Operational Risk Management
Basic Approach
We define operational risk as the risk of losses that may be incurred resulting from inadequate or failed internal processes or systems, human error, or external events. We control operational risk management for the Mizuho group as a whole. Considering that operational risk includes information technology risk, operations risk, legal risk, human capital risk, tangible asset risk, and regulatory risk, we have separately determined the fundamental risk management policies for these different types of risk. We manage the operational risk associated with our principal banking subsidiaries and other core group companies while monitoring the state of group-wide operational risk.
| Definition | Principal risk management methods | ||
| Information technology risk |
Risk that customers may incur losses or our group companies may incur losses due to problems (e.g. malfunctions, disruptions, etc.) with the computer systems or improper use of the computers in these systems, which cause disruptions of the services provided to customers, or have significant impact on settlement systems, etc. |
|
|
| Cybersecurity risk | Risk that the group may incur losses due to the problems caused by a cyberattack, such as leakage or falsification, etc. of electronic data or the failure of the expected system functions. | ||
| Operations risk | Risk that customers may incur losses or the group may incur losses due to the disruption of services to customers or major incidents affecting settlement systems, etc., as a result of inadequate operations caused by fraudulent acts, errors or negligence, etc., of senior executives or employees, or inadequacies in the operational structure itself. |
|
|
| Legal risk | Risk that the group may incur losses due to violation of laws and regulations, breach of contract, entering into improper contracts or, other legal factors. |
|
|
| Human capital risk | Risk that the group may incur losses due to turnover or loss of personnel, deterioration of morale, inadequate development of personnel, inappropriate working schedules, inappropriate working and safety environment, inequality or inequity in human resource management, or discriminatory conduct. |
|
|
| Tangible asset risk | Risk that the group may incur losses from damage to tangible assets or a decline in the quality of the working environment as a result of disasters, criminal actions, or defects in asset maintenance. |
|
|
| Regulatory risk | Risk that the group may incur losses due to changes in various regulations or systems, such as those related to law, taxation, and accounting. |
|
|
We also recognize and manage information security risk and compliance risk, which constitute a combination of more than one of the above components, as operational risk.
Operational Risk Management Structure
Our Board of Directors determines basic matters pertaining to operational risk management policies. The Risk Management Committee of Mizuho Financial Group broadly discusses and coordinates matters relating to basic policies in connection with operational risk management, operational risk operations, and operational risk monitoring. The Group CRO is responsible for matters relating to operational risk management planning and operations. The Risk Management Department of Mizuho Financial Group is responsible for monitoring market risk, reporting and analyzing, making proposals, setting limits and guidelines, and formulating and implementing plans relating to operational risk management.
The Mizuho Financial Group manages the operational risk conditions of the entire group based on reports from the core group companies regarding their operational risk management. In particular, companies for which the impact of operational risk is deemed to be high set their own basic policies, similar to the Mizuho Financial Group itself, and the board of directors of the individual company determines important matters regarding operational risk management.
Operational Risk Management Method
To manage operational risk, we set common rules for data gathering to develop various databases shared by the group and measure operational risk as operational VAR on a regular basis, taking into account possible future loss events and changes in the business environment and internal management.
We have established and are strengthening management methods and systems to appropriately identify, assess, measure, monitor, and control the operational risks that arise from the growing sophistication and diversification of financial operations and developments relating to information technology by utilizing control self-assessments and improving measurement methods.
Control Self-assessments
An autonomous method of risk management in which risk inherent in operations is identified and, after evaluating and monitoring risks that remain despite implementing risk control, the necessary measures are implemented to reduce risk.
Definition of Risks and Risk Management Methods
As shown in the table on the previous page, we have defined each component of operational risk, and we apply appropriate risk management methods in accordance with the scale and nature of each risk.
Measurement of Operational Risk Equivalent
1. Implementation of the Advanced Measurement Approach (AMA)
We have adopted the AMA for the calculation of operational risk equivalent in association with capital adequacy ratios based on the Basel Accords. However, we use the Basic Indicator Approach for entities that are deemed to be less important in the measurement of operational risk equivalent.
The measurement results under the AMA are used not only as the operational risk equivalent in the calculation of capital adequacy ratios but also as Operational VAR for internal risk management purposes for implementing action plans to reduce operational risk, and other countermeasures.
2. Outline of the AMA
Outline of the Measurement System
We have established our model by taking into account four elements: internal loss data; external loss data; scenario analysis and business environment; and internal control factors (BEICFs). We calculate the operational risk amount by estimating the maximum loss, using a 99.9th percentile one-tailed confidence interval and a one-year holding period as operational risk equivalent, employing both internal loss data (i.e., actually experienced operational loss events), and scenario data to reflect unexperienced potential future loss events in the measurement.
In the measurement of operational risk equivalent as of March 31, 2023, we did not exclude expected losses and also did not recognize the risk mitigating impact of insurance. In addition, we did not take into account the events related to credit risk in measuring operational risk equivalent.
Outline of Measurement Model
Operational risk equivalent is calculated as a simple sum of those risk amounts related to the seven loss event types defined in the Capital Adequacy Notice from Japan's Financial Services Agency, large-scale natural disasters, and litigation. In the measurement of operational risk equivalent as of March 31, 2023, we did not reflect the correlation effects among operational risk related to each of the seven loss event types.
Operational Risk by Loss Event Type
Loss Distribution (Compound Poisson Distribution) Approach (LDA) is adopted for the calculation of operational risk. LDA is based on the assumption that Poisson Distribution applies to the occurrence frequency of operational risk events, and loss severity is expressed through a separate distribution. Operational risk is calculated for each of the seven loss event types employing both internal loss data, based on our actual experience as operational loss events, and scenario data. Scenario data, expressed as numerical values of occurrence frequency and loss severity, reflects external loss data and BEICFs, in order to estimate unexperienced potential future loss events (of low frequency and high severity).
Frequency Distribution and Severity Distribution are estimated employing the above mentioned internal loss data and scenario data, and Monte-Carlo simulations are then applied to these distributions to measure operational risk. The detailed steps of creation of scenario data are explained later in the Scenario Analysis.
Estimation of Frequency Distribution and Loss Severity Distribution
Frequency Distribution is estimated by applying information on occurrence frequency of both internal loss data and scenario data to Poisson Distribution. Loss Severity Distribution is generated as the result of combining, through a statistical approach (Extreme Value Theory), of the actual distribution for the low severity distribution portion created by internal loss data and another loss distribution (Log-normal Distribution or Generalized Pareto Distribution) for the high severity distribution portion created by scenario data.
Operational Risk of Large-scale Natural Disasters
Monte-Carlo simulation is applied to the datasets expressed as a combination of the probability of occurrence of large-scale natural disasters and the probable loss amount in case of such occurrence, as opposed to estimating Frequency Distribution and Loss Severity Distribution.
Operational Risk of Litigation
Each litigation is converted into data according to the profile of the individual litigation to which Monte-Carlo simulation is applied, as opposed to estimating Frequency Distribution and Loss Severity Distribution.
Verification
We confirm the appropriateness of the measurement model by verifying it, in principle, semi-annually.
3. Scenario Analysis
Outline of Scenario Analysis
In the process of scenario analysis, scenario data is created as numerical values of occurrence frequency and loss severity reflecting external loss data and BEICFs, in order to estimate unexperienced potential future operational risk events (of low frequency and high severity).
As for external loss data, we refer to data publicly reported by domestic and overseas media, and such data are reflected in the estimation of occurrence frequency and Loss Severity Distribution in the process of scenario analysis. In addition, BEICFs are utilized as indices to adjust occurrence frequency and Loss Severity Distribution in the process of scenario analysis.
We categorize scenario analysis into four approaches in accordance with the characteristics of each loss event type and risk management structures.
| Approach | Loss event type(s) to be applied |
| A | Internal fraud / external fraud / clients, products, and business practices / execution, delivery, and process management |
| B | Employment practices and workplace safety |
| C | Damage to physical assets |
| D | Business disruption and system failure |
At Mizuho Financial Group, loss event types to which Approach A is applied account for a considerable amount of operational risk. The detailed process of Approach A is explained here as a typical example of scenario analysis.
Setting Units for Scenario Analysis
In order to ensure completeness and sufficiency, we set units that are commonly applied across group entities that adopt AMA (the "Group Entities") by referencing and categorizing risk scenarios recognized through control self-assessment, internal loss data of the Group Entities, external loss data, etc. Then each of the Group Entities selects the unit on which scenario analysis is conducted from the units established on a group-wide basis in accordance with its business activities and operational risk profile.
Estimation of Occurrence Frequency
Basic occurrence frequency (once a year) is calculated for each scenario analysis unit. If a certain scenario analysis unit has relevant internal loss data of a pre-determined threshold amount or above, its basic occurrence frequency is calculated based on such data, and if not, the basic occurrence frequency (the occurrence frequency per year of losses at or above a pre-determined threshold) is calculated with reference to the situation of occurrence of internal loss data of less than the threshold amount and/or external loss data. The basic occurrence frequency is then adjusted within a pre-determined range for the purpose of reflecting the most recent BEICFs to determine the final occurrence frequency.
Estimation of Loss Severity Distribution
In order to estimate Loss Severity Distribution, we use a pre-determined series of severity ranges. Basic Loss Severity Distribution is calculated for each scenario analysis unit as an occurrence ratio (in percentile figures) of loss at each severity range when losses at or above a pre-determined threshold occurred, with reference to transaction amount data, external loss data, etc. Then the basic severity distribution is adjusted, if necessary, from the viewpoint of statistical data processing to determine the final Loss Severity Distribution.
Creation of Scenario Data
For each scenario analysis unit, scenario data is generated as a series of combinations of occurrence frequency per year at each severity range, based on the final occurrence frequency and the final Loss Severity Distribution.
Example of Scenario Data
