Risk Management

The Z Holdings Group pursues risk management activities under three pillars: ERM (Enterprise Risk Management), BCP, and awareness raising in the whole group. We have established the Regulations on Risk Management as the basis for these activities and their framework, and a Risk Management Committee has been established based on these Regulations. Our Security & Risk Management Division serves as the secretariat for the Risk Management Committee, is responsible for promoting risk management, and is placed directly under the management.

■ERM: We have a companywide ERM framework to appropriately recognize, identify and respond to wide-ranging risks associated with our business activities.
■BCP: In addition to preparing ourselves to withstand massive accesses and cyberattacks, we have a business continuity plan (BCP) in place according to priority, so that we can continue our necessary services when a large-scale disaster strikes.
■Awareness raising in the whole group: Risk management is not limited to a few related persons. Instead, we endeavor to raise and renew awareness of risk management by sharing policies related to companywide risk management and views on the latest situations with all employees.

ERM

Basic Policy

In order to recognize, identify and respond to risks in the various business fields we encounter in a constantly changing business environment, we have identified 28 critical risk categories and conduct ERM for each category. The process, analyses and results of ERM are reported directly to the management through the Risk Management Committee, etc.

Risk Items

We have identified 28 critical risk categories in the four realms of environment (E), social (S), governance (G) and business (B), and conduct risk assessment that is not influenced by changes in the business environment.

■Environment: Environmental burden; Environmental impact
■Social: Human rights, diversity; Labor; Personal information, privacy; Cyber security; Antisocial forces, money laundering, bribery; Abuse; Communication
■Governance: Corporate ethics; Competitive behavior; Laws, regulations, approvals/licenses; System failures, power outages; Business continuity, crisis response; Management strategy; Countries, regions; Compliance, intellectual property; Accounting, taxes, finance
■Business: Quality, security/safety; Business models, designs; Supply chains, procurement; Outsourcing; Market, competition; Human resources, operations; Group governance; Dependence; Litigation; Stakeholders

ERM Promotion Framework

Z Holdings Corporation ensures appropriate ERM under the framework shown below.

ERM promotion system
Yahoo! JAPAN ERM Process Diagram
1. Risk Management Committee: Determines activity guidelines (critical risk items)
2. ERM General Meeting: Explains policies and critical risk items to group companies
3. Risk Assessments at Each Group Company: Identify risks, evaluate, develop response plans, promote responses
4. Reporting of Risk Management Activities:
・In collaboration with the divisions responsible for specific risks, understand/analyze risks for the whole group
・Report to Risk Management Committee and management through supervisory organization of risk management
5. Formulation of Activity Guidelines for Next Fiscal Year: Examine critical risk items

Provisions on Risk Management and Divisions Responsible for Managing Specific Risks

Our Regulations on Risk Management stipulate that the President and Representative Director serves as the chief executive of risk management in the Z Holdings Group. The Regulations also specify the structure and roles of the Risk Management Committee, risk evaluation and response processes, establishment of an ERM operation structure in each group company, and reporting processes in the event of incidents.
In addition, the Regulations stipulate risks pertaining to specific fields out of the risk items listed above, and the division responsible for supervising each risk. The responsible divisions work together with the supervisory organization of risk management to evaluate and prepare plans for the risks under their charge for the entire Z Holdings Group.

Examples of Specific Risks

■Information security risk: Information security risk refers to the risk of damage to our information security structure in terms of matters such as integrity, confidentiality, and availability, as well as risk of cyberattacks, etc. These risks are covered by the Security Department (division in charge of supervising and managing security), etc.

■Physical security risk: Physical security risk refers to the risk arising from physical attacks that can affect the lives of employees and related persons, company assets and business continuity.

■Risks arising from regulations and abuse: These risks refer to risks arising from drastic change in business environment due to changes in laws and regulations, and risks that impair the trust and sense of safety entrusted to us due to abuse. These risks are covered by the Public Affairs Division (division in charge of legal matters).

■Risk on hiring: Hiring appropriate and diverse talents and having them exert their abilities is an important factor in our corporate activities. This risk refers to impairment of this factor and the resulting effects on our business activity. The Personnel & General Affairs Division (division in charge of human resources) is in charge of this risk.

■Risk related to natural environment, disasters, and emergencies: Today’s business faces the environmental issue of CO2 emissions resulting from electricity and other energy consumption, as well as the possibility of failing business continuity/resumption plans due to earthquakes, fires, infections, etc. There are also risks of restricted business operations or decreased revenues due to conflicts, coup d'état, and terrorism, etc.

BCP (Business Continuity Plan)

Continuance of Services in Emergency

One of our missions is to provide necessary news and disaster information to our users without interruption especially at times of emergency, such as large-scale earthquakes. For this, we provide services that utilize multiple data centers and backbones so that we can disperse the effect of natural disasters.
Furthermore, we have editing offices in Osaka, Fukuoka and Aomori, which were established in areas geographically distant from our Kioicho Office in Tokyo. Even in normal times, we prepare for emergencies by building a system so that services such as the Yahoo! JAPAN top page and Yahoo! JAPAN News can be continuously updated from multiple bases. In addition to this mission as Internet media, we have a social responsibility arising from our various services that encompass areas such as payment, distribution, and information sharing. In light of this social aspect, we also review BCP according to the characteristics of each service.

Response to Climate Change

The Z Holdings Group has several work systems in place that allow working out of office or working at home. Infrastructure such as VPN connections is in place, and many employees use these systems on a daily basis. These systems not only allow various workstyles but also act as one form of BCP in emergencies such as earthquakes and pandemics. In particular, these work systems take into account situations in which employees are not able to come to the office for an extended period due to climate change such as global warming: weather disasters are expected to intensify, and so is water damage resulting from rising sea levels.

Disaster Action Headquarter and Disaster Prevention Meeting

In order to facilitate decision making by the management and communication at times of emergency, we periodically conduct drills to set up a Disaster Action Headquarter. We established the Regulations on Emergency Responses as the basis of the Disaster Action Headquarter and clarified the roles to be assumed by the management and each department at times of emergency. In normal times, we hold Disaster Prevention Meetings based on these regulations to prepare for emergencies, review BCP as needed and create disaster prevention plans.

Awareness Raising in the Whole Group

Top Interviews

As part of our ERM activities, we conduct interviews with the management in order to confirm their awareness of changes in the business environment and of significant risks. Every year, we edit this interview into an article and disclose it to the whole company. Reading about risk awareness in the management’s own words and sharing it throughout the Z Holdings Group contribute greatly to raising awareness of risk management.

Training and Use of Internal Community

We conduct various training programs related to risks. In addition to internal lectures, we actively participate in training held outside of the company, such as visits to other companies’ facilities. On our bulletin boards for internal communication, information on actual cases and incidents in our company as well as in other companies is shared extensively, and active discussions are held on a daily basis. Risks and risk management are not regarded as taboos or as somebody else’s problem; this perception is naturally taking shape within the employee community.

Incident Reporting System

When an incident or a situation occurs in various internal processes such as in relation to Yahoo! JAPAN services, a report is filed in our incident reporting system within one hour of discovering such a situation or an incident. The details are shared immediately with all relevant departments, and the progress of incident response, such as understanding of the situation, initial action taken, causal analysis, and fundamental response measures, is managed closely in a database with the goal of preventing recurrence of a similar incident in the future.

Collaboration with the Society

Online abuse is becoming increasingly complex and sophisticated, and it is clear that there is a limit to what a single service provider can do alone against such abuse. Also, although social networking services play a certain role in enhancing public benefit, inappropriate posts on these services may infringe the human rights of others. Therefore, we are involved in various measures in collaboration with investigative agencies, public agencies and other companies, as well as through organizations that we have established ourselves. In particular, awareness-raising activities and literacy education to prevent our users from becoming victims are important, and we have been active in these initiatives for a long time.