Basic Policy on Risk Management

SuMi TRUST Group follows a basic policy of accurately assessing risk conditions and implementing necessary measures through a series of risk management activities, including risk identification, evaluation, response and monitoring, based on the Group’s management policy and basic policy on the internal control system. Our Group’s risk management framework encompasses the Risk Appetite Framework and is organically linked to functions within the Group.

Risk Management System

For the group-wide risk governance system, the Group has developed a Three Lines of Defense system consisting of risk management by individual Group businesses (first line of defense), risk management by the Risk Management Department and individual risk management-related departments (second line of defense) and validation by the Internal Audit Department (third line of defense).

Risk governance system


(i) First line of defense

Each Group business identifies and gains an understanding of the risk characteristics involved in carrying out its own business, based on knowledge of the services and products in that business. Each Group business takes risks within the scope of its risk appetite in accordance with its risk-taking policy, evaluates risks and swiftly implements risk control at the on-site level when risks that are outside of its risk appetite materialize. In addition, the status of risk management is reported to the second line of defense in a timely manner.

(ii) Second line of defense

In accordance with the Group-wide basic policy on risk management approved by the Board of Directors, as control departments responsible for the management of each risk category, the Risk Management Department and risk management-related departments perform a check and balance function for the risk taking of the first line of defense, and supervise and provide guidance regarding the risk governance system from an independent standpoint. The Risk Management Department, as an enterprise risk management department, identifies and evaluates Group-wide risks, creates a risk management process and sets risk limits. In addition, it formulates Group-wide recovery strategies, in advance, to prepare for cases when risks materialize. Furthermore, it shares information with risk management-related departments appropriately and monitors the overall status of risks and risk management in an integrated manner, and the CRO reports the status to the Executive Committee and the Board of Directors.

(iii) Third line of defense

The Internal Audit Department audits the effectiveness and appropriateness of the group-wide risk governance system and processes from a standpoint independent of the first and second lines of defense.

(iv) Executive committee

The Executive Committee is composed of representative executive officers and executive officers, including the CRO, designated by the President. It makes decisions on matters concerning risk management and undertakes preliminary discussions regarding matters to be resolved by and reported to the Board of Directors.

(v) Board of directors

The Board of Directors is composed of all of the directors. It decides on the Group’s management policy and strategic goals for risk taking, formulates a risk management policy that reflects these strategic goals based on a solid understanding of where and what risks exist, and develops an appropriate risk governance system and supervises its implementation. The Board of Directors has voluntarily established the Risk Committee and the Conflicts of Interest Committee as advisory bodies based on the business strategies and risk characteristics of the Group.

Proactive Management of Top Risks, etc., in the Risk Management Process

Based on the features and risk characteristics of the Group’s business model, we select the top risks (risks that could have a material impact on the Group’s ability to execute business or on results targets within one year and that we should pay attention to in management) and emerging risks (risks that could have a material impact in the medium to long term beyond one year) and monitor them by setting “risk appetite indicators” for endogenous factor risks and “predictive indicators” for exogenous factor risks. Monitoring results are reported and submitted for proposal to the Board of Directors, the Executive Committee and other bodies regularly or as needed.

Main top risks and emerging risks

Risks related to cyber-attacks

Geopolitical risks

Stagflation risks

Risks related to concentration of credit in major obligors in the credit portfolio

Risks related to climate change

Compliance-related risks

*For more information on the Group’s initiatives to address climate change-related risks, please refer to “Sustainability Promotion System” in the Integrated Report and the Climate Change Report.

Risk Appetite

(1) Outline of the Risk Appetite Framework

The Risk Appetite Framework is a group-wide corporate management framework consisting of the process for determining risk appetite within the Group’s risk capacity, together with an internal control system that monitors the process and ensures its appropriateness and sufficiency, in order to achieve management strategies formulated based on the Group’s Purpose, Mission (management principles), materiality and others.

With the primary objective of balancing improvement in profitability with enhancement of risk management, our Group’s Risk Appetite Framework establishes communication processes through the setting, propagation, and monitoring of risk appetite and promotes the improvement of transparency in the decision-making process for risk-taking overall, the optimization of the allocation of management resources, and the strengthening of the monitoring system. Through the above, the Group is promoting the enhancement of risk governance, which forms a part of corporate governance, with the aim of achieving sound and sustainable development through the value creation process by implementing and enhancing the Risk Appetite Framework.

Outline of the Risk Appetite Framework


(2) Risk appetite operation

(i) Determining risk appetite target

At the Group, we classify risks into two categories: risks to be taken (risks generated in association with activities that generate returns) and risks to be avoided (risks that are not taken under any circumstances such as compliance risks, and risks that cannot be eliminated completely but are minimized as much as possible in the course of business activities).

Under the Group’s Risk Appetite Framework, the Board of Directors establishes a risk-taking policy, based on Purpose and others, and sets risk appetite indicators taking the results of stress tests into account. In addition, the detailed risk-taking policy is determined by the Executive Committee within the scope of the policy determined by the Board of Directors. The Group maintains the Risk Appetite Statement to clarify the overall picture, policy, and indicators of the Risk Appetite Framework.

The risk-taking policy and risk appetite indicators are determined in a manner consistent with the management plan, and are reviewed at least once a year or when necessary.

(ii) Risk appetite monitoring

Our Group sets risk appetite indicators from the three perspectives of return, risk, and cost, and regularly monitors and verifies that risk taking is conducted appropriately.

If the risk appetite indicators deviate from the set levels, the Group analyzes the cause and implements countermeasures or reconsiders the levels of risk taking.

Fostering and Instilling a Risk Culture

At the SuMi TRUST Group, we define risk culture as “the mindset and mode of behavior within our corporate culture (the mindset and behavior that underlie the organization and behavior shared within the company) that underlie risk taking and risk management in particular.”

The Group will aim to contribute to enhancing corporate value and stakeholder value by building a sustainable business model, and positions the fostering and instilling of a sound risk culture as an important management issue.

All executives and employees actively identify the inherent risks in their own work, are aware of sound risk-taking and appropriate risk control, and encourage each other to foster a sound risk culture throughout the Group.

To that end, we are building an open and transparent organization and promoting the understanding and penetration of our risk culture through positive messaging by management and the ongoing implementation of e-learning-based and rank-specific training.

Enterprise Risk Management

(1) Enterprise risk management system

We manage risks by comprehensively ascertaining the risks faced by the Group, which are evaluated on an individual risk category basis, and comparing and contrasting them against our corporate strength, i.e., capital adequacy (enterprise risk management).

We evaluate the effectiveness of our risk management and risk control annually, and when a need arises due to changes in the business environment or other circumstances, we will consider revisions to our risk category system, risk management system and other policies.

Among the risks we manage through our enterprise risk management, we aggregate risks that can be quantitatively measured using a single yardstick, such as VaR*, and compare the aggregated risk value against our corporate strength, i.e., capital adequacy, thereby managing risks (integrated risk management).

*Value at Risk

(2) Capital allocation operations

For the purpose of the Group’s capital allocation operations, SuMi TRUST Group, Inc. allocates capital to each Group business for each risk category (credit risk, market risk and operational risk) in consideration of the external environment, risk-return performance status, scenario analysis and the results of assessment of capital adequacy level.

The capital allocation plan is subject to the approval of the Board of Directors. Capital allocation levels are determined based on the Group's risk appetite.

Each Group business is operated within both the allocated amount of capital and the risk appetite. The Risk Management Department measures risk amounts on a monthly basis, and reports regularly on the risk status compared to the allocated capital and risk appetite to the Board of Directors and others.

(3) Stress tests and assessment of capital adequacy level

The Risk Management Department performs three types of stress tests (hypothetical scenario stress testing, historical scenario stress testing and examination of probability of occurrence) each time a capital allocation plan is formulated or reviewed, with the aim of ensuring capital adequacy from the standpoint of depositor protection. Based on the results of these stress tests, it assesses the level of capital adequacy, and reports to the Board of Directors and others.

Please refer to the Qualitative Disclosure Data for information on the risk management of SuMi TRUST Group.
