Presentation material - IT system failures

November 26, 2021

Measures to prevent further incidents in light of the Business Improvement Order (IT system failures) FG/BK

Reference: Main contents of the Business Improvement Order FG/BK

  1. Promptly implement the measures Mizuho has formulated to prevent further incidents in regard to system failures.
  2. Formulate a business improvement plan and promptly implement the plan. Reassess and review the plan on an ongoing basis.

Addressed by Jan. 17, 2022

3. Clarify and report on the responsibility of management in line with the causes of the system failures and other factors.

Measures to prevent further incidents based on the corrective action order (related to Japan's Foreign Exchange and Foreign Trade Act) BK

Reference: Main contents of the corrective action order BK

1. Formulate effective measures to improve operations and prevent further incidents in order to fully comply with the provisions of the Foreign Exchange and Foreign Trade Act in regard to economic sanctions such as asset freezes, as well as to fully comply with the provisions of the corrective action order based on the act.

Addressed by Dec. 17, 2021


Measures to prevent further incidents in light of the Business Improvement Order (IT system failures) (1)

FG/BK

Findings from the business improvement order

Direct causes of the recent series of IT system failures

  • Insufficient verifications to ensure quality for development and system failure responses
  • Failure to establish a maintenance management framework for stable operations of BK's new core IT system (MINORI), including inadequate management of external contractors, resulting in the failure to correct issues in maintenance and operations
  • Insufficient verifications through drills and training in relation to the crisis response frameworks

Factors behind the direct causes

  • Insufficient awareness and understanding of on-site conditions at IT locations by FG and BK executives resulted in the mistaken impression of stable MINORI operations. MINORI was advanced from the development phase to the maintenance and operations phase without adequately examining the requirements for stable system operations (including necessary measures to minimize the impact of possible emergencies) due to an overestimation of MINORI's ability to limit the impact of system failures to localized areas. Restructuring was also carried out, including reallocating personnel required for MINORI maintenance and operations, as well as expense reductions for system maintenance.
  • With the mistaken impression of stable MINORI operations and insufficient awareness of the IT system risk management framework, BK executive management proceeded to reallocate personnel and entrust vendors with operations.
  • The above factors resulted in greatly weakened MINORI and other IT system operations.

Issues in governance concerning IT systems

  • An underestimation of the risks of and required technical specialization related to IT systems
  • Insufficient attention given to on-site conditions at IT locations
  • Lack of awareness toward impacts on customers and insufficient attention given to on-site conditions at front-line offices
  • A basic approach in which employees do not say what should be said, and only do as told


Our measures to prevent further incidents thus far

Summary of causes identified by the Special Investigative Committee*

  1. Deficient organizational capability to respond to crisis situations
  2. Deficient IT system management
  3. Deficient focus on the customer's perspective
  4. Issues with the corporate culture

* From the Special Investigative Committee's report

Preventing further incidents (June 15, 2021)

  • Measures in response to IT system failures in February, March and the past

Improving multilayered IT system failure responses

IT System

  • Set up structure suited to the characteristics of MINORI
  • Readiness to respond when "MINORI", the core banking system, deviates from normal operations
  • Comprehensive MINORI-related inspection, and run drills for errors on actual ATMs
  • Visualize staff portfolios and enhance organizational control

Response to customers / Crisis management

  • Ensure we always consider the customer's perspective, in normal times and contingencies
  • Organizational response that accounts for customer opinion
  • Establish a framework centered on the impact on customers and settlements

Continuous enhancement of our people and organization, in step with our customers and society

Review the measures to prevent further incidents in response to IT system failures in August and September

Measures to prevent further incidents in light of the Business Improvement Order (IT system failures) (2)

FG/BK

Executive management is listening to the views of employees and stakeholders, and will continue to work tirelessly as a unified organization to formulate, implement, and verify measures to prevent further incidents in response to the factors that caused the system failures.

  1. Formulate and implement measures that will allow both for preventing system failures with a significant impact on customers and for minimizing impacts on customers in the event a system failure occurs
  2. Assess the on-site conditions at IT locations and develop IT governance that allows for appropriate decision-making and evaluation in regard to measures to prevent further incidents
  3. In terms of measures to prevent further incidents already formulated, ensure their dissemination and adoption, respond to changes in the business environment as appropriate, and develop a sustainable framework

Recognition of issues and direction of initiatives based on root causes

  • Enhancing risk management in line with the systems' unique features and improving expertise
  • Assessing on-site conditions at IT locations and reflecting these in executive management's allocation of resources
  • Continually putting customers first
  • Understanding the actual conditions at frontline offices, and integrating these approaches into our services and measures
  • Establishing an organization where people can say what needs to be said
  • Improving our capacity for all members to think, act, and deliver as a unified organization

Main recognition towards reviewing measures to prevent further incidents

IT System

  • Build a structure suited to the maintenance and operation phases in light of the characteristics of MINORI
  • Assess the status of operations at IT locations in order to understand both operational issues and latent system risk. Further develop a framework to appropriately reflect these factors into executive management's allocation of corporate resources
  • Undertake necessary inspections to ensure MINORI does not deviate from normal operations and ensure the foundational infrastructure developed with MINORI's adoption operates stably
  • Clarify necessary maintenance and operations and allocate appropriate resources in line with actual conditions on-site (Employ experts with system infrastructure skills and establish a framework for cooperating with vendors)
  • Enhance our ability to respond to failures in line with MINORI's unique features and enhance our system recovery management

Response to customers / Crisis management

  • Further foster awareness and behavior that gives top consideration to impact on customers both under business-as-usual and during incidents and establish an organizational framework that continually puts customers first
  • Maintain close ties with frontline offices in line with specific operations and develop a framework to reflect customers' and frontline offices' views into operations and services on an ongoing basis
  • Through coordination between IT system divisions, user divisions, and crisis management divisions, will reinforce our early warning indicator management and enhance our ability to respond to failures

Continuous enhancement of our people and organization

  • Establish an organization where people can say what needs to be said and improve our capacity for all members of the organization to think, act, and deliver. Will further improve our ability to act as a unified organization without being negatively restricted by rules or areas of responsibility
  • Develop and employ experts with wide-ranging perspectives
  • Review our methods of internal communication and establish multifaceted flat communication

Establishing and enhancing a corporate management (governance) framework that will ensure stable operations in IT systems

  • Effectively communicate the purpose of structural reforms and improve processes for allocating corporate resources
  • The supervisory line will undertake in-depth assessments of the actual status of the business execution line's initiatives and further demonstrate its supervisory functions

Utilizing external views and expertise

process Establish

knowledge


Measures to prevent further incidents in light of the Corrective Action Order (Foreign Exchange Act)

BK

Findings from the corrective action order

  • Insufficient knowledge of all employees regarding foreign exchange laws and regulations
  • Insufficient communication between relevant departments during crisis responses
  • Problems with confirmation obligation practices during normal times in addition to insufficient communication and collaboration between relevant departments
  • Vulnerabilities in the IT system management framework targeting foreign exchange legal compliance

Measures to prevent further incidents

  • Improve the awareness and knowledge of all employees regarding foreign exchange laws and regulations
    • Regularly conduct appropriate training for all employees based on their specific roles and responsibilities
    • Establish a new specialist team on foreign exchange laws and regulations Group to collect information on, analyze, and thoroughly implement laws and regulations
  • Build a framework in which appropriate considerations and decisions for legal compliance can be made (in the event of emergency and during normal times)
    • Event of Emergency:
      • Enhance our meeting formats in view of legal compliance.
      • Establish appropriate information gathering framework by cooperation among relevant departments in an event of emergency; through division of responsibilities and understanding of matters in compliance divisions, and clarification of departments that requires cooperation with.
    • Normal Times:
      • Clarifying roles and responsibilities between relevant departments regarding performance of the confirmation obligation required of banks
      • Collaboration between front offices and head office regarding treatment of customer transaction information, monitoring confirmation obligation practices from head office
      • Improving communication between relevant departments through regular meetings

  • Measures to ensure stable AML operations including Foreign Exchange Act
  • Review and develop ALM-related systems based on reassessment done by departments including users
  • Expand and improve our business contingency plan
  • In view of reassessing the causes of incidents and appropriately restructuring internal management systems in relation to foreign exchange laws and regulations in regard to economic sanctions such as asset freeze, we are considering additional measures to prevent further incidents
    • Establish new committee focusing on AML, further clarify roles and responsibilities between relevant departments, strengthen internal controls and monitoring, establish an audit framework for assessment


Disclaimer

Mizuho Financial Group Inc. published this content on 29 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 November 2021 02:09:03 UTC.