Basic Policy on Risk Management

In order to ensure sound management, secure revenue through risk taking based on management strategies, and achieve sustainable growth, the Group follows a basic policy of accurately assessing risk conditions and implementing necessary risk-related measures through a series of risk management activities, including risk identification, evaluation, monitoring, control and mitigation, validation for advancement, and review, based on the Group's management policy and basic policy on the internal control system.

The Group's risk management framework encompasses the Risk Appetite Framework, and integrates it to function organically within the Group.

The Group's Risk Characteristics

Based on a fiduciary spirit, and leveraging its significant expertise and comprehensive capabilities, the Group, as a financial group specialized in trust banking, strives to create distinct value through a total solution business model that combines its banking, asset management and administration, real estate businesses and others.

The Group faces various risks, including credit risk, market risk, funding liquidity risk, and operational risk, which vary depending on the business characteristics of each of the Group's businesses.

As a basis for improving management of risks related to trust business operations, we have established Group-wide Trust Business Guidelines to provide information about basic matters that warrant caution. SuMi TRUST Bank primarily manages these risks in the operational risk category, particularly in terms of its duty of due care as a prudent manager, duty of loyalty, and duty to segregate property as a trustee.

Reporting is regularly performed regarding whether the overall risk of the Group, combining the risks of each business, is within the limits of risk capacity (soundness and liquidity) that have been determined by the Board of Directors.

Risk Definition

Risk Category: Definition

Credit Risk: Risk that the Group may incur losses due to a decrease or impairment of the value of assets (including off-balance sheet assets), for reasons such as deterioration of the financial condition of obligors. In this regard, "country risk" in particular refers to the risk that the Group may incur losses on credit provided overseas, due to the foreign exchange, political, or economic conditions in the countries where our clients operate.

Market Risk: Risk that the Group may incur losses due to fluctuations in the value of assets/liabilities (including off-balance sheet assets/liabilities), or in the earnings generated from assets/liabilities, due to fluctuations in various market risk factors, such as interest rates, foreign exchange rates, stocks, commodities, and credit spreads. In this regard, "market liquidity risk" in particular refers to the risk that the Group may incur losses due to a situation in which it becomes impossible to conduct transactions in the market, or becomes obligatory to trade at prices that are significantly more disadvantageous than usual, due to market turmoil.

Funding Liquidity Risk: Risk that the Group may incur losses in a situation where it becomes impossible to secure necessary funds, or becomes obligatory to raise funds at interest rates significantly higher than usual.

Operational Risk: Risk that the Group may incur losses due to inadequate or failed business processes, the activities of executives or employees, computer systems, or due to external events.

(Below are "risk sub-categories" within Operational Risk)

Business Processing Risk: Risk that the Group may incur losses due to inappropriate business procedures arising from executives or employees neglecting to engage in proper business activities, or other incidents such as accidents or fraud.

System Risk: Risk that the Group may incur losses due to reasons such as computer system failures, malfunctions, and defects, as well as the risk that the Group may incur losses due to unauthorized computer usage.

Information Security Risk: Risk that the Group may incur losses due to the improper management or maintenance of information assets. This includes information leaks, information errors, and misuse of information, as well as an inability to use the information system.

Legal & Compliance Risk: Risk that the Group may incur losses due to uncertainty regarding the legal aspects of transactions, or due to insufficient compliance with laws, regulations, etc.

Human Resource Risk: Risk that the Group may incur losses due to personnel and labor management issues, such as unequal or unfair management of personnel, and harassment.

Event Risk: Risk that the Group may incur losses due to external events that impair business, such as natural disasters, crimes such as terrorism, damage to public infrastructure that prevents its functioning, and the spread of infectious diseases, or due to the inappropriate use or management of tangible assets.

Reputational Risk: Risk that the Group may incur losses as a result of a deterioration of the reputation of SuMi TRUST Holdings or its subsidiaries, due to reasons such as mass media reports, rumors, or speculation.

Risk Governance System

For the group-wide risk governance system, the Group has developed a Three Lines of Defense system consisting of risk management by individual businesses (first line of defense), risk management by the Risk Management Department and individual risk management-related departments (second line of defense), and validation by the Internal Audit Department (third line of defense).

Figure: Risk Governance System (As of June 30, 2020)

(1) First Line of Defense

Each Group business identifies and gains an understanding of the risk characteristics involved in carrying out its own business, based on knowledge of the services and products in that business.

Each business engages in risk taking within the established range of risk appetite, and, when a risk materializes, promptly implements risk control at the on-site level.

(2) Second Line of Defense

The Risk Management Department performs overall risk management, identifies and evaluates group-wide risks, creates a risk management process, and sets risk limits in accordance with the group-wide risk management policy determined by the Board of Directors. In addition, it formulates group-wide recovery strategies, in advance, to prepare for cases when risks materialize.

The Risk Management Department and risk management-related departments act as a restraint function for the risk taking of the first line of defense, and supervise and provide guidance regarding the risk governance system.

The Risk Management Department reports on the status of risk management to the Executive Committee and the Board of Directors.

(3) Third Line of Defense

The Internal Audit Department verifies the effectiveness and appropriateness of the group-wide risk governance system and processes from an independent standpoint.

(4) Executive Committee

The Executive Committee is composed of representative executive officers and executive officers designated by the President. It makes decisions on matters concerning risk management and undertakes preliminary discussions regarding matters to be resolved by and reported to the Board of Directors.

(5) Board of Directors

The Board of Directors is composed of all of the directors. It decides on the Group's management policy and strategic goals for risk taking, formulates a risk management policy, etc. that reflects these strategic goals based on a solid understanding of the location and nature of risks, and develops an appropriate risk governance system and supervises its implementation. The Board of Directors has voluntarily established the Risk Committee and the Conflicts of Interest Committee, as advisory bodies, based on the business strategies and risk characteristics of the Group.

Risk Committee

The Risk Committee receives requests for consultation from the Board of Directors on matters concerning the business circumstances surrounding the Group and the effectiveness of its risk management, etc., reviews their appropriateness, and reports its findings.

Conflicts of Interest Committee

The Conflicts of Interest Committee receives requests for consultation from the Board of Directors on matters concerning the Group's fiduciary duties and conflict of interest management, which are the foundation on which the Group seeks to become the "Best Partner" of its clients based on a fiduciary spirit, reviews their appropriateness, and reports its findings.

Risk Management Process

In the Group, the Risk Management Department and individual risk management-related departments act as the second line of defense, performing risk management using the following procedure. This risk management process, along with its associated systems, undergoes regular auditing by the Internal Audit Department, which acts as the third line of defense.

(1) Risk Identification

The risks faced by the Group are comprehensively identified, while ensuring the comprehensiveness of the Group's operations, and the risks to be managed are identified based on the scale and characteristics of the identified risks. Of note, risks that are particularly important are managed as material risks.

(2) Risk Evaluation

The risks identified as requiring management undergo analysis, assessment, and measurement in a manner appropriate for the business scale, characteristics, and risk profiles. We periodically evaluate material risks in terms of frequency of occurrence, degree of impact, and severity to determine whether they can be classified as top risks or emerging risks. The former are risks that have the potential to significantly affect the Group's capacity to execute business and achieve earnings targets within one year, while the latter are risks that have the potential to have a significant effect over the medium to long term.

(3) Risk Monitoring

Risk conditions are monitored with appropriate frequency, given the conditions of the Group's internal environment (risk profiles, allocated capital usage status, etc.) and external environment (economy, markets, etc.). Recommendations, guidance, and advice are given to each of the Group's businesses based on the risk conditions. Monitoring contents are reported and submitted to the Board of Directors, the Executive Committee, and other bodies regularly or as needed.

Risk predictor management for top risks, etc.

Risk appetite indicators are defined for risks resulting from internal factors, based on the features of the Group's business model and risk characteristics, and these management indicators are monitored. Regarding risks resulting from external factors, the top risks are selected, and risk predictors are monitored. Countermeasures are implemented based on the monitoring results for both types of risks.

The top risks at present include "the global spread of COVID-19," "falling prices for strategic shareholdings, etc.," "concentration of credit to large obligors in the credit portfolio," and "cyber attacks." Along with countermeasures, these risks are reported to the Board of Directors and the Executive Committee.

Emerging risks at present include "climate change," "innovation," and "Japan's declining birthrate and aging population." We are analyzing these risks and considering necessary countermeasures.

(4) Risk Control and Mitigation

If any incidents that could have a significant impact on the soundness of management occur, such as the risk amounts exceeding the risk limits, or the existence of concerns that they might do so, appropriate reports are presented to the Board of Directors, the Executive Committee, and other bodies, and the necessary countermeasures are implemented according to the severity of the risk.

Enterprise Risk Management

(1) Enterprise Risk Management System

We manage risks by comprehensively grasping the risks faced by the Group, which are evaluated on an individual risk category basis, and comparing and contrasting them against our corporate strength (enterprise risk management).

Among the risks we manage through our enterprise risk management, we combine the risk values for risks that can be quantitatively measured using a single standard, such as VaR*, and compare the combined value against our corporate strength (capital position), thereby managing risks (integrated risk management).

*VaR = Value at Risk

(2) Capital Allocation Operations

For the purpose of the Group's capital allocation operations, SuMi TRUST Holdings allocates capital to each business, including the Group companies, based on each risk category (credit risk, market risk, and operational risk) in consideration of the external environment, risk-return performance status, scenario analysis, and the results of assessments of capital adequacy levels. The capital allocation plan is subject to the approval of the Board of Directors. Capital allocation levels are determined based on the Group's risk appetite.

Each business is operated within both the allocated amount of risk capital and its risk appetite. The Risk Management Department measures the risk amount on a monthly basis, and reports regularly on the risk conditions, compared to the allocated capital and risk appetite, to the Board of Directors, and others.

(3) Stress Tests and Assessment of Capital Adequacy Level

The Risk Management Department performs three types of stress tests (hypothetical scenario stress testing, historical scenario stress testing, and examination of probability of occurrence) each time a capital allocation plan is formulated or reviewed, with the aim of ensuring capital adequacy from the standpoint of depositor protection. Based on the results of these stress tests, it assesses the level of capital adequacy, and reports to the Board of Directors, and others.

Crisis Management

The Group has developed systems to swiftly and appropriately implement emergency and crisis response measures in the event of natural disasters, computer system failures, outbreaks of new infectious diseases, and the like, which are rooted in its public mission and social responsibilities as a financial institution, and strives to disseminate information regarding these systems throughout the organization.

Specifically, we have developed BCPs (business continuity plans) for continuing business in the event of a crisis, after securing the safety of our clients, directors, officers, employees, and their families. In order to ensure the effectiveness of our BCPs, we periodically conduct exercises and revise their content. In addition, we have created a response system in which, in the event of a crisis, an emergency response headquarters is created, which is headed by the President.

For large-scale natural disasters such as earthquakes, which are envisioned as having a significant impact, we are enhancing our response system through the preparation of backup offices and backup systems.

We are also strengthening our security measures at the initiative of management to respond to cyber attacks, which are causing damage throughout society, through the formulation of the "Cyber Security Management Declaration." Specifically, the Group has established SuMiTRUST-CSIRT as an internal organization for gathering information, conducting analysis, implementing measures concerning cyber attacks, and allocating necessary staffing. The Group also works to continuously strengthen human resources and to enhance the management system through collaboration with external specialized agencies. In addition, we are endeavoring to strengthen our ability to respond to incidents through the creation and improvement of manuals, etc. for use in both normal times and emergencies, and periodic training and drills.

In responding to the COVID-19 pandemic, our basic stance is to ensure the health and safety of employees and their families, ensure business continuity as a key piece of social infrastructure, and to prevent the spread of infection in society. We are striving to balance the maintenance of services with safety considerations by establishing an emergency response headquarters, activating our BCPs, and actively encouraging telework.

New Product and New Operation Examination System

When introducing a new product or new operation, it is necessary to develop various systems in order to continue offering the product or running the operation, including making an advance determination regarding the existence of any inherent risks and identifying their types, evaluating and managing such risks, and providing explanatory materials and methods to clients. To that end, we have developed a new product and new operation examination system. In the product examination process, multiple departments carry out verification from various angles, with an emphasis on introducing products and operations that will earn the trust of clients. We also conduct validation through regular monitoring after a new product or new operation has been introduced.

Figure: Product Examination Process (SuMi TRUST Bank) (As of June 30, 2020)
