Risk Management

Rakuten's Approach

As a company with over 70 businesses spanning the world, it is extremely important that we are always prepared for any uncertainties. Companies could face various threats and risks with ongoing changes in society due to natural catastrophes, accidents, financial uncertainty, or macroeconomic affairs. To nullify the impact of even a minor event, avoid a catastrophic outcome, and maximize opportunities, we have established a robust management system to identify potential threats and address risks.

Management System

At Rakuten Group, we are committed to risk management to achieve sustainable development amidst rapid changes in the business and social environment. Our risk management system is built on three key pillars: Enterprise Risk Management (ERM), Incident Management, and Business Continuity Management (BCM). Under the Group-wide regulations on risk management, we have developed a system that follows a PDCA cycle for identifying risks, formulating and implementing countermeasures based on their significance, and monitoring the results.

For cross-group risks, the status of countermeasures is reported and discussed at the Group Risk and Compliance Committee, chaired by the Group COO (Chief Operating Officer), which meets four times a year. Significant issues addressed in the Committee meetings are reported to management and particularly critical risks are reported to the Board of Directors. Additionally, the Internal Audit Department independently audits the compliance status of Rakuten Group, Inc., and its group companies with laws and internal regulations, periodically reporting its findings to the Rakuten Group, Inc. Board of Directors.

Enterprise Risk Management

Identify and assess actual and potential adverse human rights impacts we may cause in our operations. This is achieved by understanding the specific implications for people in particular contexts. The assessment covers our existing operations, value chain (suppliers, customers) and new business relations (M&A, joint ventures).

Incident Management

Systems and reporting procedures at the Group level for implementing measures that minimize the impact on various stakeholders in the event of an incident.

Business Continuity Management

Advanced planning and preparation to minimize the damage to our business assets in the event of an emergency while ensuring the continuity and early recovery of our core activities.

Enterprise Risk Management

Rakuten Group operates a wide range of businesses both domestically and internationally. As our business expands, we encounter numerous potential risks that could escalate into significant issues. We define risk as “uncertainty that may affect the achievement of management objectives” and we have implemented Enterprise Risk Management (ERM) to enhance the likelihood of achieving these objectives. We mitigate these risks across the entire Rakuten Group by identifying and assessing risks and the corresponding countermeasures taken at each organization, and reporting to management to facilitate accurate business decisions and operations. The process consists of the following steps:

  • Risk Identification & Evaluation
  • Action Planning
  • Monitoring
  • Execution

Examples of Major Risks and Corresponding Responses

Below are examples of risks identified as top risks that may significantly impact Rakuten Group's business activities, along with their corresponding responses.

Legal Compliance
  Risk scenario and details: Our diverse businesses are subject to domestic and international laws and regulations, which may impact the Group's operational efficiency, financial results, cost-structure, or business framework in the region we operate. The Group Chief Compliance Officer (CCO) and the Company Compliance Officer appointed at each internal company promote Group-wide compliance initiatives.
  Likelihood: Medium~High
  Impact: Medium

Natural Disaster and Infectious Diseases
  Risk scenario and details: Natural disasters, such as earthquakes, typhoons, tsunamis and pandemics can significantly hinder our day-to-day operations and pose a threat to the health and well-being of our stakeholders. We minimize these risks by formulating business continuity plans (BCP), further strengthened by safety drills and information system backups.
  Likelihood: Low~Medium
  Impact: Large

Information Security
  Risk scenario and details: Providing a wide range of services online comes with the possibility of failing to ensure stable system connectivity, availability, or information integrity due to malicious attacks. We established an Information Security Management System (ISMS) and acquired ISO/IEC27001 certification. We comply with domestic and international laws and regulations on personal information protection.
  Likelihood: Medium~High
  Impact: Medium

Definitions of Likelihood / Impact

Likelihood (evaluation reference criteria: frequency of occurrence)
  • High: Occurs multiple times per year
  • Medium: Occurs approximately once per year
  • Low: Occurs approximately once every several years

Impact (evaluation reference criteria: impact on the business)
  • Large: Critical and intolerable
  • Medium: Severe but tolerable
  • Small: Significant yet limited

We have also implemented a system to identify emerging risks, which are potential risks that could have a significant impact on the Group from a medium- to long-term perspective due to environmental changes. We promptly take appropriate measures in response to any indications of changes in these risks. Here are some examples:

Geopolitical Risks
  Description: Military conflicts or blockades in neighboring countries can broadly impact political and economic stability and supply chains. This can result in revenue losses, reduced market share in the region and threats to employee safety.
  Mitigating actions: In light of these geopolitical risks, we are preparing for emergency situations by diversifying suppliers, developing regional business continuity plans (BCP), and conducting crisis response drills.

Emergence of New Technologies
  Description: Failure to respond appropriately to risks associated with cutting-edge technologies, such as uncontrollable systems or information leaks due to breaches of current data protection methods, could result in a loss of trust in the Rakuten Group and significantly impact business results.
  Mitigating actions: Similar to generative AI, while new technologies hold great potential for advancements in various fields, we must understand and mitigate the associated risks. We are implementing measures such as establishing guidelines and providing education to employees.

Declining Workforce
  Description: If we fail to adequately adapt to demographic changes and the diversification of work styles and are unable to secure and retain human resources, it could lead to a decline in organizational performance and impact business growth.
  Mitigating actions: In addition to global talent recruitment efforts and company-wide AI-nization initiatives, we are implementing various measures to foster corporate culture and enhance employee engagement.

A complete list of risks can be found in our Annual Securities Report.

Incident Management

In the event of an incident, we have systems and reporting procedures in place at Group level for implementing measures that minimize the impact on various stakeholders by promptly identifying, assessing, and responding to the incident. Specifically, the type of incident and the degree of impact - such as financial losses, damages to users, and impact on business continuity and reputation - are evaluated, and responses are defined accordingly. Based on the information collected, we work to prevent the recurrence of incidents by investigating and examining the causes, planning and implementing recurrence prevention measures, and monitoring their effectiveness.

Types of Incidents Managed
  • Information security, privacy
  • Information system
  • User communication
  • Campaign, Rakuten Points
  • Compliance
  • Accounting, finance
  • Personal and labor affairs
  • Damage to Rakuten property
  • Vandalism, life safety outside of Rakuten

Incident Management Process

  1. Incident Management
    Detect incident within organization and promptly prepare report
  2. Report
    Report within your organization and to GHQ based on severity of incident
  3. Resolve
    Implement appropriate measures to address incident; if necessary, work together with relevant headquarter departments
  4. Prevent
    The organization's incident management PIC/department shall cooperate with relevant GHQ departments to examine root causes, come up with recurrence prevention measures, and implement them
  5. Monitor
    After the incident has been resolved, track and record recurrence
  6. Yokoten
    Share Yokoten (best practice sharing) and knowledge relating to the handling of the incident with other organizations

Case Study

In 2021, we implemented an initiative called the Quality Control Circle, a bottom-up quality and productivity enhancement activity which empowers employees to take the initiative in solving problems on the front line. This has led to a reduction in incident recurrence thanks to analysis of causes, recurrence prevention plans and the strengthening of implementation processes.

Business Continuity Management

Our Business Continuity Management prepares us in advance for emergencies, aiming to build resilience against unprecedented threats and minimize the damage to our business assets while ensuring the continuity and early recovery of our core activities.
We have formulated our Business Continuity Plan (BCP) according to the steps outlined below.

  1. Risk Assessment
    Identify threats to consider
  2. Business Impact Analysis
    Identify priority businesses
  3. Operational Impact Analysis
    Identify the operations of priority and draft a list of operations which must be prioritized in emergencies
  4. Resource Analysis
    Identify resources to be delegated for priority operations
  5. Consideration of countermeasures and understanding issues
    Consider countermeasures (backup plans, etc.) and their effects on available resources
  6. Establishment of the Business Continuity Strategy
    Drafting the policy to address the issues identified during drafting the Business Continuity Plan (BCP)
  7. Consideration of structure and roles in times of crisis
    Create an emergency contact list and draft a list of bare minimum tasks to be done in the event of an emergency
  8. Establishment of the Annual Plan
    Clearly define the training phases, points to verify, training procedures, and the scope of the participants. Based on the results of the analysis in steps 3 through 5, identify matters that need to be addressed. Then draft a prospectus containing the reporting method used in evaluating these matters that need to be addressed and how often such reports should be submitted
  9. Documentation
    Document 1 through 8

Case Study

BCP against geopolitical risks

As our multinational business operates in unstable geopolitical circumstances, we must establish a robust crisis response system. With geopolitical risks such as the Ukraine crisis, the worsening situation in the Middle East, and a potential emergency in Taiwan in mind, we are strengthening our overseas crisis information gathering and coordination systems, while also advancing the deployment of necessary emergency supplies. Additionally, through various training and drills, we are continuously working to establish and improve initial response processes overseas, striving to build a global system capable of responding to a wide range of unpredictable risks.

BCP against natural disasters

We are strengthening our BCP initiatives to respond to natural disasters, including frequent large-scale earthquakes, by reviewing our group-wide information gathering and coordination systems to ensure swift response during a crisis. Crisis response drills are conducted regularly to verify and improve these measures. Additionally, in preparation for a major disaster that could halt societal infrastructure in the Tokyo metropolitan area, we are advancing the establishment of systems to substitute headquarters functions from outside the metropolitan area and promoting BCP initiatives based on a wide range of scenarios. In recent efforts, we are enhancing our BCP/BCM systems to ensure appropriate decision-making at the Group level for the entire response process, from initial response at the time of the disaster to business continuity and early recovery.

Fostering Risk Culture

While an effective risk management structure is crucial, Rakuten recognizes the utmost importance of fostering a strong risk culture across the entire organization. This starts by cultivating risk awareness among all employees. To ensure a deep understanding of unexpected scenarios and incidents that might lead to business interruptions, we provide risk management training to all new employees during onboarding orientation. Newly promoted managers receive training tailored to their specific roles, such as addressing labor practice risks and understanding their reporting procedures in case of a crisis.
Additionally, the Board of Directors is regularly educated on developments in Rakuten's enterprise risk management methodology and major risks identified through its risk assessment.
Asakai (company-wide, weekly meetings) is another important opportunity to share regular updates on important risks such as ethics and compliance, climate change, and information security throughout the company. These sessions are primarily for raising awareness and collectively sharing ongoing initiatives and progress, presented with concrete case studies and data for future reference. Beyond these sessions, the Risk Management Department holds periodic briefings to explain the risk management structure and process within Rakuten.
Additionally, at Rakuten, elements of risk management are incorporated into the evaluation criteria, influencing the assessment and compensation of employees. Employees are evaluated twice a year based on their demonstrated competencies, and the results of their evaluation are reflected in their salary. For Rakuten Group, Inc., these competencies and examples for each grade are presented in handbooks which mention risk management responsibilities such as identifying and mitigating risks in business operations. For employees and executives who have roles in addressing important risks as stated above, the achievement of risk-related goals is also included in their performance evaluations, which in turn influences their bonus amount.
Risk management is essential not only from operational perspectives but also from product compliance and safety perspectives and is therefore integrated into the design and development process. Risk criteria are explicitly embedded in three steps of the product development and approval process: the "Requirements Definition Phase," "Test Phase," and "Release Phase."

This process is described in detail in our internal policies and is also made available in the form of a checklist which must be completed before a product can be approved for release.