Risk Management
Rakuten's Approach
Being a company with over 70 businesses traversing the world, it is extremely important that we are always prepared for any uncertainties. Companies could face various threats and risks with ongoing changes in society due to natural catastrophes, accidents, financial uncertainty, or macroeconomic affairs. To nullify the impact of even a minor event and to avoid a catastrophic outcome and maximize opportunities, we have established a robust management system to identify potential threats and address risks.
Management System
Under the Group-wide regulations on risk management, we have developed a risk management system consisting of a PDCA cycle for identifying risks, formulating,
and implementing countermeasures in accordance with their significance, and monitoring the results. The Group Risk Compliance Committee meets four times a year
to discuss the status of implemented measures for cross-group risks. The major issues addressed in the Committee meetings are reported to the management through
the important meetings. Particularly critical risks are reported to the Board of Directors.
Our risk management system stands on three key pillars:
Enterprise Risk Management (ERM), Incident Management, and Business Continuity Management (BCM). A broad three-pillar framework are supported by a strong risk
culture and monitoring mechanism that targets potential anomalies and malicious actors.

Enterprise Risk Management
Identify and assess actual and potential adverse human rights impacts we may cause in our operations. This is achieved by understanding the specific implications for people in particular contexts. The assessment covers our existing operations, value chain (suppliers, customers) and new business relations (M&A, joint ventures).
Incident Management
Systems and reporting procedures at the Group level for implementing measures that minimize the impact on various stakeholders in the event of an incident.
Business Continuity Management
Advanced planning and preparation to minimize the damage to our business assets in the event of an emergency while ensuring the continuity and early recovery of our core activities.
Enterprise Risk Management
Risks and uncertainties are unavoidable, but it doesn't mean we can't foresee and prevent incidents from happening. As our business expands, we encounter a
plethora of potential risky events that may manifest into a full-blown catastrophe. Therefore, it is essential to integrate our identification, evaluation, and
optimization of risk factors for the Rakuten Group as a whole, to ensure that we approach risk management holistically.
We define risk as "uncertainties
that could affect our ability to achieve our business goals", and we manage them for the entire Rakuten Group by assessing the risk and the corresponding
countermeasures taken at each organization and reporting to senior executive management. Click each step for more details.

Examples of Major Risks and Corresponding Responses
Below are examples of risks that are identified as top risk that may significantly impact Rakuten Group's business activities and their corresponding responses.
-
Legal Compliance
-
Natural Disaster and Infectious Diseases
-
Information Security
An entire list of risks could be found in our Annual Securities Report.
Incident Management
In the event of an incident, we have systems and reporting procedures in place at Group level for implementing measures that minimize the impact on various stakeholders by promptly identifying, assessing, and responding to the incident. Specifically, the type of incident and the degree of impact - such as financial losses, damages to users, and impact on business continuity and reputation - are evaluated, and responses are defined accordingly. Based on the information collected, we work to prevent the recurrence of incidents by investigating and examining the causes, planning, and implementing recurrence prevention measures, and monitoring their effectiveness.
Types of Incidents Managed
- Information security, privacy
- Information system
- User communication
- Campaign, Rakuten Points
- Compliance
- Accounting, finance
- Personal and labor affairs
- Damage to Rakuten property
- Vandalism, life safety outside of Rakuten
Incident Management Process
-
Incident Management
Detect incident within organization and promptly prepare report -
Report
Report within your organization and to GHQ based on severity of incident -
Resolve
Implement appropriate measures to address incident; if necessary, work together with relevant headquarter departments
-
Prevent
The organization's incident management PIC/department shall cooperate with relevant GHQ departments to examine root causes, come up with recurrence prevention measures, and implement them -
Monitor
After the incident has been resolved, track and record recurrence -
Yokoten
Yokoten (best practice sharing) and knowledge relating to handling of incident to other organizations
Case Study
In 2021, we implemented an initiative called the Quality Control Circle, a bottom-up quality and productivity enhancement activity which empowers employees to take the initiative in solving problems on the front line. This has led to a reduction in incident recurrence thanks to analysis of causes, recurrence prevention plans and the strengthening of implementation processes.
Business Continuity Management
Our Business Continuity Management prepares ourselves in advance in the event of an emergency, aiming to build resilience against unprecedented threats and
minimize the damage to our business assets while ensuring the continuity and early recovery of our core activities.
We have formulated our Business
Continuity Plan (BCP) according to the steps outlined below.
- Risk Assessment
Identify threats to consider - Business Impact Analysis
Identify priority businesses -
Operational Impact Analysis
Identify the operations of priority and draft a list of operations which must be prioritized in emergencies - Resource Analysis
Identify resources to be delegated for priority operations -
Consideration of countermeasures and understanding issues
Consider countermeasures (backup plans, etc.) and their effects on available resources -
Establishment of the Business Continuity Strategy
Drafting the policy to address the issues identified during drafting the Business Continuity Plan (BCP)
-
Consideration of structure and roles in times of crisis
Create an emergency contact list and draft a list of bare minimum tasks to be done in the event of an emergency -
Establishment of the Annual Plan
Clearly define the training phases, points to verify, training procedures, and the scope of the participants. Based on the results of the analysis in steps 3 through 5, identify matters that need to be addressed.Then draft a prospectus containing the reporting method used in evaluating these matters that need to be addressed and how often such reports should be submitted - Documentation
Document 1 through 8
Case Study
BCP against geopolitical risks
As our multinational business operates in unstable geopolitical circumstances, we must establish a robust crisis response system. In the case of the
war in Ukraine, companies were encouraged to provide swift, humanitarian aid to employees in the disaster area and ensure business continuity in the
midst of it. Having been on the front line of crisis response, we identified the importance of swift actions in unprecedented situations, as new
idiosyncratic and unpredictable risks kept emerging while the situation escalated. The scenario of a geopolitical risk materializing led us to
understand the need for preparatory actions.
As such, in 2022, we established a task force on geopolitical risks. Completed preparatory
actions are below;
- Emergency Supplies; We deployed emergency supplies (food, water, satellite phones) in various locations.
- To-do List; We created and distributed a to-do list covering necessary actions to ensure employee safety and business continuity. The list includes the profile of the employees, their emergency contacts, the process of evacuation, etc.
- Reporting Flow; We established a reporting flow to confirm employees' safety.
- HR Guidelines; We prepared and distributed safety guidelines for all employees.
BCP against natural disasters
We reexamined our group-wide systems for information gathering and coordination to be able to respond swiftly to natural disasters, and we are continually assessing and improving these systems through the staging of regular drills.
BCP against COVID-19 pandemic
The Coronavirus Response Headquarters was promptly set up to collect and share information with our global offices in 2020. Each department had a clearly defined role in navigating through the uncertainties of the pandemic. Additionally, we formulated an Emergency Response Guideline at the Group level, which stipulates policies and responses per each phase of the pandemic.
Fostering Risk Culture
While an effective structure for risk management is essential, Rakuten believes that having a strong risk culture throughout the organization is critical. This
starts with risk awareness among all employees, and to help promote a deeper understanding of unexpected scenarios and incidents that might lead to business
interruptions, we provide risk management training for all new employees at the onboarding orientation and for newly promoted managers for the particular role
they play regarding, for example, labor practice risks and in the reporting line in case of a crisis.
Asakai (company-wide, weekly meetings) is another
important opportunity where regular updates on important risks such as ethics and compliance, climate change, information security are shared throughout the
company. These sessions are, above all, for raising awareness and the collective sharing of ongoing initiatives and progress, presented with concrete case
studies and data for future reference. Beyond the mentioned sessions, the Risk Management Department holds periodical briefings to explain the risk management
structure and process within Rakuten.
Risk management is essential not only from operation perspectives but also from product compliance and safety
perspectives and is therefore integrated into the design and development process. Risk criteria are explicitly embedded in three steps of the product
development and approval process: the “Requirements Definition Phase,” “Test Phase,” and “Release Phase.”
- Requirements Definition: initial risk analysis
- Test Phase: any remaining risks are identified, and remediation plans with deadlines are devised
- Release Phase: anticipated risks upon release of the product are clarified
This process is described in detail in our internal policies and also made available in the form of a checklist which must be completed before a product can be approved for release