Head on this page.

Operational Risk Management

Print this page

Basic Approach

We define operational risk as the risk of loss that we may incur resulting from inadequate or failed internal processes, people and systems or from external events. We recognize that operational risk includes information technology risk, operations risk, legal risk, human resources risk, tangible asset risk, regulatory change risk and reputational risk. We have determined risk management policies for each kind of risk. MHBK, MHTB, MHSC, TCSB, Mizuho Americas, etc., respectively manage operational risk in an appropriate manner pursuant to risk management policies determined by MHFG.

Operational Risk Management Structure

MHFG, MHBK, MHTB, MHSC, TCSB, etc., share common rules for data gathering, and we measure operational risk on a regular basis, taking into account possible future loss events and the changes in the business environment and internal management.

We have established and are strengthening management methods and systems to appropriately identify, assess, measure, monitor and control the operational risks which arise from the growing sophistication and diversification of financial operations and developments relating to information technology by utilizing control self–assessments and improving measurement methods.

  • *Control Self–Assessments
    An autonomous method of risk management in which risk inherent in operations is identified and, after evaluating and monitoring risks that remain despite implementing risk control, the necessary measures are implemented to reduce risk.

Definition of Risks and Risk Management Methods

As shown in the below table, we have defined each component of operational risk and we apply appropriate risk management methods in accordance with the scale and nature of each risk.

  Definition Principal Risk Management Methods
Information Technology Risk Risk that customers may suffer service disruptions, or that customers or the Group may incur losses arising from system defects such as failures, faults, or incompleteness in computer operations, or illegal or unauthorized use of computer systems.
  • Identify and evaluate the risk by setting specific standards that need to be complied with and implementing measures tailored based on evaluation results to reduce the risk.
  • Ensure ongoing project management in systems development and quality control.
  • Strengthen security to prevent information leaks.
  • Improve effectiveness of emergency responses by improving backup systems and holding drills.
Operations Risk Risk that customers may suffer service disruptions, as well as the risk that customers or the Group may incur losses because senior executives or employees fail to fulfill their tasks properly, cause accidents or otherwise act improperly.
  • Establish clearly defined procedures for handling operations.
  • Periodically check the status of operational processes.
  • Conduct training and development programs by headquarters.
  • Introduce information technology, office automation and centralization for operations.
  • Improve the effectiveness of emergency responses by holding drills.
Legal Risk Risk that the group may incur losses due to violation of laws and regulations, breach of contract, entering into improper contracts or other legal factors.
  • Review and confirm legal issues, including the legality of material decisions, agreements and external documents, etc.
  • Collect and distribute legal information and conduct internal training programs.
  • Analyze and manage issues related to lawsuits.
Human Resources Risk Risk that the Group may incur losses due to drain or loss of personnel, deterioration of morale, inadequate development of human resources, inappropriate working schedule, inappropriate working and safety environment, inequality or inequity in human resource management or discriminatory conduct.
  • Conduct employee satisfaction surveys.
  • Understand the status of vacation days taken by personnel.
  • Understand the status of voluntary resignations.
Tangible Asset Risk Risk that the Group may incur losses from damage to tangible assets or a decline in the quality of working environment as a result of disasters, criminal actions or defects in asset maintenance.
  • Manage the planning and implementation of construction projects related to the repair and replacement of facilities.
  • Identify and evaluate the status of damage to tangible assets caused by natural disasters, etc., and respond appropriately to such damage.
Regulatory Change Risk Risk that the Group may incur losses due to changes in various regulations or systems, such as those related to law, taxation and accounting.
  • Understand important changes in regulations or systems that have significant influence on our business operations or financial condition in a timely and accurate manner.
  • Analyze degree of influence of regulatory changes and establish countermeasures.
  • Continuously monitor our regulatory change risk management mentioned above.
Reputational Risk Risk that the Group may incur losses due to damage to our credibility or the value of the Mizuho brand when market participants or others learn about, or the media reports on, various adverse events, including actual materialization of risks or false rumors.
  • Establish framework to identify and manage, on an integrated basis, information that may have a serious impact on group management and respond to such risk in a manner appropriate to its scale and nature.
  • Swiftly identify rumors and devise appropriate responses depending on the urgency and possible impact of the situation to minimize possible losses.

We also recognize and manage Information Security Risk and Compliance Risk, which constitute a combination of more than one of the above components of operational risk, as operational risk.

Measurement of Operational Risk Equivalent

Implementation of the AMA

We have adopted the AMA from September 30, 2009, for the calculation of operational risk equivalent in association with capital adequacy ratios based on Basel Ⅱ. However, we use the Basic Indicator Approach (BIA) for entities that are deemed to be less important in the measurement of operational risk equivalent and for entities that are preparing to implement the AMA. The measurement results under the AMA are used not only as the operational risk equivalent in the calculation of capital adequacy ratios but also as Operational VaR for internal risk management purposes for implementing action plans to reduce operational risk, etc.

Outline of the AMA

Outline of Measurement System

We have established the model by taking account of four elements: internal loss data; external loss data; scenario analysis and business environment; and internal control factors (BEICFs). We calculate the operational risk equivalent amount by estimating the maximum loss using a 99.9th percentile one–tailed confidence interval and a one–year holding period etc.,employing both internal loss data (i.e., actually experienced operational loss events) and scenario data to reflect unexperienced potential future loss events in the measurement.

In the measurement of operational risk equivalent as of March 31, 2016, we did not exclude expected losses and also did not recognize the risk mitigating impact of insurance. In addition, we did not take into account the events related to credit risk in measuring operational risk equivalent.

Outline of Measurement Model

Operational risk equivalent is calculated as a simple sum of those related to the seven loss event types defined by Basel Ⅱ, large–scale natural disasters and litigation. In the measurement of operational risk equivalent as of March 31, 2016, we did not reflect the correlation effects among operational risk related to each of the seven loss event types.

Outline of Measurement Model
Image: Outline of Measurement Model

Operational Risk by the Loss Event Type

Loss Distribution (Compound Poisson Distribution) Approach (LDA) is adopted for the calculation of operational risk. LDA is based on the assumption that Poisson Distribution applies to the occurrence frequency of operational risk events, and loss severity is expressed through a separate distribution. Operational risk is calculated for each of the seven loss event types employing both internal loss data, based on our actual experience as operational loss events and scenario data. Scenario data, expressed as numerical values of occurrence frequency and loss severity, reflects external loss data and BEICFs, in order to estimate unexperienced potential future loss events (of low frequency and high severity).

Frequency Distribution and Severity Distribution are estimated employing the above mentioned internal loss data and scenario data, and Monte–Carlo simulations are then applied to these distributions to measure operational risk. The detailed steps of creation of scenario data are explained later in Scenario Analysis.

Estimation of Frequency Distribution and Loss Severity Distribution

Frequency Distribution is estimated by applying information on occurrence frequency of both internal loss data and scenario data to Poisson Distribution. Loss Severity Distribution is generated as the result of combining, through a statistical approach (Extreme Value Theory), of the actual distribution for the low severity distribution portion created by internal loss data and another loss distribution (Log–normal Distribution or Generalized Pareto Distribution) for the high severity distribution portion created by scenario data.

Operational Risk of Large–scale Natural Disasters

Monte–Carlo simulation is applied to the datasets expressed as a combination of the probability of occurrence of large–scale natural disasters and the probable loss amount in case of such occurrence, as opposed to estimating Frequency Distribution and Loss Severity Distribution.

Operational Risk of Litigation

Each litigation is converted into data according to the profile of the individual litigation to which Monte–Carlo simulation is applied, as opposed to estimating Frequency Distribution and Loss Severity Distribution. In the measurement process, we assume that final decisions will be made on all litigation within one year.

Verification

We confirm the appropriateness of the measurement model by verifying it, in principle, semi–annually.

Scenario Analysis

Outline of Scenario Analysis

In the process of scenario analysis, scenario data is created as numerical values of occurrence frequency and loss severity reflecting external loss data and BEICFs, in order to estimate unexperienced potential future operational risk events (of low frequency and high severity).

As for external loss data, we refer to data publicly reported by domestic and overseas media, and such data are reflected in the estimation of occurrence frequency and loss severity distribution in the process of scenario analysis. In addition, BEICFs are utilized as indices to adjust occurrence frequency and loss severity distribution in the process of scenario analysis.

We categorize scenario analysis into four approaches in accordance with the characteristics of each loss event type and risk management structures.

Approach Loss event type(s) to be applied
A Internal fraud/External fraud/Customers, products & business practices/Execution, delivery & process management
B Employment practices and workplace safety
C Damage to physical assets
D Business disruption and system failure

At MHFG, loss event types to which Approach A is applied account for a considerable amount of operational risk. The detailed process of Approach A is explained below as a typical example of scenario analysis.

Setting Units for Scenario Analysis

In order to ensure completeness and sufficiency, we set units that are commonly applied across group entities that adopt AMA (hereinafter, the “Group Entities”) by referencing and categorizing risk scenarios recognized through control self–assessment, internal loss data of the Group Entities and external loss data, etc. Then each of the Group Entities selects the unit on which scenario analysis is conducted from the units established on a group–wide basis in accordance with its business activities and operational risk profile.

Estimation of Occurrence Frequency

Basic occurrence frequency (once a year) is calculated for each scenario analysis unit. If a certain scenario analysis unit has relevant internal loss data of a pre–determined threshold amount or above, its basic occurrence frequency is calculated based on such data, and if not, the basic occurrence frequency (the occurrence frequency per year of losses at or above a pre–determined threshold) is calculated with reference to the situation of occurrence of internal loss data of less than the threshold amount and/or external loss data. The basic occurrence frequency is then adjusted within a pre–determined range for the purpose of reflecting the most recent BEICFs to determine the final occurrence frequency.

Estimation of Loss Severity Distribution

In order to estimate loss severity distribution, we use a pre–determined series of severity ranges. Basic loss severity distribution is calculated for each scenario analysis unit as an occurrence ratio (in percentile figures) of loss at each severity range when losses at or above a pre–determined threshold occurred, with reference to transaction amount data, external loss data, etc. Then the basic severity distribution is adjusted, if necessary, from the viewpoint of statistical data processing to determine the final loss severity distribution.

Creation of Scenario Data

For each scenario analysis unit, scenario data is generated as a series of combinations of occurrence frequency per year at each severity range, based on the final occurrence frequency and the final loss severity distribution.

Example of Scenario Data
Image: Example of Scenario Data

(As of Jul 1, 2016)

Top of Page