68. Operational risk management

Definition

Operational risk is defined as the risk of occurrence of a loss due to non-compliance or unreliability of internal processes, people and systems or external events. Operational risk takes into account legal risk, and does not include reputational risk and business risk.

Management objective

The objective of operational risk management is to enhance collateral of the operational activity pursued by the Bank by improving the efficient, tailored to the profile and the scale of operations mechanisms of identification, assessment and measurement, controlling, monitoring reduction and reporting of operational risk.

Risk identification and measurement

Operational risk management comprises the identification of operational risk in particular through collecting data about the operational risk and the self-assessment of operational risk.

In order to manage the operational risk, the Bank gathers internal and external data about operational events and the causes and consequences of their occurrence, data on the factors of the business environment, results of operational risk self-assessment, data on KRI and data related to the quality of internal functional controls.

The operational risk self-assessment comprises identification and assessment of operational risk for Bank’s products, processes and applications as well as organizational changes and it is conducted cyclically and before the introduction of new or changed Bank’s products, processes and applications.

The measurement of operational risk comprises:

  • calculation of Key Risk Indicators (KRI),
  • requirement calculation of own funds for operational risk under the AMA (the Bank) and BIA (Branch in Germany and the Group companies included in precautionary consolidation),
  • stress-tests,
  • calculation of Group internal capital.

Control

Control of operational risk includes setting tailored to the scale and complexity of the Bank’s activities risk controls in the form of limits on operational risk, in particular the strategic limits of tolerance and operational risk, losses limits, KRI with thresholds and critical values.

Forecasting and monitoring

The Group regularly monitors:

  • utilization level of strategic tolerance and operational risk losses limits for the Bank,
  • operational events and their consequences,
  • results of operational risk self-assessment,
  • requirement in respect of own funds as regards to operational risk in accordance with the BIA approach in the activities of the branch of the Bank in the Federal Republic of Germany and in accordance with the AMA approach with respect to the remaining activity of the Bank and the Group companies included in prudential consolidation, in accordance with the BIA approach,
  • the results of stress tests,
  • the level of risk, areas and tools for operational risk management,
  • key Risk Indicators (KRI), in relations to threshold and critical values,
  • effectiveness and timeliness of actions undertaken to reduce or transfer the operational risk,
  • management activities, related to the presence of elevated or high levels of operational risk and their effectiveness in reducing the level of operational risk.

In 2016, the dominant impact on the operational risk profile of the Group was exercised by the following entities: PKO Bank Polski SA, the PKO Leasing SA Group and the KREDOBANK SA Group. Other Group entities, considering their significantly smaller scale and type of activity, generate only reduced operational risks.

Reporting

Reporting of information concerning operational risk is performed for the needs of the senior management staff, the ORC, the RC, the Management Board and the Supervisory Board. Each month, information about operational risk is prepared and forwarded to the senior management staff, the organizational units of the Head Office and specialist organizational units responsible for system-based operational risk management. The scope of the information is diversified and tailored to the scope of responsibilities of the individual recipients of the information.

Management actions

Management actions are taken in the following cases:

  • on ORC’s initiative or Management Board,
  • on the initiative of organizational units and cells of the Bank managing operational risk,
  • when operational risk exceeded levels described by Management Board or ORC.

In particular when the risk level is elevated or high, the Bank uses the following approach and instruments to manage the operational risk:

  • risk reduction – mitigating the impact of risk factors or the consequences of its materialization by introducing or strengthening various types of instruments for managing operational risk such as: control instruments, human resources management instruments, determination or verification of threshold values and critical KRIs, determination or verification of operational risk levels and contingency plans,
  • risk transfer – transfer of responsibility for covering potential losses on a third-party: insurance and outsourcing,
  • risk avoidance – resignation from activity that generates risk or elimination the probability of the occurrence of a risk factor.