1.Management system and framework for major risks

(1) Overview of risk management system

Emerging trends, including the increased frequency of large-scale natural catastrophes, the persistent low interest rate environment, and the spread of COVID-19, demonstrate the volatility, uncertainty, complexity, and ambiguity (VUCA) of the current era. In such times, risk management’s role is no longer simply one of taking measures to avoid potential loss. Increasingly, risk management is expected to steer the Group on an optimal course to reduce opportunity losses as a result of mistimed investments or other miscalculations. Enterprise Risk Management or ERM is the Group’s risk management framework, established as a sophisticated ‘Compass’ for the management to strengthen and improve the following three capabilities:

ERM is effected through a series of business management processes that look to maximize corporate value by achieving a balance of capital, risk, and profit through management of the two objectives: risk-taking for business strategies and risk control for a stable business foundation. In the risk-taking context, we make use of analyses on capital, risk, and profit within the Risk Appetite Framework for important management decisions, corresponding to (c) in the above diagram. For risk control, we use a framework – the Risk Control System – to identify, analyze, and assess various types of risks surrounding the Group, aiming to minimize unexpected losses and to increase the stability of profit. This corresponds to (a) and (b) in the diagram below.

The three functions and overall outline of the Sompo Group’s Enterprise Risk Management (ERM)

Sompo Group Risk Appetite Statement – consisting of the Risk Appetite Principles, the Medium-term Risk-taking Strategy, and the Risk Appetite Indicator – is used as a guideline for risk-taking, in alignment with the Group’s strategies and business management plans, to ensure the effectiveness of ERM.

(2)The Risk Control System and the status of risk and capital

Under the Risk Control System, the Group conducts risk assessment using the Material Risk Management framework – firstly identifying all the material risks we face, then evaluating them from both a qualitative and quantitative perspective. For risks that can be quantified, their impacts on capital adequacy and liquidity are analyzed and assessed based on various quantitative indicators in Capital adequacy management, Stress testing, Limit management, and Liquidity risk management frameworks. Based on these analyses, the management decides necessary risk control measures to secure and improve the Group’s financial soundness.

A．Material Risk Management

The Group defines risks that could have significant impacts on the business as material risks; these are identified and assessed through an exhaustive process. Such risks are comprehensively managed by the Group CRO based on this risk assessment and expert insight, considering concrete risk scenarios that could impact the Group. Risks are evaluated in both qualitative and quantitative terms, assessing the frequency of occurrence, and the severity of impact across three risk dimensions – economic loss, business continuity, and reputational damage. The results, including the status of controls, are reported to the Managerial Administrative Committee (“MAC”) – the advisory committee for the Group COO – and the Board of Directors at least twice a year.
Those risks that carry large volatility, and require specific discussions on countermeasures etc., are raised at Global Executive Committee as well as MAC. Also, we have added a new dimension to the risk assessment to respond to ‘trending risks’ – risks that we anticipate will increase continuously for the next 10 years or more – in order to capture their long-term impact on the Group’s business model. We will use this dimension to validate the continuing effectiveness of risk countermeasures into the future.
Further, the Group defines emerging risks as those that are not currently material risks but which, due to environmental changes, have potential to become material in future. We identify the signs of such risks, that might have a significant impact on the Group in future, and we manage them accordingly. Potential emerging risks, identified through review of literature and consultation with experts, are listed in an emerging risk register, and will be selected as an emerging risk once certain criteria are met – for example when the expected impact exceeds a certain level.
Currently, five emerging risks, including innovative medical technology and biodiversity, have been selected; we monitor, research, and study them not only from the viewpoint of mitigating losses, but also from the viewpoint of seeking new business opportunities through creation of insurance products and services to address these risks.

B．Capital Adequacy Management

We quantify the various types of risks that we face using value at risk (VaR) as a unified risk metric. We take management measures as necessary to ensure that capital is maintained at an adequate level relative to risks.

C．Stress Testing

The Group conducts scenario stress testing, reverse stress testing, and sensitivity analyses on a Group-wide basis to accurately identify and manage events that could significantly affect its business management. We analyze the impact on both capital and risk and take countermeasures as required. As at the end of March 2021, we confirmed that the Group retains sufficient capital even under any of the assumed stress scenarios.

D．Risk Limit Management

We have established the maximum limit for each risk on a Group-wide basis such as credit risk, reinsurance counterparty risk, and overseas natural catastrophe risk to avoid outsize losses arising from the occurrence of specific events, and manage these risks. As at the end of March 2021, we have confirmed that the Group does not violate any risk limits; preliminary limit management is carried out within the limits of each limit.

E．Liquidity Risk Management

In addition to projecting cash requirements for day-to-day operations, we project the maximum cash outflows that could result from events such as a large-scale natural catastrophe. We then conduct management to ensure we have sufficient liquid assets to meet cash requirements in these scenarios. As at the end of March 2021, we have confirmed that the Group has adequate liquid assets to meet such outflows.

2. Major risks

(1) Material risks and the assessment of their likelihood and impact

Material risks are those risks that are recognized by management as having the potential to materially impact the Group's business performance. The following evaluation shows the probability of occurrence and the impact of these risks.

■Heat Map of Material Risk (Probable Occurrence/ Impact Level)

(2) Risk overview and the assessment per material risk category and the status of countermeasures taken

A. Strategic risks（Nos. 1～12）

ａ．Risk overview and assessment

The Group categorizes risks that could result in a significant impact on the Group’s business performance due to the Group’s business assumptions and strategies becoming invalid through external environment changes, or in the failure to establish business models that meet the company's business strategy – through, for example, poor governance or inadequate human resources – as strategic risks.

The following are the environmental changes that we consider significant.

Short-term risk includes:

• the risk of deterioration or damage to our competitiveness and earnings base due to new entrants from digital or other industries to the insurance markets,
• inadequate response to advances in digital technology,
• the risk of constrained business opportunities for the Group due to intensifying industrial competition among major economies,
• the risk of greater-than-expected wind and water damage caused by climate change,
• perceived insufficiency of our ESG initiatives,
• damage to our brand value from rumor and misinformation spread through the media and online sources.

As for long-term risk, the Group's business performance could be affected by shrinkage of the insurance market due to expansion of the sharing economy, dwindling birth rates and aging population, or a reduction in insurance needs as technological innovation results in fewer accidents.

ｂ．The status of countermeasures taken

The Group believes that changes in the external environment will bring opportunities as well as threats; therefore, we are implementing our digital strategy and conducting M&A to advance our transformation into a ‘Theme Park for Security, Health and Wellbeing’. We are also laying the foundations of digital transformation (DX) by:

• improving the productivity of existing businesses through deployment of technologies including AI and Big Data;
• creating new customer value with new products and services that use the digital technologies;
• hiring and training digital talent.

With respect to the risks of geopolitics and regulatory changes, the Company has been closely monitoring them to discern the managerial impact by discussing scenarios for geopolitics that would have adverse impacts and collecting information on trends in domestic and overseas laws and regulations.
Large-scale investments, such as digital strategies, M&A, and extensive IT system development are thoroughly discussed at the Board of Directors. However, there is a possibility that expected results may not be achieved due to changes in the business environment or other unanticipated issues. To ensure the continuing relevance of such investments, and that withdrawal criteria have not been violated, we regularly check the status of these developments, based on predetermined standards, even after implementation.
For physical risks caused by climate change, we are analyzing the impact from more severe natural disasters using climate scenarios.
We established a system to manage and discuss the risk associated with transition to a decarbonized society and the risk of inadequate ESG-related initiatives at the Group Sustainable Management Committee*; this is chaired by the Group Chief Operating Officer (COO) and made up of executives responsible for CSR activities at each Group company. Risks are reported to MAC if necessary. The reputational risk is dealt with and minimized by responding to rumors in a timely and appropriate manner, in accordance with the Company's regulations.

• The Group Sustainable Management Committee was formerly known as the Sustainability / CSR Committee.

B．Financial and investment risks（Nos.13～15）

ａ．Risk overview and assessment

The Group categorizes risks that deteriorate the performance and the financial position of the Group due to market volatility, bankruptcy of invested portfolio companies, guarantee insurance policyholders or reinsurers, and risks that worsen cash flow in the event of a major disaster as financial and investment risks. Fluctuations in domestic stock prices and interest rates, in particular, may have large impacts on the Group's financial performance.

Sompo Group holds a large number of shares for the purpose of maintaining medium- to long-term relationships with customers and invests in a wide range of securities, in Japan and overseas, to generate stable investment income. Should the values of these assets decline, due to a fall in market prices, the Company may incur losses on sale, valuation loss, or decrease in valuation difference on available-for-sale securities. This would impact the Group's business results.

There is also a risk that actual investment yields may be lower than assumed interest rates due to the lower interest rate environment, because the Group sells insurance products with assumed interest rates – the investment yield promised to customers at the time of contracting – over a long period.

Further, declining interest rates may lead to an increase in the economic value of insurance liabilities that exceeds the offsetting increase in market value of securities, resulting in a net overall decrease in equity capital. This risk arises because the domestic life insurance business retains insurance liabilities that have a longer duration than the securities held.

ｂ．The status of countermeasures

The Group strives to mitigate the impact of stock market declines by continuously reducing its strategic shareholdings.

As other initiatives, we are making efforts to reduce the impact of interest rate fluctuations by making long-term investments and loans so that they more closely match to the cash flow of liabilities for maturity refunds on savings-type insurance policies and for domestic life insurance policies. Accumulation limits on investments and loans are also set.

Furthermore, the domestic life insurance business is working to increase the ratio of protection products in its portfolio; these products are less susceptible to interest rate declines under economic value-based calculations for insurance liabilities.

Cash flows are managed at each insurance subsidiary to ensure that the Group has sufficient liquid assets to meet its funding needs in the event of a major disaster or a rise in cancellation due to an interest rate hike.

C． Operational and compliance risks（Nos.16～21）

ａ．Risk overview and assessment

The Group categorizes risks triggered by violations of laws and regulations, the failure of third party management, system failures (including cyber-attacks), labour issues caused by long working hours, customer information leaks, fraud, and misconduct as operational and compliance risks. The Group conducts businesses in compliance with applicable laws and regulations, including the Insurance Business Act of Japan, and the laws and regulations in countries in which it operates. In the event of a violation of these laws and regulations, the Company may be subject to administrative sanctions from Japan’s Financial Services Agency and other authorities.
There is also system risk resulting from a shutdown, malfunction or misuse of the IT systems; these may be caused by external or internal factors, such as unauthorized access by cyber-attacks, or human error.
Sompo handles a large amount of customer information. Each Group company has established a system for managing such information and maintains strict control over this data. However, in the unlikely event of a major information leak, including a cyber-attack, the Group may lose public trust and confidence and may incur remediation costs that would impact business results.
The occurrence of administrative errors, failure to manage outside contractors, physical and mental health problems among employees, fraudulent acts by officers and employees, criminal acts committed by outside parties, and payment of compensation associated with lawsuits may have a direct or indirect impact on the Group's costs leading to disruption of business operations, administrative action by Financial Services Agency and other authorities, and a loss of public trust and confidence in the Group.
Changes in social awareness, customer preferences, and behaviors may lead to gaps between our products, services, and business practices and stakeholder expectations. Such differences may lead to negative customer sentiment, complaints, and other conduct risk issues that may damage the Group's brand value.

ｂ．The status of countermeasures

The Group is constantly aware of the importance of its public mission and the social responsibilities associated with each of its businesses. We have established a system for conducting appropriate corporate activity, in accordance with laws and regulations, social norms and corporate ethics under the SOMPO Group Basic Compliance Policy and other policies. On top of that, the SOMPO Group Code of Conduct for Compliance has been established to foster and ensure the compliance culture among all officers and employees in the Group.
Regarding IT system failures, we have established an IT risk management system and we are continuously working to reduce such risks. Our efforts to counter cyber-attack risk are focused on continuous development of the response system in each group company and establishment of a designated team for cyber security in the Company. Through these overarching and Group-wide initiatives, we are committed to improving the maturity of our defense capabilities within all group companies.
Labour risk caused by long working hours has been dealt with by making sure that the working time is properly and thoroughly managed and establishing a management system to enable improved management skill and communication under the working-from-home environment.
For conduct risk, we have implemented measures to identify and take pre-emptive measures against signs of risk, and we have established a system for managing outsourced contractors – including provisions to manage the process appropriately from the start of outsourcing to the termination of the contract.

D．Business specific risks（Nos. 22～27）

（Insurance underwriting risk）

a．Risk overview and assessment

The Group categorizes the occurrence of claim payments that exceed the expected level in domestic non-life insurance business, overseas insurance business, and domestic life insurance business as business risks (insurance underwriting risk). Key vulnerabilities that may generate insurance underwriting risk include an unexpected rise in the number of wind and water-related disasters associated with climate change, and loss from large-scale cyber attacks.

We may have to pay a large amount of insurance claims for damage caused by natural disasters such as earthquakes, wind, floods, and snow in Japan and abroad. In addition, changing patterns of frequency and severity of wind and water-related disasters due to climate change may increase the amount of claim payments, deteriorate the Group's underwriting balance, and make it difficult for the Group to provide stable insurance coverage.

Sompo Group offers insurance products that directly cover damage caused by cyber-attacks. In the event that a large-scale cyber-attack targeting software vulnerabilities occurs, we may receive simultaneous claims from multiple customers arising both from destruction or theft of data and from interruption of business operations, and this may affect the Group's business performance.

ｂ．The status of countermeasures

The Group aims to stabilize its business performance by using reinsurance and catastrophic loss reserves to prepare for domestic natural catastrophe risks, and by setting appropriate premium rates that quantify the estimated claims payment for natural disasters – factoring in potential impacts of climate change.

For overseas insurance business, the Company sets limits for each region and each type of natural disaster based on the Group's capital and profit level, to maintain control over the accumulation of natural disaster risks, and monitors exposure periodically to ensure that these limits are not exceeded.

Also, we are working to capture and reduce such risks by identifying potential large-scale cyber incidents and calculating the expected maximum losses.

（Nursing care business risk）

ａ．Risk overview and assessment

The Group categorizes the misjudgment of nursing care business strategy and the damage to brand value from major scandals as business specific risks (nursing care business risk).

To meet the diverse needs of many elderly people and their families, we have established Sompo Care Inc. that provides a full range of nursing care services from home care to institutional care.

In the Nursing Care & Seniors Business, the Group's operating results may be affected by the following factors: revision of the Long-Term Care Insurance Act and long-term care compensation, intensifying competition in the nursing care market, difficulty in hiring and retaining employees, food poisoning, outbreaks of communicable diseases, accidents specific to the senior citizen related business, loss of public trust and confidence as a result of such aforementioned incidents, and the occurrence of reputational risk.

ｂ．The status of countermeasures

Sompo Care Inc., which manages the Group’s nursing care business, is committed to building trust with customers by establishing a corporate governance system and facility management structures.

The company has established a Governance, Risk and Compliance Committee as an advisory body to the Executive Committee. This deliberates on response to major risk management related incidents and on internal control matters based on the results of internal audits. The Risk Management Department in SHD consolidates all the information on accidents and works to ensure that all officers and employees are aware of and take preventive measures against reoccurrence.

In addition, we promote the effective use of ICT and leading-edge technologies at nursing care facilities to improve productivity and employee compensation, aiming to close the gap between supply and demand for nursing care personnel. Furthermore, the company aims to help solve societal challenges in Japan facing a super-aged society in future, by maximizing productivity, utilizing know-how on high quality care service to provide solutions that support business process of nursing-care business operators, and promoting preventive services for deteriorating cognitive functions.

E．Other risk（No.28）

（Business interruption）

ａ．Risk overview and assessment

The Group categorizes disruption to the stable operation of the Group’s business due to natural disasters such as major earthquakes, large-scale terrorist attacks including cyber-terrorism, new strains of influenza pandemic, and other events as other risks (business interruption risk). These may affect operations such as SHD functions, insurance payments, and provision of nursing care services, as well as affecting the Group's business results.

ｂ．The status of countermeasures

The Group has formulated a business continuity plan and conducts regular training on its execution. The Group strives to verify and improve the effectiveness of business continuity measures by preparing for natural disasters such as large earthquakes and for emergencies such as pandemics caused by a new strain of influenza or other infectious agents.

In response to the global spread of Covid-19, we have added scenarios into the business continuity plan and stipulated an action plan for each scenario. Through these measures, we are improving our emergency response capability so that we ensure all critical operations in the Group companies continue to function.