Risk Management and Internal Controls
KDDI's Approach (Risk Management and Internal Control)
In an ever-changing business environment, the risks facing companies are becoming increasingly diverse and complex.
KDDI has resolved the "Basic Policy for Establishing an Internal Control System" at the Board of Directors in accordance with the Companies Act, and maintains and operates an internal control system, including a risk management framework, in line with this policy.
We define any factors or events that may affect the achievement of our management objectives as "risks," recognize the strengthening of risk management as a critical management issue, and promote group-wide risk management activities to ensure business continuity and fulfill our social responsibilities.
KDDI's Risk Management
Risk Management Committee
KDDI has established the Risk Management Committee to centrally aggregate and deliberate significant risks at the Board level. The committee is chaired by the President and consists of full-time members who are Directors and CxOs. It identifies key risks, appoints responsible officers, and formulates response policies. Matters discussed by the committee are submitted and reported to the Board of Directors.
Furthermore, we have established a risk governance framework based on the "Three Lines Model." The first line (business units) promptly controls risks associated with their operations and reports or consults with the second line as appropriate. The second line, led by the Executive Director, Corporate Sector―who is responsible for risk management―oversees risk management across the KDDI Group and reports on its development and operation to the President, Directors, and Audit & Supervisory Board Members. The third line, the Internal Audit Division, conducts audits independently of the first and second lines, identifies issues at Group companies, provides appropriate support, and enhances the effectiveness of risk management.

Internal Control Officer Framework

Risk Management Activity Cycle
To prevent events that would be critical for the company, KDDI considers it important to recognize early warning signs and implement preventive measures before a situation deteriorates. Based on this approach, we run risk management as a PDCA cycle. We also maintain an organizational framework for risk management so that any risk identified is addressed promptly and appropriately.
Furthermore, we deploy e-learning programs for all employees that explain the basic processes of risk management, and we work to strengthen their capabilities in this area.
PDCA cycle

Risk Identifying Process
KDDI reviews risk information at least twice a year, identifies risks that could have a material impact on the company's business as important risks, and examines and implements countermeasures to prevent the occurrence of these important risks and to minimize their impact to the greatest extent possible in the event they do occur. Risks are also classified from the perspectives of probability of occurrence and magnitude of potential impact, and we have established risk acceptance criteria (risk appetite) in the KDDI Code of Conduct and other guidelines. These risks are also reflected in the "Business Risks" section of the Securities Report in relation to their financial impact.
Business Risks
Among the matters described in the Securities Report regarding the status of business, accounting, and other aspects, the principal risks that management recognizes as potentially having a significant impact on the Company Group's financial condition, operating results, and cash flows are as follows.
In addition, even matters that are not necessarily recognized as risks at the present time are disclosed from the perspective of proactive information disclosure to investors if they are considered important for investors' investment decisions.
1. Competition with other operators or technologies, and rapid changes in markets or business environments
2. Inappropriate handling or leakage of communication secrets and customer information, as well as inappropriate use of products and services provided by the Company
3. Communication failures, natural disasters, accidents, etc.
4. Laws, regulations, policy decisions, etc., related to telecommunications business
5. Public regulations
6. Litigation and patents
7. Securing, developing, and managing human resources
8. Impairment accounting
9. Reorganization of the telecommunications industry and business restructuring of the Company Group
Risk Review
Examples of identified business risks and corresponding mitigation measures are as follows.
| | Identified Risk 1 | Identified Risk 2 |
|---|---|---|
| Name | Service outages or interruptions due to communication failures, natural disasters, accidents, etc. | Laws, regulations, policy decisions, etc., related to telecommunications business |
| Risk Exposure | If service outages occur due to failures in network systems or communication equipment, there is a possibility that the Company Group's operating results may be affected by a loss of brand image or credibility, or a decline in customer satisfaction. Similar impacts may also arise in the event of large-scale erroneous billing or charging, loss of opportunities to provide products or services due to the closure of sales agents or suspension of logistics, or reputational damage spread through social media or other channels. | Changes in laws, regulations, or policy decisions related to the telecommunications business, as well as the electric power or financial businesses, may affect the Company Group's operating results. The Company Group believes it is responding appropriately to such laws, regulations, and policy decisions, including social issues that may impact its brand image or credibility. However, failure to respond appropriately in the future could affect the Company Group's operating results. Additionally, if the Company's competitive advantage is relatively diminished in the future, it may also affect the Company Group's operating results. |
| Mitigation Measures | To minimize the risk of service outages or interruptions due to communication failures, natural disasters, accidents, etc., the Company Group is working to enhance network reliability and implement measures to prevent service outages. Specifically, we have established policies for disaster response operations to ensure communication services even during disasters, and we take steps to prepare for disasters while maintaining close coordination with relevant domestic and international organizations. In the event of a disaster, each Group company fully mobilizes its operational functions to ensure communication connectivity and the early restoration of facilities on a 24/7/365 basis. | Regarding the future direction of competition policy, we advocate the need for measures to ensure fair competition with other telecommunications operators through various councils, study groups, and public comment processes at the Ministry of Internal Affairs and Communications and other bodies. We also regularly confirm and collect information on amendments to various laws and guidelines in relevant departments, share this information throughout the Group, and simultaneously develop countermeasures. |
Emerging Risks
Examples of emerging risks recognized by KDDI are as follows.
| | Emerging Risk 1 | Emerging Risk 2 |
|---|---|---|
| Name | Risks related to AI technologies | Information leakage due to increasingly sophisticated and diverse cyberattacks |
| Description | The KDDI Group already uses AI for various purposes to advance DX (digital transformation); for example, it is applied in the management, operation, and improvement of communication facilities, as well as in customer interactions. KDDI is also engaged in the research and development of new AI systems, such as generative AI, and plans to provide AI systems to corporate customers and other business partners of the Company. However, with the explosive development of AI technologies in recent years, it has become increasingly difficult for developers and users to predict and control AI behavior, giving rise to new risks associated with AI technologies. These can be broadly categorized into the following three risks: | In recent years, incidents in which critical confidential information was leaked externally or services were misused as a result of cyberattacks by third parties have occurred worldwide and have become a significant social issue. Against this backdrop, governments in the countries where the Company Group operates services are advancing cybersecurity legislation, and the Company is addressing global regulatory frameworks such as the EU's General Data Protection Regulation (GDPR). At the same time, cyberattack methods and forms are becoming increasingly sophisticated and diverse, and attack activity is intensifying. Given that telecommunications is part of the social infrastructure and that the Company holds a large volume of information assets, we recognize the risk of being targeted by such cyberattacks and suffering damage as a significant concern. |
| Impact | The aforementioned compliance and reputational risks may lead to a loss of corporate social credibility, resulting in the suspension of transactions, a decline in stock price, and further financial risks such as damages or fines arising from litigation. Additionally, the impact of lost social credibility, damages, or fines may delay KDDI's AI-related business plans or hinder business expansion. | If communication secrets or customer information are leaked, if service outages or degradation occur due to intentional or negligent acts by employees or cyberattacks by malicious third parties, or if products or services provided by the Company are used inappropriately, the Company Group's brand image or credibility may be damaged, potentially accompanied by compensation claims or penalties. Furthermore, the cost of protecting communication secrets and customer information and of maintaining cybersecurity defenses may increase in the future, which could adversely affect the Company Group's operating results. |
| Mitigation Measures | It is impossible to reduce the above risks to zero. However, by designing and developing systems with these risks in mind from the planning and conceptualization stage, we believe we can significantly reduce the likelihood of releasing, without due consideration, systems or services that carry risks unacceptable to the Company, and thereby prevent serious incidents. In addition, by operating with risk awareness, we believe that an appropriate initial response can minimize the impact even if issues arise. Specifically, we are implementing the following risk mitigation measures and establishing an environment within the Company where AI can be used with peace of mind. | For outsourced operations, particularly au Style/au shops acting as sales agents, we conduct regular audits and thorough education to strengthen management. To ensure proper handling of customer information, we have implemented measures such as organizational enhancements within the Company, third-party evaluations, and Privacy Impact Assessments (PIA) conducted before service launches. To avoid or mitigate business impact from cyberattacks, our security regulations define the security standards that systems supporting operations must meet, and we review each system's compliance with these standards. By rigorously conducting these reviews during the transition from the planning to the development phase, we achieve "security by design," with security measures considered from the planning and design stages, and we also advance technological development to support advanced security monitoring, thereby strengthening system security and striving to provide safe and secure services. |
Initiatives in Response to the Internal Control Reporting System (J-SOX)
Under the internal control reporting system based on the Financial Instruments and Exchange Act, in effect since fiscal year 2008, we evaluate the internal controls of KDDI and major Group companies in Japan and overseas to ensure the reliability of financial reporting. The results of these evaluations are compiled into an internal control report and disclosed to investors.
Activities to Enhance Operational Quality
We have established a Promotion Office within the Corporate Sector to lead operational quality improvement activities across the entire company. Each division's Internal Control System Manager serves as its Promotion Officer and works autonomously to improve the quality of operations while pursuing efficiency and standardization. The initiatives resulting from these activities are shared company-wide, and mechanisms are in place for all employees to apply them to improve the quality of operations in their own divisions.
Furthermore, to raise employee awareness of and motivation for operational quality, we have introduced the Best Award, which recognizes outstanding and ambitious initiatives.
Activities to Enhance Operational Quality
- Setting and sharing autonomous goals and promotion plans for each division.
- Implementation of the Best Award recognition for outstanding operational quality improvement activities.
- Conducting an awareness survey questionnaire for operational quality improvement activities.