Nomura Group promotes integrated risk management as part of the firm's management strategy to control various risks inherent in daily operations, secure capital soundness in any economic environment, achieve business plans, protect customers and comply with laws and regulations.
Risk Management Policy
All executives and employees of Nomura Group, irrespective of their function, actively engage in risk management.
Nomura Group aims to identify the risks that could lead to significant losses by categorizing the types of risks associated with its business activities, as well as the impacts of risks and their likelihood of occurrence. In principle, Nomura Group avoids risks that are difficult to identify and manage.
Nomura Group recognizes that there are risks that cannot be identified at present. As financial professionals, all executives and employees of Nomura Group must expand their knowledge of risks, and foster a corporate culture that appropriately recognizes, evaluates and manages risks.
Fostering a sound risk culture is essential for Nomura Group to maintain its social credibility and sustain its business activities. At Nomura Group, all employees, irrespective of their function or geographic location, must understand their specific responsibilities related to risk management, and actively work to manage risks.
The Three Lines of Defense in Risk Management
Nomura Group has adopted the following layered structure on the grounds that all employees are accountable for proactively managing risk.
First Line of Defense: Departments Engaged in Trading and Sales
As the first line of defense, departments engaged in sales and trading manage the risks associated with their own business activities.
For example, trading departments do business within predetermined risk limits, and proactively identify and address any issues they find.
Second Line of Defense: Departments Engaged in Risk Management
Departments engaged in risk management establish frameworks to manage each type of risk, and support risk management measures taken by the First Line of Defense, such as sales and trading departments.
The second line of defense independently monitors risks and keeps trading and sales departments in check as needed.
Third Line of Defense: Internal Audit
Internal Audit reviews and provides consulting from an independent, objective position, with the aim of adding value by improving the organization's operations and frameworks, including risk management.
Risk Management Activities
Based on the PDCA cycle (Plan, Do, Check and Action), all executives and employees of Nomura Group conduct risk management activities across the three lines of defense to ensure that the various risks inherent in daily operations do not exceed the level of risk appetite.
In order to realize Nomura Group's corporate philosophy, the Executive Management Board formulates business plans and establishes risk appetite taking into account the business environment and the state of management resources. These are reviewed annually or as needed.
Each business division carries out its business plans in accordance with the risk appetite and the Code of Conduct.
The first line of defense identifies, assesses and manages risks that may exceed the risk appetite, and the second line of defense advises, supports and checks the first line of defense through monitoring, analysis, stress testing and predictive management. The third line of defense examines and advises on these from an independent position.
Each business division works to reduce risks that may exceed the risk appetite, and carries out activities based on the advice, support and checks received from the second line of defense.
Risk Appetite Statement
The Risk Appetite Statement documents Nomura's fundamental understanding of and approach toward various risks. It defines the types of risk that Nomura Group chooses to take, and those it will not take under any circumstances, when executing our business strategy in order to achieve our business goals.
Our Risk Appetite Statement is approved by the Executive Management Board, and risks are monitored daily against the risk appetite. If by any chance risk levels exceed the risk appetite, senior management consults with those directly involved and takes actions to eliminate excessive risk as necessary.
In 2021, the Risk Appetite Statement was upgraded to recognize that ESG factors, including climate change, have a significant impact on various risk categories.
Categories for Which Risk Appetite is Established
| Category | Risk Appetite |
| --- | --- |
| Capital Adequacy and Liquidity | Nomura Group defines the level of capital adequacy and sound liquidity as risk appetite, taking into account the regulatory requirements, funding capacity, and business environment. |
| Financial Risk | Nomura Group allocates financial resources to each business in order to achieve corporate strategies and business plans, while remaining within the bounds of the risk appetite for capital adequacy and liquidity. Nomura Group defines the types and levels of financial risks that each business takes within its allocated resources as financial risk appetite. In setting the financial risk appetite, Nomura Group classifies market and credit risks into segments according to the nature of business, and uses quantitative metrics or qualitative indicators as well as processes to capture these characteristics. |
| Non-Financial Risk | Non-financial risks exist in daily activities and processes, and can result in a financial loss or significant adverse impact on Nomura Group, our clients and financial markets. It is therefore everyone's responsibility to manage non-financial risks in line with Nomura Group's risk appetite. |
Financial risk is the possibility of losses arising from Nomura Group's portfolio of financial instruments and financial transactions due to various factors. It consists of the following risks.
Nomura Group manages these risks by (1) setting limits, imposing risk charges, and limiting holdings; (2) managing the concentration risk of the obligor group and portfolio through individual review and approval processes; (3) determining the feasibility and terms of new transactions through individual deliberations; and (4) establishing a robust framework through requirements definition and process building.
| Risk | Definition |
| --- | --- |
| Mark to Market Risk | Risk of incurring losses due to a change in the value of assets or liabilities resulting from movements in interest rates, currencies, and prices of stocks and other securities. |
| Market Liquidity Risk | Risk that trading costs will increase due to the time taken to close positions, or that trading will become unfeasible due to rapid changes in the market. |
| Default Risk | Risk of incurring losses when a counterparty or issuer fails to meet its obligations. |
| Event Risk | Risks inherent in specific financial transactions, such as losses from events caused by discontinuous changes in the market. Events may or may not result from fluctuations in financial markets. |
| Model Risk | Nomura Group uses models for valuation of financial instruments, for measurement of key risks including Value at Risk and counterparty exposure, for estimating liquidity, and for asset price verification. Model uncertainty due to simplification, incorrect use of a model, or reduced model suitability in the current market environment can lead to financial losses and failure to satisfy regulatory requirements. This is called model risk. |
Non-financial risk includes Operational Risk and Reputational Risk.
Operational Risk
Risk of financial loss or non-financial impact arising from inadequate or failed internal processes, people and systems, or from external events. Nomura Group's approach to operational risk management includes four core processes: operational risk event reporting, risk and control self-assessment (RCSA), monitoring using key risk indicators (KRI), and scenario analysis. Managed operational risks are divided into the 10 categories below.
Compliance risk also includes conduct risk, which is the risk that the conduct of any member of Nomura Group deviates from the social norms and ethics required of a financial institution, and, as a result, adversely affects client protection and the soundness of the market.
| Category | Definition |
| --- | --- |
| Compliance Risk | Risk of financial loss or reputational damage due to violations of financial services laws, rules or regulations, and improper conduct which disrupts the integrity of the financial markets and causes unfair client treatment. |
| Legal Risk | Risk of financial loss or reputational damage due to (i) ambiguity and/or insufficiency in contractual terms to secure Nomura's legal rights and/or enforceability of the contractual terms; (ii) failure to comply with applicable laws and regulations; and/or (iii) failure to adapt to changes in laws and regulations. |
| IT and Cyber Security | Risk of financial loss or reputational damage due to (i) poor performance or unavailability of IT systems; (ii) data corruption; and/or (iii) unauthorised or improper access to IT systems and data from within or outside the institution. |
| Business Resilience | Risk of financial loss or reputational damage due to inability to resume normal business operations during a business disruption event, and damage to or unavailability of physical assets from natural disasters and other events. |
| Third-Party | Risk of financial loss or reputational damage due to failure of a third party to perform in line with expectations. |
| Financial Reporting & Tax | Risk of financial loss or reputational damage due to material misstatement or omission in the firm's (i) external financial reporting, regulatory reporting or internal financial management reporting; and/or (ii) external tax reporting or payments. |
| People | Risk of financial loss, staff impact or reputational damage due to acts inconsistent with employment or health and safety laws or employment norms and agreements. |
| Transaction Lifecycle | Risk of financial loss or reputational damage due to failures in transaction processing and/or process management. |
| Prudential Risk Frameworks | Risk of financial loss or reputational damage due to inadequate prudential risk management frameworks. |
| Fraud | Risk of financial loss or reputational damage due to intent to defraud, misappropriate property or conduct unauthorized activity by an internal or third party. |
Reputational Risk
The possible damage to Nomura's reputation and associated risk to earnings, capital or liquidity arising from any association, action or inaction which could be perceived by stakeholders to be inappropriate, unethical or inconsistent with Nomura Group's values and corporate philosophy. All personnel must consider the impact of their actions or inactions on Nomura's reputation and apply high standards to their behavior as set out in the Nomura Group Code of Conduct.
Risk Management Governance and Oversight
Nomura has established an organizational structure to facilitate effective business operations and management of risks.
Executive Management Board (EMB)
Executive Management Board deliberates on and determines the Risk Appetite, in addition to the Business Plan and budget.
Group Risk Management Committee (GRMC)
The Group Integrated Risk Management Committee establishes the policy and framework for our risk management.
Chief Risk Officer (CRO)
Chief Risk Officer is responsible for supervising the Risk Management division and maintaining the effectiveness of the financial risk management framework.
Chief Financial Officer (CFO)
The Chief Financial Officer is responsible for supervising the Finance division, as well as overall financial strategy and liquidity management.
Chief Compliance Officer (CCO)
Chief Compliance Officer is responsible for supervising the Legal, Compliance and Controls division ("LCC") and maintaining the effectiveness of the non-financial risk management framework.
Risk Management, Finance and LCC divisions
Risk Management, Finance and LCC divisions comprise various departments established independently from Nomura's business divisions. These three divisions are responsible for establishing and enforcing risk management policies and regulations, establishing and operating risk management processes, verifying the effectiveness of risk management methods, and reporting to Officers and Group Integrated Risk Management Committee.
Nomura Group regards natural disasters such as earthquakes and typhoons, man-made disasters such as fires and terrorism, infectious diseases such as coronavirus, system failures, and information asset leaks as the key types of crises that must be prepared for. To respond to such crises, we have established a global business continuity framework and work on a wide range of measures, including educating our people about our disaster response measures.
Business Continuity Structure
The Group Crisis Management Committee is tasked with preparing for crises, and under the committee's leadership the Group has been continually strengthening the crisis management program and the business continuity framework both in Japan and overseas. The Group Crisis Management Committee is chaired by the Representative Executive Officer, Deputy President of Nomura Holdings appointed by the Group CEO, and comprises senior officers from Group companies. Resolutions passed by the committee are reported to the Executive Management Board. In the event of a major disaster, the chair establishes a command center which takes appropriate measures to confirm and ensure the safety of employees and their families, prevents the spread of damage and maintains the system for business continuity.
As a specific example of this business continuity framework, arrangements are in place so that operations can be continued at backup offices in the event that key offices are rendered unusable by an earthquake or other disaster. We also have a remote backup data center that protects critical data and applications in the event of a data center failure. Furthermore, we have bolstered our infrastructure, including power generators, so that in the event of a wide-area power outage, such as one caused by a powerful earthquake directly beneath the Tokyo metropolitan area, we can continue our critical functions, avoid systemic risk and protect our clients from being impacted.
Similar infrastructure has also been put in place at our key overseas offices.
In response to the coronavirus pandemic, and in accordance with Group guidelines, we worked to prevent the spread of the virus before significant outbreaks occurred in Japan and overseas by restricting travel and other activities that could accelerate its spread. When the Japanese government declared a state of emergency we temporarily suspended business operations at domestic branches. We have also enhanced the remote work capability and established a work system that has allowed us to both continue our business operations and prevent the spread of coronavirus. At our key overseas offices, we have ensured business continuity through remote work.
In Japan, the Crisis Management Committee Office regularly conducts employee safety confirmation drills, disaster prevention drills, and business continuity drills to ensure that we are able to respond quickly should a crisis occur. At overseas offices, these exercises are carried out by the Business Continuity Management Team in each location. Through these and other efforts, we aim to become more proficient at handling crises and strengthen our systems for managing them.
Business Continuity Initiatives
1. Strengthen the business continuity framework
   - Maintain / enhance backup offices
   - Secure emergency response personnel
   - Maintain / enhance emergency communication equipment
   - Enhance telework environment
2. Periodic drills and training
   - Employee safety confirmation drills
   - Drills based on the business continuity plan (BCP)
   - Initial response training and drills simulating an earthquake with its epicenter directly under Tokyo, or another massive earthquake
   - Nankai Trough earthquake response training at branch offices
3. Strengthen collaboration between Group companies in Japan and overseas
   - Enhance information-sharing with Group companies in Japan
   - Enhance the information-sharing framework with overseas Group companies
4. Business Continuity Plan
   - Review and revise the Business Continuity Plan for the scenarios of a massive natural disaster or a massive system failure
Cyber Security Measures
Nomura Group has for some time been undertaking security measures to protect systems against cyber-attacks. However, in light of the increasingly serious cyber security threats throughout the world, we recognize that our current countermeasures may not be sufficient in the future. In addition, in the financial sector, digitalization is proceeding at an accelerating pace. The connection of all financial systems to networks may increase the cyber security risk. In order to ensure that clients' information and assets are securely protected from these increasingly challenging cyber security threats, and to enable clients to conduct transactions with peace of mind, Nomura Group is working to strengthen its cyber security platform, using the Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc. of the Financial Services Agency, and the Cybersecurity Management Guidelines of the Ministry of Economy, Trade and Industry based on ISO27001 and ISO27002, as references.
Cyber Security System
Nomura Group, as a whole, has established a global organizational structure to deal with incidents stemming from cyber-attacks and to minimize potential damage. The Nomura Group Computer Security Incident Response Team (CSIRT), formed within Nomura Holdings, has spearheaded the formation of a CSIRT in Nomura Securities and other Group companies, and governs the CSIRT in each Group company. Each CSIRT works to protect its company's operational and information assets, as well as its systems, promoting cyber security measures from four vantage points: organizational management, system security measures, human-level response, and coordination with outside organizations.
| Vantage Point | Measures |
| --- | --- |
| Organization Management | At normal times, we take part in cyber security drills, conduct Threat-Led Penetration Tests, assess cyber risks and monitor actions taken by overseas subsidiaries and outside contractors in a constant effort to heighten our readiness. In the case of an incident, such as receiving information about a dangerous vulnerability or detecting a cyber-attack, the CSIRT leads the efforts to analyze the cause, minimize damage, and quickly restore systems. |
| System Security Measures | We adopt a multi-layered defense system, which includes multiple detection and defense mechanisms against unauthorized access and malicious programs such as computer viruses. We review these countermeasures as appropriate to deal with new threats. |
| Human-Level Response | In accordance with the Nomura Group Information Security Policy, relevant seminars and training programs are regularly provided to all executives and employees, who are kept alert in order to raise their awareness and knowledge of cyber security. |
| Cooperation With Outside Organizations | Nomura cooperates with information-sharing organizations such as Financial ISAC Japan and FS-ISAC, and with cyber security vendors, to gather and share information on cyber attackers and their approaches. |
Social and Environmental Risk Management
We believe that considering the social and environmental risks that may arise from various transactions is key to managing our reputational risk. As such, in executing our business operations, we focus on these risks in the same way we are careful about legal compliance. For example, for equity underwriting businesses, we review and confirm the issuer's awareness of any associated potential risks to society and the environment and that the issuer has taken appropriate steps to address such risks, including the disclosure of information about those risks. Impact on the environment and society as well as financial condition, operating results, and other aspects are included in the overall guidelines applied by relevant departments during the assessment process as vital items that must be confirmed when taking on underwriting deals.