Risk Management

INPEX strives to continuously improve its risk management structure, which is designed to appropriately identify and manage the risks associated with its business operations, including sustainability-related risks. We have established a structure to prevent, or otherwise mitigate, adverse impacts. This helps us to maintain and reinforce the trust of our customers, business partners, investors, and other stakeholders, and maximize our corporate value.

We have adopted a divisional system with Directors and other officers serving as the Senior Vice Presidents of each division. This system ensures responsibility and efficient management of business operations. This enables the divisions to work closely together to conduct risk identification, classification, analysis, and assessment in accordance with our internal regulations and guidelines. The Executive Committee discusses and determines comprehensive management and action plans for material operational risks associated with individual projects. The Committee also reports such matters to the Board of Directors as necessary, thereby helping to enable adequate supervisory functions to be exercised and to ensure fairness and transparency in management. Our internal audit department under the direct control of the President & CEO, and other relevant internal departments or external experts, also conduct audits to verify and assess management of risks related to daily operations, and then constantly review risk management activities in response to changes in the business environment. Every year, we select departments for audit and ensure exhaustive audits of each relevant department. In FY2024, we conducted an internal audit of our information security management structure. We conducted the audit with the support of an outside third-party organization, which is independent of the INPEX Group and has specialist knowledge of information security. We confirmed the appropriateness and other aspects of our information security management structure in light of the Cybersecurity Framework (CSF) 2.0, an international standard framework formulated by the U.S. National Institute of Standards and Technology (NIST). Going forward, we will continue to consider implementing regular information security audits.

Furthermore, to realize our Medium-term Business Plan and other key business objectives, annual plans and targets are developed for each department, aligning with our medium- to long-term targets. These plans incorporate identified material risks and associated mitigation/management plans and are determined by the Executive Committee. Each department subsequently carries out initiatives to achieve its targets and manage any risks and reviews its progress at the mid-term and end of each fiscal year.

In accordance with our internal regulations on Group management, we conduct Group-wide risk management in collaboration with each subsidiary. We also ask our subsidiaries to cooperate in audits conducted by the internal audit department under the direct control of the President & CEO, and other relevant internal departments or external experts. We use the results of the audits to verify and assess the subsidiaries' management of risks related to their daily operations. Based on the verification and assessment results, we then ask them to constantly review their risk management activities in response to changes in the business environment.

The following is a list of key items that can be considered potential risk factors relating to the business operations of the Group. From the standpoint of information disclosure to investors and shareholders, we actively communicate matters that are not necessarily business risks but can be considered important to investors in making investment decisions. The following discussion does not completely cover all risks relating to the Group's businesses.

To manage the diverse risks related to our business, we have introduced guidelines for economic evaluation and risk assessment for individual projects. We analyze and consider the feasibility of acquiring new projects based on identified material risks and respond to these risks accordingly. When acquiring a new project, the Corporate Strategy & Planning Division undertakes coordination across the divisions and works together with them to analyze and consider whether to acquire the project. We also convene the INPEX Value Assurance System (IVAS) Committee as a mechanism for cross-organizational technical assessments in each phase, including exploration, appraisal, and development. The IVAS Committee also engages in cross-organizational assessments of ethical and social risks, such as the impacts on local communities. We also conduct economic and risk assessments in principle at least once a year, regularly review risks and action plans for each project, and provide an annual summary report on major projects to the Board of Directors.

The Renewables, Power & Energy Solutions Division and Low Carbon Solutions Division comprehensively coordinate projects under their control in the renewable energy business and CCS and hydrogen business. In addition to having the IVAS Committee and external experts conduct verifications, we also report on important projects to the Board.

To enhance our ability to respond to emergencies caused by large-scale incidents or disasters, we also formulate and maintain emergency and crisis response plans, and regularly conduct emergency response exercises, to proactively manage Group-wide risks. Additionally, we establish a business continuity plan (BCP) to ensure continuity of critical operations and review it as necessary.

With respect to health, safety, and environment (HSE) risks, we identify, analyze, and assess those risks for each site based on the HSE Risk Management Procedure established under the HSE Management System. This aims to promote continuous improvement in our business activities in terms of health and safety, process safety, and environmental conservation. While establishing and implementing measures to address risks, we monitor HSE risks by ensuring that the head office regularly receives and reviews risk management status reports. We are also working on the Group-wide management of security-related risks based on the relevant guidelines and standards. For HSE management of our non-operator projects, we also actively promote HSE involvement based on the risks of each project.

We have also developed guidelines for managing risks specific to the countries and regions in which we operate, and we mitigate these risks by setting target limits on the cumulative investment balance within high-risk countries.

We manage financial risks by identifying the risks of fluctuations in foreign exchange rates, interest rates, oil and natural gas prices, securities prices, and by establishing methods for managing and hedging those risks.

Furthermore, we have established the Legal Unit as an independent body and enhanced our legal risk management to create an organization able to provide appropriate legal advice to divisions and senior management on major contracts and lawsuits, and to further enhance our legal support functions for businesses in Japan and overseas.

We regard the management of information security risks and the utilization of digital technologies as extremely important to our business, and our Medium-Term Management Plan for FY2025 to FY2027 also identifies the full-scale use of digital technologies as a key initiative. The Group's business has long benefited from the widespread use of digital technologies in the oil and gas industry. In recent years, cutting-edge digital technologies have made data processing faster and more sophisticated, enabling us to utilize large volumes of diverse data. At the Group, we are actively working to transform the energy landscape to help achieve a net zero carbon society by 2050, while meeting the energy demands of Japan and the world. The use of new digital technologies centered on AI is positioned as an important pillar of these efforts. We make use of digital technologies to implement the following initiatives toward further reducing various risks, such as the suspension of the Group's business activities and leaks of private and confidential information.

We have established our Information Security Policy to maintain the confidentiality, integrity, and availability of the information that we hold. Similarly, our Basic Policy for the Appropriate Handling of Individual Numbers and Personally Identifiable Information is implemented to protect personal information. Furthermore, under the supervision of the Information Security Committee established as a Group-wide supervisory body, we establish related regulations and management structures, and systematically implement organizational, systemic, and personnel-related measures necessary to protect our information assets. The Committee normally meets twice a year and is chaired by the Executive Senior Vice President, Technical Headquarters—who is also a member of the Executive Committee—and consists of the Senior Executive Vice Presidents of General Administration Division, Corporate Strategy & Planning Division, and Executive Vice President of Finance & Accounting Division, as well as the Group General Counsel of the Legal Unit. The matters resolved by the Committee are reported to and deliberated by the Executive Committee. Results are then reported to the Board of Directors as needed.

Information security strategies and measures are developed following resolution by the Executive Committee during annual budget deliberations. Amid increasing risk of cyberattacks on operators of key infrastructure, we are advancing multilayered information security measures.
In the organizational aspect, we have established a Computer Security Incident Response Team (CSIRT) to enable prompt response and recovery from incidents when they occur, implementing a structure that carries out monitoring 24 hours a day, 365 days a year. We also seek to strengthen the Group-wide security management structure through regular reports to the Information Security Committee. We are also planning to establish a response structure to ensure business continuity even during cyberattacks. In the plan, we aim to improve our ability to respond to the risk of disruption to business continuity from cyberattacks by formulating recovery scenarios based on priorities, accounting for impacts on our business, and conducting regular exercises.
In the systemic aspect, we collect and analyze the latest threat information provided by public institutions, police authorities, and information security vendors in Japan and overseas, and implement measures for detecting and preventing external attacks. Furthermore, we strive to ensure and enhance the security of both information and control systems by engaging external security vendors to perform assessments as necessary. To prepare for cyberattacks, we apply measures to address vulnerabilities in servers and communication equipment as well as security updates provided by manufacturers as and when appropriate. In this way, we are strengthening security measures at the boundaries—which could become entry points for malicious third parties—and reducing the risk of them being used as stepping stones for attacks.
In the personnel-related aspect, we conduct regular education and exercises for officers and employees. Specifically, we strive to raise employee awareness about information security through means such as information security briefings, our information security newsletter published monthly, regular e-learning courses, and targeted email attack exercises. By continuously conducting such education and awareness-raising activities, we strive to firmly embed the values and culture essential for the proactive safeguarding of our information assets and minimize risk of information leaks from within the Group.
Through these measures, we aim to establish a strict governance structure and risk management process under the supervision of the Executive Vice President, Technical Headquarters, who is the Chief Information Security Officer, so that Group-wide digital transformation is undertaken safely and continuously.

In FY2025, there were no incidents caused by major cyberattacks requiring public disclosure.

The use of digital technologies serves as the foundation for the Group's overall business operations and competitiveness. At the same time, we recognize the possibility of security incidents, system fragmentation, and overreliance on individuals arising at Group companies as a key management issue. To reduce such risks, we are strengthening IT and digital governance not only for the Company itself but across the entire Group.
We develop and revise basic policies for managing IT and digital technology planning, implementation, operation, and maintenance in an integrated and systematic manner, and apply them not only to the Company itself but to the entire Group, including Group companies in Japan and overseas. These policies clarify our assessment criteria for IT and digital investment and system implementation, building a structure for proper decision-making that accounts for risks and impacts. In this way, we strive to reduce risks, such as those from variations in security levels between Group companies and inadequately managed cloud-service usage.
Furthermore, we are gaining visibility into issues faced by Group companies, working to improve the level of security and establish common rules across the Group. Through these initiatives, we facilitate knowledge sharing and improve operational efficiency, helping to strengthen Group-wide resilience.
In addition, at the Group, we have adopted responsible use of artificial intelligence (AI) as a basic policy for these initiatives. Under our information security governance framework, we ensure information security and respect data privacy in the use and/or development of AI, while keeping humans "in the loop" for critical decisions and allowing human intervention to ensure transparency of AI systems and explainability of AI-generated results/decisions.
Regarding the use of AI services, including generative AI, we adopted the concept of "Where AI naturally belongs in the workplace, like the air we breathe" and established the AIR structure to promote and manage internal use of AI and to drive the use of AI-based services. At the same time, we define clear boundaries for what AI can and cannot do, establishing internal rules and publishing them on our internal portal site. We also conduct training on the ethical use and/or security of AI covering the following topics in our information security education and e-learning for all officers and employees.

• Restrictions on entering confidential and personal information
• Thorough confirmation of appropriateness, potential bias, and legality of AI-generated content

At INPEX Australia, which operates the Ichthys LNG Project, we launched an advisory group focused on generative AI-related governance and developed documentation for responding to AI risks to ensure employee understanding.
Please refer to Digital Strategy for other details on our use of digital technologies.

The main risks in our business operations are detailed below, and basic measures for dealing with each are defined. Furthermore, we utilize a risk map to analyze specific and current risks affecting our financial outlook in terms of the likelihood and magnitude of the financial effects. We define our response policies based on the urgency and impacts of these risks, and promptly implement measures.