Risk management system
Seeing risk management as a key management challenge for a trust bank specialized in the asset administration business, MTBJ has a system in place for capturing and managing the risks of its business as a whole. It has established the Corporate Risk Management Division, an independent risk management division, to comprehensively manage all risks, and the Board of Directors and other bodies decide risk management policy and capture and discuss the status of business from a risk management perspective.
In addition, we have the Risk Management Committee chaired by the Director in charge of the Corporate Risk Management Division as an organ under the Management Conference to monitor the status of various risks and deliberate on important matters related to risk management and operations.
Similarly, we have the Business Improvement Committee chaired by the Director in charge of the Corporate Risk Management Division to analyze causes and discuss recurrence prevention measures among relevant divisions for material issues as a system for business improvement and reducing potential risks.
In operating business, we strive to establish and enhance risk management systems by, for example, formulating internal rules for each risk and implementing proper risk management based on the rules.
System
Addressing individual risks
(1) Operational Risk Management
We have established, by resolution of the Board of Directors, the Operational Risk Management Policy, which sets forth the core principles regarding operational risk management, including the definition of operational risk, and the risk management system and processes.
Under the policy, the Board of Directors and the Executive Committee formulate fundamental principles of operational risk management and establish and maintain an appropriate risk management system.
A division in charge of operational risk management is responsible for recognizing, evaluating, and appropriately managing operational risk in accordance with the fundamental principles formulated by the Board of Directors and the Executive Committee.
A division in charge of operational risk management has been established independently from business execution divisions to manage overall operational risk in a comprehensive manner.
For the purpose of risk quantification, we adopt the Standardized Measurement Approach in accordance with Basel III. Under this methodology, the amount equivalent to operational risk is calculated based on financial data from the preceding three fiscal years, as well as internal loss data derived from actual incidents over the past decade.
(i) Operations Risk Management
At our company, the Corporate Risk Management Division is charged with managing Operations Risk, and the Investor Services Planning Division is charged with Operations Management.
Both divisions strive to improve the standards of operations and prevent inappropriate operation procedures by continuously establishing and enhancing manuals, ensuring thorough compliance with authority and rules when carrying out operation procedures, and regularly conducting training and providing guidance.
In addition to analyzing the causes of individual administrative errors and formulating measures to prevent recurrence, we have introduced a Control Self-Assessment (CSA) system as a framework for proactively identifying issues and risks inherent in operations and implementing improvements based on their significance.
Under the CSA framework, each responsible division identifies potential issues and risks inherent in its operational processes and evaluates both their potential impact and the effectiveness of current control measures.
For significant issues and risks identified through this process, appropriate countermeasures are implemented, and improvement efforts are actively pursued.
In addition, as part of early warning management, we regularly conduct quantitative analyses of operations risks to monitor control effectiveness and prevent risk materialization.
Based on these analyses, we implement necessary measures to reduce Operations Risks.
(ii) IT Risk Management
At our company, the Corporate Risk Management Division is charged with managing IT Risk, and the Investor Services Planning Division is charged with managing systems.
We have established a robust governance framework for the effective management of IT risks, which includes the formulation of comprehensive regulations, detailed management standards, and structured response manuals addressing system failures and cyberattacks.
In the planning, development, and operation of systems, we strive to prevent system failures in advance through proper design and thorough testing, while also ensuring that information security is fully considered in system implementation.
System development projects are managed and overseen by a team dedicated to performing such management and oversight functions, and the development status of any mission-critical IT systems is reported regularly to senior management.
Investments for redundancy of the IT infrastructure are designed and emergency drills are conducted to minimize damage in the event of any system failure.
The risk of increasingly sophisticated cyber-attacks is a significant focus of the Board of Directors. We have appointed a Chief Information Security Officer (CISO) and are actively promoting cyber security measures under the leadership of senior management.
We continue to work to strengthen measures designed to address and mitigate the risk, including the establishment of a CSIRT (Computer Security Incident Response Team), implementation of multi-layered defense and detection measures, and enhancement of monitoring systems.
We continue to develop our risk management capabilities for emerging technologies, such as artificial intelligence (AI) and robotic process automation (RPA), considering, among other things, the maturity and usage of such technologies.
Furthermore, to prevent information leaks caused by cyberattacks targeting third parties and disruptions to associated services, we are enhancing our third-party risk management framework and strengthening oversight of third parties from the perspectives of IT and cybersecurity.
(iii) Information Risk Management
We recognize that the proper handling of customer information is a vital social responsibility.
Accordingly, we continue to improve our risk control framework designed to appropriately manage such risk, with the Corporate Risk Management Division as the lead division responsible for information risk management.
Specifically, complying with laws and regulations requiring proper handling of customer information, we implement information security management measures, including the establishment of an information risk management framework, enhancement of our internal operational procedures, and training courses mandatory for all officers and staff.
(iv) Incompliance with Laws and Regulations Risk
We recognize that the manifestation of Laws and Regulations Risks may result in significant economic loss and reputational damage, potentially having a serious impact on our management and business operations.
Accordingly, we have established a framework designed to appropriately manage such risks.
Specifically, we have established the "Law and Compliance Group" within the Corporate Risk Management Division to centrally manage Laws and Regulations Risks, while also promoting thorough compliance with laws and regulations among all officers and employees.
(v) Legal Risk Management
The Corporate Risk Management Division (Law and Compliance Group) uniformly evaluates legal issues prior to entering into contracts or commencing new business operations, deals with legal disputes, and manages other legal matters.
Through these efforts, we strive to implement effective legal risk management.
(vi) Personnel Risk Management
We recognize that the materialization of Personnel Risks, such as economic losses or reputational damage, could have a significant impact on our management and business operations.
Accordingly, we have designated the Human Resources & Corporate Administration Division as the primary department responsible for these risks and are working to establish a framework for the appropriate management of Personnel Risks.
(vii) Tangible Asset Risk Management
We recognize that the materialization of Tangible Asset Risks—such as economic losses or reputational damage—could have a significant impact on our management and business operations.
Accordingly, we have designated the Human Resources & Corporate Administration Division as the primary department responsible for managing these risks and have established a framework to ensure the appropriate management of Tangible Asset Risks.
(2) Reputation Risk Management
At our company, we recognize that the materialization of reputation risk could have a significant impact on our management and business operations.
Accordingly, we have established, and continue to maintain and enhance, a framework for the appropriate management of Reputation Risk.
Specifically, the Corporate Planning & Accounting Division is charged with managing reputation risk and establishing the necessary management procedures to ensure an understanding of them by officers and employees upon grasping the possibility of deterioration in reputation.
(3) Credit Risk Management
At our company, we have designated the Corporate Risk Management Division as the primary division responsible for risk and have established a framework for the integrated management of Credit Risk.
In accordance with established rules, we conduct credit rating management and credit limit control for each counterparty, and implement appropriate risk control by regularly reporting risk exposure to the Board of Directors.
(4) Market Risk Management
The Corporate Risk Management Division is charged with managing market risk. We set market risk limits and loss limits so that we do not take on excessive market risk, and we primarily use Value at Risk (VaR) to monitor market risk exposure on a daily basis, ensuring that market risk remains within acceptable levels.
As part of our interest rate risk monitoring, we measure and monitor various indicators based on Pillar 2 of the Basel III framework.
(5) Liquidity Risk Management
We organizationally separate the division managing funding liquidity (Corporate Risk Management Division) from the division managing cash flow (Securities Lending and Treasury Division), and the Corporate Risk Management Division regularly monitors the funding status and the market environment.
We also conduct liquidity stress tests and have established a management framework to address potential concerns regarding cash flow.