56. Risk Management in the PKO Bank Polski SA Group

Risk management is one the most important internal processes in PKO Bank Polski SA including the Bank’s branch in Germany and in other entities of the PKO Bank Polska SA Group. It aims at ensuring profitability of business activity, with ensuring control of risk level and maintaining it within the risk tolerance and limits system applied by the Bank and the Group, in the changing macroeconomic and legal environment. The level of the risks plays an important role in the planning process.

At the Group, the following types of risk have been identified, which are subject to management and some of them are considered significant:

type of riskconsidered to be significantsection
credityes57, 58, 60, 61
Credit concentrationyes59
Risk of foreign currency mortgage loansyes62
interest rateyes63
currencyyes64
liquidity, including financing riskyes65
commodity price 66
price of equity securities 66
Other price risk 66
derivativeyes67
operationalyes68
compliance and conductyes69
business (including strategic risk)yes69
loss of reputationyes69
modelsyes69
macroeconomic changes yes69
capitalyes69
excessive leverageyes69
insurance 69

A detailed description of management policies for particular risks was presented in the Report on Capital Adequacy and other information subject to publication.

Purpose of risk management

The purpose of risk management by striving to maintain the risk level within the adopted risk tolerance is to:

  • protect shareholder value,
  • protect customer deposits,
  • support the Group in conducting effective operations.

Risk management goals are achieved in particular by providing appropriate information on risk so as to ensure that the decisions are taken in full awareness of the particular risks involved.

Main principles of risk management

Risk management in PKO Bank Polski SA Group is based especially on the following principles:

  1. the Group manages all of the identified types of risk,
  2. the risk management process is appropriate to the scale of the operations and to the materiality, scale and complexity of a given risk and tailored to new risk factors and sources on a current basis,
  3. the risk management methods (in particular the models and their assumptions) and the risk measurement systems are tailored to the scale and complexity of the risk, current and envisaged Group’s activity and environment in which the Group operates, and are also verified and validated on a periodical basis,
  4. the area of risk management and debt collection remains organizationally independent from business activities,
  5. risk management is integrated with the planning and controlling systems,
  6. the risk level is monitored on a current basis,
  7. the risk management process supports the implementation of the Group’s strategy in compliance with the risk management strategy, in particular with regard to the level of tolerance of the risk.

The risk management process

The process of risk management in Group consists of the following stages:

  • risk identification:

Identification of risk is to recognise actual and potential sources of risk and estimation of the significance of the potential influence on the financial situation of the Group. Within the risk identification process, types of risk perceived as material in the Bank’s, particular Group companies or the entire Group activity are identified.

  • risk measurement and assessment:

Risk measurement covering determination of risk assessment measures adequate to the type and significance of the risk, data availability and quantitative risk assessment by means of determined measures, as well as risk assessment aimed at identifying the scale or scope of risk, taking into account the achievement of goals of risk management. Within risk measurement, valuation of the risks for the purpose of pricing policy and stress-test are being conducted on the basis of assumptions providing a fair risk assessment. Stress-test scenarios cover, i.a. the requirements following from the recommendations of the Polish Financial Supervision Authority. Additionally, complex stress tests are performed in the Group (CST), which constitute an integral element of risk management and supplementary stress tests specific for particular risks. CST also cover an analysis of the impact of changes in the environment (in particular the macroeconomic conditions) and the Bank’s operations on the Group’s financial position.

  • risk control:

Risk control involves determination of tools used for measuring or reducing the level of risk in specific areas of the Bank’s activity, This includes determination of control mechanisms adjusted to the scale and complexity of the Bank’s activities especially in the form of strategic tolerance limits for the individual types of risk.

  • risk forecasting and monitoring:

Forecasting and monitoring risk consists of preparing risk level forecasts and monitoring deviations from forecasts or adopted reference points (e.g. limits, thresholds, plans, measurements from the previous period, recommendations and suggestions issued by the supervisory and control authority) and also carrying out stress test (specific and complex). Forecasts of the level of risk shall be reviewed. Risk monitoring is performed with the frequency adequate to the significance and volatility of a specific risk type.

  • risk reporting:

Risk reporting consists of periodic informing the authorities of the Bank about the results of risk measurement or risk assessment, taken actions and actions recommendations. Scope, frequency and the form of reporting are adjusted to the managing level of the recipients.

  • management actions:

Management actions consist particularly issuing internal regulations affecting the management process of different types of risk, establishing the level of risk tolerance, establishing limits and thresholds, issuing recommendations, making decisions about the use of tools supporting risk management. The objective of taking management actions is to form the risk management and the risk level.

  • The organization of risk management in the Group

Risk management in the Bank takes place in all of the organizational units of the Bank.

The organization of risk management in PKO Bank Polski SA is presented in the chart below:

The risk management process is supervised by the Supervisory Board of the Bank, which is informed on a regular basis about the risk profile of the Bank as well as of the PKO Bank Polski SA Group and the most important activities taken in the area of risk management. The Bank’s Supervisory Board is supported, among other things, by the following committees: the Remuneration Committee of Supervisory Board, the Supervisory Board Risk Committee and the Supervisory Board Audit Committee.

In respect of risk management, the Management Board of PKO Bank Polski SA is responsible for strategic risk management, including supervising and monitoring actions taken by the Bank in respect of risk management. The Board takes the most important decisions affecting the risk profile of the Bank and adopts internal regulations concerning risk management. The Management Board is supported by the following committees operating at the Group:

  1. the Risk Committee (the ‘RC’),
  2. the Assets & Liabilities Management Committee (the ‘ALCO’),
  3. the Bank’s Credit Committee (the ‘BCC’)
  4. the Operating Risk Committee (the ‘ORC’).

The risk management process is carried out in three mutually independent lines of defence:

THE FIRST LINE OF DEFENCE – risk management within the defined limits based on the Bank’s internal regulations, with built-in controls, internal control system and compliance with universally binding legal regulations, the Bank’s internal regulations and market standards. This function is realized in all the Bank’s organizational entities, in the Head Office’s organizational units and in entities of the Group, and covers those aspects of operations of particular entities, units and companies which may generate risk. The Bank’s organizational entities, units and group entities are responsible for risk identification, designing and implementing appropriate controls, if they have not been implemented as part of the actions taken as the second line of defence.

At the same time the Group entities are obliged to have comparable and cohesive systems of risk evaluation and control in the Bank and in the Group entities, taking into account the specific business characteristic of each entity and the market on which it operates.

THE SECOND LINE OF DEFENCE – in particular the measurement or assessment, control, monitoring and reporting particular risks important to the Bank, reporting identified threats and irregularities, preparing the Bank’s internal regulations determining the risk management principles, methods, tools and procedures, and measuring operating effectiveness. The risk management system, including methods, tools, process and organization of risk management. This function is performed in particular in the Risk Management Area, Compliance Department, respective committees.

THE THIRD LINE OF DEFENCE – internal audit. The function Is being performed as part of internal audit, including the audit of the effectiveness of the system of managing the risk.

The independence of the lines of defence consists of preserving organizational independence in the following areas:

  • the function of the second line of defence as regards creating system solutions is independent of the function of the first line of defence,
  • the function of the third line of defence is independent of the functions of the first and second lines of defence,
  • the function of managing the compliance risk reports directly to the President of the Management Board.

Risk Management of the PKO Bank Polski SA Group

The Bank supervises activities of the individual subsidiaries of the PKO Bank Polski SA Group. As part of this supervision, the Bank supervises the entities’ risk management systems and provides support in the development of these systems. Additionally, it reflects business risk level of the particular entities in the risk reporting and monitoring system of the entire Group.

The internal regulations concerning management of certain types of risk in the entities of the Group are defined by internal regulations implemented by those entities, after consulting the Bank’s opinion and having taken into account the recommendations issued to the entities by the Bank. The internal regulations of the entities concerning risk management allow for consistent and comparable assessment of particular types of risk within the Bank and entities of the Group, as well as reflect the extent and nature of the relationship of entities included in the Group, the nature and scale of the entity’s activity and the market on which it operates.

The risk management in the Group entities is carried out in particular by:

  • involving the units in the Bank’s Risk Management Area or the Bank’s relevant committees in evaluating large transactions of the Group entities,
  • giving opinions and reviewing internal regulations concerning risk management in the individual Group entities, carried out by the units in the Bank’s Risk Management Area,
  • reporting on the Group entities’ risks to the Bank’s relevant committees or the Management Board,
  • monitoring of strategic risk tolerance limits for the Group.

Specific activities in the area of risk management in the Group undertaken in 2016

The PKO Bank Polski SA Group’s top priority is to maintain its strong capital position and to further increase in its stable sources of financing underlying the stable development of business activity, while maintaining the priorities of efficiency and effective cost control and appropriate risk assessment.

PKO Bank Polski SA’s priority is to maintain its strong equity position, including effective capital adequacy management, counteracting cyberthreats, while maintaining the priorities of efficiency and effective cost control and appropriate risk assessment.

In this respect, the Group took i.a. the following actions in 2016 turned the maturing own short-term bonds on bonds in the amount of PLN 1 billion (in May) and PLN 815 million (in November) and turned the maturing own short-term bonds on bonds with a maturity to one year in the amount of EUR 200 million.

In 2016, the Group conducted operating risk management-related preparatory work for starting operations of the Bank’s new branch in the Czech Republic, the opening of which is planned for March 2017. As part of this work, in November 2016, the Group filed an application with the Polish Financial Supervision Authority requesting consent for joint application of advanced measurement approach (AMA) and basic indicator approach (BIA) consisting of the calculating the requirements relating to own funds in respect of operational risk using the BIA method in respect of the operations of the Bank’s branch in Germany and in the Czech Republic, and using the AMA approach for the remaining operations of the Bank.

In the fourth quarter of 2016, the Group introduced changes to the process of managing the exposure concentration risk, which constitute the fulfilment of the requirements of Resolution No. 351/2016 of the Polish Financial Supervision Authority dated 24 May 2016 on issuing Recommendation C relating to concentration risk. The amendments include: concentration risk management objectives and process, new measures of tolerance to concentration risk, including internal limits mitigating the risk of excessive concentration, the method of performing stress tests regarding concentration risk.

In the fourth quarter of the year, the Group updated and modified the method of assessing credited entrepreneurs in the formula of specialised lending, which allows an adequate credit risk assessment of large projects involving financing income-generating residential and commercial real estate. In the first half of 2016, the Bank and PKO Bank Hipoteczny SA continued work related to model risk management in the process of adapting to the requirements of Recommendation W on risk management in banks, issued by the Polish Financial Supervision Authority in July 2015.

As of 30 June 2016 the process of model risk management in the Bank and in PKO Bank Hipoteczny SA is conducted pursuant to the requirements of Recommendation W.

Within the Group, mortgage loan portfolios which had been extended by PKO Bank Polski SA are gradually transferred to PKO Bank Hipoteczny SA. The value of the portfolio transferred in 2016 amounted to PLN 5 764 million.

In the first half of 2016, PKO Bank Hipoteczny SA conducted two issues of mortgage bonds addressed to institutional investors, in the total amount of PLN 1 billion, with a maturity period of 5 years and 1 day as of the date of issue. Among the institutions which purchased mortgage bonds are both domestic and foreign investors. Mortgage bonds of PKO Bank Hipoteczny are one of the safest debt instruments on the Polish financial market. Moody’s rating of Aa3, which is the highest rating achievable by Polish securities, attests to this.

In the second half of 2016 PKO Bank Hipoteczny SA conducted one benchmark foreign issue of mortgage bonds addressed to institutional investors, with a value of EUR 0.5 billion and period to redemption of 5 years and 8 months. The securities bear an interest rate of 0.125% and yield of 0.178%. Among the institutions which purchased mortgage bonds are both domestic and foreign investors, including the European Bank of Reconstruction and Development.

In November 2016 PKO Leasing SA signed an agreement for the purchase of shares with Raiffeisen Bank International AG constituting 100% of the share capital of Raiffeisen-Leasing Polska SA, with the support of PKO Bank Polski SA acting as the guarantor. On 1 December 2016 the purchase transaction consisting of the purchase of all shares of Raiffeisen-Leasing Polska SA by PKO Leasing SA was finalized. In connection with the transaction the Bank decided not to pay dividend from the Bank’s profit earned in 2015 and from retained earnings.