Risk Management
Risk Management Committee
We have established the Risk Management Regulations with the aim of ensuring the proper, smooth, and continuous operation of our business. These regulations define the fundamental principles for identifying potential risks, developing a risk prevention and control system, and responding appropriately to risks when they occur. We have also established a Risk Management Committee as an organization under the direct control of the Board of Directors.
The Risk Management Committee is composed of the President & CEO as Chairperson, and all executive directors. Observers include the Audit Committee members, the Internal Audit Department, and other individuals deemed necessary by the Chairperson.
The Risk Management Committee identifies risks that could significantly impact the Company's operations by analyzing and evaluating risks reported by each department. The committee continuously monitors the implementation status of risk management initiatives and takes necessary measures in advance to avoid or mitigate risks. Furthermore, the Board of Directors reviews the company’s overall risk management system based on reports and proposals submitted by the committee, working to identify any issues and make improvements as necessary.
Incident Response
Response Principles
If an incident occurs or is likely to occur, the employee shall, in accordance with the incident response flow, ascertain the facts, investigate possible damage, take prompt and appropriate initial action, prevent the situation from spreading and bring it under control as soon as possible, and report the incident according to the reporting route.
Determination of the level of incident response
・The person who receives a report of an incident shall discuss the response plans, including the level of response to the incident.
・Our company has criteria for decision-making related to response classifications, ensuring that we can respond appropriately to incidents.
・The person receiving the incident report shall make the final decision on the level of response to the incident. If the incident corresponds to Level 3 and a company-wide response is deemed necessary, the incident shall be reported to the Emergency Task Force.
Emergency Task Force
The Emergency Task Force consists of members of the ZOZO group management committee (including observers and the secretariat) and shall serve as an emergency communication network in the event of an incident.
Restoration activities
Restoration activities shall be carried out in cooperation with affiliated companies, etc., to establish restoration priorities and effectively deploy personnel, materials, and equipment for early restoration.
Relapse prevention
The department in charge of each risk shall summarize the problems in the emergency response, analyze the causes of the situation, compile measures to prevent recurrence, etc., promptly after the situation is resolved, and report them to the Executive Committee and the Board of Directors.
Improvement of risk management system
The Risk Management Committee shall analyze reports, progress records, etc., and issue instructions for improvement of the risk management system.
Individual risks and main countermeasures
Risk items | Risk overview and impact | Main countermeasures |
Cyber Attacks and System Incident Risks | Our group's main business is operating an e-commerce platform. The entire supply chain—from order placement to delivery—relies heavily on IT systems. Any unforeseen event, such as external cyberattacks, internal misconduct, natural disasters (earthquakes, tsunamis, fires), accidents, or power outages, could cause damage to our facilities or communication networks, resulting in system failures that would have a serious impact on our business operations. Additionally, if transactions are suspended due to server malfunctions or defects, this could potentially affect our Group's business operations, financial performance, and corporate reputation. |
To reduce the risk of system failures, our group is implementing the following measures:
By implementing these measures, we aim to minimize the impact of system failures and ensure business continuity.
|
Risk of Service Interruption from Key Vendors | Our group entrusts certain operations, such as the collection of sales proceeds from product purchasers and product delivery, to partner companies, and relies on third-party services for system infrastructure such as data centers and databases. As of now, there are no known issues with the outsourcing partners responsible for these functions. However, in the future, changes in the business policies or strategies of these companies, changes in their business conditions or financial status, changes in transaction terms, or unforeseen circumstances that result in the suspension of their operations could adversely affect our Group’s business operations and financial performance. |
Our group strives to maintain good relationships with the contractors who support our business and continuously monitors their financial condition. In addition, we have implemented the following measures for our system infrastructure to ensure business continuity:
These measures are designed to minimize the likelihood and potential impact of any disruption in specific functions.
|
Business Continuity Risk | Our group's headquarters and main logistics hubs are located in Chiba and Ibaraki Prefectures. Within this region, we are subject to the risk of large-scale disasters such as earthquakes and storm or flood damage, pandemics affecting our facilities or business partners, and man-made threats including crime, accidents, fires, and power outages. In the event of such incidents, there is a possibility that our logistics operations may be disrupted due to failures in core systems or equipment, or that service levels may decline if employees are unable to report to work. Additionally, delays or interruptions in large-scale system development due to unforeseen events, or the materialization of risks described under “Cyberattacks, System Incidents, and Risks Related to Outsourcing”, could adversely affect the operations and financial performance of our group. |
Our group has implemented measures to minimize the impact of natural disasters and human threats on business operations.
Through these measures, our group is committed to mitigating business continuity risks, maintaining service quality, and enhancing operational stability.
|
Risk of Leakage of Confidential and Personal Information | The ZOZO Group manages personal information obtained through its e-commerce site ZOZOTOWN, sales of ZOZOSUIT in the United States, and the operation of services such as ZOZOFIT and WEAR. In addition, we handle personal information obtained through our B-to-B business operations and the ZOZOMETRY service. We are subject to obligations under the “Act on the Protection of Personal Information” and the European Union's “General Data Protection Regulation (GDPR)” and other overseas regulations governing the protection of personal information. In the event that personal information is leaked to third parties due to willful misconduct or negligence by employees or contractors, or as a result of unauthorized external access or other unforeseen incidents, the Group may incur substantial response costs, be subject to claims for damages, or suffer reputational damage to its brand and the reliability of its services. Such incidents may adversely affect the Group’s business operations and financial performance. Furthermore, if we unintentionally violate any applicable regulations and are subject to significant penalties or fines, this may also negatively impact our business and results of operations. |
To ensure proper handling of personal information, we have established a robust management system in accordance with the Personal Information Protection Management System by establishing internal regulations and manuals, a Personal Information Protection Policy, and other rules related to the management of personal data. Additionally, through education on personal information for all employees, we ensure that rules regarding the handling of personal information are thoroughly understood and communicated, thereby raising awareness of personal information protection. Through these efforts, we strive to comply with the Act and relevant laws and regulations. Furthermore, we established our Information Security Policy in May 2021 and, following an audit by a third-party organization in July of the same year, obtained certification for the international standard “ISO/IEC 27001:2013” and the Japanese national standard “JIS Q 27001:2014” for Information Security Management Systems (ISMS). In addition, the servers that store personal information are managed in external data centers equipped with advanced security infrastructure. We have implemented stringent security measures to prevent unauthorized access from outside, and have established strict access controls to limit viewing of personal data. These measures are implemented with advice from external experts as necessary. We will continue to enhance our security and compliance with laws and regulations, thereby reinforcing the reliability of our business operations. |
Licensing/Legal Compliance Risk | Our main businesses, the e-commerce site ZOZOTOWN and the social networking service WEAR, are subject to regulations such as the Telecommunications Business Act and the Secondhand Articles Act. If these laws are revised or new laws are enacted, it may affect our business operations. | Our group monitors the latest developments in these laws and regulations. We ensure compliance with these regulations by strengthening collaboration between the legal and business divisions. Through these efforts, we strive to maintain the stability and reliability of our business operations. |
Compliance and Reputation risk | Our group recognizes compliance with laws and regulations, including the Act Against Unjustifiable Premiums and Misleading Representations, the Act on Specified Commercial Transactions, and other relevant laws and industry regulations, as well as social expectations, as an important management issue for our business. However, it is difficult to completely eliminate these risks arising from within or outside the group. In the event of a serious incident, there is a possibility that our business or operating results may be adversely affected by administrative sanctions, damages, or a decline in social credibility. As of now, no significant litigation has been identified. However, compliance risks (such as human errors in the management of personal information held by the Group, unauthorized access by third parties leading to information leaks or system failures, infringement of third-party intellectual property rights, or litigation risks arising from defects in products sold) always exist, and depending on their nature and outcome, they could have a significant impact on corporate value. Additionally, if the Company’s initial response—such as internal information-sharing systems, collaboration with external experts, or media handling—is inadequate in addressing compliance issues or reputational risks, it may be difficult to swiftly mitigate the situation. This could lead to the spread of negative public opinion or media coverage, which could adversely affect the Company's business operations or financial results. | Our group treats compliance with laws, regulations, and internal rules as a key management priority to ensure the sound and sustainable operation of our business. We are committed to preventing serious legal violations and misconduct by implementing a multi-layered compliance framework, centered on the establishment and thorough dissemination of internal policies and compliance education.
Through these efforts, our group will continue to strengthen our compliance framework to support sound corporate management and sustainable growth.
|
Risks to the Life, Body, and Health of Employees | Our group recognizes that ensuring the safety and security of our employees is one of the most critical issues for achieving sustainable growth. We have implemented various safety measures based on this fundamental understanding. However, it is not possible to completely eliminate the risk of harm to employees’ lives, physical health, or mental well-being due to unforeseen natural disasters, sudden outbreaks of infectious diseases, accidents, unexpected incidents, or excessive workloads caused by such events. Should such situations arise, the impact may go beyond the loss of human resources due to employee leave or resignation, potentially affecting the Group’s business performance and operations through post-incident response costs, business disruptions, and reputational damage. |
Our group recognizes risks to the life, physical well-being, and health of our employees as important, and we are promoting the following measures to avoid and mitigate such risks.
Through these measures, our group will strive to protect the safety and health of our employees, while maintaining and enhancing corporate value by ensuring business continuity.
|
Conflict of Interest Risks Related to Parent Companies | We are a subsidiary of SoftBank Group Corp., SoftBank Corp., LINE Yahoo Corp., and other companies. We engage in transactions with these parent companies and their group companies, including user referral-based customer acquisition, the operation of Yahoo! Shopping stores such as “ZOZOTOWN,” and the introduction of the smartphone payment service PayPay on platforms such as “ZOZOTOWN.” We plan to continue conducting numerous transactions with these companies in the future with the aim of expanding our group's business. These parent companies directly or indirectly hold a majority of the voting rights at our shareholders' meetings and have significant influence over our management. In the event of a conflict of interest with our parent companies or their group companies, there is a risk that our interests may be harmed. |
We have established “Regulations on Maintaining Fairness in Transactions with Parent Companies and Affiliated Companies” and a system to ensure fairness in such transactions. Under these regulations and system, when resolutions related to such transactions are made at the Board of Directors, any directors who have relationships with the parent company or its group companies are excluded from voting. Through this mechanism, we operate in a manner that upholds the fairness of these transactions. |
Risks Associated with Corporate Acquisitions (M&A) | Our group considers corporate acquisitions to be an important management strategy for achieving sustainable growth and enhancing corporate value. When considering corporate acquisitions, we conduct thorough investigations in advance and make decisions carefully through a defined approval process. In addition, we have recognized significant goodwill arising from corporate acquisitions on our consolidated balance sheet. However, if unforeseen risks that could not be identified during the pre-acquisition due diligence become apparent, or if post-acquisition changes such as economic fluctuations, shifts in market conditions, intensifying competition, or underperformance of the acquired business occur, the anticipated benefits may not be realized. In such cases, impairment losses on goodwill, significant additional costs, or further investments may be incurred, which could affect the financial position and operating results of our group. |
We are implementing the following measures to reduce the risk of impairment of goodwill.
By continuously implementing these measures, we will manage the risk of impairment of goodwill and strive to maintain and enhance corporate value.
|