
Risk Management

Basic Stance

We place a high priority on risk management and are taking steps to refine our sophisticated framework for risk management, including the identification and control of the risks associated with our operational activities.
Our basic policy is to appropriately manage risks in view of our management strategies and risk characteristics and most effectively utilize our capital. By doing so, we are able to increase enterprise value while maintaining sound finances and appropriate operations.

Risk Categories and Definitions

We define our risks and classify them into the following categories, and manage these risks based on the unique characteristics of each type of risk.

| Risk Category | Risk Definition |
| --- | --- |
| Market risk | Market risk is the risk of loss resulting from changes in the value of assets and liabilities (including off-balance sheet assets and liabilities) due to fluctuations in risk factors such as interest rates, foreign exchange rates and stock prices and the risk of loss resulting from changes in earnings generated from assets and liabilities. |
| Market liquidity risk | Market liquidity risk is the risk that a financial institution will incur losses because it is unable to conduct market transactions or is forced to conduct transactions at far more unfavorable prices than under normal conditions due to a market crisis and the like. |
| Funding liquidity risk | Funding liquidity risk is the risk that a financial institution will incur losses because it finds it difficult to secure the necessary funds or is forced to obtain funds at far higher interest rates than under normal conditions due to a mismatch between the maturities of assets and liabilities or an unexpected outflow of funds. |
| Credit risk | Credit risk is the risk that a financial institution will incur losses from the decline or elimination of the value of assets (including off-balance sheet assets) due to deterioration in the financial condition of an entity to which credit is provided. |
| Operational risk | Operational risk is the risk of loss resulting from inadequate operation processes, inadequate activities by officers and employees and inadequate systems or from external events. |

Risk Management System

The Bank has identified certain risk categories outlined in the table below. Various entities have been established to manage each risk category. In addition, we have put in place the Risk Management Department, which is responsible for monitoring each risk category in an integrated manner in order to ensure the effectiveness of our comprehensive risk management. The Risk Management Department operates independently from other departments.
We have established special advisory committees to the Executive Committee to handle risk management responsibilities: the Risk Management Committee and the ALM Committee. These advisory committees submit risk management reports based on risk characteristics and hold discussions about risk management policies and systems.
Meanwhile, officers in charge of the Risk Management sections also report on such matters as the status of risk management to the Board of Directors, the Audit Committee and the Risk Committee on a periodic and as-needed basis.
Prior to launching new products, services, or businesses, we assess potential risks and select appropriate methods to measure risks.

Risk Management System (As of July 1, 2022)


Integrated Risk Management

We broadly classify and define risks into five categories and manage risk by using both quantitative and qualitative approaches.
In our quantitative approach, we have introduced integrated risk management that quantifies and controls risk. Specifically, we establish in advance a total amount of equity capital that is available to take on risk, or risk capital. Risk capital is then allocated to each business (allocation of risk capital) in accordance with the type of expected risk and nature of the business activities. To quantify market risk and credit risk and control risk exposure, we use value at risk (“VaR”) techniques. VaR is a statistical method used to compute the maximum expected loss based on assets and liabilities held at given probabilities and for given periods of time.
In addition, we perform stress tests based on multiple stress scenarios that assume deterioration in macroeconomic conditions to assess the impact on our financial condition and capital adequacy ratio, for the purpose of verifying the appropriateness of business plans from the forward-looking standpoint of business sustainability.

Figure: Performing Stress Tests (flow overview)

In our qualitative approach, which is used in conjunction with the quantitative methodology, we assess the nature of the risks. For instance, for operational risk we have established a plan, do, check, action (“PDCA”) cycle that recognizes, evaluates, manages, and mitigates risk across our business activities.
Subject to the total amount of allocated capital approved by the Board of Directors, the allocation of risk capital is determined by the President and Representative Executive Officer following discussions in the ALM Committee and the Executive Committee.

Risk Appetite Framework

The Bank introduced a Risk Appetite Framework (RAF)*1 to ensure profitability over the medium to long term and financial soundness. Based on the RAF, risk appetite policies and indicators as well as top risks are discussed in conjunction with the formulation of management plans.

*1: A business management framework used as common language between banks pertaining to all aspects of risk-taking policies, including the capital distribution and profit maximization of risk appetites (the type and total quantity of risks a company should willingly take on to fulfil its business plans after taking into account the unique aspects of the company’s own business model).

Risk Appetite Framework Management Process


Selection of Top Risks

Within the RAF framework, Japan Post Bank selects the top risks that we recognize as potentially having a particularly significant impact on our business, performance, and financial position. These risks are selected following deliberation by the Board of Directors and Executive Committee and in consideration of their degree of impact and probability.
Moreover, we reflect the actions we take against the selected risks in our management plans and take additional action as necessary following regular checks of the control status.

Top risks and measures

Top risk Main measures
Market/Credit/Liquidity risk, etc., Stronger financial regulations
  • Developing a stress-resistant portfolio
  • Sophistication of stress testing
  • Improve specialized human resources in investing and risk management
  • Improve internal control systems from the standpoint of being an internationally active bank
Cyber attacks
  • Implement and establish cyber-security action plans, and continue measures against phishing fraud, etc.
System disruptions
  • Internal verifications of examples from other companies
  • Implementation of contingency plan training
  • Promote steady responses to renewals of core systems
Major disasters, pandemics
  • Develop emergency response plans
  • Establish remote environments
Delayed response to DX, etc.
  • Steady advancement of DX as set forth in the Medium-term Management Plan
Incidence of legal violations
  • Ensure thorough measures to prevent recurrence of scandals and to prevent leaks and losses of personal information, based on past incidents
Insufficient customer-oriented business operations
  • Quality controls for customer-oriented business operations
  • Improve second-line*2 functions, deeper discussions in Special Committees, double tracking of information transmission, etc.
Money laundering/Terrorist financing
  • Systematic advancement of various responsive measures that are in accordance with guidelines put out by relevant authorities
Inhibited execution of strategies due to personnel shortages
  • Continuous hiring of professional personnel, etc.
  • Training of personnel based on training programs
Climate change risks, etc.
  • Advanced measures corresponding to changes in the outside environment, implemented monitoring, and provided disclosures as appropriate based on the basic sustainability policy

*2: Management divisions such as the Risk Management and Compliance Division, etc.

Response to Cybersecurity*3

In addition to our banking-related systems, the communication network systems we use for the performance of business operations play a vital role in our business. While transactions using the internet and smartphones have increased with the remarkable development of digital technology in recent years, the advance in sophistication and skill in methods of cyberattacks has brought increasing risk to financial institutions.
As a result of this, the Bank regards the risk of cyberattacks as one of the top risks in management and works to continuously improve cybersecurity through management leadership.

To reduce cyber risks, the Bank has put in place a dedicated department for cybersecurity and assigned a CISO (Chief Information Security Officer). It has also appointed personnel with expertise, and it is collaborating with external specialized organizations to analyze and respond to new methods of attack, while maintaining defense in depth and detection measures.
To provide safer and more secure services to our customers, we will continue to advance improvements in our cybersecurity system.

*3: To make sure that no problems arise, including the leakage of or tampering with electronic data, or failure of IT and control systems to perform their expected functions.

Outline of the Initiative

・The Bank works to strengthen its cybersecurity system in accordance with third party assessments and recommendations based on the FFIEC-CAT,*4 which is used internationally as a tool to evaluate the cyber threat management systems of financial institutions.

*4: A tool designed by the Federal Financial Institutions Examination Council (FFIEC) to assess the maturity of cybersecurity in financial institutions.

FFIEC-CAT evaluations

  1. Cyber Risk Management and Oversight (governance, risk management, resources, training and culture)
  2. Threat Intelligence and Collaboration (threat intelligence, monitoring and analyzing, information sharing)
  3. Cybersecurity Controls (preventative controls, detective controls, corrective controls)
  4. External Dependency Management (connections, relationship management)
  5. Cyber Incident Management and Resilience (incident resilience planning and strategy, detection, response, and mitigation, escalation and reporting)

・In an effort to enhance our expertise, we assign cybersecurity talent, systematically organize the required skills, and promote human resource development in a planned manner in accordance with the duties and skills of those in charge, to implement our plan "strengthening the management base to become a more trusted bank".
In addition, each and every employee, including management, is actively cultivating cybersecurity awareness and acquiring the fundamental knowledge, etc. required to implement controls.

JAPAN POST GROUP Executive Declaration on Cybersecurity

The Japan Post Group recognizes that cybersecurity measures are a priority issue in management and has formulated the JAPAN POST GROUP Executive Declaration on Cybersecurity.

Group Cyber Security System

Under governance of the holding company Japan Post Holdings, we have been developing a cybersecurity management system for the Japan Post Group.

Cyber Security Measures (PDF/109KB)

Strengthening Security for Yucho Direct

We are strengthening the security of Yucho Direct as a measure to protect our customers’ important savings from illegal transactions.