Risk Management

Rakuten's Approach

Being a company with over 70 businesses traversing the world, it is extremely important that we are always prepared for any uncertainties. Companies could face various threats and risks with ongoing changes in society due to natural catastrophes, accidents, financial uncertainty, or macroeconomic affairs. To nullify the impact of even a minor event and to avoid a catastrophic outcome and maximize opportunities, we have established a robust management system to identify potential threats and address risks.

Management System

Under the Group-wide regulations on risk management, we have developed a risk management system consisting of a PDCA cycle for identifying risks, formulating, and implementing countermeasures in accordance with their significance, and monitoring the results. The Group Risk Compliance Committee meets four times a year to discuss the status of implemented measures for cross-group risks. The major issues addressed in the Committee meetings are reported to the management through the important meetings. Particularly critical risks are reported to the Board of Directors.
Our risk management system stands on three key pillars: Enterprise Risk Management (ERM), Incident Management, and Business Continuity Management (BCM). A broad three-pillar framework are supported by a strong risk culture and monitoring mechanism that targets potential anomalies and malicious actors.

Enterprise Risk Management

Identify and assess actual and potential adverse human rights impacts we may cause in our operations. This is achieved by understanding the specific implications for people in particular contexts. The assessment covers our existing operations, value chain (suppliers, customers) and new business relations (M&A, joint ventures).

Incident Management

Systems and reporting procedures at the Group level for implementing measures that minimize the impact on various stakeholders in the event of an incident.

Business Continuity Management

Advanced planning and preparation to minimize the damage to our business assets in the event of an emergency while ensuring the continuity and early recovery of our core activities.

Enterprise Risk Management

Risks and uncertainties are unavoidable, but it doesn't mean we can't foresee and prevent incidents from happening. As our business expands, we encounter a plethora of potential risky events that may manifest into a full-blown catastrophe. Therefore, it is essential to integrate our identification, evaluation, and optimization of risk factors for the Rakuten Group as a whole, to ensure that we approach risk management holistically.
We define risk as "uncertainties that could affect our ability to achieve our business goals", and we manage them for the entire Rakuten Group by assessing the risk and the corresponding countermeasures taken at each organization and reporting to senior executive management. Click each step for more details.

Examples of Major Risks and Corresponding Responses

Below are examples of risks that are identified as top risk that may significantly impact Rakuten Group's business activities and their corresponding responses.

An entire list of risks could be found in our Annual Securities Report.

Incident Management

In the event of an incident, we have systems and reporting procedures in place at Group level for implementing measures that minimize the impact on various stakeholders by promptly identifying, assessing, and responding to the incident. Specifically, the type of incident and the degree of impact - such as financial losses, damages to users, and impact on business continuity and reputation - are evaluated, and responses are defined accordingly. Based on the information collected, we work to prevent the recurrence of incidents by investigating and examining the causes, planning, and implementing recurrence prevention measures, and monitoring their effectiveness.

Types of Incidents Managed
  • Information security, privacy
  • Information system
  • User communication
  • Campaign, Rakuten Points
  • Compliance
  • Accounting, finance
  • Personal and labor affairs
  • Damage to Rakuten property
  • Vandalism, life safety outside of Rakuten

Incident Management Process

  1. Incident Management
    Detect incident within organization and promptly prepare report
  2. Report
    Report within your organization and to GHQ based on severity of incident
  3. Resolve
    Implement appropriate measures to address incident; if necessary, work together with relevant headquarter departments
  1. Prevent
    The organization's incident management PIC/department shall cooperate with relevant GHQ departments to examine root causes, come up with recurrence prevention measures, and implement them
  2. Monitor
    After the incident has been resolved, track and record recurrence
  3. Yokoten
    Yokoten (best practice sharing) and knowledge relating to handling of incident to other organizations

Case Study

In 2021, we implemented an initiative called the Quality Control Circle, a bottom-up quality and productivity enhancement activity which empowers employees to take the initiative in solving problems on the front line. This has led to a reduction in incident recurrence thanks to analysis of causes, recurrence prevention plans and the strengthening of implementation processes.

Business Continuity Management

Our Business Continuity Management prepares ourselves in advance in the event of an emergency, aiming to build resilience against unprecedented threats and minimize the damage to our business assets while ensuring the continuity and early recovery of our core activities.
We have formulated our Business Continuity Plan (BCP) according to the steps outlined below.

  1. Risk Assessment
    Identify threats to consider
  2. Business Impact Analysis
    Identify priority businesses
  3. Operational Impact Analysis
    Identify the operations of priority and draft a list of operations which must be prioritized in emergencies
  4. Resource Analysis
    Identify resources to be delegated for priority operations
  5. Consideration of countermeasures and understanding issues
    Consider countermeasures (backup plans, etc.) and their effects on available resources
  6. Establishment of the Business Continuity Strategy
    Drafting the policy to address the issues identified during drafting the Business Continuity Plan (BCP)
  1. Consideration of structure and roles in times of crisis
    Create an emergency contact list and draft a list of bare minimum tasks to be done in the event of an emergency
  2. Establishment of the Annual Plan
    Clearly define the training phases, points to verify, training procedures, and the scope of the participants. Based on the results of the analysis in steps 3 through 5, identify matters that need to be addressed.Then draft a prospectus containing the reporting method used in evaluating these matters that need to be addressed and how often such reports should be submitted
  3. Documentation
    Document 1 through 8

Case Study

BCP against geopolitical risks

As our multinational business operates in unstable geopolitical circumstances, we must establish a robust crisis response system. In the case of the war in Ukraine, companies were encouraged to provide swift, humanitarian aid to employees in the disaster area and ensure business continuity in the midst of it. Having been on the front line of crisis response, we identified the importance of swift actions in unprecedented situations, as new idiosyncratic and unpredictable risks kept emerging while the situation escalated. The scenario of a geopolitical risk materializing led us to understand the need for preparatory actions.
As such, in 2022, we established a task force on geopolitical risks. Completed preparatory actions are below;

  • Emergency Supplies; We deployed emergency supplies (food, water, satellite phones) in various locations.
  • To-do List; We created and distributed a to-do list covering necessary actions to ensure employee safety and business continuity. The list includes the profile of the employees, their emergency contacts, the process of evacuation, etc.
  • Reporting Flow; We established a reporting flow to confirm employees' safety.
  • HR Guidelines; We prepared and distributed safety guidelines for all employees.
BCP against natural disasters

We reexamined our group-wide systems for information gathering and coordination to be able to respond swiftly to natural disasters, and we are continually assessing and improving these systems through the staging of regular drills.

BCP against COVID-19 pandemic

The Coronavirus Response Headquarters was promptly set up to collect and share information with our global offices in 2020. Each department had a clearly defined role in navigating through the uncertainties of the pandemic. Additionally, we formulated an Emergency Response Guideline at the Group level, which stipulates policies and responses per each phase of the pandemic.

Fostering Risk Culture

While an effective structure for risk management is essential, Rakuten believes that having a strong risk culture throughout the organization is critical. This starts with risk awareness among all employees, and to help promote a deeper understanding of unexpected scenarios and incidents that might lead to business interruptions, we provide risk management training for all new employees at the onboarding orientation and for newly promoted managers for the particular role they play regarding, for example, labor practice risks and in the reporting line in case of a crisis.
Asakai (company-wide, weekly meetings) is another important opportunity where regular updates on important risks such as ethics and compliance, climate change, information security are shared throughout the company. These sessions are, above all, for raising awareness and the collective sharing of ongoing initiatives and progress, presented with concrete case studies and data for future reference. Beyond the mentioned sessions, the Risk Management Department holds periodical briefings to explain the risk management structure and process within Rakuten.
Risk management is essential not only from operation perspectives but also from product compliance and safety perspectives and is therefore integrated into the design and development process. Risk criteria are explicitly embedded in three steps of the product development and approval process: the “Requirements Definition Phase,” “Test Phase,” and “Release Phase.”

This process is described in detail in our internal policies and also made available in the form of a checklist which must be completed before a product can be approved for release