Risk Management Framework
Our group aims to prevent the occurrence of risks and minimize losses in case risks do occur by establishing risk management regulations and setting up a Risk Management Committee.
The core entity responsible for our risk management is the Risk Management Committee. The Committee, chaired by the President, meets in principle once every quarter. It examines and deliberates on policies, measures, and the current state of group risk management as well as causes and recurrence prevention when risks occur while consolidating risks discussed in each internal committee and other risks reported by group companies. Results of the discussion are submitted and reported to the Board of Directors as necessary. The Committee periodically evaluates risk factors according to the established process and constantly reexamines the risk management process itself to reflect current changes in the social and business environment.
Risk Management Process
The Risk Management Committee has established the following process to periodically evaluate risk factors. This risk management process is constantly reexamined to reflect current changes in the social and business environment.
Process | Explanation |
---|---|
1. Risk identification | Business risk factors of the SHO-BOND Group are divided into Risk Categories and specific potential problems are identified for each risk factor. Magnitude of risk is defined as “the impact of an incident” multiplied by “the probability of the incident happening.” |
2. Risk analysis and monitoring | Studies to determine numerical and other indicators for individual risk factors and the methods for monitoring them. Monitoring for changes in “the impact of an incident” and “the probability of the incident happening.” Estimates of changes in risk exposure by using a qualitative analysis of changes in regulations, amendments to laws, government financial policies and other items that are difficult to measure numerically. |
3. Risk control | Prepare lists of business tasks that every business unit performs periodically in order to measure and monitor risk factors. Next, check to confirm that risk factors are being controlled by these business tasks. |
4. Risk evaluation | By using the reports from business units, the executive in charge of risk management assesses the magnitude of every risk factor and submits a report to the Risk Management Committee. The Risk Management Committee determines priorities concerning the magnitude and categories of risk factors and discusses methods for the efficient management of risk. |
5. Responses to incidents | Emergency response manuals to be prepared for incidents. Perform studies concerning crisis management activities, such as direct responses to incidents, crisis management meetings, reports to government offices and agencies, public announcements about emergencies, and other responses to incidents. |
Risk Categories and Internal Committees
Each internal committee is responsible for collecting information from Group companies on the risks under their jurisdiction, examining them, and reporting them to the Risk Management Committee as necessary. The table shows the relationships between risk categories and internal committees. Risks without a “responsible internal committee” are directly discussed in the Risk Management Committee.
Information Security Measures
With the acceleration of DX and changes in the usage environment of information systems, information security risks, such as increasingly sophisticated external cyberattacks, have been growing. We have established basic policies and regulations regarding information security and are thoroughly managing risks against threats to information security. We also work to raise information security awareness throughout the entire Group through e-learning courses, spoofed e-mail training, and lectures in rank-specific training sessions. In addition, we are working to improve our business continuity capabilities by developing response manuals and conducting training to deal with cyberattacks.
Business Continuity Plan
The Group has a business continuity plan (BCP) to address disaster risks including great earthquakes. We strive to improve our capability to continue business operations based on the BCP on a regular basis to avoid the disruption of key operations as much as possible in the event of a major disaster and to return to normal operations early if disrupted.
As part of our BCP, we conduct an annual emergency drill, with the participation of bases other than the head office, assuming a large-scale disaster at the head office. We also conduct training to switch to backup servers in the event of a system failure, and take other measures to check important elements for carrying out business operations in the event of a disaster and to build a system for business continuity.