Governance | Risk Management
Nomura Group implements processes to properly identify the possibility of potential losses arising from various operations and transactions, and seeks to establish a framework for assessing all risks and enforcing appropriate controls.
The business activities of Nomura Group are exposed to various risks such as market risk*1, credit risk*2, operational risk*3, model risk*4, and other risks caused by external factors.
We are working to further upgrade and strengthen our risk management systems, and we position the appropriate management of these risks as a management issue with the highest priority. Nomura Group has prepared its Risk Appetite Statement. This statement sets forth the content of risks that the Group can undertake, and it takes account of the Group's business strategy and business targets, including the amount of capital and liquidity required under regulations, and the business environment.
Risk Management Systems
The Risk Appetite Statement is proposed by the Chief Risk Officer (CRO) and the Chief Financial Officer (CFO), and submitted for final approval to the Executive Management Board. The statement covers all types of risk that the Group is exposed to, including capital adequacy and balance sheet measures, liquidity risk, market and credit risk, operational risk, and model risk. With a basic policy of controlling risks that arise in the course of operations within the limits of the Group's risk appetite, the Executive Management Board or the Group Integrated Risk Management Committee,*5 which has been delegated responsibility by the Executive Management Board, is responsible for deliberating and determining important matters pertaining to risk management.
Risk Management Structure
1 Market risk: Risk of losses arising from fluctuations in values of financial assets and debt due to fluctuations in interest rates, foreign exchange rates, and securities prices
2 Credit risk: Risk of losses arising from the decrease of asset values (including off-balance sheet items) due to deterioration in creditworthiness or default of an obligor or counterparty
3 Operational risk: Risk of losses arising from inadequate or failed internal processes, people, and systems or from external events
4 Model risk: Risk of losses arising from errors in the model or from illicit or inappropriate use of the model
5 The Group Integrated Risk Management Committee is chaired by the Group CEO and comprised of the Group COO, business division CEOs, the Chief Risk Officer, the Chief Financial Officer, the Chief Legal Officer, the Co-CRO, and other members appointed by the chairman.
Ensuring Financial Soundness and Transparency
Responding to Increasingly Sophisticated Financial Regulation
To respond to higher-level financial regulations under Basel III, Nomura Group has applied its own internal models for measuring general market risk, specific risk, incremental risk, and comprehensive risk with the aim of more accurately calculating increasingly complex and diverse risks. To measure the amounts corresponding to counterparty transactions, the Group applies the expected exposure method. These sophisticated risk measurement methods apply cutting-edge risk management methodologies and are supported by large-scale computer systems that process the vast volumes of data related to risk management on a daily basis. In addition, in order for Nomura to be in compliance with the strict regulatory governance requirements, independently from the Risk Methodology Group, which is responsible for risk model development, Nomura's Model Validation Group conducts periodic validations to ensure that the models are functioning properly.
Risk measurement data, which has been quantified in the exacting processes previously described, is used in computing the Group's capital adequacy ratio, thus ensuring a high degree of reliability and transparency regarding the soundness of Nomura Group's financial position.
Enhancing and Strengthening Risk Management Systems
Nomura Group is always working to further enhance and strengthen risk management systems from a full range of perspectives. To give a specific example, in addition to the credit risk management methods applied thus far to counterparties in derivative transactions, Nomura has introduced a "single name limit" approach that sets an overall limit on risks arising from issuers of bonds, equities, and other securities as well as on counterparties, while also identifying groups of bond issuers from a comprehensive perspective. In addition, Nomura is also structuring a system to identify and manage so-called "wrong way risk" which arises when there is a strong correlation between deterioration in the creditworthiness of a counterparty and the size of credit extended to that party.
Nomura Group periodically conducts stress tests to calculate the size of losses and the volume of risk that may emerge for the Group as a whole under assumptions of extremely difficult economic conditions. The results of these stress tests are reported to the Group Integrated Risk Management Committee. In these tests covering the Group as a whole, risks that cannot be fully calculated by the most-sophisticated and precise risk models are taken into account, and the results are a substantially better measure of the sufficiency of the Group's capital for maintaining financial soundness.
In addition, among inherent risks of businesses and transactions at the detailed business and trading desk level, there may be risks that are difficult to ascertain with existing risk models. Therefore, stress scenarios are developed to focus on and capture these risks and determine the size of potential losses under these various scenarios. As a result of conducting these tests based on stress scenarios, Nomura is able to supplement information developed by risk models and obtain valuable information on the impact on its income of specific stress scenarios.
Risk Management in New Businesses Transactions
Nomura Group has established a strict approval process for new products and new individual transactions. Decisions on whether to provide these new products and individual transactions are made after a review that covers all perspectives, including reputational risk, legal risk, accounting risk, and financial risk.
Moreover, to increase the effectiveness of internal controls, including the risk management systems, the Internal Audit Department, which is independent from business lines, conducts audits and makes assessments and then makes recommendations and proposals.
From the perspective of providing services to customers and ensuring the stability of business processes, Nomura takes a wide range of measures. Nomura is working to maintain and strengthen its resiliency against number of emergencies, such as natural disasters, system outages, and cyber attacks.
Ability of an organization to continue, recover and resume from emergencies
Nomura Group has established the Crisis Management Committee, comprised of crisis management officers from each Group companies worldwide, to address any crisis that may occur. Chaired by an Executive Officer appointed by the Group CEO, this committee has developed a structure to manage crises and ensure the continuity of business in the event of an emergency.
Under the crisis management structure, the Crisis Management Committee reports to the Executive Management Board. The Crisis Management Committee's secretariat regularly conducts employee safety confirmation drills, disaster prevention drills, and business continuity drills, in order to be prepared for an actual emergency. Additionally, the secretariat promotes crisis management awareness. These crisis management structures and measures are stipulated in Nomura Group Crisis Management Policy. In this policy, major risks are defined as natural disasters, fires, serious crimes committed against employees, system outage, infectious disease, and the leakage of information assets. We have delegated significant authority to crisis management officers to ensure they can promptly make decisions on the ground should a crisis occur.
Strengthening Measures against Major Earthquakes
Nomura Group has implemented measures against natural and other disasters. Some of the measures came from lessons learned from the Great East Japan Earthquake. After the release of studies by Japan's Central Disaster Prevention Council in 2013, regarding the impact of earthquakes that might occur directly beneath the Tokyo metropolitan area and along the Nankai Trough, we have reviewed our disaster risk scenarios. As we consider such earthquake impacts our continuity of business in great magnitude, Nomura Group is continuing to strengthen its measures in collaboration with Nomura Group companies.
Key Area of Focuses:
- Strengthening systems for business continuity
- Continuing drills and training
- Strengthening collaboration between Group companies in Japan and overseas
- Enhancing Business Continuity Plan
To accommodate the diverse needs of its clients, Nomura Group provides a wide range of its services over the Internet. These services use the latest, most-advanced encryption technologies to ensure that important client information is always safeguarded.
In recent years, cyber attacks have been on the increase, and their methods are more sophisticated and artful to disrupt systems and steal customer data by gaining improper access through the Internet.
To deal with cyber attacks, Nomura is taking further measures to enhance system security, and, by forming a specialized unit, is working to strengthen its organizational response. Nomura is also endeavoring to further improve the capabilities of its management and employees to handle cyber attacks through training and practice drills, along with enhancing cooperation on information sharing with external organizations.
Our Cyber security strategy is regularly reviewed and updated at the joint meeting of Nomura Group CSIRT and NSC CSIRT. The matters regarding cyber security are reported at the Crisis Management Committee.
System Security Measures
In addition to previously existing measures, including putting firewalls in place and installing antivirus software, Nomura is strengthening its system surveillance capabilities and introducing security systems to improve detecting and handling capabilities for these incidents.
Formation of the CSIRTs
Nomura Group and its major companies have formed the Computer Security Incident Response Teams (CSIRTs). Nomura shares information through CSIRTs within the Group as well as with external organizations such as the Financial Information Sharing and Analysis Center (F-ISACjp*) to prevent computer-security related damage before it occurs, and, when threats to security arise, to respond quickly.
Financial ISAC Japan: An organization set up by Japanese financial institutions to share information with regard to cyber security.
Management and Employee Training
In many cases, the entrances of cyber attacks are "targeted attacks" against management and employees. Nomura provides training and practice against these attacks regularly. We call employees' attention to various cyber threats and disseminate processes in case of cyber attacks. Going forward, Nomura will work to raise the capabilities of management and employees through offering these kinds of training and opportunities for practice drills.
Social and Environmental Risk Management
We believe that considering the social and environmental risks that may arise from various transactions is key to managing our reputational risk. As such, in executing our business operations, we focus on these risks in the same way we are careful about legal compliance. For example, for equity underwriting businesses, we review and confirm the issuer's awareness of any associated potential risks to society and the environment and that the issuer has taken appropriate steps to address such risks, including the disclosure of information about those risks. Impact on the environment and society as well as financial condition, operating results, and other aspects are included in the overall guidelines applied by relevant departments during the assessment process as vital items that must be confirmed when taking on underwriting deals.