Risk Management

Our software is cloud-based, so the management and business risks we face primarily relate to information security and technological innovation. Yet we also face risks in areas of high uncertainty, such as changing business practices and user trends due to the COVID-19 pandemic. We strive to stay aware of potential risks that could severely impact our business's management and to either prevent them from manifesting or respond to them if they become a reality. We, therefore, maintain a risk management system and risk response frameworks.

Risk Management

Identification and analysis of risks

We draw up an internal audit plan in accordance with the internal audit regulations, and regularly identify and analyze risks as part of the internal audit process. We assess the risks identified in each department in terms of frequency of occurrence and impact level, and strive to prevent risks and detect them early.

Incident guidelines

Each department has established guidelines covering structure, chain of command, judgment criteria and response procedures for incidents related to the provision of services, such as disasters, accidents, unauthorized access and vulnerability matters. Specifically, incidents are classified from the three perspectives of confidentiality, integrity and availability, and a degree of priority is assigned to the response to each risk. A decision-maker responsible for judging and responding to incidents is then appointed in each department.

Major Risks and Responses

Classification: Information security risks

Item: (1) Handling of personal information
Details:
  • Leaks, loss, falsification, or unauthorized use of customer information due to natural disasters, accidents, malicious and/or unauthorized access by external parties, and intentional acts or negligence by inside parties
Response:
  • Establish and operate a system for protecting and managing personal information
  • Privacy Mark certification
  • ISMS and ISO27017 certification
  • Require all employees to acquire certification in protection of personal information
  • Gather information on new legal regulations in Japan and overseas, and implement necessary responses
  • Ensure compliance with laws and regulations and manage contractors' safety

Item: (2) Equipment and network stability
Details:
  • System failures due to natural disasters such as fires and earthquakes, external damage, human error, or other unexpected events that interfere with the use of our equipment and network
Response:
  • Conduct load balancing and periodic backups across multiple servers
  • Set up real-time access log checking functions and an immediate notification system for software failures
  • Conduct recovery training based on failure scenarios

Classification: Risks to services

Item: (3) Service failures, etc.
Details:
  • Problems arising in our applications, software, and systems
  • Major defects identified that could interfere with our business operations
Response:
  • Build and maintain a highly reliable development system
  • Develop and implement incident guidelines for services

Classification: Risks from external environment

Item: (4) Internet access environments
Details:
  • New internet usage regulations being introduced and having adverse effects
Response:
  • Gather information on internet-related legal regulations, identify issues, and implement solutions

Item: (5) Cloud business
Details:
  • Demand for our cloud services falling significantly below our expectations
Response:
  • Create new value
  • Proactively introduce new technologies
  • Protect our intellectual property rights by obtaining patents, etc.
  • Promote M&A, and capital and business alliances

Item: (6) Responding to technological innovations
Details:
  • Slow responses to technological innovations, etc.
  • Unexpected development costs, etc.

Item: (7) Competition
Details:
  • Increased competition from existing operators and new entrants
  • Increased competition due to the emergence of groundbreaking services from other companies

Classification: Investment risks

Item: (8) Upfront investments in advertising and promotions
Details:
  • Significantly increased expenditures due to changes in advertising policies and plans
Response:
  • Monitor cost effectiveness of advertising activities

Item: (9) Investments such as corporate acquisitions
Details:
  • Delayed business planning after an acquisition or investment
Response:
  • Conduct sufficient due diligence on target companies
  • Carefully monitor and follow up with target companies

Item: (10) System infrastructure investments
Details:
  • Unexpected additional investments in hardware and software to ensure stable operation of services
Response:
  • Carefully monitor external access
  • Design appropriate system infrastructure investments to accommodate business expansion

Classification: Human risks

Item: (11) Establishment of management control system
Details:
  • Delays in building a business structure and internal management system to accommodate expansion of the scale of our business
Response:
  • Develop rigorous internal control systems in line with business and employee growth

Item: (12) Training and securing human resources
Details:
  • Lack of qualified personnel
  • Delays in securing sales personnel for Sansan/Bill One, and loss of sales personnel
Response:
  • Actively recruit human resources
  • Strengthen systems through internal training, etc.
  • Improvement of working environments

Item: (13) Dependence on specific individuals
Details:
  • Occurrence of any event that makes it difficult for Representative Director Chika Terada to continue working for any reason
Response:
  • Ensure company structure is not overly reliant on the Representative Director
  • Strengthen information sharing among board members and the managing organization

Classification: Legal risks

Item: (14) Laws and regulations
Details:
  • Impacts of new privacy-related laws and regulations in Japan and abroad, as well as laws regulating internet-related businesses, etc.
Response:
  • Gather information on legal regulations, etc., identify issues, and implement solutions

Item: (15) Intellectual property right infringement, etc.
Details:
  • Claims for damages or injunctions from third parties for patent or trademark infringement
  • Third-party infringement of our intellectual property
Response:
  • Conduct patent infringement searches through patent firms
  • Apply for and register trademarks
  • Implement legal measures

Classification: Overseas risks

Item: (16) Launching overseas
Details:
  • Difficult to address risks specific to foreign countries
  • Delays in monetizing overseas businesses
Response:
  • Gather information and identify issues in regions where business is to be developed, and formulate appropriate business plans

Classification: Others

Item: (17) Granting incentives
Details:
  • Dilution of existing shareholders' shares from exercising issued stock options
Response:
  • Design stock options with due consideration of market conditions and impacts on existing shareholders