SBI Group Risk Management

SBI Group is developing its business globally with a focus on the financial industry. In order to identify, properly assess and manage risks associated with factors that may impede corporate activities, SBI Group has designated the Officer in Charge of Risk Management and established the Risk Management Department. In the event of a management crisis that has or may have a significant impact on the survival of the company or the group, the Officer is given overall responsibility for collecting, evaluating, and responding to information, as well as for reporting and disclosing information to the relevant authorities. Risk management plans are reported to the Board of Directors each period and progress reports are reported twice a year. Additionally, quantitative reports on risk information are presented separately each quarter.
With regard to information management and system risks, SBI Group has appointed the officer in charge of information security since 2018 and established the IT Management Department to promote Group-wide information security measures and conduct Group-wide security self-assessments, thereby continuously maintaining and improving the information security level of the entire Group.
For day-to-day risk management, the Risk Management Department compiles periodic risk information reports from each division of the company and each Group company, and comprehensively evaluates them from the perspective of the company's risk management and Group risk management. The department subsequently compiles periodic reports on the company's risks and the Group's risks and reports them to the Officer in Charge of Risk Management without delay. In the event that risk values or risk information exceeding a certain threshold are detected in the regular monitoring of risk, the company manages the risk of loss for the entire group by reporting without delay to the Officer in Charge of Risk Management the circumstances of the occurrence, the necessity of future countermeasures, etc., in coordination with the departments concerned, and by having the Officer report to the Board of Directors in a timely manner. In the event of an incident, the department or company where the incident occurred is responsible for resolving it, while at the same time taking measures to prevent damage from cascading or spreading to other departments or Group companies by preparing a report on the incident and disseminating it to all concerned parties.

SBI Group has established the Group Risk Management Department as its risk management department. The purpose of this department is to ensure that the Group's overall business management system, the soundness of the Group's assets and the appropriateness of the Group's business operations are fully implemented. In this regard, the Group can appropriately address the risks associated with being a financial conglomerate.
The Group Risk Management Department comprises, in addition to employees of SBI Holdings, employees of Group companies in the financial business, such as those seconded from the SBI Shinsei Bank Group and those concurrently working for SBI SECURITIES. A special feature is that the department incorporates a wide variety of viewpoints based on the Group’s strategy and culture as well as the business characteristics of the banking and securities businesses.
The Risk Management Department also promotes collaboration with other departments: in accounting and finance, it works with the director in charge of accounting and finance, in sustainability risk, with the Sustainability Promotion Office; and in compliance, with the Legal & Compliance Department. In addition, information security risks and system risks are addressed in cooperation with the IT Management Department.

Group Risk Management Department

1. Credit risk (risk of incurring losses due to a decrease or loss in the value of invested assets due to deterioration in the financial condition of the investee or borrower)

2. Market risk (risk of incurring losses due to fluctuations in interest rates, stock prices, exchange rates, value of real estate, etc.)

3. Operational risk (risk of losses arising from inadequate or dysfunctional internal processes, people, or systems, or from the occurrence of external events, as well as reputational risk)

4. Liquidity risk (risk of losses arising from the inability to secure necessary funds due to deterioration of SBI Group's financial condition or from being forced to procure funds at significantly higher interest rates than usual)

The Department integrates the impact of the aforementioned risks on the SBI Group into a comprehensive risk management framework and identifies and deepens the response to such risks. Suppose any new risks were anticipated or materialized. In that case, the department or company that incurred the risk establishes a response and management method, and the Risk Management Department monitors the risk as appropriate.
Besides, SBI Group complies with the "Rules for Management of Affiliated Companies," "Rules for Risk Management" and "Risk Management Implementation Bylaws" and has established the "Management Policy for Conflicts of Interest" to protect the interests of customers.

The Company has developed a mechanism in which regular updates are made to the “top risks,” a set of risks that span across the entire Group. These risks have been identified for the purpose of managing risk within the Group, which encompasses a diverse range of businesses. In order to identify the top risks with major impacts upon the Group’s growth potential, reputation, and finances, the Company adopts both a top-down and a bottom-up approach. In the top-down approach, a broad risk scenario is assumed from the business strategy for each period. In the bottom-up approach, various indicators for each risk category, such as market, credit and operational risk, are compiled for each business type, and items that are assumed as high-risk are identified. The Company has identified, for example, rising interest rate risk, regulatory risk, system risk and cybersecurity risk in Internet business as the top risks and reported on them for effective mitigation and management decision-making on the scope of risk appetite.
In order to have this type of broadsweeping, comprehensive risk management, the Company utilizes the risk management methods of heat maps, stress tests, and risk inspection meetings as the three pillars.
The heat map is a graphical representation of the results of various quantitative risk indicators and qualitative risk information collected from Group companies in accordance with their business type from a Group perspective. The Heat map is prepared on a regular basis in accordance with risk inspection meetings and various risk status reports from subsidiaries.
The stress tests are mainly conducted in fields that lend themselves to quantitative risk management and designed to calculate what type of financial losses may be incurred under stress scenarios.
A risk inspection meeting is an initiative that lessens risks carried by the Group while also supporting subsidiaries by providing advice and guidance on their internal control systems.
This method starts by selecting subsidiaries for priority monitoring and holding separate dialogues with individual companies to get a concrete grasp of risks. Unlike the other two methods which involve broadly scoped management targets considered from a holistic view, the risk inspection meeting uses individualized micro points of view.
A multidisciplinary combination of these methods enable risk management that is both big-picture and dynamic, while not leaving out any individual issues.

The main initiatives are management of credit and market risks, as well as customer information and system risk management.
[Credit Risks]
In the banking business, SBI Group is exposed to credit risks related to counterparties in lending and derivative transactions, and in the securities-related business, in debt-credit and margin transactions. To manage these credit risks, the Company conducts integrated risk management that includes monitoring the balance between capital adequacy and risk amount, quantifying the amount of risk as well as confirming qualitative information on counterparties and avoiding concentration of risk on specific counterparties and areas.
[Market Risks]
For market risks management associated with fluctuations in stock prices, foreign exchange rates, and interest rates, the Company has a system in place to ensure appropriate risk acquisition by quantifying acquisition risks, setting risk limits consistent with capital adequacy and business plans, and monitoring compliance with such limits.
［Protection of Customer Information］
SBI Group recognizes the "risks that may arise from the use of information technology," which has become apparent with the development of an advanced IT society, including the diffusion of the Internet. Therefore, it strives to develop and operate services with maximum consideration for the reliability and stability of information systems. Especially, in view of the importance of the protection of personal information, we have established a "Personal Information Protection Policy" and appointed the Personal Information Officer to prevent accidents and incidents and create an environment and system that enables our customers to use our services with a peace of mind. Furthermore, as appropriate, each company handling personal information obtains a Privacy Mark from the JIPDEC. In addition, we are also reinforcing measures to prevent information leaks derived from cyberattacks against our information systems using malware and other means, known as targeted attacks. In particular, SBI Group recognizes that one of the most important factors in maintaining and improving information security systems is personnel. Hence, SBI Group provides ongoing training for its employees through e-learning and other means. We will continue to take effective and efficient measures to improve the information security of all Group companies, for example, by sharing good practices from each company.
［Information management and system risk measures］
In view of the increasing importance of information security measures in recent years, the Officer responsible for information security promotes the development of a Group-wide information management system, including customer information, and reinforcement of the management framework for system risks and information security risks throughout the Group. For this purpose, the Officer establishes a system for preventing and responding to cybersecurity incidents. In terms of business continuity, we promote the introduction of cloud computing environments and other measures to ensure the availability of system services in a variety of events.

The main risks in the Asset Management Business are reducing sales to investors, increasing cancellations and difficulties in establishing new funds due to poor investment performance. To reduce such risks, SBI Group has established various committees to analyze fund performance and manage investment risks.
In addition, the Group has established rules for liquidity risk management and monitors the liquidity risk of the assets in the funds, as well as formulating and verifying emergency measures. The Board of Directors, etc. of the fund management company supervises the appropriate implementation of liquidity risk management and the liquidity risk management system.
Furthermore, in the Asset Management Business, client-oriented business operations are considered important. Therefore, SBI Group implements client-oriented business operations through "pursuit of clients' best interests," "appropriate conflict of interest management," "clarification of fees," and "provision of important information in an easy-to-understand manner.”

In the Investment Business, there is a risk of fluctuations in the performance of investee companies due to uncertainties in the future and political, economic, and industrial trends. However, SBI Group's investment policy is to invest in companies that have a basic understanding that management executives must be aware that business is not about just making money but is based on virtue and that companies are within society that are able to survive only within society. Therefore, they must contribute to the maintenance and development of society." In the investment decision-making process, SBI Investment, the Group's core company of the venture capital business, conducts due diligence from qualitative and quantitative aspects, including the vision and qualities of the management of the company to be invested in, the growth potential and scale of the market, novelty, the feasibility of the business model and whether the company contributes to the growth and development of a sustainable society. In addition, there is a possibility that the corporate value of the investees may decline or its credit standing may deteriorate after the investment. To avoid such risks, after making investments in the startup companies, SBI Investment endeavors to mitigate the investment risks by overseeing the companies' operation through periodical meetings with business managers and attendance at the Board of Directors' meetings while sending executives and assisting them via business alliances to introduce new customers.
As of the end of August 2022, SBI Investment has no investments in companies dealing with tobacco, fossil fuels such as oil and coal, as well as companies manufacturing weapons or companies that generate nuclear power. This outcome is in line with the trend towards ESG investments. As stated in its management philosophy, "New Industry Creator," the SBI Group has concentrated its investments in growth areas such as IT, biotechnology and life sciences, environment and energy, in order to create and nurture core industries of the 21st century since its inception. Currently, in addition to these fields, SBI Investment has actively been investing in next-generation innovative areas such as fintech, AI, blockchain, IoT and robotics. Moving forward, SBI Group will continue to invest in startups with high level of expertise and innovative ideas in the areas contributing to solving social issues such as the shortage of workers due to the declining birthrate and aging population and the depopulation of regional and local areas, thereby conducive to the realization of a sustainable society.

In the Crypto-asset Business, SBI Group strives for sophistication in managing market risks due to fluctuations in crypto asset prices and transaction volume, as well as credit risk management of counterparties for lending and margin transactions. SBI Group also recognizes that its response to cybersecurity risks and countermeasures of Anti-Money Laundering/ Countering the Financing of Terrorism (AML/CFT) are also major risks.
In addition, given the nature of the assets handled in this business, which are all digital assets, SBI Group is strongly aware that it is extremely important to enhance and strengthen its system risk management system, and is working to build such a system. SBI Group has identified computer system downtime or malfunction, system inadequacy, or unauthorized use of computers as risk factors, and has implemented countermeasures. SBI Group is fully aware of the risks associated with money laundering due to the anonymity of crypto assets and the risks associated with the financing of terrorism and is working to establish a system that meets international standards for anti-money laundering measures and customer verification.

SBI Group mainly addresses quality control and response to the risk of contamination of the natural environment related to the business of developing pharmaceuticals and other products, as well as risks related to new businesses.
Since SBI Pharmaceuticals develops and manufactures products using 5-aminolevulinic acid (5-ALA), in order to ensure the quality and safety of the products, it has established a management system that complies with relevant laws and regulations, such as "standards for quality control," a requirement for pharmaceutical manufacturers and distributors. It identifies risk factors such as defects and flaws in products and services, large-scale recalls and quality problems that could lead to product liability claims and has taken measures to address these issues. SBI ALApromo, which distributes products containing 5-ALA, also takes similar means. Furthermore, as SBI Biotech is engaged in the research and development of pharmaceuticals, it determines the risk of environmental contamination due to the loss of laboratory animals, risk of genetically modified organisms being released into the ecosystem, and risk of radioisotope (RI) being released into the environment, and it has taken measures to address these risks.
In addition, SBI Group conducts business related to new technologies while recognizing the risk of litigation for damage to customer rights and assets, given the immaturity of the technology itself and the fact that laws and regulations have not yet been fully developed. In addition, SBI Group manages business in developing regions after thoroughly investigating and verifying the risks associated with laws and regulations, business practices, economic conditions, political conditions, and culture.

The following page summarizes the risks that may have a material impact on investors' decisions concerning the SBI Group's business and accounting conditions.
Risks