Governance | Risk Management
Nomura Group implements processes to properly identify the possibility of potential losses arising from various operations and transactions, and seeks to establish a framework for assessing all risks and enforcing appropriate controls.
The business activities of Nomura Group are exposed to various risks such as market risk*1, credit risk*2, operational risk*3, model risk*4, and other risks caused by external factors.
We are working to further upgrade and strengthen our risk management systems, and we position the appropriate management of these risks as a management issue with the highest priority. Nomura Group has prepared its Risk Appetite Statement. This statement sets forth the content of risks that the Group can undertake, and it takes account of the Group's business strategy and business targets, including the amount of capital and liquidity required under regulations, and the business environment.
Fostering a sound risk culture is essential for Nomura Group to maintain its social credibility and sustain its business activities.
At Nomura Group, all employees, irrespective of their function or geographic location, must understand their specific responsibilities related to risk management, and actively work to manage risks. We aim to embed this risk culture throughout the firm through various training courses, as well as company rules and regulations.
Risk Management Systems
The Risk Appetite Statement is proposed by the Chief Risk Officer (CRO) and the Chief Financial Officer (CFO), and submitted for final approval to the Executive Management Board. The statement covers all types of risk that the Group is exposed to, including capital adequacy and balance sheet measures, liquidity risk, market and credit risk, operational risk, and model risk. With a basic policy of controlling risks that arise in the course of operations within the limits of the Group's risk appetite, the Executive Management Board or the Group Integrated Risk Management Committee,*5 which has been delegated responsibility by the Executive Management Board, is responsible for deliberating and determining important matters pertaining to risk management.
Risk Management Structure
*1 Market risk: Risk of losses arising from fluctuations in values of financial assets and debt due to fluctuations in interest rates, foreign exchange rates, and securities prices
*2 Credit risk: Risk of losses arising from the decrease of asset values (including off-balance sheet items) due to deterioration in creditworthiness or default of an obligor or counterparty
*3 Operational risk: Risk of losses arising from inadequate or failed internal processes, people, and systems or from external events
*4 Model risk: Risk of losses arising from errors in the model or from illicit or inappropriate use of the model
*5 The Group Integrated Risk Management Committee is chaired by the Group CEO and comprised of the Group COO, business division CEOs, the Chief Risk Officer, the Chief Financial Officer, the Chief Legal Officer, the Co-CRO, and other members appointed by the chairman.
Ensuring Financial Soundness and Transparency
Responding to Increasingly Sophisticated Financial Regulation
To respond to higher-level financial regulations under Basel III, Nomura Group has applied its own internal models for measuring general market risk, specific risk, incremental risk, and comprehensive risk with the aim of more accurately calculating increasingly complex and diverse risks. To measure the amounts corresponding to counterparty transactions, the Group applies the expected exposure method. These sophisticated risk measurement methods apply cutting-edge risk management methodologies and are supported by large-scale computer systems that process the vast volumes of data related to risk management on a daily basis. In addition, to comply with strict regulatory governance requirements, Nomura's Model Validation Group, which is independent from the Risk Methodology Group responsible for risk model development, conducts periodic validations to ensure that the models are functioning properly.
Risk measurement data, which has been quantified in the exacting processes previously described, is used in computing the Group's capital adequacy ratio, thus ensuring a high degree of reliability and transparency regarding the soundness of Nomura Group's financial position.
Enhancing and Strengthening Risk Management Systems
Nomura Group is always working to further enhance and strengthen risk management systems from a full range of perspectives. To give a specific example, in addition to the credit risk management methods applied thus far to counterparties in derivative transactions, Nomura has introduced a "single name limit" approach that sets an overall limit on risks arising from issuers of bonds, equities, and other securities as well as on counterparties, while also identifying groups of bond issuers from a comprehensive perspective. In addition, Nomura is also structuring a system to identify and manage so-called "wrong way risk" which arises when there is a strong correlation between deterioration in the creditworthiness of a counterparty and the size of credit extended to that party.
Nomura Group periodically conducts stress tests to calculate the size of losses and the volume of risk that may emerge for the Group as a whole under assumptions of extremely difficult economic conditions. The results of these stress tests are reported to the Group Integrated Risk Management Committee. In these tests covering the Group as a whole, risks that cannot be fully calculated by the most-sophisticated and precise risk models are taken into account, and the results are a substantially better measure of the sufficiency of the Group's capital for maintaining financial soundness.
In addition, among inherent risks of businesses and transactions at the detailed business and trading desk level, there may be risks that are difficult to ascertain with existing risk models. Therefore, stress scenarios are developed to focus on and capture these risks and determine the size of potential losses under these various scenarios. As a result of conducting these tests based on stress scenarios, Nomura is able to supplement information developed by risk models and obtain valuable information on the impact on its income of specific stress scenarios.
Risk Management in New Businesses Transactions
Nomura Group has established a strict approval process for new products and new individual transactions. Decisions on whether to provide these new products and individual transactions are made after a review that covers all perspectives, including reputational risk, legal risk, accounting risk, and financial risk.
Moreover, to increase the effectiveness of internal controls, including the risk management systems, the Internal Audit Department, which is independent from business lines, conducts audits and makes assessments and then makes recommendations and proposals.
Cyber security measures
Nomura Group has for some time been undertaking various security measures to protect systems against cyber-attacks. However, in light of the growing cyber security threat worldwide, we recognize that our current countermeasures may be insufficient.
Faced with this growing cyber security threat, Nomura Group is working continuously to strengthen its cyber security platform to ensure that clients' information and assets are secure, and to enable clients to conduct transactions with peace of mind.
Nomura Group, along with Nomura Securities and other Group companies, has established an organizational structure, centered on the Nomura Group Computer Security Incident Response Team (CSIRT), to work together to deal with events stemming from cyber-attacks and to minimize the damage they may cause.
Recognizing the importance of cyber security amid increasingly sophisticated and cunning cyber-attacks, we established CSIRTs with the aim of further improving our response capability. We are promoting measures to enhance cyber security centering on the way the organization operates, system security measures, executive and employee training, and cooperation with external organizations.
With respect to the organization, we participate in drills to protect against cyber-attacks, and have outside cyber security experts evaluate the effectiveness of our cyber security measures. In addition, when we obtain information on dangerous vulnerabilities or detect cyber security events, the CSIRT leads the response effort to analyze the cause, minimize damage, and quickly restore systems.
In terms of system security measures, we have put in place a multi-layered defense system, which includes multiple detection and defense mechanisms against unauthorized access and malicious programs such as computer viruses. We review these countermeasures as appropriate to deal with new threats.
On the human side, the Group has prepared the Nomura Group Information Security Policy and regularly conducts relevant training for all executives and employees in order to raise their awareness.
Nomura Group has established systems for collecting and sharing information on cyber-attacks and attack methods through information-sharing organizations such as Financial ISAC Japan and Nippon CSIRT Association.
Missions of business continuity
The impacts of earthquakes, typhoons, and other natural disasters as well as the threats of terrorism and other malicious acts are increasing in Japan and around the world. In light of this situation, Nomura Group has established a global business continuity management structure and is continuously enhancing its program through implementations of numerous measures and awareness programs.
Business continuity structure
Nomura Group has established the Crisis Management Committee, which is comprised of officers responsible for crisis management from Group companies worldwide, to prepare for major natural and manmade disasters. With this committee in place, we have developed a business continuity and crisis management structure to cover the aforementioned disasters globally.
Should a major office be rendered unable to continue its operations due to a disaster, we have set up backup offices that allow us to continue our operations from these alternate locations. Similarly, we have built redundancy into our datacenters so that, in the event of a datacenter outage, critical data and applications will be protected in a backup datacenter in a different location. Additionally, we have reinforced our infrastructure, for example by installing power generators. Accordingly, this infrastructure can be used in the event of a single building failure or a wide area disaster, such as a Tokyo Inland Earthquake, to avoid systemic risks and continue or quickly recover high-priority operations that are crucial to the lives of our clients. Similar measures and infrastructure have also been put in place at our major overseas offices.
The Office of Crisis Management Committee regularly conducts employee safety confirmation drills, disaster prevention drills, and business continuity drills in Japan to ensure that we are able to respond immediately during a crisis situation. For overseas offices, these activities are carried out by the Business Continuity Management Team. Through these efforts, we are working to foster greater awareness of crisis management and strengthen our ability to respond to emergencies. These structures and measures are stipulated in the Nomura Group Crisis Management Regulations.
Activities of crisis and business continuity management
- 1. Strengthening structure for business continuity
  - Establishment and reinforcement of backup offices
  - Establishment of datacenter redundancy
  - Identification of critical resources
  - Enhancement of emergency communication equipment
- 2. Drills and training
  - Emergency Command Center activation drills
  - Employee safety confirmation drills
  - Drills based on business continuity plan
  - Initial response drills simulating Tokyo Inland Earthquake
  - Nankai Trough earthquake response training at branch offices
- 3. Strengthening collaboration between Group companies in Japan and overseas
  - Enhancing information sharing between domestic Group companies
  - Enhancing information sharing among overseas Group companies
- 4. Enhancing business continuity plan
  - Review and revision of business continuity plan
  - Review and revision of business continuity plan for datacenter outage scenario
  - Review and revision of business continuity plan for Tokyo Inland Earthquake scenario
  - Stockpiling of water, food, and other emergency supplies at headquarters, branch offices, and backup offices
Social and Environmental Risk Management
We believe that considering the social and environmental risks that may arise from various transactions is key to managing our reputational risk. As such, in executing our business operations, we focus on these risks in the same way we are careful about legal compliance. For example, for equity underwriting businesses, we review and confirm the issuer's awareness of any associated potential risks to society and the environment and that the issuer has taken appropriate steps to address such risks, including the disclosure of information about those risks. Impact on the environment and society as well as financial condition, operating results, and other aspects are included in the overall guidelines applied by relevant departments during the assessment process as vital items that must be confirmed when taking on underwriting deals.