Risk Management
Managing risks appropriately: Each employee of Nomura Group is a stakeholder in risk management, correctly understands risks and thinks about the best way to manage risks at any given time. This is what we believe it means to be "Managing risks appropriately," as management and each department work together towards common goals, providing high-quality services to customers and enhancing the corporate value of Nomura Group.
Nomura Group requires all staff, regardless of their positions, to proactively engage in risk management. The risk management activities in Nomura Group are based on the following principles.
- Establish and operate a robust governance system through risk management committees, appropriate organizational structures, and management systems based on Three Lines of Defense.
- Identify and evaluate risks and classify them into risk categories based on their characteristics. Establish appropriate risk management approaches and control frameworks.
- Develop and operate a framework for monitoring and reporting to manage risks appropriately within risk appetite.
- Develop policies and procedures on risk management and establish and operate an effective risk management framework.
Risk Management (Outline of Organizational Structure)
Nomura has established a committee structure to facilitate effective business operations and management of Nomura's risks. The formal governance structure for risk management within Nomura is as follows:

Management System Based on Three Lines of Defense
Nomura engages in risk management through the Three Lines of Defense framework.

First Line of Defense
All executives and employees of the front office for Financial Risk and all executives and employees for Non-Financial Risk are primarily responsible for risk management, assume the consequences associated with business execution, and provide evidence and justify that the risk arising from their business activities is in line with risk appetite.
Second Line of Defense
The department responsible for risk management supports and monitors management activities on the First Line of Defense and reports to the boards and the senior management. In addition, the Second Line independently evaluates risk management governance established by the First Line.
Third Line of Defense
The Internal Audit function examines and evaluates the risk management from an independent standpoint, provides advice for improvement, and reports the examination and evaluation to the Audit Committee.
Risk Appetite Statement
To promote integrated risk management, Nomura Group defines the types and levels of risks that are acceptable to achieve management strategies and business plans, taking into account constraints from regulatory capital, liquidity, business conditions and other factors, as Risk Appetite. The Risk Appetite Statement, which documents that definition, is reviewed at least annually and is subject to the approval of the Executive Management Board and the consent of the Board Risk Committee.
Risk Appetite is managed using various metrics. Nomura Group and all of its staff are responsible for conducting business in compliance with the Risk Appetite.
Financial Risk
Nomura categorizes and defines Financial Risk as market risk, credit risk and model risk, and has established departments or units to manage each risk type. The Chief Risk Officer (CRO), upon delegation from the Board of Directors or the Executive Management Board, is responsible for the risk management framework for financial risks as the Second Line of Defense.
Market Risk
Risk of loss arising from fluctuations in values of financial assets or debts (including off-balance sheet items) due to fluctuations in market risk factors (interest rates, foreign exchange rates, prices of securities and others).
Credit Risk
Risk of loss arising from an obligor's default, insolvency or administrative proceeding which results in the obligor's failure to meet its contractual obligations in accordance with agreed terms. It is also the risk of loss arising through a credit valuation adjustment (the "CVA") associated with deterioration in the creditworthiness of a counterparty.
Model Risk
Risk of financial loss, incorrect decision making, or damage to the firm's credibility arising from model errors or incorrect or inappropriate model application.
Non-Financial Risk
Nomura categorizes and defines Non-Financial Risk as operational risk and reputational risk and has established departments or units to manage each risk type. The CRO undertakes a role of assessing the non-financial risk management framework that second-line corporate functions create and ensuring the adequacy of the framework by providing challenge to the corporate functions, such as giving instructions on necessary actions to enhance the framework.
Operational Risk
Risk of financial loss or non-financial impact arising from inadequate or failed internal processes, people and systems, or from external events. Operational risk includes in its definition Compliance, Legal, IT and Information Security, Fraud, Third Party and other non-financial risks.
Operational Risk Taxonomy
Risk Category | Definition |
---|---|
Compliance | Risk of financial loss or reputational damage due to violations of financial services laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to Nomura's financial services activities (together "financial services laws, rules and standards"); and improper conduct which disrupts the integrity of the financial markets and causes unfair client treatment. |
Legal | Risk of financial loss or reputational damage due to (i) Nomura's breach of contractual obligations, or infringements of the rights of a third party; (ii) ambiguity and/or insufficiency in contractual terms to secure Nomura's legal rights or enforceability of contractual terms; (iii) violation of laws and regulations applicable to Nomura; and/or (iv) improper management of litigation or other contentious matters. |
Information Technology (IT) and Information Security (IS) | Risk of adverse financial, regulatory, customer or reputational impact to Nomura resulting from inadequate or failed Information Technology (IT) and Information Security (IS) processes and systems. |
Business Continuity (Business Resilience) | Risk of financial loss or reputational damage due to inability to resume normal business operations during a business disruption event and damage to or unavailability of physical assets from natural disasters and other events. |
Third Party | Risk of financial loss or reputational damage due to inadequate framework to properly manage third parties while outsourcing important business services or critical operations or relying on services provided by third parties. |
Financial Reporting & Tax | Risk of financial loss or reputational damage due to material misstatement or omission in the firm's (i) external financial reporting, regulatory reporting or internal financial management reporting; and/or (ii) external tax reporting or payments. |
Transaction Lifecycle | Risk of financial loss or reputational damage due to failures over the lifecycle of a transaction. |
People | Risk of financial loss, staff impact or reputational damage due to acts inconsistent with employment or health and safety laws or employment norms and agreements. |
Prudential Risk Frameworks | Risk of financial loss or reputational damage due to inadequate prudential risk frameworks or non-compliance with prudential regulatory requirements. |
Fraud | Risk of financial loss or reputational damage due to intent to defraud, misappropriate property or conduct unauthorized activity by an internal or third party. |
Reputational Risk
Possible damage to Nomura's reputation and associated risk to earnings, capital or liquidity arising from any association, action or inaction which could be perceived by stakeholders to be inappropriate, unethical or inconsistent with Nomura Group's values and corporate philosophy.
Framework of Risk Management
In financial risk management, risks are quantified based on past market data and counterparty credit data, and appropriate limits are set to ensure that we do not exceed our Risk Appetite. In addition, we perform concentration risk management to prevent excessive concentration on a single risk or exposure. Furthermore, for risks that cannot be fully captured by past data quantification, we conduct stress tests based on potential future scenarios to prevent exceeding Risk Appetite under even more conservative risk estimations.
In Non-Financial Risk, such as operational risk, we evaluate the impact and likelihood of risks, as well as the effectiveness of controls, and we design countermeasures based on the results.
These basic frameworks are defined in internal policies, etc., and the detailed roles and responsibilities of staff are clarified in documents such as procedures.
Risk Culture
Nomura Group recognizes Risk Culture as an essential foundation and source of competitiveness for maintaining and developing business. Risk management may require specialized knowledge and analysis, but the most important aspect is not just creating analytical methods and management frameworks, but also ensuring that every employee in the Nomura Group has the correct mindset towards risk and takes appropriate actions when they face risk. We have distilled this into three key words, which are "Challenge," "Escalate," and "Respect," and positioned them as pillars that support Nomura Group's Risk Culture, that is, the mindset and behavior necessary for our employees to manage risk appropriately.
