Governance | Risk Management

Nomura Group implements processes to properly identify the possibility of potential losses arising from various operations and transactions, and seeks to establish a framework for assessing all risks and enforcing appropriate controls.

Risk culture

Fostering a sound risk culture is essential for Nomura Group to maintain its social credibility and sustain its business activities.

At Nomura Group, all employees, irrespective of their function or geographic location, must understand their specific responsibilities related to risk management, and actively work to manage risks. We aim to embed this risk culture throughout the firm through various training courses, a as well as company rules and regulations.

Risk management policy

Our business activities are exposed to various risks including market risk, credit risk, operational risk and liquidity risk. Properly managing these risks is one of management's top priorities.

It is important for us to maintain capital adequacy and achieve business plans under any type of economic environment, to protect our clients, and to comply with laws and regulations.

Nomura Group has defined the types and maximum levels of risk that the firm is willing to take, as documented in the Risk Appetite Statement.

Our Risk Appetite Statement and risk appetite are approved by the Executive Management Board, and the risk is monitored daily against a set of risk appetite. If by any chance risk amount exceed risk appetite, the senior management consults with stakeholders and takes actions to solve such excess.

Key risk types

Risks taken by Nomura Group differ by divisions or businesses. We have established a risk management framework based on risk profiles. Nomura Group has adopted a multi-faceted risk evaluation process to avoid risks that may be damaging to our reputation.

Image: Key risk types

Selective risk taking

Market risk Risk of loss in the value of financial assets and liabilities, as a result of market move in risk factors including interest rates, foreign exchange, and price of securities.
Credit risk Risk of suffering losses when a borrower is unable to make payment and fail to meet a contractual obligation.

Unavoidable risks

Operational risk Risk of suffering losses due to internal administrative processes, people, or systems being either inappropriate or not functioning properly.
Model risk Risk of loss arising from model errors, incorrect or inappropriate model application with regard to valuation models and risk models.
Liquidity risk Risk of losses arising from a potential lack of access to funds or higher cost of funding than normal levels due to deterioration in Nomura's creditworthiness or deterioration in market conditions.

Risks that must not be taken

Compliance risk Risk that can lead to administrative punishment, economic losses, and reputational damage when Nomura executives or employees violate laws and regulations. Compliance risk also includes risk of losses caused by violating Nomura Group's Code of Ethics and other internal policies and guidelines, including harassment.

Risk management approach at Nomura Group

Setting risk appetite and guidelines for:

Capital adequacy and balance sheet measures to comply with capital regulations imposed on financial institutions and to maintain a strong financial base in continuing to conduct businesses under various economic conditions.
Liquidity risk to maintain sufficient liquidity to survive a severe liquidity situation and to comply with regulatory requirements.
Market risk and credit risk to manage market risk and credit risk within wholesale businesses.
Operational risk to understand and mitigate the impact and likelihood of operational risk events assumed in the course of conducting business.
Compliance risk to promote proper understanding and compliance with the letter and spirit of all applicable laws, rules and regulations and avoid misconduct.

Risk Management Systems

Risk management oversight is carried out by the committees comprising members of senior management. The Group Integrated Risk Management Committee* (GIRMC) and the Global Risk Management Committee (GRMC), for example, deliberate and decide on risk management issues material to the firm.

Risk Management Structure

Image: risk management structure

The Group Integrated Risk Management Committee is chaired by the Group CEO and comprised of Vice Chairman, Deputy President, the Group Co-COO, business division CEOs, the Chief Risk Officer, the Chief Financial Officer, the Chief Legal Officer, the Co-CRO, and other members appointed by the chairman.

The three lines of defense in risk management

Nomura Group has adopted the following layered structure on the grounds that all employees are accountable for proactively managing risk.

Image: The three lines of defense in risk management

First line of defense Departments engaged in trading and sales

As the first line of defense, departments engaged in sales and trading manage the risks associated with their own business activities.
For example, trading departments do business within predetermined risk limits, and proactively identify and address any issues they find.

Second line of defense Departments engaged in risk management

Departments engaged in risk management establish frameworks to manage each type of risk, and support risk management measures taken by the First Line of Defense, such as sales and trading departments.
Second line of defense independently monitor risks, and keep trading and sales departments in check as needed.

Third line of defense Internal Audit

Internal Audit reviews and provides consulting from an independent, objective position, with the aim of adding value by improving the organization's operations and frameworks, including risk management.

Ensuring Financial Soundness and Transparency

Responding to Increasingly Sophisticated Financial Regulation

To respond to higher-level financial regulations under Basel III, Nomura Group has applied its own internal models for measuring general market risk, specific risk, incremental risk, and comprehensive risk with the aim of more accurately calculating increasingly complex and diverse risks. To measure the amounts corresponding to counterparty transactions, the Group applies the expected exposure method. These sophisticated risk measurement methods apply cutting-edge risk management methodologies and are supported by large-scale computer systems that process the vast volumes of data related to risk management on a daily basis. In addition, in order for Nomura to be in compliance with the strict regulatory governance requirements, independently from the Risk Methodology Group, which is responsible for risk model development, Nomura's Model Validation Group conducts periodic validations to ensure that the models are functioning properly.

Risk measurement data, which has been quantified in the exacting processes previously described, is used in computing the Group's capital adequacy ratio, thus ensuring a high degree of reliability and transparency regarding the soundness of Nomura Group's financial position.

Annual Report (June 25, 2018) (PDF 1,413KB)

Enhancing and Strengthening Risk Management Systems

Nomura Group is always working to further enhance and strengthen risk management systems from a full range of perspectives. To give a specific example, in addition to the credit risk management methods applied thus far to counterparties in derivative transactions, Nomura has introduced a "single name limit" approach that sets an overall limit on risks arising from issuers of bonds, equities, and other securities as well as on counterparties, while also identifying groups of bond issuers from a comprehensive perspective. In addition, Nomura is also structuring a system to identify and manage so-called "wrong way risk" which arises when there is a strong correlation between deterioration in the creditworthiness of a counterparty and the size of credit extended to that party.

Stress Tests

Nomura Group periodically conducts stress tests to calculate the size of losses and the volume of risk that may emerge for the Group as a whole under assumptions of extremely difficult economic conditions. The results of these stress tests are reported to the Group Integrated Risk Management Committee. In these tests covering the Group as a whole, risks that cannot be fully calculated by the most-sophisticated and precise risk models are taken into account, and the results are a substantially better measure of the sufficiency of the Group's capital for maintaining financial soundness.

In addition, among inherent risks of businesses and transactions at the detailed business and trading desk level, there may be risks that are difficult to ascertain with existing risk models. Therefore, stress scenarios are developed to focus on and capture these risks and determine the size of potential losses under these various scenarios. As a result of conducting these tests based on stress scenarios, Nomura is able to supplement information developed by risk models and obtain valuable information on the impact on its income of specific stress scenarios.

Image: Examples of stress scenarios

Risk Management in New Businesses Transactions

Nomura Group has established a strict approval process for new products and new individual transactions. Decisions on whether to provide these new products and individual transactions are made after a review that covers all perspectives, including reputational risk, legal risk, accounting risk, and financial risk.

Internal Controls

Moreover, to increase the effectiveness of internal controls, including the risk management systems, the Internal Audit Department, which is independent from business lines, conducts audits and makes assessments and then makes recommendations and proposals.

Annual Report (June 25, 2018) (PDF 1,413KB)

Cyber security measures

Nomura Group has for some time been undertaking security measures to protect systems against cyber-attacks. However, in light of the increasingly serious cyber security threats throughout the world, we recognize that our current countermeasures may not be sufficient in the future.

In order to ensure that clients' information and assets are securely protected from these increasingly challenging cyber security threats, and to enable clients to conduct transactions with peace of mind, Nomura Group is working to strengthen its cyber security platform, using the Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc of the Financial Services Agency, the Cybersecurity Management Guidelines of the Ministry of Economy, Trade and Industry based on ISO27001 and ISO27002 as a reference.

Cyber security system

Nomura Group, as a whole, has established a global organizational structure to deal with incidents stemming from cyber-attacks and to minimize potential damage. The Nomura Group Computer Security Incident Response Team (CSIRT), formed within Nomura Holdings, has spearheaded the formation of a CSIRT in Nomura Securities and other Group companies, and governs the CSIRT in each Group company. Each CSIRT works to protect its company's operational and information assets, as well as systems, promoting cyber security measures from four factors: organizational management, system security measures, human-level response, and coordination with outside organizations.

Organization management We continuously strive to enhance our cyber security platform at "normal times" by taking measures such as participating in drills to protect against cyber-attacks, by having the effectiveness of our measures evaluated by outside cyber security experts, and by knowing the status of measures taken by outside vendors. In the case of an incident such as dangerous, vulnerability information or detection of a cyber-attack, the CSIRT leads the efforts to analyze the cause, minimize damage, and quickly restore systems.
System security measures We adopt a multi-layered defense system, which includes multiple detection and defense mechanisms against unauthorized access and malicious programs such as computer viruses. We review these countermeasures as appropriate to deal with new threats.
Human-level response Based on the Nomura Group Information Security Policy, relevant seminars and training programs are regularly provided to all executives and employees in order to raise their awareness and knowledge.
Cooperation with outside organizations Nomura Group has established information collection and sharing systems related to cyber-attackers and attack methods, through information sharing organizations such as Financials ISAC Japan and Nippon CSIRT Association, as well as FS-ISAC (U.S.) and other overseas organizations.

Missions of business continuity

The impacts of earthquakes, typhoons, and other natural disasters as well as the threats of terrorism and other malicious acts are increasing in Japan and around the world. In light of this situation, Nomura Group has established a global business continuity management structure and is continuously enhancing its program through implementations of numerous measures and awareness programs.

Business continuity structure

Nomura Group has established the Crisis Management Committee, which is comprised of officers responsible for crisis management from Group companies worldwide, to prepare for major natural and manmade disasters. With this committee in place, we have developed a business continuity and crisis management structure to cover aforementioned disasters globally.

Should a major office be rendered unable to continue its operations due to disasters, we have set up backup offices allowing us to continue our operations from these alternate locations. Similarly, we have built redundancy into our datacenters so that, in the event of a datacenter outage, critical data and applications will be protected in a backup datacenter located in a different location. Additionally, we have reinforced our infrastructures, for example, such as installing the power generators. Accordingly, these infrastructures can be used in the event of a single building failure or a wide area disaster, such as a Tokyo Inland Earthquake, to avoid systemic risks and continue or quickly recover high-priority operations that are crucial to the lives of our clients. Similar measures and infrastructure have also been placed at our major overseas offices.

The Office of Crisis Management Committee regularly conducts employee safety confirmation drills, disaster prevention drills, and business continuity drills in Japan to ensure that we are able to respond immediately during the crisis situation. For overseas offices, these activities are carried out by the Business Continuity Management Team. Through these efforts, we are working to foster greater awareness of crisis management and strengthen our ability to respond to emergencies. These structures and measures are stipulated in Nomura Group Crisis Management Regulations.

Activities of crisis and business continuity management

1Strengthening structure for business continuity
  • Establishment and reinforcement of backup offices
  • Establishment of datacenter redundancy
  • Identification of critical resources
  • Enhancement of emergency communication equipment
2Drills and training
  • Emergency Command Center activation drills
  • Employee safety confirmation drills
  • Drills based on business continuity plan
  • Initial response drills simulating Tokyo Inland Earthquake
  • Nankai Trough earthquake response training at branch offices
3Strengthening collaboration between Group companies in Japan and overseas
  • Enhancing information sharing between domestic Group companies
  • Enhancing information sharing among overseas Group companies
4Enhancing business continuity plan
  • Review and revision of business continuity plan
  • Review and revision of business continuity plan for datacenter outage scenario
  • Review and revision of business continuity plan for Tokyo Inland Earthquake scenario
5Others
  • Stockpiling of water, food, and other emergency supplies at headquarters, branch offices, and backup offices

Social and Environmental Risk Management

We believe that considering the social and environmental risks that may arise from various transactions is key to managing our reputational risk. As such, in executing our business operations, we focus on these risks in the same way we are careful about legal compliance. For example, for equity underwriting businesses, we review and confirm the issuer's awareness of any associated potential risks to society and the environment and that the issuer has taken appropriate steps to address such risks, including the disclosure of information about those risks. Impact on the environment and society as well as financial condition, operating results, and other aspects are included in the overall guidelines applied by relevant departments during the assessment process as vital items that must be confirmed when taking on underwriting deals.

Assessment process

Image: Assessment process
Connecting Markets East & West