Operational risk management

Basic approach

We define operational risk as the risk of losses that may be incurred resulting from inadequate or failed internal processes or systems, human error, or external events. We control operational risk management for the Mizuho group as a whole. Considering that operational risk includes information technology risk, operations risk, legal risk, human capital risk, tangible asset risk, regulatory risk, and reputational risk, we have separately determined the fundamental risk management policies for these different types of risk. We manage the operational risk associated with our principal banking subsidiaries and other core group companies while monitoring the state of group–wide operational risk.

Operational risk management structure

Our Board of Directors determines basic matters pertaining to operational risk management policies. The Risk Management Committee of Mizuho Financial Group broadly discusses and coordinates matters relating to basic policies in connection with operational risk management, operational risk operations, and operational risk monitoring. The Group Chief Risk Officer of Mizuho Financial Group is responsible for matters relating to operational risk management planning and operations. The Risk Management Department of Mizuho Financial Group is responsible for monitoring market risk, reporting and analysing, making proposals, setting limits and guidelines, and formulating and implementing plans relating to operational risk management.

Our principal banking subsidiaries and core group companies establish their basic policies on operational risk management, and their Boards of Directors determine important matters relating to operational risk management.

Operational risk management method

To manage operational risk, we set common rules for data gathering to develop various databases shared by the group and measure operational risk as operational VAR on a regular basis, taking into account possible future loss events and changes in the business environment and internal management.

We have established and are strengthening management methods and systems to appropriately identify, assess, measure, monitor, and control the operational risks that arise from the growing sophistication and diversification of financial operations and developments relating to information technology by utilizing control self–assessments and improving measurement methods.

Control self–assessments

An autonomous method of risk management in which risk inherent in operations is identified and, after evaluating and monitoring risks that remain despite implementing risk control, the necessary measures are implemented to reduce risk.

Information technology risk
Definition: Information technology risk ("IT risk") shall refer to the risk that problems (e.g. malfunctions, disruptions, etc.) with the computer systems or improper use of the computers in these systems, which cause disruptions of the services provided to customers, or have significant impact on settlement systems, etc., will result in losses for customers, and the incurrence of losses (tangible or intangible) by our group companies.
Principal risk management methods:
  • Identify and evaluate the risk by setting specific standards that need to be complied with and implementing measures tailored based on evaluation results to reduce the risk.
  • Ensure ongoing project management in systems development and quality control.
  • Strengthen security to prevent information leaks.
  • Strengthen capabilities for rapidly and effectively dealing with cyberattacks.
  • Improve effectiveness of emergency responses by improving backup systems and holding drills.

Operations risk
Definition: Risk that customers may suffer service disruptions, as well as the risk that customers or the group may incur losses because senior executives or employees fail to fulfill their tasks properly, cause accidents, or otherwise act improperly.
Principal risk management methods:
  • Establish clearly defined procedures for handling operations.
  • Periodically check the status of operational processes.
  • Conduct training and development programs led by Head Office.
  • Introduce information technology, office automation, and centralization for operations.
  • Improve the effectiveness of emergency responses by holding drills.

Legal risk
Definition: Risk that the group may incur losses due to violation of laws and regulations, breach of contract, entering into improper contracts, or other legal factors.
Principal risk management methods:
  • Review and confirm legal issues, including the legality of material decisions, agreements and external documents, etc.
  • Collect and distribute legal information and conduct internal training programs.
  • Analyze and manage issues related to lawsuits.

Human capital risk
Definition: Risk that the group may incur losses due to turnover or loss of personnel, deterioration of morale, inadequate development of personnel, inappropriate working schedules, inappropriate working and safety environment, inequality or inequity in human resource management, or discriminatory conduct.
Principal risk management methods:
  • Conduct employee satisfaction surveys.
  • Understand the status of working hours.
  • Understand the status of vacation days taken by personnel.
  • Understand the status of voluntary resignations.
  • Understand the status of the stress check system.

Tangible asset risk
Definition: Risk that the group may incur losses from damage to tangible assets or a decline in the quality of the working environment as a result of disasters, criminal actions, or defects in asset maintenance.
Principal risk management methods:
  • Manage the planning and implementation of construction projects related to the repair and replacement of facilities.
  • Identify and evaluate the status of damage to tangible assets caused by natural disasters or other causes, and respond appropriately to such damage.

Regulatory risk
Definition: Risk that the group may incur losses due to changes in various regulations or systems, such as those related to law, taxation, and accounting.
Principal risk management methods:
  • Understand important changes in regulations or systems that have significant influence on our business operations or financial condition in a timely and accurate manner.
  • Analyze degree of influence of regulatory changes and establish countermeasures.
  • Continuously monitor our regulatory risk management mentioned above.

Reputational risk
Definition: Risk that the group may incur losses due to damage to our credibility or the value of the "Mizuho" brand when market participants or others learn about, or the media reports on, various adverse events, including actual materialization of risks or false rumors.
Principal risk management methods:
  • Establish framework to identify and manage, on an integrated basis, information that may have a serious impact on group management and respond to such risk in a manner appropriate to its scale and nature.
  • Swiftly identify rumors and devise appropriate responses depending on the urgency and possible impact of the situation to minimize possible losses.

We also recognize and manage information security risk and compliance risk, which constitute a combination of more than one of the above components, as operational risk.

Definition of risks and risk management methods

As shown in the above table, we have defined each component of operational risk, and we apply appropriate risk management methods in accordance with the scale and nature of each risk.

Measurement of operational risk equivalent

1. Implementation of the Advanced Measurement Approach (AMA)

We have adopted the AMA for the calculation of operational risk equivalent in association with capital adequacy ratios based on the Basel Accords. However, we use the Basic Indicator Approach for entities that are deemed to be less important in the measurement of operational risk equivalent. Entities within our group that use the AMA include the following: Mizuho Financial Group; Mizuho Bank, Ltd.; Mizuho Trust & Banking Co., Ltd.; Mizuho Securities; Mizuho Information & Research Institute, Inc.; Mizuho Operation Service, Ltd.; Mizuho Credit Guarantee Co., Ltd.; Mizuho Business Service Co., Ltd.; Mizuho Trust Operations Co., Ltd.; Mizuho Trust Systems Co., Ltd.; Mizuho Trust Business Operations Co., Ltd.; Mizuho Trust Retail Support Co., Ltd.; Mizuho Bank Europe N.V.; and Mizuho International plc.

The measurement results under the AMA are used not only as the operational risk equivalent in the calculation of capital adequacy ratios but also as Operational VAR for internal risk management purposes for implementing action plans to reduce operational risk, and other countermeasures.

2. Outline of the AMA

Outline of the measurement system

We have established our model by taking account of four elements: internal loss data; external loss data; scenario analysis; and business environment and internal control factors (BEICFs). We calculate the operational risk amount by estimating the maximum loss, using a 99.9th percentile one–tailed confidence interval and a one–year holding period as operational risk equivalent, employing both internal loss data (i.e., actually experienced operational loss events) and scenario data to reflect unexperienced potential future loss events in the measurement.

In the measurement of operational risk equivalent as of March 31, 2018, we did not exclude expected losses and also did not recognize the risk mitigating impact of insurance. In addition, we did not take into account the events related to credit risk in measuring operational risk equivalent.

Outline of measurement model

Operational risk equivalent is calculated as a simple sum of those risk amounts related to the seven loss event types defined in the Capital Adequacy Notice from Japan's Financial Services Agency, large–scale natural disasters, and litigation. In the measurement of operational risk equivalent as of March 31, 2018, we did not reflect the correlation effects among operational risk related to each of the seven loss event types.

[Figure: Outline of measurement model]

Operational risk by loss event type

Loss Distribution (Compound Poisson Distribution) Approach (LDA) is adopted for the calculation of operational risk. LDA is based on the assumption that Poisson Distribution applies to the occurrence frequency of operational risk events, and loss severity is expressed through a separate distribution. Operational risk is calculated for each of the seven loss event types employing both internal loss data, based on our actual experience as operational loss events, and scenario data. Scenario data, expressed as numerical values of occurrence frequency and loss severity, reflects external loss data and BEICFs, in order to estimate unexperienced potential future loss events (of low frequency and high severity).

Frequency Distribution and Severity Distribution are estimated employing the above–mentioned internal loss data and scenario data, and Monte–Carlo simulations are then applied to these distributions to measure operational risk. The detailed steps for creating scenario data are explained later under Scenario analysis.

Estimation of Frequency Distribution and Loss Severity Distribution

Frequency Distribution is estimated by applying information on occurrence frequency of both internal loss data and scenario data to Poisson Distribution. Loss Severity Distribution is generated by combining, through a statistical approach (Extreme Value Theory), the actual distribution for the low severity portion created from internal loss data with another loss distribution (Log–normal Distribution or Generalized Pareto Distribution) for the high severity portion created from scenario data.
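The loss distribution approach described above can be sketched as follows. This is an added example, not Mizuho's model: every figure (internal losses, scenario frequencies, threshold, Generalized Pareto parameters) is constructed, and merging the body and tail frequencies into a single Poisson rate is an assumption of this sketch.

```python
import math
import random

# All figures are constructed for illustration (units: JPY millions).
INTERNAL_LOSSES = [0.2, 0.3, 0.5, 0.8, 1.1, 1.5, 2.4, 3.0, 4.2, 6.5]
BODY_FREQ = 25.0     # observed events per year below the threshold
THRESHOLD = 10.0     # splice point between body and tail
# Scenario data: occurrence frequency per year at each severity range.
SCENARIO = [(0.50, 10, 100), (0.08, 100, 1000), (0.01, 1000, 10000)]
GPD_SHAPE, GPD_SCALE = 0.4, 40.0   # assumed tail parameters, not fitted here

TAIL_FREQ = sum(freq for freq, _, _ in SCENARIO)
TOTAL_FREQ = BODY_FREQ + TAIL_FREQ

def poisson(rng, lam):
    """Draw an event count from Poisson(lam) using Knuth's method."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def gpd_quantile(p):
    """Inverse CDF of the Generalized Pareto tail above THRESHOLD."""
    return THRESHOLD + GPD_SCALE / GPD_SHAPE * ((1.0 - p) ** -GPD_SHAPE - 1.0)

def draw_severity(rng):
    """Spliced severity: empirical body below THRESHOLD, GPD tail above it."""
    if rng.random() < TAIL_FREQ / TOTAL_FREQ:
        return gpd_quantile(rng.random())
    return rng.choice(INTERNAL_LOSSES)

def simulate_annual_losses(trials, seed=1):
    """Monte Carlo over a one-year holding period; returns sorted totals."""
    rng = random.Random(seed)
    return sorted(
        sum(draw_severity(rng) for _ in range(poisson(rng, TOTAL_FREQ)))
        for _ in range(trials)
    )

def operational_var(sorted_losses, confidence=0.999):
    """One-tailed quantile of the simulated annual loss distribution."""
    index = min(len(sorted_losses) - 1, int(confidence * len(sorted_losses)))
    return sorted_losses[index]

if __name__ == "__main__":
    losses = simulate_annual_losses(20000)
    print(f"99.9% operational VaR: {operational_var(losses):,.1f}")
```

The 99.9th percentile sits far out in the tail, so the estimate is driven by a handful of simulated years; the trial count has to be large for it to be stable.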

Operational risk of large–scale natural disasters

Monte–Carlo simulation is applied to the datasets expressed as a combination of the probability of occurrence of large–scale natural disasters and the probable loss amount in case of such occurrence, as opposed to estimating Frequency Distribution and Loss Severity Distribution.

Operational risk of litigation

Each litigation is converted into data according to the profile of the individual litigation to which Monte–Carlo simulation is applied, as opposed to estimating Frequency Distribution and Loss Severity Distribution. In the measurement process, we assume that final decisions will be made on all litigation within one year.


We confirm the appropriateness of the measurement model by verifying it, in principle, semi–annually.

3. Scenario analysis

Outline of scenario analysis

In the process of scenario analysis, scenario data is created as numerical values of occurrence frequency and loss severity reflecting external loss data and BEICFs, in order to estimate unexperienced potential future operational risk events (of low frequency and high severity).

As for external loss data, we refer to data publicly reported by domestic and overseas media, and such data are reflected in the estimation of occurrence frequency and Loss Severity Distribution in the process of scenario analysis. In addition, BEICFs are utilized as indices to adjust occurrence frequency and Loss Severity Distribution in the process of scenario analysis.

We categorize scenario analysis into four approaches in accordance with the characteristics of each loss event type and risk management structures.

Approach: Loss event type(s) to be applied
A: Internal fraud / external fraud / clients, products, and business practices / execution, delivery, and process management
B: Employment practices and workplace safety
C: Damage to physical assets
D: Business disruption and system failure

At Mizuho Financial Group, loss event types to which Approach A is applied account for a considerable amount of operational risk. The detailed process of Approach A is explained here as a typical example of scenario analysis.

Setting units for scenario analysis

In order to ensure completeness and sufficiency, we set units that are commonly applied across group entities that adopt AMA (the "Group Entities") by referencing and categorizing risk scenarios recognized through control self–assessment, internal loss data of the Group Entities, external loss data, etc. Then each of the Group Entities selects the unit on which scenario analysis is conducted from the units established on a group–wide basis in accordance with its business activities and operational risk profile.

Estimation of occurrence frequency

Basic occurrence frequency (once a year) is calculated for each scenario analysis unit. If a certain scenario analysis unit has relevant internal loss data of a pre–determined threshold amount or above, its basic occurrence frequency is calculated based on such data, and if not, the basic occurrence frequency (the occurrence frequency per year of losses at or above a pre–determined threshold) is calculated with reference to the situation of occurrence of internal loss data of less than the threshold amount and/or external loss data. The basic occurrence frequency is then adjusted within a pre–determined range for the purpose of reflecting the most recent BEICFs to determine the final occurrence frequency.

Estimation of Loss Severity Distribution

In order to estimate Loss Severity Distribution, we use a predetermined series of severity ranges. Basic Loss Severity Distribution is calculated for each scenario analysis unit as an occurrence ratio (in percentile figures) of loss at each severity range when losses at or above a pre–determined threshold occurred, with reference to transaction amount data, external loss data, etc. Then the basic severity distribution is adjusted, if necessary, from the viewpoint of statistical data processing to determine the final Loss Severity Distribution.

Creation of scenario data

For each scenario analysis unit, scenario data is generated as a series of combinations of occurrence frequency per year at each severity range, based on the final occurrence frequency and the final Loss Severity Distribution.

[Figure: Example of scenario data]