Governance | Risk Management
Nomura Group promotes integrated risk management as part of the firm's management strategy to control various risks inherent in daily operations, secure capital soundness in any economic environment, achieve business plans, protect customers and comply with laws and regulations.
Fostering a sound risk culture is essential for Nomura Group to maintain its social credibility and sustain its business activities.
At Nomura Group, all employees, irrespective of their function or geographic location, must understand their specific responsibilities related to risk management, and actively work to manage risks.
Risk management policy
All executives and employees of Nomura Group, irrespective of their function, actively engage in risk management. Nomura Group aims to identify the risks that could lead to significant losses by categorizing the types of risks associated with its business activities, as well as the impacts of risks and their likelihood of occurrence. In principle, Nomura Group avoids risks that are difficult to identify and manage.
Nomura Group recognizes that there are risks that cannot be identified at present. As financial professionals, all executives and employees of Nomura Group must expand their knowledge of risks, and foster a corporate culture that appropriately recognizes, evaluates and manages risks.
Three lines of defense
First line of defense: Departments engaged in trading and sales
As a risk owner, the first line identifies, assesses, and manages risks arising in the course of daily operations in accordance with the Risk Appetite Statement, company policies, and procedures.
Second line of defense: Departments engaged in risk management
The second line is responsible for establishing the risk management framework and supporting the first line. The second line independently monitors risks and reports to senior management. As necessary, the second line controls the first line's risk-taking activities.
Third line of defense: Internal Audit Department
The third line examines the operations and governance of the first and second lines and advises on improvement.
Our business activities are exposed to various risks including market risk, credit risk, operational risk and liquidity risk. Properly managing these risks is one of management's top priorities.
It is important for us to maintain capital adequacy and achieve business plans under any type of economic environment, to protect our clients, and to comply with laws and regulations.
Nomura Group has defined the types and levels of risk (risk appetite) that the firm is to take, as documented in the Risk Appetite Statement.
Our Risk Appetite Statement is approved by the Executive Management Board, and risks are monitored daily against the risk appetite.
If by any chance risk levels exceed the risk appetite, senior management consults with those directly involved and takes actions to eliminate excessive risk as necessary.
Categories for which risk appetite is established
|Capital adequacy and liquidity||Nomura Group defines the level of capital adequacy and sound liquidity as risk appetite, taking into account the regulatory requirements, funding capacity, and business environment.|
|Financial risk||Nomura Group allocates financial resources to each business in order to achieve corporate strategies and business plans, while remaining within the bounds of the risk appetite for capital adequacy and liquidity. Nomura Group defines the types and levels of financial risks that each business takes within its allocated resources as financial risk appetite. In setting the financial risk appetite, Nomura Group classifies market and credit risks into segments according to the nature of business, and uses quantitative metrics or qualitative indicators as well as processes to capture these characteristics.|
|Non-financial risk||Non-financial risks exist in daily activities and processes, and can result in a financial loss or significant adverse impact on Nomura Group, our clients and financial markets. It is therefore everyone's responsibility to manage non-financial risks in line with Nomura Group's risk appetite.|
Nomura Group's major risk
Nomura Group's major financial risk
|Mark to market risk||Risk of incurring losses due to a change in the value of assets or liabilities resulting from movements in interest rates, currencies, and prices of stocks and other securities.|
|Market liquidity risk||Risk that trading costs will increase due to the time taken to close positions, or that trading will become unfeasible due to rapid changes in the market.|
|Default risk||Risk of incurring losses when a counterparty or issuer fails to meet its obligations.|
|Event risk||Risks inherent in specific financial transactions, such as losses from events caused by discontinuous changes in the market. Events may or may not result from fluctuations in financial markets.|
|Model risk||Nomura Group uses models for valuation of financial instruments, for measurement of key risks including Value at Risk and counterparty exposure, for estimating liquidity, and for asset price verification. Model uncertainty due to simplification, incorrect use of a model, or reduced model suitability in the current market environment can lead to financial losses and failure to satisfy regulatory requirements. This is called model risk.|
Non-financial risk includes Operational Risk and Reputational Risk.
Risk of financial loss or non-financial impact arising from inadequate or failed internal processes, people and systems, or from external events. Nomura Group's approach to operational risk management includes four core processes: operational risk event reporting, risk and control self-assessment (RCSA), monitoring using key risk indicators (KRI), and scenario analysis. Managed operational risks are divided into the 10 categories below.
|Compliance||Risk of financial loss or reputational damage due to violations of financial services laws, rules or regulations, and improper conduct which disrupts the integrity of the financial markets and causes unfair client treatment.|
|Legal||Risk of financial loss or reputational damage due to (i) ambiguity and/or insufficiency in contractual terms to secure Nomura's legal rights and/or enforceability of the contractual terms; (ii) failure to comply with applicable laws and regulations; and/or (iii) failure to adapt to changes in laws and regulations.|
|IT and Cyber Security||Risk of financial loss or reputational damage due to (i) poor performance or unavailability of IT systems; (ii) data corruption; and/or (iii) unauthorised or improper access to IT systems and data from within or outside the institution.|
|Business Resilience||Risk of financial loss or reputational damage due to inability to resume normal business operations during a business disruption event and damage to or unavailability of physical assets from natural disasters and other events.|
|Third-Party||Risk of financial loss or reputational damage due to failure of a third party to perform in line with expectations.|
|Financial Reporting & Tax||Risk of financial loss or reputational damage due to material misstatement or omission in the firm's (i) external financial reporting, regulatory reporting or internal financial management reporting; and/or (ii) external tax reporting or payments.|
|People||Risk of financial loss, staff impact or reputational damage due to acts inconsistent with employment or health and safety laws or employment norms and agreements.|
|Transaction Lifecycle||Risk of financial loss or reputational damage due to failures in transaction processing and/or process management.|
|Prudential Risk Frameworks||Risk of financial loss or reputational damage due to inadequate prudential risk management frameworks.|
|Fraud||Risk of financial loss or reputational damage due to intent to defraud, misappropriate property or conduct unauthorized activity by an internal or third party.|
The possible damage to Nomura's reputation and associated risk to earnings, capital or liquidity arising from any association, action or inaction which could be perceived by stakeholders to be inappropriate, unethical or inconsistent with Nomura Group's values and corporate philosophy. All personnel must consider the impact of their actions or inactions on Nomura's reputation and apply high standards to their behavior as set out in the Nomura Group Code of Conduct.
Risk Management Governance and Oversight
Risk management oversight is carried out by committees comprising members of senior management. The Global Integrated Risk Management Committee (GIRMC), for example, deliberates and decides on risk management issues material to the firm.
|Group Integrated Risk Management Committee (GIRMC)||
|Asset Liability Committee (ALCO)||Upon delegation from the EMB and the GIRMC, and based on Nomura's risk appetite determined by the GIRMC, the ALCO deliberates on balance sheet management, financial resource allocation, liquidity management and related matters.|
|Global Portfolio Committee (GPC)||Upon delegation from the GIRMC, the GPC deliberates on or determines all matters in relation to the management of a specific portfolio, for the purpose of achieving a risk profile consistent with the risk allocation and risk appetite of Nomura. The portfolio consists of businesses and products that fall within at least one of the three following categories: event financing, term financing and asset-based financing.|
|Global Transaction Committee (GTC)||Upon delegation from the GPC, the GTC deliberates on or determines individual transactions in line with Nomura's risk appetite determined by the GIRMC and thereby assures the sound and effective management of Nomura's businesses.|
|Collateral Steering Committee (CSC)||The CSC deliberates on or determines Nomura's collateral risk management, including concentrations, liquidity, collateral re-use, limits and stress tests, provides direction on Nomura's collateral strategy and ensures compliance with regulatory collateral requirements.|
|Global Risk Analytics Committee (GRAC) and Model Risk Analytics Committee (MRAC)||The GRAC and the MRAC deliberate on or determine matters concerning the development, management and strategy of risk models and valuation models, respectively. The primary responsibility of these committees is to govern and provide oversight of model management, including the approval of new models and significant model changes.|
Risk management activities
Based on the concept of the PDCA cycle (Plan, Do, Check and Action), all executives and employees of Nomura Group conduct risk management activities as three defensive lines or committees to ensure that the various risks inherent in daily operations do not exceed the level of risk appetite.
In order to realize Nomura Group's corporate philosophy, the Executive Management Board formulates business plans and establishes risk appetite taking into account the business environment and the state of management resources. These are reviewed annually or as needed.
Each business division carries out its business plans in accordance with the risk appetite and the Code of Conduct.
The first line of defense identifies, assesses and manages risks that may exceed the risk appetite, and the second line of defense advises, supports and checks the first line of defense through monitoring, analysis, stress testing and predictive management. The third line of defense examines and advises on these from an independent position.
Each business division works to improve risks that may exceed the risk appetite, and carries out activities based on the advice, support and checks received from the second line of defense.
Ensuring Financial Soundness and Transparency
Responding to Increasingly Sophisticated Financial Regulation
To respond to higher-level financial regulations under Basel III, Nomura Group has applied its own internal models for measuring general market risk, specific risk, incremental risk, and comprehensive risk with the aim of more accurately calculating increasingly complex and diverse risks. To measure the amounts corresponding to counterparty transactions, the Group applies the expected exposure method. These sophisticated risk measurement methods apply cutting-edge risk management methodologies and are supported by large-scale computer systems that process the vast volumes of data related to risk management on a daily basis. In addition, to comply with the strict regulatory governance requirements, Nomura's Model Validation Group, which is independent from the Risk Methodology Group responsible for risk model development, conducts periodic validations to ensure that the models are functioning properly.
Risk measurement data, which has been quantified in the exacting processes previously described, is used in computing the Group's capital adequacy ratio, thus ensuring a high degree of reliability and transparency regarding the soundness of Nomura Group's financial position.
Enhancing and Strengthening Risk Management Systems
Nomura Group is always working to further enhance and strengthen risk management systems from a full range of perspectives. To give a specific example, in addition to the credit risk management methods applied thus far to counterparties in derivative transactions, Nomura has introduced a "single name limit" approach that sets an overall limit on risks arising from issuers of bonds, equities, and other securities as well as on counterparties, while also identifying groups of bond issuers from a comprehensive perspective. In addition, Nomura is also structuring a system to identify and manage so-called "wrong way risk" which arises when there is a strong correlation between deterioration in the creditworthiness of a counterparty and the size of credit extended to that party.
Nomura Group conducts stress testing to address risks that may spread globally, and to identify risks that are difficult to recognize with statistical methods alone, as well as to prepare for unprecedented risk events. Stress testing uses stress scenarios to assess the impact on our business and financial soundness should those adverse events occur. These scenarios may include severe deterioration in the economic environment, geopolitical conflicts and natural disasters.
How Stress Testing Works
Case Scenario: Serious global financial crisis triggered by the failure of a major financial institution.
Impact on the market is estimated by referring to past cases; i.e., "flight to quality" causing stock prices to plunge, government bond yields to fall, the appreciation of the Japanese yen and depreciation of currencies from emerging economies in FX market. In order to increase the feasibility of the scenario, the latest market environment is reflected.
Based on the assumption that the case scenario has just occurred, the amount of potential losses from trading activities, unrealized losses on investment securities, significant decline in profits due to the loss of business opportunities, and losses caused by counterparty defaults are calculated.
Examine whether the minimum capital adequacy ratio is maintained under the stressed conditions; also consider the level of capital buffers that needs to be maintained in normal times.
Risk Management in New Businesses Transactions
Nomura Group has established a strict approval process for new products and new individual transactions. Decisions on whether to provide these new products and individual transactions are made after a review that covers all perspectives, including reputational risk, legal risk, accounting risk, and financial risk.
Moreover, to increase the effectiveness of internal controls, including the risk management systems, the Internal Audit Department, which is independent from business lines, conducts audits and makes assessments and then makes recommendations and proposals.
Nomura Group regards natural disasters such as earthquakes and typhoons, manmade disasters such as fires and terrorism, infectious diseases like coronavirus, system failures, and information asset leaks as the key types of crises that must be prepared for. To prepare for such crises, we have established a global business continuity framework and work on a wide range of measures, including educating our people about our disaster response measures.
Business continuity structure
The Group Crisis Management Committee is tasked with preparing for crises, and under the committee's leadership the Group has been continually strengthening the crisis management program and the business continuity framework both in Japan and overseas. The Group Crisis Management Committee is chaired by a senior officer appointed by the Group CEO, and comprises senior officers from Group companies. Resolutions passed by the committee are reported to the Executive Management Board. In the event of a major disaster, the committee functions as the Command Center to lead the Group's response.
As a specific example of this business continuity framework, a system has been put in place so that operations can be continued at backup offices in the event that key offices are rendered unusable due to an earthquake or other disaster. We also have a remote backup data center that protects critical data and applications in the event of a data center failure. Furthermore, we have bolstered our infrastructure, which includes power generators, so that in the event of a power outage affecting a wide area, such as one caused by a powerful earthquake directly beneath the Tokyo metropolitan area, we can continue our critical functions to avoid systemic risk and to protect our clients from being impacted.
Similar infrastructure has also been put in place at our key overseas offices.
In response to the coronavirus pandemic, and in accordance with Group guidelines, we worked to prevent the spread of the virus before significant outbreaks occurred in Japan and overseas by restricting travel and other activities that could accelerate its spread. When the Japanese government declared a state of emergency we temporarily suspended business operations at domestic branches. We have also enhanced the remote work capability and established a work system that has allowed us to both continue our business operations and prevent the spread of coronavirus. At our key overseas offices, we have ensured business continuity through remote work.
In Japan, the Crisis Management Committee Office regularly conducts employee safety confirmation drills, disaster prevention drills, and business continuity drills to ensure that we are able to respond quickly should a crisis occur. At overseas offices, these exercises are carried out by the Business Continuity Management Team in each location. Through these and other efforts, we aim to become more proficient at handling crises and strengthen our systems for managing them.
Business continuity initiatives
- 1. Strengthen the business continuity framework
  - Maintain/enhance backup offices / Secure emergency response personnel / Maintain/enhance emergency communication equipment / Enhance telework environment
- 2. Periodic drills and training
  - Employee safety confirmation drills / Drills based on business continuity plan (BCP) / Initial response training and drills simulating earthquake with epicenter directly under Tokyo or other massive earthquake / Nankai Trough earthquake response training at branch offices
- 3. Strengthen collaboration between Group companies in Japan and overseas
  - Enhance information-sharing with Group companies in Japan / Enhance information-sharing framework with overseas Group companies
- 4. Business Continuity Plan
  - Review and revise the Business Continuity Plan for the scenarios of a massive natural disaster or a massive system failure
Cyber security measures
Nomura Group has for some time been undertaking security measures to protect systems against cyber-attacks. However, in light of the increasingly serious cyber security threats throughout the world, we recognize that our current countermeasures may not be sufficient in the future. In addition, in the financial sector, digitalization is proceeding at an accelerating pace. The connection of all financial systems to networks may increase the cyber security risk. In order to ensure that clients' information and assets are securely protected from these increasingly challenging cyber security threats, and to enable clients to conduct transactions with peace of mind, Nomura Group is working to strengthen its cyber security platform, using the Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc. of the Financial Services Agency, and the Cybersecurity Management Guidelines of the Ministry of Economy, Trade and Industry based on ISO27001 and ISO27002, as references.
Cyber security system
Nomura Group, as a whole, has established a global organizational structure to deal with incidents stemming from cyber-attacks and to minimize potential damage. The Nomura Group Computer Security Incident Response Team (CSIRT), formed within Nomura Holdings, has spearheaded the formation of a CSIRT in Nomura Securities and other Group companies, and governs the CSIRT in each Group company. Each CSIRT works to protect its company's operational and information assets, as well as systems, promoting cyber security measures from four vantage points: organizational management, system security measures, human-level response, and coordination with outside organizations.
|Organization management||At normal times, we take part in cyber security drills, conduct Threat-Led Penetration Tests, assess cyber risks and monitor actions taken by overseas subsidiaries and outside contractors in a constant effort to heighten our readiness. In the case of an incident such as obtaining dangerous vulnerability information or detecting a cyber-attack, the CSIRT leads the efforts to analyze the cause, minimize damage, and quickly restore systems.|
|System security measures||We adopt a multi-layered defense system, which includes multiple detection and defense mechanisms against unauthorized access and malicious programs such as computer viruses. We review these countermeasures as appropriate to deal with new threats.|
|Human-level response||In accordance with the Nomura Group Information Security Policy, relevant seminars and training programs are regularly provided to all executives and employees and they are kept alert in order to raise their awareness and knowledge about cyber security.|
|Cooperation with outside organizations||Nomura is cooperating with information sharing organizations such as Financial ISAC Japan and FS-ISAC and cyber security vendors to gather and share information on the cyber attackers and their approaches.|
Social and Environmental Risk Management
We believe that considering the social and environmental risks that may arise from various transactions is key to managing our reputational risk. As such, in executing our business operations, we focus on these risks in the same way we are careful about legal compliance. For example, for equity underwriting businesses, we review and confirm the issuer's awareness of any associated potential risks to society and the environment and that the issuer has taken appropriate steps to address such risks, including the disclosure of information about those risks. Impact on the environment and society as well as financial condition, operating results, and other aspects are included in the overall guidelines applied by relevant departments during the assessment process as vital items that must be confirmed when taking on underwriting deals.