Risk Management

Basic Concepts

In order to foster and spread a risk culture, the Group conducts risk management based on the following basic policies.

  • To minimize the negative impact of economic fluctuations, and to provide stable and continuous financial services as a financial group trusted by the community, the Group will conduct appropriate risk management.
  • The Company ensures sound management by identifying, assessing, monitoring, and controlling the risks of the entire Group as comprehensively as possible, and strives to secure stable earnings commensurate with the risks through the appropriate allocation of management resources.
  • In order to ensure objectivity and account for the interaction between risks, we strive to quantify and manage various risks in an integrated manner.

Risk Management System

In Concordia Financial Group, the subsidiaries (the Bank of Yokohama and Higashi-Nippon Bank) manage risk by setting up risk management and control departments for each type of risk, while the holding company manages the risks of the Group as a whole in an integrated manner. Specifically, the subsidiaries manage risks appropriately in accordance with their risk profiles and report to the holding company on the status of risks. The holding company provides the subsidiaries with necessary guidance, and the ALM and Risk Management Committee (Management Conference) monitors, discusses, and decides on various types of risks and risks for the entire Group.

Risk Appetite Framework

Introduction of the Risk Appetite Framework (RAF)

The Concordia Financial Group is introducing a Risk Appetite Framework (RAF) to monitor and clarify the type and amount of risk taken on during operations, while taking into account the balance of earnings, risk, and our capital buffer. In formulating the medium-term management plan and the budget for each financial year, a Risk Appetite Statement (RAS), which defines the types and amounts of risks that management should willingly accept or avoid, is adopted at a Board of Directors' meeting. We plan to optimize risk-return, using the RAF to constantly monitor the risk assets and their relationship to return, which are incorporated in the budget.

1. RAF Regulations
2. Medium-Term Management Plan RAS
3. Fiscal year RAS
4. Monitoring
5. Internal Controls

Overview of Risk Appetite Framework (RAF) Management System

A. Capital allocation and risk capacity based capping

The potential maximum loss (risk amount) of each risk is measured using value-at-risk (VaR) and other measures, and capital is allocated to each risk type in order to keep the risk amount within the range of the equity capital available for risk-taking. For risk-weighted assets, the risk appetite is determined within the measured risk capacity.

B. Stress testing

The Company verifies the appropriateness of risk-taking by estimating losses for each type of risk and measuring the impact on capital, earnings, risk-weighted assets, and risk volume using group-wide stress scenarios to confirm the adequacy of capital in budgetary plans and to ensure that management has an acceptable level of profit in times of stress.

C. Top Risk Management

In order to manage top management risks, as much as possible, we set up Key Risk Indicators (KRI) as warning indicators to detect the possibility of risks materializing in the future. We continuously monitor these KRIs to understand the signs and prepare to respond flexibly in the event that risks do materialize.

Concordia Financial Group defines the risk events that are important to management and that it should manage as "top management risks".
We continuously monitor our top management risks and strive to perceive the signs and are prepared to respond flexibly in the event that a risk manifests.

Main Top Management Risks

  • Additional monetary easing by the Bank of Japan
  • Large-scale losses caused by cyberattacks
  • Natural disasters
  • Sanctions due to inadequate anti-money laundering measures
  • Significant deterioration in business conditions and bankruptcies of certain large clients
  • Spread of the novel coronavirus, etc.
  * These are some of the risks that the Company has recognized, but risks other than those mentioned above may have a particularly significant adverse effect on our business.

Crisis Management

The Group has a crisis management system in place to ensure the safety of its customers and employees, the smooth execution of financial operations, and the protection of customers' assets in the event of an earthquake or other large-scale disaster, system failure, or spread of infectious diseases, etc. In the event of a crisis, the Crisis Management Committee, chaired by the president and representative director, instructs companies within the Group to set up an emergency headquarters to centrally manage the response to the situation.

In response to the novel coronavirus, we are working to thoroughly prevent infection by installing alcohol, acrylic panels and other countermeasure equipment in stores and asking customers to maintain social distance. Employees strive to avoid 'dense' workplaces through telework and staggered work schedules, in addition to taking basic infection prevention measures. We have also introduced split operations for key operations at the head office to ensure that we have the personnel necessary to continue operations.

The Group will work to prevent the spread of COVID-19, placing the highest priority on the health and safety of its customers and related parties, and will strive to maintain and continue its financial functions as a financial infrastructure essential to the maintenance of social functions.

Integrated Risk Management

Ⅰ. Basic Concepts

The Group classifies and manages Group risks in the following categories: credit risk, market risk, liquidity risk, operational risk, and reputational risk. In addition, we ensure the soundness of management by identifying, evaluating, monitoring, and controlling risks in an integrated manner to the greatest extent possible, including risks related to the development, provision and revision of products and services, as well as risks related to outsourcing of operations. We are also prepared to secure stable earnings through the appropriate allocation of management resources, commensurate with the risks involved.

Credit risk
Risk of loss due to a decline in the value of assets due to deterioration of the financial condition of the borrower
Market risk
Risk of loss due to fluctuations in the value of assets and liabilities held resulting from changes in various market risk factors, such as those for interest rates and securities
Liquidity risk
Risk of losses due to unexpected outflows of funds (cash flow risk and market liquidity risk)
Operational risk
Risk of losses due to inadequate administration, inadequate systems, violations of laws or regulations, natural disasters, and health hazards for executives and employees
Reputational risk
Risk of incurring losses due to negative external publicity as a result of the words, actions and behavior of the Group, its officers, employees, etc.

Ⅱ. Integrated Risk Management Framework

Ensuring soundness through capital allocation

The Group measures the potential maximum loss (risk amount) for each risk using value-at-risk (VaR) and other measures, and allocates capital by risk type in order to keep the amount of risk within the range of real equity capital (the risk tolerance limit, which is defined as common equity Tier 1 less deferred tax asset equivalents, etc.). When allocating capital, we check the sufficiency of the buffer (unallocated capital) to ensure that our real equity capital is not exceeded in times of stress.

Ensuring soundness through stress testing

In order to assess the adequacy of the buffer (unallocated capital) and to confirm the appropriateness of risk-taking, the Group conducts stress tests in which stress scenarios are established and the amount of loss and risk in the event of such a stress event is estimated across the risk categories.

The stress scenarios have been established for the Group taking into consideration past sharp economic downturns and future environmental changes.

Cybersecurity

Concordia Financial Group has positioned cyberattacks as one of the top risks in protecting the property of its customers and ensuring the stable operation of the financial system as part of the nation's important infrastructure, and therefore addresses them under management leadership. We continuously monitor cyber risks, strive to understand the signs, and prepare a response in the event that they materialize.

Ⅰ. Cybersecurity Governance

Concordia Financial Group has established cybersecurity measures based on the Cybersecurity Framework set forth by the US National Institute of Standards and Technology (NIST), which is an international standard guideline, and is formulating strategies, building organizational structures, and promoting initiatives to strengthen security.

In addition to the assessment, we conduct the Threat-Led Penetration Test (TLPT), in which white-hat hackers actually penetrate internal systems to assess vulnerabilities, to identify issues, and to strengthen countermeasures.

As an organizational structure, we have established the Cybersecurity Response Group, a specialized cybersecurity organization within the ICT Management Department, which reports to the Board of Directors and the Management Conference on threats and regulatory trends, security measures taken in light of these trends, and the current status, as appropriate, in order to make appropriate management decisions.

In addition, because cybersecurity operations require specialized knowledge and skills, we have hired several mid-career experts to strengthen security measures for the entire Group.

Ⅱ. Incident Response System

In order to respond to the evolving threat of cyber attacks, we have formed the Concordia Financial Group-CSIRT, which consists of CSIRT members from each Group company. In addition to collecting and disseminating threat information on a daily basis, and investigating and responding to attacks when they are detected, we prepare for emergencies by regularly participating in drills organized by the Cabinet Cybersecurity Center (NISC), the Financial Services Agency (FSA), and the Financial ISAC in order to verify cooperation with government agencies, industry organizations, and Group companies.

In addition, we have formed the MEJAR-CSIRT with regional financial institutions and NTT DATA, which operates the MEJAR core system, to regularly exchange information, confirm systems, and conduct joint training.

Ⅲ. Education and Training for Group Executives, Employees, and Customers

Concordia Financial Group believes that in addition to technical responses to cyberattacks, it is essential to improve cybersecurity literacy of all Group executives and employees, and conducts training and e-mail drills for all Group executives and employees on a regular basis. We invite external experts to conduct study sessions for management and encourage CSIRT members to participate in external specialized training and acquire specialized qualifications.

In addition, in response to the recent increase in the number of fraudulent remittances through phishing and other means, in order to alert customers when a phishing site is detected, we have posted information on our website about fraudulent remittance methods, examples of suspicious e-mails and SMS (short messages) that have exploited our company name, and information.