Defending to Pioneer Vol. 3, Risk Management
About the Defending to Pioneer Series
The Legal & Risk Management Division protects PayPay not only from cyberattacks and fraud, but also from various risks in internal processes or ones that arise from changes in the business environment.
Although it is true that the division shields PayPay from the threats directed at it, this protective unit is also a group of specialists who work together to enable the company and employees to assertively move forward into uncharted territory. In this series, we will ask the heads of respective departments to explain their thoughts on the all-encompassing protection against risks, to keep PayPay the undisputed no. 1 in the industry. This third installment features Jun Matsuda, the head of risk management. We discussed the ideal of risk management he is aiming for and the talent he seeks.
Protective Measures to Run an Assertive BusinessPlease tell us about the overall protection framework you handle.
The responsibilities of the Risk Management Department cover risk management and BCP activities. However, since we handle all risks against the company, we must cooperate with other areas in the figure above, as well as share information and build a cooperative system with the first and second lines of defense.
Our department consists of three teams: Enterprise Risk Management, Operational Risk Management, and System Risk Management.What are your “offense” tactics despite you being a defensive division?
Although the Risk Management Department is a protective department, that doesn’t mean our defensive measures are always passive. Naturally, how we respond to problems that have emerged or accidents that have occurred is crucial. Nevertheless, apart from such activities, it is possible to take proactive measures against potential threats by recognizing the current environment we are in, and from there understand and assess latent risks.
In the risk assessment we conduct at PayPay, we have two approaches: top-down and bottom-up.
In the former, the opinions of the management team, division heads, and department senior managers are all taken into account based on our understanding of the external and internal environments, as well as the business plans. We then identify the major risks that PayPay could face and examine how we can respond with our current capabilities. Moreover, In the process of gaining awareness of our business environment, we collaborate with other companies such as Z Holdings, Yahoo! JAPAN, and SoftBank.
On the other hand, in the bottom-up approach, each department at PayPay conducts risk identification, risk assessments, and control evaluations. For cases where the residual risk is unacceptable, we introduced a process in which the department formulates its own risk response plan.
Through these two procedures, we promote both a major company-wide PDCA cycle and risk management activities by various branches.What areas do you want to strengthen in the future?
We recognize that it is very important for a company to mature its risk culture. This is because the best defense against any threat is to instill an understanding of risk management throughout the corporation. This includes clarifying who owns the risk, and healthy discussions in the decision-making processes. We are working to engender this way of thinking through the company-wide risk assessment activities mentioned earlier, the follow-up measures to prevent accidents from reoccurring, and risk management-related training.
Each employee should view risk management as a personal issue, plus recognize and control risks. If we do that, we will be able to move forward without slowing down anyone’s work. This is not something that can be accomplished in a day, so I believe that the Risk Management Department needs to be diligent in its activities.
I also believe that going forward, we need to address the risk appetite framework (RAF), which many financial institutions advocate. This is because the risks the company will take or avoid need to be spelled out and incorporated into the risk management framework. As this framework is still in its infancy at PayPay, this will not happen overnight, but we would like to build one that is fitting for a leading payment service company.As a leader, what are some things you share with your team to be mindful of?
In one of the PayPay Inside-Out articles, Terada-san, our CRO (Chief Risk Officer), talked about “awareness as a financial institution and boldness as an IT startup.” I’ve felt the same way since I first arrived. PayPay’s greatest strengths are its service planning and development capabilities, along with its speed. Our goal is to enhance our risk management abilities without nullifying those strengths.
Nakayama-san, the CEO, also told me, “When you stop a certain measure for risk management reasons, be sure to add an explanation on how we can proceed with it.” So I make it a point to do that.
As there are various services being developed at PayPay one after the other, in some cases, the fastest way to complete a project may be to deal with such new services quickly and independently. But if there is no uniformity and we accumulate cases which receive a unique response, it creates an inefficient process for the entire organization. We must propose and promote management methods not only from a short-term perspective, but also from a mid- to long-term and company-wide ne.
The People PayPay Seeks for Its Defense and OffenseWhat sort of person would you like to see join PayPay?
At the moment, PayPay is not a company that deals with sophisticated financial products or complex risks. That means, for now, there are no operations that require advanced financial engineering.
Having said that, with more than 45 million registered users and 3.44 million merchants, PayPay is bearing a heavier social responsibility. In addition, as our services expand rapidly, the types and scope of risks are also changing and broadening. I would like to see people who have the eagerness to realize risk management at a financial institution in such an environment, and one that can meet the expectations of diverse stakeholders including users.What skills are required in working with PayPay’s defensive framework?
The Risk Management Department handles a wide range of business operations, such as risk management system development, operational risk management, system risk management, BCP, outsourcing management, and screening new products. We welcome people who consider a couple of these fields to be their forte (have extensive knowledge and experience in them).
The skills to analyze data, as well as to organize problems and explain them logically and simply are also important in risk management work.A message to those interested in joining PayPay.
PayPay is a company that focuses on creating a comfortable work environment for each employee through WFA (Work From Anywhere at Anytime), WePassport, and flextime. Within the Risk Management Department, there are people who work remotely from Kyushu, and others who telecommute from nearby WeWork offices. As a department, we will also pursue a comfortable working environment for our members, diversity being one of the factors.
PayPay’s risk management operations are still under development, and there are many situations where the persons in charge have to think and propose their own management systems or methods. I hope you consider joining PayPay’s Risk Management Department to work with a small group of experts to build a sophisticated risk management system.
*Employees’ affiliations are as of the time of the interview.