Risk Management

Our Policy

INPEX strives to continuously improve its risk management structure, which is designed to appropriately identify and manage the risks associated with its business operations, including sustainability-related risks. We have established a structure to prevent, or otherwise mitigate, adverse impact. This helps us to maintain and reinforce the trust of our customers, business partners, investors, and other stakeholders, and maximize our corporate value.

Risk Management Structure

We have adopted a divisional system and assigned Directors and other officers as the Senior Vice President of each division. This system ensures responsibility and efficient management of business operations. This enables the divisions to work closely together to conduct risk identification, specification, analysis, and assessment in accordance with our internal regulations and guidelines. The Executive Committee discusses and determines comprehensive management and action plans for material operational risks associated with individual projects. The Committee also reports the above to the Board of Directors as necessary to exercise adequate supervisory functions and ensure fairness and transparency in management. As an example, when acquiring a new oil and natural gas E&P project, the Corporate Strategy & Planning Division centrally analyzes and considers whether to adopt the project based on guidelines related to economic and risk assessments and works with relevant departments to deal with any risks. Our internal audit department under the direct control of the President & CEO, and other relevant internal departments or external experts, also conduct audits to verify and assess management of risks related to daily operations, and then constantly review risk management activities in response to changes in the business environment. Every year, we select departments for audit and ensure exhaustive audits of each relevant department. In FY2024, we conducted an internal audit of our information security management structure. We conducted the audit with the support of an outside third-party organization, which is independent of the Group and has specialist knowledge of information security. We confirmed appropriateness and other aspects of our information security management structure in light of the Cyber Security Framework (CSF v2.0), an international standard framework formulated by the U.S. National Institute of Standards and Technology (NIST).

Furthermore, to realize our Mid-term Business Plan and other key business objectives, annual plans and targets are developed for each department, aligning with our mid- to long-term goals. These plans incorporate identified material risks and associated mitigation/management plans and are determined by the Executive Committee. Each department subsequently carries out initiatives to achieve its targets and manage any risks and reviews its progress at the mid-term and end of each fiscal year.

In accordance with our internal regulations on Group management, we conduct Group-wide risk management in collaboration with each subsidiary. We also ask our subsidiaries to cooperate in audits conducted by the internal audit department under the direct control of the President & CEO, and other relevant internal departments or external experts. We use the results of the audits to verify and assess the subsidiaries’ management of risks related to their daily operations. Based on the verification and assessment results, we then ask them to constantly review their risk management activities in response to changes in the business environment.

Risk Governance Structure

Business Risk

The following is a list of key items that can be considered potential risk factors relating to the business operations of the INPEX Group. From the standpoint of information disclosure to investors and shareholders, we actively communicate matters that are not necessarily the business risks but can be considered to have important effects on the investment decisions of investors. The following discussion does not completely cover all risks relating to the Group’s businesses.

1. Characteristics and risks of the oil and natural gas development business
   • Risk of disasters, accidents, system failures, etc.
   • Risks of failure in exploration, development, or production
   • Dependence of production volume on specific regions and mining areas
   • Contract period
   • Risks of change in reserves of oil, condensate, LPG, and gas
   • Operatorship
   • Joint Venture
   • Risks attributable to a large capital investment and a lengthy period of recovery of funds for the oil and natural gas development business
   • Risks related to future abandonment.
2. Impact on financial results from fluctuations in oil and natural gas prices, foreign exchange rates, and interest rates
   • Impact on financial results from fluctuations in oil and natural gas prices
   • Impact on financial results from fluctuations in foreign exchange rates
   • Impact on financial results from fluctuations in interest rates
3. Climate change-related risks
4. Country risks in overseas business

Business Risk Management

To manage the diverse risks related to our business, we have introduced guidelines for economic and risk assessments for each project. We evaluate the feasibility of potential new projects based on identified material risks and respond to these risks accordingly. When acquiring a new oil and natural gas E&P project, the Corporate Strategy & Planning Division centrally analyzes and considers whether to adopt the project. We also convene the IVAS Committee as a mechanism for cross-organizational technical evaluation in each phase, including exploration, evaluation, and development. We conduct economic and risk assessments in principle at least once a year, regularly review risks and action plans for each project, and provide an annual summary report on major projects to the Board of Directors.

The Renewables, Power & Energy Solutions Division and Low Carbon Solutions Division comprehensively coordinate projects under their control in the renewable energy business and CCS and hydrogen business. In addition to the IVAS Committee and external experts conducting verifications, we also report on important projects to the Board of Directors.

To enhance our ability to respond to emergencies caused by large-scale incidents or disasters, we also formulate and maintain emergency and crisis response plans, and regularly conduct emergency response drills, to proactively manage Group-wide risks. Additionally, we establish a business continuity plan (BCP) to ensure continuity of critical operations and review it as necessary.

With respect to HSE risks, we identify, analyze, and assess those risks for each site based on the HSE Risk Management Procedure established under the HSE Management System. This aims to promote continuous improvement in our business activities in terms of health and safety, process safety, and environmental conservation. While establishing and implementing measures to address risks, we monitor HSE risks by ensuring that headquarters regularly receive and reviews risk management status reports. We are also working on the Group-wide management of security-related risks based on the relevant guidelines and standards. For HSE management of our non-operator projects, we also actively promote HSE involvement based on the risks of each project.

We have also developed guidelines for managing risks specific to the countries and regions in which we operate and mitigate these risks by setting target limits on the cumulative investment balance within high-risk countries.

We manage financial risks by identifying the individual risk of fluctuations in foreign exchange rates, interest rates, oil and natural gas prices, securities prices, and by establishing methods for managing and hedging those risks.

Furthermore, we have established the Legal Unit as an independent body and enhanced our legal risk management to create an organization able to provide appropriate legal advice to divisions and senior management executives on major contracts and lawsuits, and to further enhance our legal support functions for businesses in Japan and overseas.

Information Security and Digitalization

We also consider it important to respond to information security risks and utilize digital technologies, so we have included maximizing use of digital technology in the 2025–2027 Mid-term Business Plan as well. The INPEX business has long benefited from the widespread use of digital technology in the oil and gas industry. In recent years, cutting-edge digital technology has made data processing faster and more sophisticated, enabling us to utilize large volumes of diverse data. We are actively working to transform the energy landscape to help achieve a net-zero carbon society by 2050, while meeting the energy demands of Japan and the world. The use of new digital technology centered on AI is positioned as an important pillar of these efforts. Making use of digital technologies can help eliminate labor shortages and lead to new business opportunities. At the same time, failure to implement sufficient information security measures can increase the likelihood of various risks materializing from suspension of Group business activities to leaks of private and confidential information. For these reasons, we implement the following initiatives.

Information Security

Our information security initiatives are as follows. We have established our Basic Policy for Information Security to uphold confidentiality, integrity, and availability of information. Similarly, our Basic Policy for the Appropriate Handling of Individual Numbers and Personally Identifiable Information is implemented to protect personal information. Furthermore, under the supervision of the Information Security Committee established as a Group-wide supervisory body, we establish related regulations and management structures, and systematically implement systems-related, physical, and personnel-related measures necessary to protect our information assets. The Committee normally meets twice a year and is chaired by the Senior Vice President, Technical Headquarters – who is also a member of the Executive Committee – and consists of the Senior Vice Presidents of the General Administration, Corporate Strategy & Planning, Finance & Accounting, and Technical divisions, as well as the Group General Counsel of the Legal Unit. The matters determined by the Committee are reported to and deliberated by the Executive Committee. Results are then reported to the Board of Directors as needed.

Information security strategies and measures are developed following determinations by the Executive Committee during annual budget deliberations. We aim to prevent information leaks from within the Company by raising employee awareness of information security. We also firmly embed the values and culture essential for the proactive safeguarding of our information assets. These efforts include not only system enhancements but also information security briefings for new employees and mid-career hires, monthly publication of Information Security News, regular e-learning courses, and targeted email drills. We collect and analyze the latest threat information, provided from time to time by public institutions, police authorities, and information security vendors in Japan and overseas, and implement system-related measures for detecting and preventing external attacks. We also monitor 24 hours a day, 365 days a year to promptly address and deal with incidents and have created and utilize a Computer Security Incident Response Team (CSIRT) to respond to incidents. Furthermore, an external security vendor performs periodic assessments is conducted.

In FY2024, there were zero incidents caused by major cyberattacks requiring public disclosure.

Also in FY2024, as in FY2023, we carried out two targeted email drills and one e-learning session to boost awareness of information security across the Group. In addition to that, we established a hotline in preparation for incidents, should they occur, and we raised awareness of contact information and how to use the hotline through the e-learning session, information security briefings, and regular publications.

Digitalization

We established the AIR structure for promoting internal use of artificial intelligence (AI), and while we are driving the use of AI-based services under the concept of “Where AI naturally belongs in the workplace, like the air we breathe,” we are also working to raise awareness of associated risks. At INPEX Australia, which is operating Ichthys LNG , we launched an advisory group focused on generative AI-related governance and developed documentation for responding to AI risks to ensure employee understanding.

Digital data management: We operate a data platform called AI-land for our seismic exploration data and well data, which are particularly important technical data for us, and we use the platform for managing various access rights and for approvals for data viewing. We also catalogue this data, manage related ownership rights and expiration dates, and use the data under appropriate access rights.

Risk Maps

The main risks in our business operations are outlined below, and basic measures for dealing with each are defined. Furthermore, we utilize risk maps to analyze specific and current risks affecting our financial effects in terms of magnitude of financial effects and likelihood. These risks include those that have already manifested themselves in our business strategy. We define our response policies based on the urgency and impact of these risks, and promptly implement countermeasures.