Corporate website of Orient Corporation

Risk Management

We consider the appropriate management of risk to be one of our key management priorities, with the aim of enhancing corporate value while maintaining sound and stable management. To comprehensively grasp and manage the Group's diverse risks, we have established a "Risk Management Basic Policy". We promote autonomous control activities within operational departments and group companies. The relevant risk-managing departments manage individual risk situations, while the Risk Management Department comprehensively identifies and evaluates risks, thereby ensuring appropriate risk control. The status of the group's comprehensive risk management is discussed and reported at the Comprehensive Risk Management Committee, which meets quarterly. Furthermore, the Head of the Risk Management Group, who is a Managing Executive Officer*, reports on these matters as appropriate and as necessary to the President and Representative Director, the Management Committee and the Board of Directors, thereby establishing a risk management framework for the entire group. To foster a corporate culture that prioritizes risk management, we strive to instill risk awareness among all officers and employees. We conduct training and awareness initiatives to ensure they recognize the importance of risk management and act accordingly. We refer to ISO 31000, a leading risk management framework.

*Not the Chairperson of the Audit and Supervisory Committee

Management system chart

Risk Appetite Framework

We position the RAF as a management framework for risk-taking that is aligned with our risk appetite, which is defined as the types and aggregate amount of risk that we should proactively accept in order to achieve our business and financial strategies. Based on the "Basic Policy on Operating the Risk Appetite Framework" we integrate business and financial strategy management with risk management. Our aim is to achieve optimal risk-return through appropriate risk-taking. We conduct management and operational activities that contribute to ensuring management safety and optimising the allocation of resources. This includes confirming capital adequacy by monitoring progress and performing rapid rebalancing in response to environmental changes.

  • Quantify risk-return and cost-return for each product, department, or segment to gain a detailed understanding of profitability.
  • Managerial constraints on capital holdings, funding
  • Develop a business strategy with an acceptable risk/cost in relation to the management strength to construct a balance sheet that maximizes risk-adjusted return.
  • [Risk Measurement] Measure credit risk, market risk, and operational risk based on internally available bankruptcy probability and market data
  • [Risk Capital Allocation] Determine the target risk level in relation to capital and allocate it to relevant departments
  • [Set Risk Appetite] Take risks to achieve strategic objectives set focus area
  • [Report the above to the Board of Directors to strengthen corporate governance]

Optimal balance sheet management and business strategy → Rebalance in accordance with environmental changes → Resource allocation and strong corporate governance → Increase corporate value and improve overall productivity

Top Risk

We identify risk events, including ESG risks, that could significantly impact the Group as "Top Risks" based on both internal and external factors, looking ahead three to five years from the present.
To select these risks, we gather information on internal and external risk events, assess their likelihood and potential impact, and then determine the list through deliberation by the Comprehensive Risk Management Committee and the Executive Management Meeting. The President and Director provides final approval.
We maintain a system for periodically reviewing the selected top risks and reassessing them as necessary. Furthermore, we implement effective countermeasures to ensure appropriate risk control.

[Top Risk Selection Cycle]

  1. Identify Risk Events: Identify risk events from internal and external environments that have an impact on our Group.
  2. Analyze and Evaluate Risk Events: Create a heatmap to evaluate the significance of risk events based on an assessment of the likelihood and impact of the risk events.
  3. Select Potential Top Risks: Select potential top risks from high-importance risks based on similarity and relevance.
  4. Identify Top Risks: Comprehensively evaluate the impact on the Group and the response status and select top risks with the involvement of management. Following deliberation by the Comprehensive Risk Management Committee and the Executive Management Meeting, the President and Director determines the top risks.
  5. Evaluate and Improve Risk Management: Regularly monitor and evaluate the operational status and report to the Comprehensive Risk Management Committee, Executive Management Meeting, and Board of Directors. Review and reassess the selected top risks periodically and as necessary.

The "top risks" as of the end of June 2025 are as follows.

| No. | Risk Events | Risk Scenarios |
|---|---|---|
| 1 | Impact on Business Performance due to the Worsening Economic Downturn | Due to prolonged inflation and significant fluctuations in the economic environment, customers are finding it difficult to make repayments, leading to an increase in bad debt losses. The deterioration of the business environment has resulted in an increase in the management decline and bankruptcy of member merchants |
| 2 | Impact of Increasing Interest Rates on Business Performance | An increase in financial expenses and a decline in business revenue due to an unexpected increase in interest rates are weighing on performance |
| 3 | Impact on Business from Cyber Attacks and Major System Disruptions | Loss of stakeholder trust and missed business opportunities due to data breaches, operational disruptions, and cyber-attacks causing leakage of personal information and system outages |
| 4 | Damage to Corporate Value due to Non-Compliant Behavior Contrary to Social Norms | Loss of stakeholder trust and missed business opportunities resulting from employees' failure to act in accordance with social norms and ethical standards |
| 5 | Impact of Increased Fraudulent Use on Business | The impact on business performance due to increased fraudulent card usage and losses of stakeholder trust and missed business opportunities |
| 6 | Impact on Business Performance due to Natural Disasters and Emerging Infectious Diseases | Damage to the company's credibility by making business continuity difficult due to damage to company buildings and core systems caused by a major earthquake occurring directly beneath the capital region or by large-scale wind and flood disasters |
| 7 | Impact of Insufficient Human Resource Management on Strategy Implementation | Decline in competitiveness due to insufficient human resource management to execute business plans |

Principal Risks Concerning Our Group's Business Activities

The principal matters that could significantly impact our business operations are as follows. Please note that this section contains forward-looking statements. These statements reflect our assessment at the end of June 2025 and are not intended to cover all risks that may arise in future business operations.

1. Credit risk

Risks

  • Potential losses could be incurred due to users' payment delays and deterioration in debt recovery.
  • Unforeseen factors such as future economic trends, an increase in personal bankruptcy filings, and other unexpected circumstances may necessitate a boost in provisions for bad debts.
  • Regarding overseas operations, fluctuations in customer payment ability due to trends in prices and employment conditions in the Southeast Asian economy may impact performance.

Counter measures

  • We are actively maintaining an appropriate delinquency rate through statistical methods based on past performances and improvements in our AI-based evaluation system and logic.
  • To prepare for potential loan losses, an estimated loss rate is calculated using statistical methods and an allowance for doubtful accounts is established.
  • In our overseas operations, we are revising our credit extension standards and strengthening our debt collection framework for customers who have fallen behind on their payments.

2. Interest Rate Fluctuation Risk

Risks

  • There is the possibility of increased financial expenses should future interest rates rise significantly or substantial credit rating revisions result in higher funding costs. Additionally, there may be a limitation in passing on the increase in funding costs to investment interest.

Counter measures

  • We implement ALM (Asset and Liability Management), adjusting the balance between short-term and long-term funding in response to market conditions and our Group's portfolio. We also manage interest rate fluctuation risk appropriately by utilizing derivative transactions.

3. Liquidity Risk

Risks

  • In the event of significant changes in financial conditions or a substantial revision of ratings, there is a possibility that securing funds smoothly will become difficult, or that we may be forced to procure funds at significantly unfavorable interest rates compared to usual.

Counter measures

  • We implement ALM (Asset and Liability Management) to secure the necessary funding for our group's business activities. We are working to diversify our funding sources and reduce liquidity risk through the establishment of commitment lines with multiple financial institutions and adjustments to our available liquidity.

4. Cybersecurity Risks

Risks

  • In the event of a cyber attack causing computer system shutdown, data tampering, or leakage of important information, there is a possibility that customer service may be disrupted, customer information may be misused, trust from stakeholders may be undermined, liability for damages may arise, penalties under laws and regulations may be imposed, and additional costs may be incurred to address these incidents.

Counter measures

  • Recognizing that increasingly sophisticated and skillful cyber-attacks and other threats are an important management issue, we are maintaining a cybersecurity risk management framework, centered on the Cyber Security Office, a dedicated department. Specifically, we strive for early incident detection and immediate response through information gathering in collaboration with external organizations and 24/365 monitoring of networks and devices via our integrated SOC. Furthermore, we maintain a framework for system security by implementing organizational and human measures. These include technical countermeasures, establishing procedures for cyber incident preparedness, supply chain management, and training and drills for executives and staff.
  • We have established the "Orico CSIRT" framework aimed at improving security quality and strengthening incident response capabilities. This system is designed to consistently control everything from preventive safety measures during normal operations to immediate response readiness during incidents.

5. Information Security Risks

Risks

  • We acquire, store, and utilize a significant amount of customer information. Therefore, in the event of a leakage of important information, such as unauthorized access from external sources, accidents during media transportation, or involvement of internal personnel, there is a possibility of incurring liability for damages, damaging the trust of our group, being subject to regulatory penalties, and incurring additional expenses to address these incidents.

Counter measures

  • To prevent the leakage of sensitive information, including personal data of our valued customers, we have established regulations and procedures for information handling. We secure our systems through organizational, technical, human, and physical measures, including providing staff education and training and managing access to our facilities, ensuring proper information handling.
  • We are enhancing our security measures through continuous improvement, including ensuring compliance with revisions to information security certification standards.

6. Systems Risks

Risks

  • We possess a large-scale computer system that connects our domestic locations, customers, and various payment institutions through a communication network to process information. A major system malfunction or similar incident could potentially cause disruptions to customer services.

Counter measures

  • For the information systems we use in our operations, we take preventive measures to ensure stable operation, such as maintenance activities and the implementation of backup systems. We have also established contingency plans to deal with unforeseen events, ensuring that in the event of system downtime or malfunctions, we can continue our operations safely and promptly. Furthermore, we regularly audit external contractors, such as cloud service providers, before and after implementation, evaluating their security measures and service levels to enhance quality.

7. Conduct Risk

Risks

  • Not only actions that violate laws, internal regulations, and social norms but also actions that negatively impact customer protection, market integrity, public interest, and stakeholders can potentially harm corporate value.

Counter measures

  • We view compliance not merely as adherence to laws but as a commitment to corporate ethics and social norms. To ensure that employees take "correct actions" when faced with issues, we have established "The Orico Group Code" as our code of conduct and are working to embed it within the organization.
  • By establishing an internal reporting system, the "Orico Helpline," that employees can use with confidence, we aim to enhance self-regulation and work towards preventing the occurrence of fraud.

8. External Fraud Risk

Risks

  • The amount of fraudulent losses related to credit cards is on the rise across the industry, and the methods of fraudulent transactions are becoming increasingly complex and sophisticated. The increase in fraudulent losses may negatively impact performance. Furthermore, as curbing fraudulent transactions is also important from a social responsibility perspective, failure to implement sufficient countermeasures could damage trust among stakeholders.

Counter measures

  • We are conducting trend investigations and monitoring of fraudulent applications, working to prevent fraud by improving the accuracy of our screening logic.
  • We are enhancing our fraud prevention measures through the use of an AI-powered fraud detection system, promoting the registration of identity verification services for members, and providing usage notifications and suspension features.
  • We monitor for the emergence of phishing sites mimicking our website around the clock and promptly take action to block them upon detection. At the same time, we use videos and websites to raise awareness of potential risks among our members.

9. Climate Change Risks

Risks

  • We recognize "climate change risks", which are influences from frequent natural disasters caused by extreme weather events and the transition to a decarbonized society.
  • As physical risks, the intensification of extreme weather events such as typhoons and floods could potentially disrupt our business operations and damage the business foundation.
  • As transition risks, the transition to a circular society, innovations that promote decarbonization, inadequate response to technological innovations, policies and regulations, and changes in supply and demand for specific financial services, as well as insufficient efforts in disclosing such information, may undermine the trust of stakeholders.

Counter measures

  • With sustainability as a core management principle and in line with our Environmental Basic Policy, we are further enhancing our environmental initiatives while working towards realizing a circular society and decarbonization.
  • Through the Sustainability Committee, we are addressing climate change-related risks and opportunities, reviewing the status of our sustainability initiatives, strengthening internal and external communication, and enhancing monitoring.
  • We are assessing the likelihood of occurrence, impact, and financial implications related to physical risks and transition risks, and are working on response measures accordingly.

10. Natural Disasters and Infectious Diseases Risks

Risks

  • There is a possibility that our business operations may be affected by large-scale disasters such as earthquakes, typhoons, or the outbreak of infectious diseases.
  • If recovery from disaster-related damage takes a considerable amount of time, or if circumstances such as a sudden surge in infectious diseases or a significant increase in severely ill patients arise, there may be an increase in credit and liquidity risk.

Counter measures

  • To prepare for unforeseen events such as large-scale earthquakes, disasters, or accidents, we have established "Business Continuity Management Regulations" and formulated an "Annual Plan for Business Continuity Management". We have also implemented a dedicated system for promptly confirming the safety of personnel and assessing the situation in affected areas.
  • In the event of a major natural disaster or similar event in the Tokyo metropolitan area, we have established a provisional emergency headquarters in the western Japan region and conducted training to ensure business continuity.
  • To ensure the stable operation of payment infrastructure and appropriate customer responses, we have developed a business contingency plan that is updated annually.

11. Regulations Risks

Risks

  • We conduct our business in compliance with various laws and regulations, such as the Installment Sales Act, Money Lending Business Act, Investment Act, Interest Rate Restriction Act, Act on Prevention of Transfer of Criminal Proceeds, and Personal Information Protection Act. Our business area requires registration or permission from regulatory authorities, thus future changes in laws, regulations, policies, and industry practices may potentially impact our business operations and performance.
  • In the event of any violation of laws and regulations, there is a possibility of receiving sanctions or penalties from regulatory authorities in accordance with the applicable laws.

Counter measures

  • We strive to grasp risks that derive from regulatory changes in a timely and accurate manner and to report the details and response status to the Comprehensive Risk Management Committee. We ensure appropriate management and operation for risk avoidance and mitigation.
  • We conduct business verification related to relevant laws and regulations, and report the details and results to the Compliance Committee. We ensure proper management and operation in compliance with laws and regulations.

12. Human (Talent, Human Rights, among others) Risks

Risks

  • As the labor population decreases due to a declining birthrate and aging population, the values regarding work and living environments are diversifying. If we cannot meet employees' expectations for job satisfaction and fulfillment, it may become difficult to secure the necessary talent to execute our management strategy, potentially lowering our competitiveness.
  • To realize our management strategy, we require more specialized talent, particularly in digital transformation (DX). If we are unable to secure and develop sufficient talent in line with changes in the business environment, it may hinder our operational capabilities and decrease competitiveness.
  • If our efforts to respect human rights are deemed insufficient, we risk losing the trust of stakeholders.

Counter measures

  • We are revising our HR system and implementing key initiatives based on a talent strategy that considers changes in external environments and the values and lifestyles of each employee, aiming to maximize employee engagement.
  • We are undertaking systematic employee development through new experience-building programs and enhanced learning content. We are also recruiting experienced personnel strategically to secure diverse talent, and we have established a remuneration system for highly specialized personnel.
  • Recognizing that respect for human rights constitutes a vital social responsibility, we are strengthening our efforts to uphold human rights, including conducting human rights due diligence in accordance with the "Human Rights Basic Policy" established under the "UN Guiding Principles on Business and Human Rights". This applies to all Group companies, both domestically and internationally.

13. Risks Related to Recoverability of Deferred Tax Assets

Risks

  • We assess the recoverability of deferred tax assets based on future taxable income. However, the estimation of future taxable income is subject to influences such as future economic conditions, unforeseen interest rate fluctuations, increased personal bankruptcy filings, and other unexpected factors.

Counter measures

  • Deferred tax assets are recognized for future deductible temporary differences and are assessed for their recoverability based on estimated future taxable income, taking into account certain uncertainties inherent in the three-year business plan and other factors.

Other Risks

In addition to the risks mentioned above, there are other factors that could potentially impact the performance of the Orico Group, including:

  • Insufficient measures to combat anti-social forces, money laundering, terrorist financing, and proliferation financing.
  • Significant depreciation of priority beneficiary rights or tangible fixed assets, such as land and buildings, due to the liquidity of installment sales receivables.
  • Consumer disputes arising from violations of laws by member merchants, partner companies, or business commission recipients, which could escalate into social responsibility issues for the Orico Group.
  • In the event that negative reports regarding our group and the industry undermine stakeholder trust, it may lead to a loss of confidence from stakeholders.

BCP

Business Continuity Management Policy

Orient Corporation (hereinafter referred to as "we"), based on its Philosophy and Orico's Sustainability Goals, has positioned the response to emergencies such as large-scale 'natural disasters', 'spread of infectious diseases' and 'system failures' as one of its key management issues and has established the Basic Business Continuity Management Policy as follows.

  1. We prioritize human life in situations where there is a risk to life or physical well-being during emergencies.
  2. Considering our role as a company contributing to vital social infrastructure, we focus on the maintenance and continuity of payment functions and the early recovery of operations during emergency situations.
  3. We establish a prompt response system, including organizational structure, authorities, instructions, and emergency action plans, to effectively respond to emergencies.
  4. We provide education and training to all employees regarding emergency response measures and emergency action plans. Regular training exercises are conducted to improve the effectiveness of emergency response.
  5. We monitor changes in the environment surrounding us and our group companies, as well as societal trends related to emergencies, and review the organizational structure based on this policy as necessary.

Major Business Continuity Management Efforts:

  • Formulation of an annual business continuity management plan (deliberated in Executive Management Meetings and reported to the Board of Directors)
  • Development of initial response systems for emergencies, particularly large-scale earthquakes
  • Establishment and thorough dissemination of evacuation and communication systems during disasters
  • Conduct regular reviews of "assumed scenarios" within business continuity management and formulate "business continuity plans and system continuity plans" based on the results of a "business impact analysis" covering all operations.
  • Conducting comprehensive training exercises to enhance the response capability for large-scale system failures, including cyberattacks
  • Radio communication training at both the headquarters and nationwide branches
  • Participation in "Shakeout drills (Chiyoda Ward's simultaneous disaster prevention drill)" at the Kojimachi head office building
  • Establishment of self-defense firefighting organizations at the Kojimachi head office building
  • Implementing and maintaining test emails to confirm safety

Disaster Resilience Measures for Data Centers:

The financial services offered by our Group rely on computer processing in data centers. To ensure that operations continue uninterrupted in the event of a disaster, we have reinforced our data centers as follows. We will continue to review these measures and enhance our disaster resilience further.

  • Installation of a self-generated power system capable of continuous operation for up to three days
  • Power supply sourced from two independent sources
  • Construction of data centers in locations known for their high resilience to seismic and weather-related disasters