Risk Management

Our software is cloud-based, so the management and business risks we face primarily relate to information security and technological innovation. We also face risks in areas of high uncertainty, such as changing business practices and user trends. We strive to stay aware of potential risks that could severely impact the management of our business, and to either prevent them from materializing or respond to them if they do. We therefore maintain a risk management system and risk response frameworks.

Risk Management

Risk identification and analysis processes

We prepare an internal audit plan in accordance with the internal audit regulations. Each department regularly reviews risks as part of the internal audit process and prepares a risk assessment matrix that compiles the assessment of the risks extracted annually and the countermeasure plans for them. The Internal Audit Department aggregates the data from the risk assessment matrices prepared by each department and reports to the representative director. The representative director and the responsible person at each department discuss the countermeasure plans for the risks as necessary.

Incident guidelines

Each department has established guidelines on the structure, chain of command, judgment criteria and response procedures for incidents related to the provision of services, such as disasters, accidents, unauthorized access and vulnerabilities. Specifically, incidents are classified from the three perspectives of confidentiality, integrity and availability, and a degree of priority is assigned to the response to each risk. A decision-maker responsible for judging and responding to incidents is then appointed at each department.

Major Risks and Responses

Each item is listed by category with its description of risks and responses.

Information security risk

(1) Handling of personal information
  Description of risks:
  • Natural disasters, accidents, unauthorized access from the outside with malicious intent, and internal leak, loss, alteration or abuse of customer information, whether intentional or negligent
  Responses:
  • Establishment and operation of a personal information protection management system
  • Obtaining PrivacyMark certification
  • Obtaining ISO/IEC 27001 and ISO/IEC 27017 certifications
  • Requiring all officers and employees to obtain the qualification of Personal Information Protection Specialist
  • Collection of information on new legal regulations in Japan and overseas, and implementation of necessary countermeasures
  • Thorough legal compliance, and safe management of outsourcing contractors

(2) Equipment and network stability
  Description of risks:
  • Obstacles posed to the Group’s equipment and use of network due to natural disasters such as fire and earthquake, external breakage, system failures due to human errors, or any other unanticipated events
  Responses:
  • Distribution of load to multiple servers and regular backups
  • Establishment of a real-time access log check function and a system to immediately give notice of any software failure
  • Recovery training that assumes a failure has occurred

Service risk

(3) Service failures, etc.
  Description of risks:
  • Occurrence of various bugs in the Group’s applications, software and systems
  • Detection of any critical bug that poses an obstacle to the operation of the Group’s businesses
  Responses:
  • Building and maintenance of a highly reliable development structure
  • Formulation and implementation of incident guidelines for services

External environment risk

(4) Internet access environments
  Description of risks:
  • Introduction of new regulations on Internet use, and occurrence of an adverse effect
  Responses:
  • Collection of information on Internet-related legal regulations, etc. as well as extraction of issues and implementation of solutions

(5) Cloud business
  Description of risks:
  • Significant downturn in demand for cloud services themselves
  Responses:
  • Creation of new value offered
  • Proactive adoption of new technologies
  • Protection of intellectual property rights through patent acquisition, etc.
  • Promotion of M&A, and capital and business alliances

(6) Responding to technological innovations
  Description of risks:
  • Delay in responding to technological innovations, etc.
  • Incurrence of unexpected development expenses, etc.

(7) Competition
  Description of risks:
  • Intensified competition with existing business operators and new entrant operators
  • Intensified competition due to appearance of any other company’s service with a revolutionary concept

(8) Natural disasters
  Description of risks:
  • Delay or suspension of business due to large-scale natural disasters including earthquakes and typhoons
  Responses:
  • Establishment of BCP manual

Investment risk

(9) Upfront investments in advertising and promotions
  Description of risks:
  • Large increase in expenditures due to changes in the policy and plans for advertising and promotions
  Responses:
  • Monitoring of cost-effectiveness of advertising and promotions

(10) Investments such as corporate acquisitions
  Description of risks:
  • Delay in a business plan after an acquisition or investment
  Responses:
  • Implementation of sufficient due diligence for target companies
  • Thorough monitoring and follow-ups for target companies

(11) System infrastructure investments
  Description of risks:
  • Unexpected additional investment in hardware and software for stable operation of services
  Responses:
  • Thorough monitoring of access from the outside
  • Design of appropriate system infrastructure investment according to the business expansion

Personal risk

(12) Establishment of management control system
  Description of risks:
  • Delay in establishment of the business structure and the internal management structure according to the business size
  Responses:
  • Thorough development of the internal management structure in line with increases in operations and employees

(13) Training and securing human resources
  Description of risks:
  • Shortfall in excellent human resources
  • Delay in securing sales staff in the Sansan/Bill One Business and loss of them
  Responses:
  • Aggressive recruitment of human resources
  • Strengthening of the structure by internally fostering personnel, etc.
  • Development of the working environment

(14) Dependence on specific individuals
  Description of risks:
  • Occurrence of any event that makes it difficult for Chikahiro Terada, Representative Director, to continue operations
  Responses:
  • Creation of a structure that does not excessively depend on him
  • Mutual information sharing among executives and strengthening of the management organization

Legal risk

(15) Laws and regulations
  Description of risks:
  • Impact of enactment of new privacy-related regulations, laws regulating internet-related business operators, and relevant laws, etc. applicable in line with the expansion of the business environment in Japan and overseas
  Responses:
  • Collection of information on legal regulations, etc. as well as extraction of issues and implementation of solutions

(16) Intellectual property right infringement, etc.
  Description of risks:
  • A claim for damages or an injunction request from a third party on the grounds of infringement of a patent right or trademark right
  • A third party’s infringement of intellectual property rights held by the Group
  Responses:
  • Implementation of surveys on intellectual property right infringement via patent firms
  • Patent applications and registrations
  • Implementation of legal actions

Overseas risk

(17) Launching overseas
  Description of risks:
  • Occurrence of risks specific to overseas that are difficult to address
  • Delay in monetization of the overseas business
  Responses:
  • Collection of information on regions where the Group has developed its businesses as well as extraction of issues and implementation of solutions
  • Formulation of appropriate business plans

Others

(18) Granting incentives
  Description of risks:
  • Dilution of value of shares held by existing shareholders through exercise of stock options issued
  Responses:
  • Design of stock options with adequate consideration of the market environment, impact on existing shareholders, etc.