Risk Management and Internal Controls

As corporations deal with constantly-changing business conditions, they also face increasingly diverse, complex risks. KDDI defines risks as those factors and phenomena that influence the achievement of management objectives. We recognize that strengthening risk management is an important management issue. To ensure the continuation of business and fulfill our responsibilities to society, we promote risk management activities across the Group as a whole.

KDDI's Risk Management and Internal Control Systems

We have established a system to centralize the management of risks with the Corporate Sector at the core.
Furthermore, we are promoting risk management throughout the KDDI Group in order to realize the continuous growth of the entire group. We have appointed 44 Internal Control System Managers within KDDI and 45 at group companies, as well as 5 Internal Control System Directors to oversee their activities. Under their leadership, we introduce and run internal control systems, carry out risk management activities, and run operational quality improvement activities to foster a company culture in which risks are less likely to arise.

Personnel in Charge of Internal Control

Risk Management Activity Cycle

KDDI recognizes that in order to prevent a corporate crisis from occurring, it is important to understand the signs of such crises and to put countermeasures in place before the situation worsens. To that end, we have built a PDCA cycle for risk management activities. We have also put in place a structure for managing risks to ensure they are dealt with rapidly and appropriately when they are discovered.

Risk Identifying Process

We annually examine information about risks to identify significant risks that seriously influence corporations, and discuss measures to reduce such risks and their impacts as much as possible in case we face them.
In order to ensure the achievement of our business goals, in FY23.3 we selected 29 significant risks based on issues that manifested in the past and changes in the business environment, and held internal audits centered on risk prediction, the reduction of significant risks and risk approach. In order to minimize information security risks, we have also established a common standard applicable group-wide to improve the level of information security across the group. The status of these significant risks is also reflected in the business risks disclosed in the Securities Report, since they also relate to finance.

Basic Policy for Constructing an Internal Control System

Based on the provision of Article 362, Paragraph 5 of the Companies Act, we passed the Basic Policy for Constructing an Internal Control System at a meeting of the Board of Directors. In addition, we publicly announce resolutions and our operational status to ensure the fair, transparent and efficient execution of our corporate duties and maintain an effective system for internal controls to raise the company's quality level.

Main Operational Risks


Competitors, rival technologies and rapid market shifts

Risk Background
  • The need to provide user support for product defect problems attributable to the rapid expansion of the commerce business
  • Inability to acquire the bandwidth we need
  • Increase in competition due to new high-speed wireless data technology
  • Possible rise in connection fees with other telecommunications operators
  • Intensifying competition as a result of changes in the business landscape due to partnerships with other industries, sales packages that include other products (such as telecommunications + power), the emergence of MNOs and MVNOs in the market and other companies expanding their business fields
Potential impact on KDDI
  • Possible impact on the earnings performance, etc. of the KDDI Group
KDDI's response
  • Supporting new consumer lifestyles and promoting initiatives to create a resilient society that achieves both economic development and solutions to social issues

Inappropriate handling or leakage of confidential communications, violations of customer privacy, and improper use of the products and services provided by the company etc.

Risk Background
  • Internal privacy breaches
  • Unauthorized access from external networks
Potential impact on KDDI
  • Could seriously damage the brand image of the KDDI Group
    In addition to a possible loss of customer trust, we could also be forced to pay substantial compensation or surcharges
  • In the future, we may face higher costs to develop the framework necessary to protect the confidentiality of communications and customer privacy and protect against cyberattacks
  • Could have a negative impact on the financial position and/or earnings performance of the KDDI Group
KDDI's response
  • Establishment of the Information Security Committee
  • Establishment of the KDDI Code of Business Conduct, KDDI Security Policy, and KDDI Privacy Policy
  • Establishment of the Business Ethics Committee
  • Reinforcement of various technical, organizational and human safety management measures
  • Educating all employees on how to protect the confidentiality of communications and customer privacy
  • Working with our external partners, particularly with our retail network of au Shops, to strengthen management through the improvement of shop operations, regular audits, and training
  • Establishment of standards for the security regulation measures to be taken by business systems and the review of compliance with the regulations
  • Establishment of the KDDI Service Security Incident Readiness & Response Team (KDDI-SSIRT), which specializes in service security to prevent harm before it occurs

Communications failure, natural disasters, and other unforeseen events

Risk Background
  • Natural disasters, such as earthquakes, tsunamis, typhoons, or floods, as well as secondary damage from the spread of toxic substances caused by natural disasters
  • Worldwide spread of an infectious disease (pandemic)
  • War, terrorism, accidents, or other unforeseen events
  • Power brownouts or blackouts
  • Computer viruses or other forms of cyber-attack and hacking
  • Operation system hardware or software failures
  • Flaws in communication equipment and services
Potential impact on KDDI
  • Risk of service outages or interruptions, etc. due to communications failures, natural disasters or accidents, etc.
  • Loss of opportunities to offer products and services due to service outages resulting from failures in network systems or communications equipment, substantial billing errors, the closing of distributors, the suspension of distribution, and reputational damage through media such as SNS could damage the brand image of the KDDI Group and lead to loss of customer trust and decreased customer satisfaction, which could have an impact on earnings performance
KDDI's response
  • Initiatives to improve the reliability of our network and prevent service outages
  • Establishment of a policy for implementing disaster prevention operations in the event of a disaster, taking measures to prepare for disasters, and maintaining close communication and coordination with related organizations in Japan and overseas

Laws, regulations, and government policies relating to the telecommunications business

Risk Background
  • Revisions to the calculation formula for inter-operator connection fees and/or accounting methods
  • Revisions to designated telecommunications facilities system and/or the regulations on prohibited activities
  • Revisions to the universal service systems
  • The emergence of MNOs and MVNOs in the mobile communication market
  • Revisions to the frequency allocation system
  • Revisions to the spectrum user fee system
Potential impact on KDDI
  • The KDDI Group's earnings performance, etc. could be negatively impacted by the revision or abolition of laws and regulations or the formulation of government policies relating to telecommunications, electricity and finance business
  • The KDDI Group's earnings performance, etc. could be negatively impacted as well if the company's competitive advantage is relatively diminished as a result of competition
KDDI's response
  • Taking appropriate actions based on laws, regulations and government policies
  • Advocating measures for fair competition with other telecommunications operators through various deliberation councils and study sessions as well as the public comment system of Japan's Ministry of Internal Affairs and Communications

Acquisition of human resources, training and personnel management

Risk Background
  • Rise in human resources investment costs in the future
Potential impact on KDDI
  • If we are unable to handle matters appropriately in the future, the KDDI Group's brand image could be damaged, leading to loss of customer trust and impacting our earnings performance
KDDI's response
  • Working together across the entire company to support personnel training and career development to keep up with technological innovations
  • Appropriate personnel management and the promotion of work style reforms based on the law

Initiatives in Response to the Internal Control Reporting System (J-SOX)

In response to the internal control reporting system based on the Financial Instruments and Exchange Law implemented in FY09.3, we conducted evaluations of the internal controls at KDDI and 11 major group subsidiaries (totaling 12 companies) in and outside Japan to ensure reliability of our financial reporting. The results of these evaluations were compiled in an internal control report, which was submitted to Japan's Prime Minister in June 2023, as well as disclosed to investors.

Activities to Enhance Operational Quality

In conjunction with the response to the internal control reporting system, we established an Internal Control Department that promotes initiatives for improving the operational quality of the whole Company, and Internal Control System Managers in each department facilitate initiatives that enhance the efficiency and standardization of operations. Business improvement projects arising from this activity are added to a database, enabling all employees to utilize activities to enhance operational quality in their own departments.
To further raise each employee's awareness and motivation regarding the quality of operations, we have introduced the Operational Quality Improvement Prize to recognize excellent and ambitious initiatives. In addition, we have started working on the introduction of robotic process automation (RPA) across the Company as a way of improving operational quality, productivity, and efficiency at the same time, starting with the preparation of the RPA system environment and education programs.

Activities to Enhance Operational Quality

  • e-learning training
  • Sharing messages from executives and good examples of initiatives in e-mail newsletters and internal magazines
  • Implementation of Operational Quality Improvement Prize (once a year)
