Operational risk is the possibility of losses arising from inadequate or failed internal processes, people and systems or from external events. SMFG has drawn up the Regulations on Operational Risk Management to define the basic rules to be observed in the conduct of operational risk management across the entire Group. Under these regulations, SMFG is working to raise the level of sophistication of its management of operational risk across the whole Group by providing an effective framework for the identification, assessment, control and monitoring of significant risk factors and by establishing a system for executing contingency and business continuity plans.
Moreover, because operational risk will be assessed as a regulatory factor in capital adequacy under the new capital adequacy framework, known as Basel 2, we are working on the design of an operational risk quantification system and a sophisticated management system for the entire Group.
At SMBC, on the basis of SMFG’s Groupwide basic policies for risk management, the Operational Risk Management Department set up in the General Affairs Department is responsible for centrally supervising overall operational risk management, jointly with the departments specifically responsible for controlling processing risk and systems risk.
SMBC has also set up the Operational Risk Committee, whose members are drawn from all relevant departments of the bank, to regularly discuss ways of minimizing operational risk and realizing a highly effective system for managing operational risk.
To facilitate effective operational risk management, these departments collect and analyze internal historical data on losses, assess internal control, and undertake risk management according to the risk characteristic, such as processing and systems risk.
Processing risk is the possibility of losses arising from negligent processing by employees, accidents, or unauthorized activities.
SMFG recognizes that all operations entail processing risk. We are therefore working to raise the level of sophistication of our management of processing risk across the whole Group by ensuring that each branch conducts its own regular investigations of processing risk; minimizing losses in the event of processing errors or negligence by drafting exhaustive contingency plans; and carrying out thorough quantification of the risk under management.
In the administrative regulations of SMBC, in line with SMFG’s Groupwide basic policies for risk management, the basic administrative regulations are defined as “comprehending the risks and costs of administration and transaction processing, and managing them accordingly,” and “seeking to raise the quality of administration to deliver high-quality service to customers.” Adding new policies or making major revisions to existing ones for processing risk management requires the approval of both the Management Committee and the Board of Directors.
In the administrative regulations, SMBC has also defined specific rules for processing risk management. The rules allocate processing risk management tasks among six types of departments: the Operations Planning Department, compliance departments, operations departments, transaction execution departments (primarily front-office departments, branches, and branch service offices), the Internal Audit Department, and the Customer Relations Department. In addition, there is a specialized group within the Operations Planning Department to strengthen administrative procedures throughout the SMBC Group.
Systems risk is the possibility of a loss arising from the failure, malfunction, or unauthorized use of computer systems. SMFG recognizes that reliable computer systems are essential for the effective implementation of management strategy in view of the IT revolution. We strive to minimize systems risk by drafting regulations and specific management standards, including a security policy. We also have contingency plans with the goal of minimizing losses in the event of a system failure. The development of such a systems risk management system ensures that the Group as a whole is undertaking adequate risk management.
At SMBC, safety measures are strengthened according to risk assessment based on the Financial Services Agency’s Financial Inspection Manual, and the Security Guidelines published by The Center for Financial Industry Information Systems (FISC).
Computer-related trouble at financial institutions now has greater potential to impact the public, as systems risk has diversified with the IT revolution, the resulting expansion of networks, and the rise in the number of personal computer users. To prevent any computer system breakdowns, we have taken numerous measures, including the duplication of various systems and infrastructures, constant maintenance of our computer system to ensure steady, uninterrupted operation, and the establishment of a disaster-prevention system consisting of computer centers in eastern and western Japan. To maintain the confidentiality of customer information and prevent information leaks, sensitive information is encrypted, unauthorized external access is blocked, and all known countermeasures to secure data are implemented. Contingency plans are also in place, and training sessions are held as necessary to ensure full preparedness in the event of an emergency. To maintain security, countermeasures are revised as new technologies and usage patterns emerge.