Risk Management

Basic Concepts

In order to foster and spread a risk culture, the Group conducts risk management based on the following basic policies.

  • To minimize the negative impact of economic fluctuations, and to provide stable and continuous financial services as a financial group trusted by the community, the Group will conduct appropriate risk management.
  • The Company ensures sound management by identifying, assessing, monitoring, and controlling the risks of the entire Group as comprehensively as possible, and strives to secure stable earnings commensurate with the risks through the appropriate allocation of management resources.
  • In order to ensure objectivity and account for the interaction between risks, we strive to quantify and manage various risks in an integrated manner.

Risk Management System

At the Concordia Financial Group, subsidiaries (the Bank of Yokohama and Higashi-Nippon Bank) manage risk by setting up risk control and management departments for each risk type, while the holding company manages risk for the entire group in an integrated manner, and a risk officer independent of the Audit Department reports regularly to the Board of Directors on the status of risk.

Specifically, subsidiaries apply appropriate risk management that accords with their risk profiles and report to the holding company on the status of risks. The holding company provides subsidiaries with necessary guidance, while entities such as the Board of Directors and the ALM and Risk Management Council (Top Management Council) provide supervision by monitoring, discussing, and making decisions related to the various types of risks and the risk for the Group as a whole.

Risk Appetite Framework

Introduction of the Risk Appetite Framework (RAF)

As a risk governance framework, the Concordia Financial Group has introduced a Risk Appetite Framework (RAF) to monitor and clarify the types and amounts of risk taken on during operations, taking into consideration a balance between earnings, risk, and capital. When formulating the medium-term management plan and budget for each financial year, a risk appetite statement (RAS), which defines the types and amounts of risks that management should willingly accept or should avoid, is adopted at a Board of Directors' meeting. We plan to optimize risk-return, using the RAF to constantly monitor risk assets and their relationship to return, which are incorporated in the budget.

In addition, to foster and instill the risk culture embodied in the RAF, risk management workshops are held as needed for officers, including directors. (In FY2021, such a workshop was held in November).

1.RAF Regulations 2.Medium-Term Management Plan RAS 3.Fiscal year RAS 4.Monitoring 5.Internal Controls

Overview of Risk Appetite Framework (RAF) Management System

A. Capital allocation and risk capacity based capping

The potential maximum loss (risk amount) for each risk is measured using value-atrisk (VaR) and other measures, and capital is allocated to each risk type in order to limit the amount of risk to the amount of equity capital available for risk-taking. For risk assets, the risk appetite is set so as not to exceed measured risk capacity.

B. Stress testing

The Company verifies the appropriateness of risk-taking by estimating losses for each type of risk and measuring the impact on capital, earnings, risk-weighted assets, and risk volume using group-wide stress scenarios to confirm the adequacy of capital in budgetary plans and to ensure that the profit level is acceptable to management in times of stress.

C. Top Risk Management

In order to manage top risks, we set key risk indicators (KRI) as warning indicators to detect, as far as possible, what risks might materialize in future. We continuously monitor these KRIs to detect early indications of problems and prepare to respond flexibly in the event that risks do materialize.

Top Management Risks

Concordia Financial Group defines the risk events that are important to management and that it should manage as "top management risks".
We continuously monitor our top management risks and strive to perceive the signs and are prepared to respond flexibly in the event that a risk manifests.

Main Top Management Risks

  • Economic downturn due to spread of COVID-19
  • Due to soaring energy and raw material prices, etc.
  • Deterioration in business conditions for companies
  • Changes in monetary policy
  • Stalling of China's domestic policies
  • Major damage due to system problems
  • Major natural disasters
  • Transition to a decarbonized society etc.
  • *
    These are some of the risks that the Company has recognized, but risks other than those mentioned above may have a particularly significant adverse effect on our business.

Crisis Management

The Group has a crisis management system in place to ensure the safety of its customers and employees, the smooth execution of financial operations, and the protection of customers' assets in the event of an earthquake or other large-scale disaster, system failure, or spread of infectious diseases etc. In the event of a crisis, the Crisis Management Committee chaired by the president and representative director instructs companies within the Group to set up an emergency headquarters to centrally manage the response to the situation.

In response to COVID-19, we are working to thoroughly prevent infections by offering alcohol disinfectants, installing acrylic panels and other preventive equipment in offices, and asking customers to maintain social distance. For our employees, in addition to implementing basic infection prevention measures, we strive to avoid crowded workplaces through telework and staggered work hours, and in the event of an outbreak, we introduce split operations mainly for important operations at headquarters to ensure that personnel are available to continue operations.

Furthermore, we prevent system problems that could have a serious impact on customers and have put in place a problem response system.

Placing the highest priority on the health and safety of its customers and related parties, the Group works to prevent the spread of COVID-19 and strives to continue to fulfill its financial functions as part of the financial infrastructure essential to maintaining social functions.

Integrated Risk Management

Basic Concepts

The Group classifies and manages Group risks in the following categories: credit risk, market risk, liquidity risk, operational risk, and reputational risk. In addition, we ensure the soundness of management by identifying, evaluating, monitoring, and controlling risks in an integrated manner to the greatest extent possible, including risks related to the development, provision and revision of products and services, as well as risks related to outsourcing of operations. We are also prepared to secure stable earnings through the appropriate allocation of management resources, commensurate with the risks involved.

Credit risk
Risk of loss due to a decline in the value of assets due to deterioration of the financial condition of the borrower
Market risk
Risk of loss due to fluctuations in the value of assets and liabilities held resulting from changes in various market risk factors, such as those for interest rates and securities
Liquidity risk
Risk of losses due to unexpected outflows of funds (cash flow risk and market liquidity risk)
Operational risk
Risk of losses due to inadequate administration, inadequate systems, violations of laws or regulations, natural disasters, and health hazards for executives and employees
Reputational risk
Risk of incurring losses due to negative external publicity as a result of the words, actions and behavior of the Group, its officers, employees, etc.

Integrated Risk Management Framework

Ensuring soundness through capital allocation

The Group measures the potential maximum loss (risk amount) for each risk using value-at-risk (VaR) and other measures, and allocates capital by risk type in order to keep the amount of risk within the range of real equity capital (the risk tolerance limit, which is defined as common equity Tier 1 less deferred tax asset equivalents etc.) When allocating capital, we check the sufficiency of the buffer (unallocated capital) to ensure that our real equity capital is not exceeded in times of stress.

Ensuring soundness through stress testing

In order to assess the adequacy of the buffer (unallocated capital) and to confirm the appropriateness of risk-taking, the Group conducts stress tests in which stress scenarios are established and the amount of loss and risk in the event of such a stress event is estimated across the risk categories.

Stress scenarios have been established for the Group taking into consideration past sharp economic downturns and future environmental changes.

Cybersecurity

Cybersecurity Governance

External audit system

The Concordia Financial Group has been strengthening its cybersecurity measures not only through external audits based on the Cybersecurity Framework international standard guidelines developed by the National Institute of Standards and Technology (NIST), but also through threat-led penetration tests (TLPT), in which ethical hackers from a specialized security firm actually penetrate internal systems to assess vulnerabilities and identify issues. From FY2021, in addition to conducting the annual TLPT, we also began conducting external audits using the FFIEC (Federal Financial Institutions Examination Council) "Cybersecurity Assessment Tool", which is widely used by financial institutions in the U.S., with the aim of achieving the security standards of global financial institutions, and we will continue to strengthen our efforts to address the issues identified.

Involvement of Top Management

To clarify that we implement management-driven cybersecurity measures, we formulated the "Cybersecurity Management Declaration(Download PDF File)" in April 2022. In terms of the system, our security policy stipulates that the director in charge of the ICT Management Department is the security officer in charge of security for the entire Group. In addition, at regular ALM and Risk Management Meetings and President Reporting and CSIRT Meetings, which are composed mainly of directors, threats and regulatory trends, security measures based on these trends, and the current status are reported on as agenda items, and management provides appropriate guidance for and checks on the contents of the reports.

Management of contractors etc.

When using cloud services or entrusting the Group's information to contractors, we assess the compliance of the contractor (contract counterparty) with the Group's security standards not only when the contract is entered into but also periodically afterward. Specifically, we evaluate the security of the systems of contractors and subcontractors and such things as the state of their training of employees (including those of their contractors and subcontractors) about information management systems. When standards are not met, we request improvements or change the subcontractor.

Incident Response Posture

In order to respond to the evolving threat of cyberattacks, we have formed the Concordia Financial Group-CSIRT, which consists of CSIRT members from each Group company. In addition to collecting and disseminating routine threat information and investigating and responding to attacks when they are detected, we prepare for emergencies by regularly participating in training organized by the National center of Incident readiness and Strategy for Cybersecurity (NISC), the Financial Services Agency (FSA), and Financials ISAC Japan in order to verify cooperation with government agencies, industry organizations, and Group companies. We have also formed the MEJAR-CSIRT with regional financial institutions and NTT DATA, which operates the MEJAR core system, in order to regularly exchange information, confirm systems, and conduct joint training.

In addition to establishing an organizational structure, we have formulated response plans for different types of incidents, such as ransomware infection, DDoS attacks, information leaks, etc., in case a security incident should occur. This response plan is continuously improved based on the results of the various drills mentioned above. Starting in FY2022, we will establish an in-house "Cyber Defense Center," which will utilize the latest integrated log monitoring and automation tools to quickly detect and respond to security incidents.

Education and training

Education and training exercises for Group executives and staff

It is our opinion that education and training for group executives and employees is essential in order to improve the cybersecurity literacy of all executives and employees. To ensure that we can respond quickly and smoothly in the event of an incident, we conduct suspicious e-mail drills and other drills multiple times a year for executives and employees, including temporary and contract employees, and we run e-learning training sessions at least twice a year using subject matter optimized for us by a specialized vendor. By continuously conducting suspicious e-mail drills, we have been able to maintain a low click rate for URLs in the bodies of e-mail. We also provide level-specific training for new employees, newly appointed and existing managers, and supervisors and hold seminars for management-level employees that are taught by outside experts. Through these efforts, we maintain our cybersecurity skills and further improve our response procedures for each particular type of incident (ransomware infection, DDoS attack, information leak, etc.)

List of Trainings Participated in and Run

  • Cyber security exercises across the financial industry (Delta Wall)
  • Training for Top Management
  • NISC Cross-Disciplinary Exercises
  • MEJAR-CSIRT Exercises
  • Financials ISAC Joint Training
  • Financials ISAC Cyber Quest
  • Suspicious e-mail drills

More than half of the CSIRT's full-time employees hold the Certified Information Systems Security Professional (CISSP) advanced cybersecurity certification and have the Registered Information Security Specialist qualification (including those who have passed the certification exam). From FY2022, we will endeavor to further increase the knowledge and skills of those employees by having them gain more specialized international qualifications, undertake training, and participate in security governance. In addition to this, we continue to recruit and train highly specialized human resources, which includes not only setting but also meeting targets for hiring mid-career specialists.

Customer education

In response to the high frequency of fraudulent remittances caused by phishing and other scams, we have joined the Japan Cyber Crime Center (JC3) and are working to collect information on Internet-based financial crimes. When we obtain information during these activities about things such as fraudulent remittance methods, cases of suspicious e-mails or SMS (text) messages that fraudulently use our name, or the launch of phishing sites, we post such information on our website to alert our customers.
In addition, the Bank of Yokohama has been working to improve and promote cybersecurity measures among enterprises in the prefecture. These efforts have included holding the Kanagawa Cybersecurity Forum, a cybersecurity educational event for enterprises in Kanagawa Prefecture in March 2022. In June 2022, the bank joined the Kanagawa Prefecture Enterprise Cybersecurity Public-Private Joint Project, which aims to raise cybersecurity levels among companies in the prefecture. By joining this project, the bank is working to improve its own technology through information sharing with companies that have cutting-edge technology and expertise and is supporting efforts to improve the level of cybersecurity at companies in the prefecture.