Enterprise Risk Management (ERM)

LY Corporation (the “Company”) conducts risk management activities centered on Enterprise Risk Management (ERM), risk intelligence, incident tracking across the LY Corporation Group (the “Group”), and the development of a risk-conscious culture, all aimed at minimizing risks.

ERM Process and Process Infrastructure

In accordance with the regulations on ERM, LY Corporation comprehensively identifies and assesses risks related to the management and businesses of the Company and its Group companies, and promotes ERM activities that lead to the generation of corporate value. The Risk Management Committee convenes to make decisions related to risks.

(1) Risk management: The Company identifies risks and opportunities that could affect its achievement of the Group’s mission and business goals and then analyzes these from two angles: (i) how severe the impact would be if the risk materializes (i.e., how much it would affect the Company’s ability to achieve its goals), and (ii) the likelihood of the risk materializing (i.e., how likely and frequently it would occur). From this, the Company assesses the risk level based on impact × likelihood and prepares measures accordingly. At the end of the fiscal period, the Company reviews its responses and conducts a risk management maturity assessment with each division responsible for risk management and business division to understand the current situation and strive for improvements in the next fiscal year. Additionally, the Company analyzes both internal environments (self-analysis by each division responsible for risk management and business division) and external environments (information acquisition from external sources). Based on these analyses as well as insights from the top management and the persons in charge, the Company identifies particularly critical risks as the top risks of the LY Corporation Group. While bearing in mind the impact from the environment surrounding the Group, the Company reviews these top risks as needed, ranks them by priority level, and carries out and monitors the progress of measures.

(2) Crisis management: In the event of an incident, the Company takes prompt and appropriate initial actions to prevent the situation from escalating and to quickly bring it under control, and considers measures to prevent recurrence. Additionally, to ensure that users can continuously access essential services that serve as critical infrastructure for daily life and business, the Company has established a service continuity framework for emergencies.

(3) Establishment of basic rules, plans and systems: The Company establishes policies, rules, regulations, and others to support the operation of ERM processes.

(4) Risk intelligence activities: The Company collects and analyzes external information on matters such as the business environment and changes in social conditions, and shares the information with those engaged in risk management throughout the Group.

(5) Fostering risk conscious culture and education: The Company communicates the importance of risk management as a top message to all employees. Additionally, it uses all available channels to raise awareness on risk management throughout the Group so that all personnel can engage in their daily activities with risk management in mind.

(6) Information disclosure: The Company discloses the material risks of the LY Corporation Group and the status of its efforts to address them in a timely and appropriate manner through available channels.

Diagram of the ERM Process. The company first takes on a risk management process to identify potential risks. The individual steps are written from left to right of the diagram, starting with the steps involved to perform a risk assessment. This includes an analysis of the internal environment, analysis of the external environment, identification of risks, and their evaluation. Risk assessment is followed by risk response, monitoring, and follow-ups. While the aim of risk management is to visualize potential risks, the crisis management process is undertaken to identify risks that have already materialized. The steps involved in crisis management are listed from left to right of the diagram, starting with incident response. This is followed by the establishment of an incident response team, damage control, and recovery, which are all implemented based on the company’s business continuity plan. Then, information disclosures are made through the securities report, company website, and so on. The entire enterprise risk management process is based on the following foundations: establishment of plans, systems, and basic rules such as policies and regulations; risk intelligence activities; and the education and fostering of a risk-conscious culture within the company.

ERM Structure

LY Corporation establishes an ERM structure, designating the highest responsibilities to the President and Representative Director, and strives to reduce and prevent risks by smoothly implementing an ERM process. The ISO 31000 framework is used as an external guiding standard.
The Board of Directors determines the basic policies on risk management applicable to the entire Group. Based on the basic policies determined by the Board, executive bodies such as the Risk Management Committee, the Supervisory Organization of Risk Management (headed by the Head of the Governance Group), divisions responsible for risk management, and business divisions, develop the ERM structure and promote Group-wide risk management activities in cooperation with the Group companies.
In order to promptly respond to risks in an ever-changing business environment, important matters are reported to and discussed in the Top Management Committee (a meeting body comprising the President and Representative Director, directors, and others) and other relevant bodies. In addition, senior general managers are responsible for risks arising from the fields supervised by each business division head, and RM (Risk Management) Promotion Managers are also appointed to ensure a prompt response to risks. The Audit and Supervisory Committee, composed entirely of independent outside directors, and the internal audit division, led by the Head of the Internal Audit Group, maintain an independent structure to provide assurance and advise on the effectiveness of the risk management function. Reports on particularly noteworthy issues are provided to the Audit and Supervisory Committee as needed.
Furthermore, the function overseeing risk management is structurally separated from the business divisions to ensure independence. To further strengthen this independence, the positions of Head of the Governance Group, who is responsible for the Supervisory Organization of Risk Management, and Head of the Internal Audit Group, who is responsible for the internal audit division, are held by different officials.

Diagram of the ERM Structure. The Risk Management Committee supervises the entire Group’s risk management. It is chaired by the President and Representative Director who is also the Chief Executive of Risk Management. Members of the committee comprise non-outside directors, CFO, CTO, head of the Governance Group who is responsible for supervising risks, personnel appointed by the Chief Executive of Risk Management, and the corporate officer in charge of the Supervisory Organization of Risk Management. The committee works with the Supervisory Organization of Risk Management by way of providing instructions and receiving reports. The Supervisory Organization of Risk Management also collaborates and reports to business divisions and divisions responsible for risk management. The executive body, which includes the Risk Management Committee and Supervisory Organization of Risk Management, collaborates and reports to group companies through each of their Supervisory Organization of Risk Management.

*1 The Risk Management Committee is chaired by the President and Representative Director (the Chief Executive of Risk Management) and its members comprise directors (excluding outside directors) who serve as Committee members, the CFO and CTO, and the Head of the Governance Group (responsible for supervising risks), as well as personnel appointed by the Chief Executive of Risk Management, and the corporate officer in charge of the Supervisory Organization of Risk Management. The Committee supervises the risk management of the entire Group.

Risk Categories

LY Corporation defines risk categories to thoroughly understand the risks faced by the LY Corporation Group. The Company classifies risks within specific fields as risk categories and designates the divisions in charge of each risk category to conduct risk assessments. When a top risk is identified from among the risk categories, the division in charge of the risk category also becomes the risk owner.

| Classification | Risk Categories | Outline |
| --- | --- | --- |
| Strategic risks | Business strategy risks | Risks affecting or arising from the organization's business strategy and strategic objectives |
| Non-strategic risks: Finance | Market risks | Risks of financial impact from fluctuations in various market risk factors |
| Non-strategic risks: Finance | Credit risks | Risks of incurring financial losses due to the deterioration of financial conditions of credit recipients |
| Non-strategic risks: Finance | Liquidity risks | Risks of not being able to secure necessary funds, inhibiting cash management, or risks of being forced to raise funds at an interest rate significantly higher than usual |
| Non-strategic risks: Investment | Investment risks | Risks of being affected by fluctuations in the value of invested assets in inter-company investments/loans and M&As |
| Non-strategic risks: Information technology | System operational risks | Risks of incurring losses due to errors, system downtime, malfunctions, or inadequacies in operations necessary for the running and maintenance of services |
| Non-strategic risks: Information technology | Product quality risks | Risks of affecting users due to lack of quality control in the services and products provided |
| Non-strategic risks: Information technology | Information security risks | Risks of damage due to breakdown, corruption, or falsification of information systems or data, or information leakage, etc. |
| Non-strategic risks: Legal/compliance | Legal risks | Risks of being affected by penalties and damage compensations resulting from non-compliance with or breach of contracts for various transactions, etc., and risks of the companies and employees of the LY Corporation Group violating laws and regulations |
| Non-strategic risks: Legal/compliance | Compliance risks | Risks of being affected by actions that violate the LY Corporation Group Code of Conduct or internal regulations, risks of the Group or its employees committing violations intentionally or due to gross negligence |
| Non-strategic risks: Legal/compliance | Money laundering and financing of terrorism risks | Risks of the LY Corporation Group’s services being misused for money laundering or for financing terrorism, or risks of being warned by supervisory authorities for insufficiencies in anti-money laundering measures |
| Non-strategic risks: Governance | Corporate governance risks | Risks that insufficiently established governance frameworks for important decision-making in the LY Corporation Group lead to inability of the Group to make timely and appropriate decisions |
| Non-strategic risks: Governance | Data governance risks | Risks associated with the management and use of retained data |
| Non-strategic risks: Governance | Supply chain governance risks | Risks of being affected by the inappropriate selection of subcontractors or inadequate management of subcontract work and subcontract employees |
| Non-strategic risks: Social | Economic security risks | Risks of being affected by changes in political, economic, and social climates in specific countries and regions related to businesses |
| Non-strategic risks: Social | Regulatory/public policy risks | Inadequacies related to understanding of regulations, policies, stakeholder conditions, etc.; risks related to insufficient response to the various laws and regulations |
| Non-strategic risks: Social | Environmental/social risks | Risks of businesses adversely affecting the environment or society, or risks of businesses being affected by external social environment |
| Non-strategic risks: Social | Reputation risks | Risks of being affected by the spreading of bad reputations or rumors, or risks of failing to respond to the media |
| Non-strategic risks: Business operation | Business continuity risks | Risks of difficulty in continuing to operate businesses or services due to natural disasters or other external factors |
| Non-strategic risks: Business operation | Human risks | Risks related to human resources, or risks that threaten the life/health of employees |
| Non-strategic risks: Business operation | Business operations risks | Risks of incurring losses due to clerical errors in business operations |
| Non-strategic risks: Other | Tangible asset risks | Risks of losses due to damage to tangible assets or deterioration in the quality of work environment |

Fostering Risk Conscious Culture within the LY Corporation Group

LY Corporation regularly conducts (one or more times a year) mandatory training for all employees to learn the basic knowledge and concepts of risk management necessary to perform their work and to raise their awareness. The Company also gathers risk-related proposals and information from internal and external experts in various fields and notifies all employees of these.

The Company also believes that building relationships that facilitate the sharing of important information and communication among the Group companies is an important aspect of risk management of the Group. The Company is therefore committed to communication with each Group company and regularly shares information with the risk management staff of each company.
Risk management activities are promoted through mutual sharing of information on matters such as the Company’s initiatives and other information from each Group company.

In addition, risk intelligence seminars and other activities open to all personnel from the Group are held to raise risk management awareness throughout the Group.

Risk Management in Service Planning and Development

LY Corporation examines risks during service planning and development in accordance with its business characteristics.
For example, the Company introduces guidelines that clearly define the process for developing and operating products. At PayPay Corporation, a Group company, each department conducts risk identification, risk assessment, and control evaluation, and the company has introduced a process in which the frontline itself develops a risk response plan if the residual risks are unacceptable.

Top Risks of the LY Corporation Group

From its risk management activities, the Company selects the top risks for the LY Corporation Group, which serve as a guideline for the risk management activities of the entire Group.

Top risks are identified one or more times a year after the Risk Management Committee discusses risks that could have significant impact on the LY Corporation Group. Important risks identified during the fiscal year are reported to the Top Management Committee and decisions are made as they arise. The Risk Management Committee also convenes as needed in addition to its regular meetings.

Risk owners are appointed for top risks in order to clarify the responsibilities over the response measures. The risk owners promote the matters decided by the Top Management Committee and other bodies regarding priorities and response policies, and report the status of their response to the Risk Management Committee once every six months.

After the reports on risk management are submitted to the Risk Management Committee, the details are also reported to the outside directors by the Supervisory Organization of Risk Management at the Board of Directors meetings.

A structure is in place and is implemented so that the Supervisory Organization of Risk Management can regularly monitor the implementation status of risk management.

FY2025 Top Risks of the LY Corporation Group

  • Business strategy risks
  • Information security risks
  • Geopolitical/economic security risks
  • Regulatory/public policy risks

Please refer to the Annual Securities Reports (currently available in Japanese only) for financial risks that may have material impacts on investors' investment decisions.

Top risk categories, with representative risk contents and measures to mitigate risks:

Business strategy risks

Impact of delays in responding to generative AI technology
Representative risk contents:
  • The generative AI field is rapidly expanding into various industries and applications. Due to the fast pace of market changes, failure to adapt to sudden shifts in user preferences and needs could hinder business growth.
  • In the process of introducing generative AI, insufficient technological development, utilization, and acquisition of advanced AI talent within the Group could lead to missed business opportunities and a loss of competitive advantage.
  • Inadequate measures regarding data privacy and intellectual property along with the use of generative AI may result in diminished social credibility and increased legal risks.
Measures to mitigate risks:
  • The Company is continuously enhancing its marketing capabilities to swiftly identify the potential applications in new markets and customer needs, aiming to shorten the post-release improvement cycle and maximize outcomes through technological innovation.
  • The Company’s measures include advancing both the internal development of generative AI technologies and strengthening partnerships, alongside swift support for AI integration into services, governance decision frameworks, and educational content development for employees.
  • The Company is dedicated to ongoing efforts in proprietary technology development and human resource development, strengthening collaboration with relevant departments such as legal and security, and continuously developing cross-functional coordination mechanisms across business divisions.

Stagnation of business advancement (organizational rigidity and decreased efficiency)
Representative risk contents:
  • As the Company drives its business strategy forward, there is a risk that the organizational expansion may lead to rigidity and decreased efficiency, which could, in turn, diminish the implementation capabilities and slow the pace of operations.
Measures to mitigate risks:
  • The Company is continuously enhancing its business promotion capabilities through education focused on business strategy for employees, creating opportunities for communication among employees, and reviewing its HR systems.
  • By appropriately establishing task forces for collaboration among various business projects, the Company aims to further advance cross-functional initiatives through swift decision-making and efficient operations.

Information security risks

Risks related to cybersecurity
Representative risk contents:
  • The Group may face impacts on its performance and a potential loss of credibility if incidents such as business-related human error or intentional misconduct, system failures due to disasters, cyberattacks such as malware infections and advanced persistent threats, or vulnerabilities in systems and products lead to information leakage, data destruction or alteration, or service disruptions.
  • If the measures taken in response to the administrative guidance and recommendation regarding the unauthorized access incident announced on November 27, 2023, are deemed insufficient by the relevant authorities, the Group’s reputation and performance may be adversely affected.
  • Should threats such as cyberattacks exceed expectations, the Group may incur additional costs, potentially affecting its performance.
Measures to mitigate risks:
  • The Group is committed to enhancing information security from a medium- to long-term perspective across the entire organization to provide users with safe and reliable services.
  • The Company has established the Security Governance Committee, chaired by the President and CEO, to further promote responses related to unauthorized access incidents and to discuss the Company's overall challenges. Additionally, the Group CISO Board, comprising the Company’s CISO and the CISOs of major Group companies, including those globally, is established to fundamentally review and enhance the security governance of the entire Group. The CISO of SoftBank Corp. also participates as an observer in the Board.
  • To prepare for increasingly sophisticated threats such as cyberattacks, the Company is ensuring the allocation of necessary and adequate resources to implement essential and advanced measures.

Risks related to specified user information
Representative risk contents:
  • The Company handles specified user information in services such as LINE and Yahoo! JAPAN Mail, as defined under Article 27-5 of Japan’s Telecommunications Business Act and Article 22-2-21 of the Regulations for Enforcement of the Telecommunications Business Act (Ordinance of the Ministry of Posts and Telecommunications No. 25 of 1985). Specified user information refers to information about users obtained in relation to telecommunications services specified by the Ordinance of Japan’s Ministry of Internal Affairs and Communications as having a significant impact on user interests based on the content, scope of users, and usage status. The information also falls under those protected as communication secrets or those that can identify users. The Company has been designated by Japan’s Minister of Internal Affairs and Communications as a telecommunications carrier required to handle specified user information appropriately. If specified user information is compromised due to malfunctions in systems that provide services such as LINE and Yahoo! JAPAN Mail, malware impacts, physical intrusions into communication facilities, or intentional or negligent actions by the Company's associates, business partners, or consigned parties, this could lead to a deterioration of the Company's brand image, legal disputes, and administrative guidance. Furthermore, such results could lead to user decline, potential damages arising from service disruptions or degradation, and decreased revenue, thereby impacting the Company's performance.
Measures to mitigate risks:
  • When handling specified user information, the Company adheres to the Telecommunications Business Act and ensures appropriate handling based on its information security measures.

Risks related to data governance
Representative risk contents:
  • Due to the diverse range of businesses operated by the Company and its Group, there is a potential risk that governance might not be effectively implemented across all entities, or that deficiencies in the governance structure could lead to issues or incidents. Additionally, bottlenecks may occur, potentially causing disruptions such as delays in service releases.
  • Should data governance strategies fail to function effectively, the Group may face administrative penalties, reputational damage, reduced service demand, the necessity for formulation and implementation of additional measures, and data breaches, impacting the Group’s social credibility and financial performance.
Measures to mitigate risks:
  • LY Corporation prioritizes four aspects in data handling: "clear explanations," "operations under domestic law," "expert advice and evaluation," and "privacy & security first." To ensure the rational and efficient use of data, the Company works to establish data governance (control over data asset management). Specifically, the Company has established the Basic Policy on Data Protection and is making continuous efforts based on this policy.
  • Similar to the risks related to cybersecurity, following the incident of unauthorized access announced on November 27, 2023, LY Corporation has made reports to the Ministry of Internal Affairs and Communications and the Personal Information Protection Commission of Japan, and is advancing measures based on the administrative guidance and recommendations. Since the organizational restructuring as LY Corporation, the Company has been strengthening data governance and establishing a framework to ensure its smooth operation, with ongoing efforts to enhance these initiatives.

Geopolitical/economic security risks

Risks related to economic security
Representative risk contents:
  • Failure to appropriately respond to government reviews as stipulated by the Economic Security Promotion Act may result in administrative actions such as recommendations or orders from authorities for the Company to rectify or cease operations. This could lead to temporary business suspension, delays, additional capital investments, extra measures and costs, and potential damage to the Company's reputation. Such outcomes may impact the Company's business, performance, and social credibility.
  • The rising geopolitical risks leading to social, economic, and political instability, and potentially political intervention, may affect the Company's business, performance, and social credibility.
Measures to mitigate risks:
  • The Company is actively working to ensure appropriate compliance with the reviews mandated by the Economic Security Promotion Act.
  • Led by the Economic Security Office, the Company continues to monitor and gather information on domestic and international social conditions, seeking advice from external experts as necessary. This enables the Company to identify, pinpoint, and address economic security risks in the regions where the Company operates.

Regulatory/public policy risks

Risk of corporate value deterioration due to increased regulations and reputational damage arising from the misuse of platforms and services
Representative risk contents:
  • Should the Company fail to effectively address issues such as investment and romance scams using social media involving impersonation of celebrities to defraud individuals through internet advertising, illegal part-time job schemes, and the spread of illegal, harmful, false, or misleading information online, the Company’s services may be exploited for criminal purposes. Such failure to respond can also lead to disciplinary actions based on legal provisions, reputational damage, stricter regulations, a decline in users, higher response costs, and ultimately, a decline in corporate value.
Measures to mitigate risks:
  • The Company is reinforcing its measures that are necessary to address the risk of misuse for fraudulent activities and illegal job recruitment by establishing an anti-fraud team and enhancing its internal systems on advertising reviews and others.
  • Additionally, discussions on countermeasures against illegal and harmful information, as well as false and misleading information, are ongoing in the Ministry of Internal Affairs and Communications' study group. The Company plans to closely monitor these discussions and implement necessary measures accordingly.

Emerging Risks

By regularly reviewing risks, the Company identifies and manages emerging risks that could significantly impact its business. The Company focuses on key risks identified annually and selects emerging risks for which it implements countermeasures.
The emerging risk that has been identified for FY2025 is the following:

Risks arising from the use of generative AI, particularly centered around AI agents

Representative risk content: If the Company fails to appropriately respond to the rapid advancement of generative AI technology, the competitiveness of its core businesses, such as search and advertising, may decline, making value creation challenging. However, effectively leveraging generative AI technology can enable the creation of new value not only in these core areas but also across various service domains.
Impact on business: If the Company fails to achieve strategic outcomes from its engagement with generative AI technologies and becomes unilaterally dependent on external resources or specific corporations, it risks losing its competitive technological edge. However, successful strategic integration of generative AI can provide new user experiences in various service domains, elevate customer satisfaction, and secure a competitive advantage.
Countermeasures:
  • Clarification of the necessary technologies to realize differentiated AI agents
  • Building and strengthening a technology development framework for securing an in-house development field
  • Enhancement of alliances in areas dependent on external resources
  • Monitoring external environments such as domestic and international laws and regulations related to AI governance decisions, and reflecting them in rules and processes.

Critical Incident Response

The criteria for critical incidents are defined in the Rules on Incident Management. A system is in place to promptly report incidents that fall under critical incidents to the management via the Supervisory Organization of Risk Management. A system is also in place to ensure that the reported incidents are shared with the divisions responsible for risk management, so that the status of the incidents within the Group can be promptly identified. Additionally, the Company has implemented the LY Corporation Group Critical Incident Reporting Guidelines, ensuring that any critical incidents occurring within Group companies are reported to management according to the same standards.

Business Continuity Plan (BCP)

LY Corporation provides numerous services that serve as infrastructures essential for daily lives and businesses. Many of these services play important roles in the event of a sudden accident/natural disaster, and the social responsibilities of the Company are increasing. The Company implements systems to minimize damages in the event of a disaster and to ensure that users have stable access to its services.

Continuance of Services in Emergencies

Especially at the time of emergencies, such as large-scale earthquakes, one of LY Corporation’s missions is to provide services needed by users, such as Yahoo! JAPAN News, disaster information, and the LINE communication app, without interruption.
To ensure that users can continue to access the services with peace of mind, the Company establishes a system to ensure the continuous operation of services at multiple locations in emergencies.

Flexible Work Systems Taking Emergencies into Account

LY Corporation introduces a work system that allows employees to work from home in a VPN environment with appropriate security measures in place.
While providing diverse and flexible work styles, as part of the BCP, this work style is designed to ensure the safety of employees and the continuity of business operations in the event of natural disasters or other situations that make it difficult for employees to commute or leave the house.

Establishment of Crisis Response Headquarters and Periodic Drills

In the event of an emergency, a Crisis Response Headquarters, led by the President and Representative Director, will be established to ensure the continuity and early recovery of services.
LY Corporation formulates the BCP Rules that form the basis for the Crisis Response Headquarters, clarifies the roles of management and each department in the event of an emergency, gathers relevant personnel to conduct drills on the assumption of an emergency situation and safety confirmation drills for all employees on a regular basis, and reviews the BCP as needed in response to drill results and changes in the environment.
