Risk Management

The Z Holdings Group strives to reduce risk by conducting risk management activities under four pillars: ERM (Enterprise Risk Management), identification of the occurrence of incidents, risk intelligence activities, and the raising of risk management awareness throughout the Group. We have established regulations on risk management, and based on these regulations, we promote ERM activities at each Group company, as well as the activities of the Risk Management Committee and various working groups.

■ERM: By implementing risk management across all Group companies, we accurately recognize and identify wide-ranging risks related to our business activities, and implement countermeasures and responses.
■Identification of the occurrence of incidents: In the event of an incident, we take prompt and accurate initial action to prevent the situation from spreading and to bring it under control as soon as possible. We analyze the status of the incident response, and support the implementation of measures to prevent recurrence.
■Risk intelligence activities: We have established a department specializing in intelligence activities to collect and analyze changes in the business environment and social conditions, and directly link these activities to the Group's risk management and management strategies.
■Awareness raising in the whole group: In addition to communicating the importance of risk management to the management of the Group companies, we use all available channels to raise awareness of risk management among all Group personnel so that they can engage in their daily activities with an awareness of risk management.

FY2021 Top Risks for the Z Holdings Group

Identification of Top Risks and Sharing of Top Interviews

Risks that are of particular significance to the Z Holdings Group as a whole are selected from the daily risk management activities as Top Risks, and based on the Top Risks identified, risk management activities are undertaken at each Group company.
For fiscal 2021, nine risks have been identified as Top Risks by the Risk Management Committee (chaired by the Co-CEOs) consisting of the management members of Z Holdings Corporation. To get across the management’s views on these risks, a top interview with the Co-CEOs has been conducted and shared across the Group.

Risk to human life
  0. Risk of endangering the safety of employees’ lives
Governance
  1. Inadequate and unsuccessful governance within the Group
Inherent risks
  2. Criticisms against and regulation of large-scale IT companies
  3. Delay in technological development and human resource development within the Group
  4. Failure to respond to changing global awareness
Emerging risks
  5. Impact of increasing geopolitical and security risks
  6. Increase in uncertainty about AI
Resilience-type risk
  7. Major changes in the business environment
  8. BCP risks of each Group company

ERM

Basic Policy

As the business environment continues to change, we recognize and identify risks regarding the impact of uncertainty on our business objectives. The process, analyses and results of ERM are directly reported to the management through the Risk Management Committee, etc.

ERM in the Group Companies

Each Group company promotes ERM based on the Z Holdings Group’s Top Risks and the content of the top interview, and the activities are shared with Z Holdings Corporation.

ERM Promotion Framework

The Z Holdings Group ensures appropriate ERM under the framework shown below.

* The Risk Management Committee is chaired by the Co-CEOs and is made up of Senior Managing Corporate Officers, Managing Corporate Officers, etc. The Committee supervises the risk management of the entire Z Holdings Group.

Risk Assessment Items

In order to be able to respond flexibly to any changes in the business environment, we classify the impact of uncertainty (risk) on our business objectives into environmental (E), social (S), governance (G), and business and other (B) categories, which are further broken down into 32 medium subcategories and 122 smaller items. We conduct risk management based on this classification.

Environment (E)
  • Environmental burden
  • Environmental impact

Social (S)
  • Human rights, diversity
  • Labor
  • Personal information, privacy
  • Cyber security
  • Antisocial forces, money laundering, bribery
  • Abuse
  • Communication
  • Personnel system (human resource strategy)

Governance (G)
  • Corporate ethics
  • Competitive behavior
  • Laws, regulations, approvals/licenses
  • System failures
  • Data governance
  • Business continuity, crisis response
  • Management strategy
  • Countries, regions
  • Compliance, intellectual property
  • Accounting, taxes
  • Finance

Business and other (B)
  • Quality, security/safety
  • Business models, designs
  • Supply chains, procurement
  • Outsourcing
  • Market, competition
  • Human resources, operations
  • Group governance
  • Dependence
  • Litigation
  • Stakeholders
  • Accidents, malfunctions

ERM Process Diagram

Yahoo! JAPAN ERM Process Diagram

1. Risk Management Committee: Determines activity guidelines (critical risk items)
2. ERM General Meeting: Explains policies and critical risk items to group companies
3. Risk Assessments at Each Group Company: Identify risks, evaluate, develop response plans, promote responses
4. Reporting of Risk Management Activities:
  • In collaboration with the divisions responsible for specific risks, understand/analyze risks for the whole group
  • Report to Risk Management Committee and management through supervisory organization of risk management
5. Formulation of Activity Guidelines for Next Fiscal Year: Examine critical risk items

Provisions on Risk Management and Divisions Responsible for Managing Specific Risks

Our Regulations on Risk Management stipulate that the President and Representative Director serves as the chief executive of risk management in the Z Holdings Group. The Regulations also specify the structure and roles of the Risk Management Committee, risk evaluation and response processes, establishment of an ERM operation structure in each Group company, and reporting processes in the event of incidents.
In addition, the Regulations stipulate risks pertaining to specific fields out of the risk items listed above, and the division responsible for supervising each risk. The responsible divisions work together with the supervisory organization of risk management to evaluate and prepare plans for the risks under their charge for the entire Z Holdings Group.

Examples of Specific Risks

■Information security risk: Information security risk refers to the risk of damage to our information security structure in terms of matters such as integrity, confidentiality, and availability, as well as risk of cyberattacks, etc.

■Physical security risk: Physical security risk refers to the risk arising from physical attacks that can affect the lives of employees and related persons, company assets and business continuity.

■Regulatory risk and abuse risk: These risks refer to risks of loss of trust and sense of security due to major changes in the business environment caused by changes in regulations or due to unauthorized use.

■Risk on hiring: Hiring appropriate and diverse talents and having them exert their abilities is an important factor in our corporate activities. This risk refers to impairment of this factor and the resulting effects on our business activity.

■Risk related to natural environment, disasters, and emergencies: Today’s business faces the environmental issue of CO2 emissions resulting from electricity and other energy consumption, as well as the possibility of failing business continuity/resumption plans due to earthquakes, fires, infections, etc. There are also risks of restricted business operations or decreased revenues due to conflicts, coup d'état, and terrorism, etc.

Working Groups

For risks that pose a particular challenge across the Group, we have established working groups within the Risk Management Committee by inviting highly specialized members from each Group company. The working groups examine and mitigate risks and select countermeasures.

■ Data Governance Working Group
The Data Governance Working Group establishes a basic policy on data governance for the Group, examines the state of data governance from various perspectives, including the use and protection of data and research and development to realize the basic policy, and reflects the findings in the management of the Group.

■ Anti-Money Laundering Working Group
The Anti-Money Laundering Working Group establishes the Group's anti-money laundering policy and promotes effective anti-money laundering measures.

■ Human Rights Working Group
The Human Rights Working Group establishes the Group's countermeasure policy on human rights risks and promotes effective countermeasures on human rights risks.

Awareness Raising in the Whole Group

Major Incident Reporting System

In the risk management regulation, an incident is defined as "a situation in which a risk has materialized and the Group has suffered a loss or disadvantage, or the probability of such a loss or disadvantage has become extremely high." In addition, the criteria for major incidents are clarified, and those that fall under the category of major incidents are to be promptly reported to the Risk Management Committee through the organization that supervises risk management. The content of the reports is shared with the divisions in charge of specific areas of risk and each working group, and a system is in place to enable a prompt understanding of the status of incidents within the Group. Moreover, we promote activities that contribute to risk management by sharing information on responses, analysis of causes, and formulation of measures to prevent reoccurrence at each Group company, among related parties.

Training and Use of Internal Community

We believe that building relationships with Group companies that facilitate the sharing of important information and communication is an important aspect of risk management within the Group. We therefore focus on building a community within the Group. We hold ERM General Assemblies* twice a year and ERM Lounges* as needed to promote information sharing and interaction among risk management staff from each company.
We hope that these events will have the effect of creating openness so that risks and risk management will not be regarded as taboos or as somebody else’s problem.
In addition, we proactively provide a variety of training activities within the Group to improve the risk management of the entire Group.

* ERM General Assembly: Held twice a year as an official forum for communicating ERM's basic policies and intentions from the Co-CEO and reviewing activities.
* ERM Lounge: Held regularly in a frank manner as a forum for information sharing among ERM staff.

Collaboration with the Society

Online unauthorized use is becoming increasingly complex and sophisticated, and it is clear that there is a limit to what a single service provider can do alone against such abuse. Also, although social networking services play a certain role in enhancing public benefit, inappropriate posts on these services may infringe the human rights of others. Therefore, we are involved in various measures in collaboration with investigative agencies, public agencies and other companies as well as through organizations that we have established ourselves. In particular, awareness-raising activities and literacy education to prevent our users from becoming victims are important, and we have been active in these initiatives for a long time.

BCP (Business Continuity Plan, in the case of Yahoo Japan Corporation)

Continuance of Services in Emergency

One of our missions is to provide necessary news and disaster information to our users without interruption especially at times of emergency, such as large-scale earthquakes. For this, we provide services that utilize multiple data centers and backbones so that we can disperse the effect of natural disasters.
Furthermore, we have editing offices in Osaka, Fukuoka and Aomori, which were established in areas geographically distant from our Kioicho Office in Tokyo. Even in normal times, we prepare for emergencies by maintaining a system in which services such as the Yahoo! JAPAN top page and Yahoo! JAPAN News can be continuously updated from multiple bases. In addition to this mission as Internet media, we have a social responsibility because we operate various services that encompass areas such as payment, distribution, and information sharing. In light of this social aspect, we also review the BCP according to the characteristics of each service.

Flexible Work Systems for Emergencies

The Z Holdings Group has several work systems in place that allow working out of the office or at home. Infrastructure such as VPN connections is in place, and many employees use these systems on a daily basis. These systems not only allow various workstyles but also act as one form of BCP in emergencies such as earthquakes and pandemics. In particular, these work systems take into account situations in which employees are not able to come to the office for an extended period due to climate change such as global warming: weather disasters are expected to intensify, as is water damage resulting from rising sea levels.

Disaster Action Headquarter and Disaster Prevention Meeting

In order to facilitate decision making by the management and communication in times of emergency, we periodically conduct drills to set up a Disaster Action Headquarter. We established Regulations on Emergency Responses as the basis of the Disaster Action Headquarter and clarified the roles to be assumed by the management and each department in times of emergency. In normal times, we hold Disaster Prevention Meetings based on these regulations and prepare for emergencies, review the BCP as needed, and create disaster prevention plans.