The Z Holdings Group pursues risk management activities under three pillars: ERM (Enterprise Risk Management), BCP and awareness raising in the whole group. We have established the Regulations on Risk Management as the basis for these activities and their framework, and a Risk Management Committee has been established under these Regulations. Our Security & Risk Management Division serves as the secretariat for the Risk Management Committee, is responsible for promoting risk management, and is positioned directly under the management.
■ERM: We have a companywide ERM framework to appropriately recognize, identify and respond to wide-ranging risks associated with our business activities.
■BCP: In addition to preparing ourselves to withstand massive volumes of access and cyberattacks, we have a business continuity plan (BCP) in place according to priority, so that we can continue our necessary services when a large-scale disaster strikes.
■Awareness raising in the whole group: Risk management is not restricted to a few directly involved persons. Instead, we endeavor to raise and renew awareness of risk management by sharing policies related to companywide risk management and views on the latest situations with all employees.
In order to recognize, identify and respond to risks encountered in various business fields in a constantly changing business environment, we have identified 28 critical risk categories and conduct ERM for each category. The process, analyses and results of ERM are reported directly to the management through the Risk Management Committee, etc.
We have identified 28 critical risk categories in the four realms of environment (E), social (S), governance (G) and business (B), and conduct risk assessment that is not influenced by changes in the business environment.
- Environmental burden
- Human rights, diversity
- Personal information, privacy
- Antisocial forces, money laundering, bribery
- Corporate ethics
- Laws, regulations, approvals/licenses
- System failures, power outages
- Business continuity, crisis response
- Compliance, intellectual property
- Accounting, taxes, finance
- Quality, security/safety
- Business models, designs
- Supply chains, procurement
- Human resources, operations
ERM Promotion Framework
Z Holdings Corporation ensures appropriate ERM under the framework shown below.
Provisions on Risk Management and Divisions Responsible for Managing Specific Risks
Our Regulations on Risk Management stipulate that the President and Representative Director serves as the chief executive of risk management in the Z Holdings Group. The Regulations also specify the structure and roles of the Risk Management Committee, risk evaluation and response processes, establishment of an ERM operation structure in each group company, and reporting processes in the event of incidents.
In addition, the Regulations stipulate risks pertaining to specific fields out of the risk items listed above, and the division responsible for supervising each risk. The responsible divisions work together with the supervisory organization of risk management to evaluate and prepare plans for the risks under their charge for the entire Z Holdings Group.
Examples of Specific Risks
■Information security risk: Information security risk refers to the risk of damage to our information security structure in terms of matters such as integrity, confidentiality, and availability, as well as risk of cyberattacks, etc. These risks are covered by the Security Department (division in charge of supervising and managing security), etc.
■Physical security risk: Physical security risk refers to the risk arising from physical attacks that can affect the lives of employees and related persons, company assets and business continuity.
■Risks arising from regulations and abuse: These risks refer to risks arising from drastic change in business environment due to changes in laws and regulations, and risks that impair the trust and sense of safety entrusted to us due to abuse. These risks are covered by the Public Affairs Division (division in charge of legal matters).
■Risk on hiring: Hiring appropriate and diverse talent and enabling them to exert their abilities is an important factor in our corporate activities. This risk refers to impairment of this factor and the resulting effects on our business activity. The Personnel & General Affairs Division (division in charge of human resources) is in charge of this risk.
■Risk related to natural environment, disasters, and emergencies: Today’s business faces the environmental issue of CO2 emissions resulting from electricity and other energy consumption, as well as the possibility of business continuity/resumption plans failing due to earthquakes, fires, infections, etc. There are also risks of restricted business operations or decreased revenues due to conflicts, coups d'état, terrorism, etc.
BCP (Business Continuity Plan)
Continuance of Services in Emergency
One of our missions is to provide necessary news and disaster information to our users without interruption, especially at times of emergency such as large-scale earthquakes. For this, we provide services that utilize multiple data centers and backbones so that we can disperse the effect of natural disasters.
Furthermore, we have editing offices in Osaka, Fukuoka and Aomori, which were established in areas geographically distant from our Kioicho Office in Tokyo. In normal times, we prepare for emergencies by building a system so that services such as the Yahoo! JAPAN top page and Yahoo! JAPAN News can be continuously updated from multiple bases. In addition to this mission as Internet media, we have a social responsibility because we operate various services that encompass areas such as payment, distribution, and information sharing. In light of this social aspect, we also review BCP according to the characteristics of each service.
Response to Climate Change
The Z Holdings Group has several work systems in place that allow working out of office or working at home. Infrastructure such as VPN connections is in place, and many employees use these systems on a daily basis. These systems not only allow various workstyles but also act as one form of BCP in emergencies such as earthquakes and pandemics. In particular, these work systems take into account situations whereby employees are not able to come to the office for an extended period due to climate change such as global warming: weather disasters are expected to intensify, and so is water damage resulting from rising sea levels.
Disaster Action Headquarter and Disaster Prevention Meeting
In order to facilitate decision making by the management and communication at times of emergency, we periodically conduct drills to set up a Disaster Action Headquarter. We established the Regulations on Emergency Responses as the basis of the Disaster Action Headquarter and clarified the roles to be assumed by the management and each department at times of emergency. In normal times, we hold Disaster Prevention Meetings based on these regulations to prepare for emergencies, review BCP as needed and create disaster prevention plans.
Awareness Raising in the Whole Group
As part of our ERM activities, we conduct interviews with the management in order to confirm their awareness of changes in the business environment and of significant risks. Every year, we edit these interviews into an article and disclose it to the whole company. Reading about risk awareness in the management’s own words and sharing it throughout the Z Holdings Group contribute greatly to raising awareness of risk management.
Training and Use of Internal Community
We conduct various training sessions related to risks. In addition to internal lectures, we actively participate in training held outside of the company, such as visits to other companies’ facilities. On our bulletin boards for internal communication, information on actual cases and incidents in our company as well as in other companies is shared extensively, and active discussions are held on a daily basis. Risks and risk management are not regarded as taboos or as somebody else’s problem. Such a perception is naturally being formed within the employee community.
Incident Reporting System
When an incident or a situation occurs in any of our internal processes, such as those related to Yahoo! JAPAN services, a report is filed in our incident reporting system within one hour of discovering the situation or incident. The details are shared immediately with all relevant departments, and the progress of incident response, such as understanding of the situation, initial action taken, causal analysis, and fundamental response measures, is managed closely in a database with the goal of preventing recurrence of a similar incident in the future.
Collaboration with the Society
Online abuse is becoming increasingly complex and sophisticated, and it is clear that there is a limit to what a single service provider can do alone against such abuse. Also, although social networking services play a certain role in enhancing public benefit, inappropriate posts on these services may infringe the human rights of others. Therefore, we are involved in various measures in collaboration with investigative agencies, public agencies and other companies, as well as through organizations that we have established ourselves. In particular, awareness-raising activities and literacy education to prevent our users from becoming victims are important, and we have been active in these initiatives for a long time.