Corporate Obligations and Responsibilities: Risk Management

The Yahoo Japan Group pursues risk management activities under three pillars: ERM (Enterprise Risk Management), BCP, and awareness raising across the whole group. We have established the Regulations on Risk Management as the basis for these activities and their framework, and a Risk Management Committee has been established based on these Regulations. Our Risk Management Office serves as the secretariat for the Risk Management Committee, is responsible for promoting risk management, and is placed directly under the management.

  • ERM: We have a companywide ERM framework to appropriately recognize, identify and respond to the wide-ranging risks associated with our business activities.
  • BCP: In addition to preparing ourselves to withstand massive access surges and cyberattacks, we have BCPs in place according to priority, so that we can continue our necessary services when a large-scale disaster strikes.
  • Awareness raising in the whole group: Risk management is not confined to a few people directly involved. Instead, we endeavor to raise and renew awareness of risk management by sharing companywide risk management policies and views on the latest situation with all employees.

ERM

Basic Policy

In order to recognize, identify and respond to the risks encountered in various business fields in a constantly changing business environment, we conduct ERM for each business and work field. The process and results of ERM are directly reflected in management through the Risk Management Committee.

Risk Items

ERM handles various risk items, which we have classified into 16 categories. This enables the people involved and the whole company to have a common understanding of the risks. In response to changes in the business environment, these items are periodically reviewed and revised (almost every year).

Risk assessment – Fields covered: Business incidents, Information leakage, Financial reporting/Accounting, Service/system failure, Distribution of false information, Abuse/Reputation, Loss of assets, Creation and provision of service, Climate change, Management strategy/administration, Management of labor/human resources, Loss/falsification of data, Human rights/Anti-corruption/Compliance, Safety management, Sales structure/Business management, Employees’ misconduct

ERM Promotion Framework

We ensure appropriate ERM under the framework shown below. We have introduced a “Captain Community Program” in order to further improve the effectiveness and agility of these activities. A Captain is selected from the persons responsible for ERM promotion in multiple business fields, and the Captains hold face-to-face meetings every week to confirm the situation and progress.

ERM promotion system

Yahoo! JAPAN ERM Process Diagram

Departments Responsible for Managing Specific Risks

To enhance the effectiveness of risk management, we define the departments responsible for managing specific risks within our Regulations on Risk Management, thereby clarifying responsibilities and roles. Some of the risks mentioned above under Risk Items are allocated to, and supervised by, the departments responsible for managing specific risks.
These departments draw on their expertise to support risk management on the frontline. In addition, they manage risks that span multiple divisions and cannot be handled by the frontline alone, as well as risks that involve the whole group.

Examples of Specific Risks

  • Information security risk: Information security risk refers to the risk of damage to our information security structure in terms of matters such as integrity, confidentiality, and availability, as well as the risk of cyber attacks, etc. These risks are covered by the CISO Office (division in charge of supervising and managing security), etc.
  • Physical security risk: Physical security risk refers to the risk arising from physical attacks that can affect the lives of employees and related persons, company assets and business continuity.
  • Risks arising from regulations and abuse: These risks refer to risks arising from drastic changes in the business environment due to changes in regulations, and risks that abuse will impair the trust and sense of safety that users place in us. These risks are covered by the Policy Planning Division (division in charge of legal matters).
  • Risk on hiring: Hiring appropriate and diverse talent and enabling them to exert their abilities is an important factor in our corporate activities. This risk refers to the impairment of this factor and the resulting effects on our business activity. The People Development Group (division in charge of human resources) is in charge of this risk.

BCP (Business Continuity Plan)

Continuance of Services in Emergency

One of our missions is to provide necessary news and disaster information to our users without interruption, especially in times of emergency such as large-scale earthquakes. To this end, we provide services that utilize multiple data centers and backbones so that we can disperse the effects of natural disasters.
Furthermore, we have editing offices in Osaka, Fukuoka and Aomori, which were established in areas geographically distant from our Kioicho Office in Tokyo. In normal times, we prepare for emergencies by building a system so that services such as the Yahoo! JAPAN top page and Yahoo! News can be continuously updated from multiple bases. In addition to this mission as an Internet media company, we have a social responsibility because our various services encompass areas such as payment, distribution, and information sharing. In light of this social aspect, we also review BCP according to the characteristics of each service.

Response to Climate Change

Yahoo Japan Corporation (“Yahoo! JAPAN”) and its group companies have several work systems in place that allow working outside the office or at home. Infrastructure such as VPN connections is in place, and many employees use these systems on a daily basis. These systems not only allow various workstyles but also act as one form of BCP in emergencies such as earthquakes and pandemics. In particular, these work systems take into account situations in which employees are not able to come to the office for an extended period due to climate change such as global warming: weather disasters are expected to intensify, as is water damage resulting from rising sea levels.

Disaster Action Headquarter and Disaster Prevention Meeting

In order to facilitate decision making by the management and communication in times of emergency, we periodically conduct drills to set up a Disaster Action Headquarter. We established the Regulations on Emergency Responses as the basis of the Disaster Action Headquarter and clarified the roles to be assumed by the management and each department in times of emergency. In normal times, we hold Disaster Prevention Meetings based on these regulations to prepare for emergencies, review BCP as needed and create disaster prevention plans.

Awareness Raising in the Whole Group

Disclosure of Top Interviews

As part of our ERM activities, we conduct interviews with the management at fiscal year-end in order to confirm their awareness of changes in the business environment and of significant risks. Every year, we edit these interviews into an article and disclose it to the whole company. Reading about risk awareness in the management’s own words and sharing it company-wide contributes greatly to raising awareness of risk management.

Training and Use of Internal Community

We conduct various training programs related to risks. In addition to internal lectures, we actively participate in training held outside the company, such as visits to other companies’ facilities. On our bulletin boards for internal communication, a great deal of information on cases and incidents at our company as well as at other companies is shared, and active discussions are held almost every day. Risks and risk management are not regarded as taboos or as somebody else’s problem. This perception is naturally taking shape within the employee community.

Incident Reporting System

When an incident or a situation occurs in relation to our services or the various internal businesses, including those of Yahoo! JAPAN and its subsidiaries, a report is filed in our incident reporting system within one hour of discovering the situation or incident. The details are shared immediately with all relevant departments, and the incidents are then classified into three severity levels and recorded in the database. For each incident, the specific circumstances, responses, and causes are recorded and analyzed, and the progress of fundamental response measures is managed with the goal of preventing the recurrence of similar incidents in the future.

Collaboration with the Society

Online abuse is becoming increasingly complex and sophisticated, and it is clear that there is a limit to what a single service provider can do alone against such abuse. Therefore, we are involved in various measures in collaboration with investigative agencies, public agencies and other companies, as well as through organizations that we have established ourselves. In particular, awareness-raising activities and literacy education to prevent our users from becoming victims are important, and we have been active in these initiatives for a long time.