk assessments. The CRCO creates a risk map that visualizes risk priorities by evaluating impact on five levels and urgency on three levels taking into consideration changes in the external and internal environment and the status of countermeasures for each risk.
The CRCO updates the risk map through the review of the Risk Control and Compliance Committee on a quarterly basis, and regularly reports to the Business Strategy Committee and the Board of Directors.
c. Operational status
Through the process described in paragraph b above, the NEC Group has prioritized risks that may affect the NEC Group, as presented in the following risk map.
Among these, the NEC Group considers “provision of appropriate products and services” to be particularly important, and “cybersecurity,” “human capital,” “respect for human rights,” and “occurrence of serious misconduct” to be the next most important risks, designating as the priority risk and significant risks, respectively, as described below.
(3) Priority risk and significant risks
a. Priority risk
Accordingly, ensuring quality and safety and properly managing projects are essential factors in maintaining the trust of customers and market competitiveness.
A serious incident caused by a quality problem or inadequate project management, whether within the NEC Group or its supply chain, may affect customers’ business continuity and socially important systems.
If such an event occurs, it will be necessary to take measures to recall products and services, compensate customers, respond to the government, and make external explanations. In addition, it may cause a loss of trust from stakeholders and have a significant impact on the NEC Group's corporate value. The operational status of systems related to quality, safety and project management is closely linked to the NEC Group's business continuity and social reputation, and inadequate management of these systems could create risks for NEC Group`s management.
The NEC Group considers ensuring the quality and safety of products, systems, and services and preparing for related risks as an important management challenge.
The Chief Business Process Transformation Officer (CBXO) takes responsibility for quality control and safety management. The Business Process Transformation division, the quality promotion organizations established in related divisions and consolidated subsidiaries, and the quality and safety management officers appointed in each operating division and consolidated subsidiary are playing key roles in improving quality and safety.
In the event of a serious problem with a customer’s system or a system that may have an impact on society, a serious product safety incident, a technical regulatory violation etc., the NEC Group will promptly initiate a swift escalation process, hold discussions with the divisions concerned, and decide on response policies for the customer, the competent authorities, and public relations.
Project risk management
The NEC Group sets company-wide targets for improving project quality, shares issues and measures to achieve them, and implements and promotes them. When implementing projects, the NEC Group conducts reviews at each stage of process from the pre-order stage and identifies potential project risks, including technical and safety risks, development scale and implementation period, and project execution structure, from multiple perspectives in advance, and works with customers to resolve them at an early stage.
In order to ensure that quality control is built into the process, the NEC Group uses its own quality-related accounting and other quality control methods and holds review meetings attended by in-house experts to prevent the leakage of defects.
In addition, the NEC Group analyzes the causes of problematic projects and improves the project risk management process to solve the problems and prevent recurrence.
b. Significant risks
In addition, if a serious incident occurs in the products, systems, and services provided by the NEC Group, it could have a material impact on customers’ business continuity or on the social infrastructure. Furthermore, from an economic security perspective, inadequate responses in areas where strict information management is required may lead directly to administrative action or loss of trust.
Such incidents could damage trust in the NEC Group and have a major impact on its corporate value.
In line with the “Cybersecurity Management Guidelines Ver. 3.0” by the Ministry of Economy, Trade and Industry (METI) and the “Cybersecurity Framework 2.0” by the National Institute of Standards and Technology (NIST), the NEC Group has established a framework to strengthen and implement cyber threat intelligence capabilities (preventive defense) and resilience capabilities (capabilities to recover from cyberattacks) in response to intensifying cyberattacks.
The NEC Group is promoting a data-driven cybersecurity initiative by providing all employees with information for cybersecurity risks through an internal dashboard. This supports rapid data-driven management decisions and autonomous action by members of the workforce.
The NEC Group has structured a security implementation promotion framework for secure development and operation of the products, systems and services it provides to customers. This framework involves the Cyber Security Division and security managers in each business division, and the details and security implementation processes of which are stipulated in the “Cybersecurity Management Rules.”
The NEC Group is working to strengthen measures, including those involving the supply chain, to provide high-quality and secure services, such as ensuring security in the phases from the planning and proposal to the operation and maintenance based on the concept of “Security by Design (SBD)” to ensure security.
Human resource acquisition, development, and retention
In terms of recruitment, NEC Group is working to enhance its ability to acquire talent through measures such as strengthening scouting and branding. In fiscal year ended March 31, 2025, the NEC Group has hired 1,041 mid-career employees in the IT services sector. In terms of development, the NEC Group has a set of specialized training programs in areas such as cloud computing, data science, and cybersecurity, and are promoting skill advancement through the visualization of skills. As a result, the retention rate of human resource in the IT services sector remains high at 97%. Furthermore, in terms of retention, the NEC Group is implementing measures such as strategic development for high performers, highly specialized personnel, and future leaders.
Impact of AI on employment
While the advancement of AI presents opportunities for increased productivity, the NEC Group recognizes that it is also the risk of changes in work content and skills. Therefore the NEC Group aims for value creation through collaboration between human and AI, rather than AI replacing human resource. Specifically, the NEC Group is promoting the sophistication of routine tasks through AI and focusing on high-value-added tasks, and managing the risk of labor shortages due to delays in acquiring necessary skills as a key issue.
Long working hours that harm safety and health
Through monitoring working hours regularly and analyzing the causes of overtime in divisions with excessive overtime hours, the NEC Group takes measures from the perspectives of both individual workstyle and cross-organizational approach.
Occupational safety and harassment
The NEC Group identifies and takes measures for risks based on the “NEC Group Occupational Health and Safety Management System” practiced under the “NEC Group Safety and Health Policy,” which defines the basic philosophy and code of conduct for occupational health and safety (OH&S) in the NEC Group. The NEC Group provides online training for all employees, and also provides training in the form of workshops for managers.
The initiatives aimed at creating opportunities are as follows:
Introduction of a job-based human resource management system and flexible personnel allocation linked to business strategy
Under a job-based human resource management system, the NEC Group is strengthening its strategic execution capabilities by realizing an optimal talent portfolio and "right person in the right place at the right time" system through flexible personnel allocation linked to business strategy.
Promotion of Inclusion & Diversity
The NEC Group considers diversity to be a source of innovation, and aims to transform into "strong individuals and organizations that are constantly changing," transforming individual differences into strengths, responding flexibly to change, and continuously transforming itself, as well as realizing an inclusive organization based on psychological safety and diversity.
Improving Employee Engagement
The NEC Group aims to be a company that attracts diverse talent under the NEC Way, pursues innovation, and is a company of choice for its employees. To achieve this, based on the results of the engagement score conducted annually, the NEC Group reviews the results of past measures, identifies challenges, and considers additional measures for the future.
In particular, if it is deemed that the NEC Group is not sufficiently addressing these prominent human-rights issues, it may not only provoke social criticism, but also pose a risk that has a significant impact on the NEC Group’s social value and its corporate value through a suspension of business transactions and damage to its reputation.
The NEC Group respects fundamental human rights in every aspect of its corporate activities and does not tolerate acts of discrimination for any reason, nor does it tolerate acts that damage the dignity of individuals. The NEC Group formulated the NEC Group Human Rights Policy in 2015. Subsequently, in June 2022, the NEC Group revised it to clarify the commitment of top management to respect human rights as well as the governance system required by the United Nations “Guiding Principles on Business and Human Rights (UNGPs).” Furthermore, in response to the addition in 2023 by the International Labour Organization (ILO) of the concept of a “safe and healthy working environment” to its “Core Labour Standards,” the NEC Group revised the policy accordingly.
Initiatives to salient human rights issues taken during the fiscal year ended March 31, 2026 are as follows.
New technology, such as AI, and human rights
In executing AI business, the NEC Group has formulated the “NEC Group AI and Human Rights Principles” for appropriate protection of basic human rights, such as privacy. The NEC Group has also formulated regulations for the system, planning, implementation, inspection, and review for responding to AI and human rights risks, and is working to disseminate the implementation and operation of these regulations.
Human rights risks related to geopolitical situations and conflicts
In conflict zones, the way products and services are used can lead to human rights violations. For this reason, the Company uses the “States of Fragility 2025 list” published by the Organization for Economic Cooperation and Development (OECD) to identify regions from a human-rights perspective and, if business partners are in these high-risk regions, checks their attributes, information concerning human rights and corruption, and intended use of products and services, prior to engaging in transactions with them. The Company also checks sanctions lists related to human rights. Furthermore, if business partners do not have human rights policies, the NEC Group requires them to implement measures equivalent to the “NEC Group Human Rights Policy” to prevent human rights risks.
Labour in supply chains
Based on the “OECD Due Diligence Guidance for Responsible Business Conduct,” the NEC Group assesses and identifies human rights risks in the supply chain, conducts on-site audits of suppliers identified as having human rights risks, and takes corrective measures to mitigate risks as necessary as a risk-based approach.
Employee safety and health
Based on the “NEC Group Occupational Health and Safety Management System,” the NEC Group identifies risks and implements countermeasures. The NEC Group also prohibits all forms of harassment, including power harassment and sexual harassment, and aims to foster a culture of mutual acceptance of diversity. The Corporate Human Rights Promotion Committee, established in 1997, continues its activities to promote human rights awareness activities, including the prohibition of discrimination and the prevention of harassment.
For this reason, the NEC Group believes that any deficiency in compliance could pose a risk of fundamentally undermining the NEC Group’s social value and stakeholders’ trust.
The NEC Group positions compliance at the foundation of management and subscribes to “Uncompromising Integrity and Respect for Human Rights” in its “Principles” and conducts continuous company-wide initiatives involving all members of the NEC Group, from officers to employees.
Compliance system
The NEC Group has formulated the NEC Group Compliance Policy, and the CRCO comprehensively oversees compliance issues as a whole and, through the Risk Control and Compliance Committee, deliberates on and promotes countermeasures to address specific issues.
The NEC Group also plans and implements various measures to ensure thorough compliance, including the dissemination of the “NEC Group Code of Conduct.” The NEC Group also provides the necessary support, adjustments, and instructions to ensure that risk management is carried out systematically and effectively by each division.
Prevention of violations of the Act on the Protection of Personal Information
The NEC Group has appointed a Chief Legal Officer (CLO) as the officer in charge of personal information protection and has established a Personal Information Protection Administrator, a Personal Information Protection Promotion Office, and a Chief Personal Information Protection Auditor to promote personal information protection as a company.
In addition, the Personal Information Protection Administrator serves as the person in charge of implementing the personal information protection management system and is also responsible for protecting specific personal information (Individual Numbers to identify a specific individual in administrative procedures).
In October 2005, the Company obtained Privacy Mark certification, recognizing it as a business operator with systems in place to ensure appropriate protection measures for personal information in conformance with JIS Q 15001. Since then, the NEC Privacy Policy has stipulated that personal information must be handled in accordance with JIS Q 15001.
Prevention of bribery and corruption
The NEC Group Code of Conduct sets forth action guidelines on the “prohibition of actions contrary to the company’s interests,” “prevention of bribery and corruption,” and “entertainment, gifts, donations and political activities.” Through these and other measures, the NEC Group is working to prevent bribery and corruption in all its forms.
Specifically, the NEC Group has formulated and implemented the “Guidelines for Managing Conflicts of Interest” to prohibit actions against the interests of the NEC Group and the guidelines for anti-bribery and the provision of gifts, hospitality, travel expenses and donations, based on the “Anti-Bribery Policy.”
The NEC Group endeavors to avoid risks other than those described above and to take measures in the event they materialize. However, the business, results of operations, and financial position of the NEC Group may be affected by risks that are difficult to predict or that are considered to be of low materiality.
The forward-looking statements herein are based on the judgments of the NEC Group as of the end of the fiscal year ended March 31, 2025.
(Note) The names of organizations and positions mentioned above are as of April 1, 2026.