Governance Risk Management
Main risks and the management of them
OAM defines and recognizes the risks related to the business of OJR and OAM in the “Risk Management Implementation Guidelines,” which are the internal rules of OAM, and performs risk management according to the characteristics of each risk. For example, to lower the risks related to human resources, OAM is implementing measures to provide a healthy and secure work environment by enhancing the vacation system and work style reforms. Other examples of the main risks, and their management methods, from among the risks defined and recognized by OAM are listed below.
| Risk Categories | Type of Risks |
|---|---|
| Environmental risk | Climate change risk, Resource/waste risk, Toxic substance risk, Risk related to the natural environment and biodiversity |
| Societal risk | Disaster risk, Human resources risk, Labor risk, Risk related to human rights violations/unfair labor practices, Risk related to handling complaints, Risk to customer satisfaction, Disclosure risk |
| Governance-related risk | Governance risk, Organizational/corporate culture risk, Compliance/legal risk, Information asset risk, IT/system risk, Tax accounting risk, Business partner risk, Risk related to office functions, Audit risk |
| Economic risk | Market/liquidity risk, Investment/operational risk, Strategic risk |
Risk Management System
Risk Management Structure
OAM has established a Compliance Department to oversee risk management. In addition, the Compliance Committee is chaired by the Compliance Officer and is composed of the President and CEO, an external committee member (an attorney with no interest in OAM), and the Director in charge of the Compliance Department. This committee receives reports on the status of risk management and formulates risk and compliance programs, etc. In addition, the Board of Directors approves the Risk and Compliance Program as discussed by the Compliance Committee. The approved Risk and Compliance Program is monitored, and once every six months its progress is reported to the Board of Directors. OAM has enhanced its risk management through this multi-layered system.
Risk Assessment Method
OAM’s “Risk Management Rule,” one of its internal rules, stipulates the basic risk management policies. The executive officer in charge of each department, including all directors and each department in OAM, identifies the content and occurrence frequency of the risks that should be managed, their degree of impact, the specifics of the current status of management, their management level and the responses to them, and puts all of this information together as a risk library (hereafter, “library”). After this, the director in charge of the Compliance Department examines the content of the library put together by the executive officer in charge of each department, including all directors and each department, selects the necessary items from a company-wide perspective, and formulates an annual Risk and Compliance Program. Based on this, we have established the PDCA cycle for risk management, which consists of risk inventory, recognition, and categorization (Plan) ⇒ selection of controls according to risk management policies (Do) ⇒ monitoring of residual risks (Check) ⇒ evaluation and improvement of controls (Action), and the Compliance Department evaluates whether or not the PDCA cycle is functioning properly.
When a risk becomes apparent, the necessary internal reports are made promptly according to the level of impact to minimize the damage and loss incurred by OJR and OAM.
In the event of a crisis, OAM will consider whether to establish a crisis management headquarters. If it is deemed necessary, the crisis management headquarters will be established, and from that headquarters OAM will collect and analyze information on the crisis; consider, decide on, and implement countermeasures; investigate the causes of the crisis; and consider, decide on, implement, and verify corrective measures and measures to prevent a recurrence.

Information Security Risk Management
ORIX Group recognizes that information security-related risks are an important management issue and strives to protect information and safely manage information assets appropriately.
Crisis Management System
Incident Management System
The ORIX Group has rules in place for addressing operational risk incidents and manages operational risk according to the degree of managerial impact.
Disaster Risk Management
BCP (Business Continuity Planning)
ORIX Group has established the Disaster Risk Management Rules, which define the basic approach, activities, and framework for systematic risk management in the event of a disaster, accident, or other unforeseen event.
