69. Other risk

Compliance risk and conduct risk management 

Definition

Compliance risk is defined as the risk of legal sanctions, incurring financial losses or losing reputation due to failure of the Group, its employees or entities acting on its behalf to comply with the provisions of the law, internal regulations, standards adopted by the Group, including market standards.

Conduct risk means a risk which arises on the part of:

1) the customer,

2) the Group, including its credibility,

3) financial markets, with regard to their credibility, as a result of inappropriate action (also unintentional) or any omission by the Group, its staff or related entities, with regard to offering purchase and provision of financial services.

Management objective

The objectives of the compliance risk and conduct risk management are as follows:

  • strengthening the image of the Group as an institution acting in accordance with the law and the accepted market standard, trustworthy, reliable and fair, among the Group’s shareholders, customers, employees, business partners and other market participants;
  • preventing financial losses, legal penalties or the loss of reputation which may result from breaching the law, the Group’s internal regulations and the market standards adopted by the Group;
  • countervailing losses on the part of the Group, which can result from inappropriate conduct (also unintentional) or omission by the Group, its staff or related entities, with regard to offering purchase and provision of financial services.

Identification

To identify and assess the compliance and conduct risks, information on the compliance incidents and their reasons is used, including information resulting from internal audits, internal controls and external inspections. Identification and assessment of the compliance and conduct risks is based mainly on the following:        

  1. estimating the potential impact of non-compliance,
  2. the results of operational risk self-assessment,
  3. the results of a review and assessment of the adequacy and effectiveness of control mechanisms,
  4. information on irregularities identified within the internal control,
  5. an evaluation of the existence of additional risk of non-compliance with the law.

During the assessment, the nature and the potential scale of losses are identified, together with the possible ways of mitigating or eliminating the compliance risk. The assessment is conducted in the form of workshops.

Monitoring

Monitoring of the compliance and conduct risk is performed using information provided by the Bank’s organizational units and consists in:

  • analyzing compliance incidents occurring in the Group and in the banking sector, their reasons and effects,
  • evaluating changes in the key legal regulations affecting the operations of the Bank and its Group,
  • evaluating actions undertaken by the Bank and the Group companies as part of compliance risk management,
  • evaluating the effectiveness and adequacy of the controls relating to mitigation of the compliance risk,
  • analyzing information on the status of the major projects conducted within the Bank to adjust to the universally applicable provisions of the law, market standards adopted by the Bank and communication from external regulatory and control bodies,
  • analyzing information on operational events, security incidents, disputes (including court cases) against the Bank, complaints and irregularities relating to conduct risk.

Reporting

The reporting of compliance risk and conduct risk takes the form of quarterly reports addressed to the Risk Committee, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board and information submitted for the purposes of external regulatory and control bodies.

Management actions

Compliance risk management covers, in particular, the following issues:

  • preventing the Group from engaging in illegal activities;
  • promoting ethical standards and monitoring their operation;
  • managing conflicts of interests;
  • preventing situations in which the Group’s employees could be perceived as pursuing their own interest in a professional context;
  • professional, fair and transparent formulation of the product offer, advertising and marketing communication;
  • ensuring data protection;
  • prompt, fair and professional consideration of the customers’ complaints, suggestions and claims;
  • preventing situations in which a product which does not meet a customer’s needs is offered;
  • determining an adequate manner and form of offering a product, depending on the product’s character, monitoring sales and the fair execution of the agreements concluded with customers.

The Bank has adopted a zero tolerance policy against compliance risk, which means that the Bank focuses its actions on eliminating this risk.

Business risk management

Definition

Business risk is the risk of incurring losses due to adverse changes in the business environment, taking bad decisions, the incorrect implementation of decisions taken, or not taking appropriate actions in response to changes in the business environment. This includes in particular strategic risk.

Management objective

Maintaining, on an acceptable level, the potential negative financial consequences resulting from adverse changes in the business environment, making adverse decisions, improper implementation of adopted decisions or lack of appropriate actions, which would be a response to changes in the business environment.

Risk identification and measurement

Identification consists of recognising and determining factors, both current and potential, resulting from current and planned activities of the Group, which may significantly affect the financial position of the Group, generating or changing the Group’s income and expense. Business risk identification is performed by identifying and analyzing the factors that had an impact on the significant deviations of realization of income and expense from their forecasted values. Measurement of business risk is aimed at defining the scale of threats related to the existence of business risk with the use of defined risk measures. The measurement of business risk includes: calculation of internal capital, conducting stress-tests.

Control

Control of the business risk is aimed at striving to maintain the business risk at an acceptable level. It involves setting and periodic review of the risk controls in the form of tolerance limits on the business risk along with its thresholds and critical values, adequate to the scale and complexity of the Group.

Forecasting and monitoring

Forecasting of the business risk is aimed at determining an anticipated scenario of changes in the income and expense items in the income statement. The forecast is prepared once a quarter on a yearly basis and includes forecasting the level of business risk and internal capital.

Once a quarter, the verification of a business risk forecast (so-called backtesting) is performed.

Monitoring of the business risk is aimed at diagnosing the areas which require management actions.
Monitoring of business risk includes:

  • strategic levels of business risk tolerance – on a quarterly basis,
  • stress-tests results – on an annual basis,
  • reverse stress-tests results – on an annual basis,
  • internal capital level – on a quarterly basis,
  • deviations from the implementation of business risk forecast – on a quarterly basis,
  • results of a survey conducted among senior management staff of the Bank – on an annual basis.

Reporting

Reporting is performed on a quarterly basis. The reports on the business risk level are addressed to the ALCO, the RC, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board.

Management actions

Management actions consist of, in particular:

  • verifying and updating quarterly financial forecasts,
  • including actions aimed at lowering the business risk level in accordance with the limits, monitoring the level of the strategic limit of tolerance to business risk.
   

Reputation risk management

Definition

The reputation risk is understood as the risk of deterioration of reputation among clients, counterparties, investors, supervisory and control authorities, and the general public as a result of the business decisions, operating events, instances of non-compliance or other events.

Management objective

The objective of managing the reputation risk is to protect the Group’s reputation by counteracting the occurrence of reputation and limiting the negative effect of image-related events on the Group’s reputation.

Identification

Identification of the reputation risks covers the developments observed in the Group’s internal processes and in its external environment, including in particular: image-related events and factors related to the business environment, i.e. quantitative and qualitative information, including especially the data which describes the Group and its external environment, which suggest the existence of the reputation risk.

Assessment

An assessment of the reputation risk involves evaluating the impact of image-related events on the Group’s reputation, and in particular, quantifying and determining the severity of reputation losses. The evaluation of a reputation loss includes the impact, credibility and the opinion-forming potential of the disclosure of an image-related event to the public.

Monitoring

Monitoring reputation risk consists of a regular assessment of the value of reputation risk measures compared with the adopted threshold values. The level of reputation risk is determined based on the value of reputation risk measures.

Reporting

Information on the reputation risk is reported in the form of:

1) a semi-annual management report addressed to the Risk Committee, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board.

2) ad-hoc information on current events having a material impact on the Bank’s reputation, addressed to the President of the Management Board and to his Office.

3) information included in the Bank’s and the Group’s financial statements and provided at the request of the external supervisory and control bodies.

Management actions

Based on the specific level of reputation risk, management actions are taken, which may cover:

1) an analysis of the reasons for a given level of risk occurring;

2) assessment of the effects of such a level of risk occurring;

3) preparation of proposed management actions aimed at reducing the level of reputation risk or justification of the lack of the need to take such action, e.g. in the event of incidental extraordinary events occurring.

 

Model risk management

Definition

Model risk is the risk of incurring negative financial effects or reputation as a result of making incorrect business decisions on the basis of the models functioning. Within the Group, model risk is managed both on the part of a given Group entity (an owner of a model) and at the level of the Bank as a parent company of the Group.

Management objective

The objective of model risk management is to mitigate the level of risk of incurring losses as a result of making incorrect business decisions on the basis of existing models in the Group through a well-defined and implemented process of models management. One of the elements of the model management process is to cover all significant models in the Group with regular, independent validation.

Risk identification and measurement

Identification of the model risk consists of, in particular, collecting information about the existing models and models planned to be implemented as well as determining the materiality of the models on a periodical basis. The model risk evaluation is aimed at determining the scale of the threats associated with the occurrence of the model risk. The evaluation is made at the level of each model as well as on an aggregate basis at the level of the Group.

Control

Control of the model risk is aimed at maintaining an aggregated evaluation of the model risk at a level which is acceptable to the Group. Control of the model risk consists of determining the mechanisms used to diagnose the model risk level and tools for reducing the level of this risk. The tools used to diagnose the model risk include, in particular, a strategic limit of tolerance to the model risk and the threshold values of the model risk.

Monitoring

Monitoring of the model risk on a periodical basis is aimed at diagnosing the areas requiring management actions and includes, in particular:

  • updating the model risk level,
  • evaluating the utilization of the strategic limit of tolerance to the model risk and the threshold values of the model risk,
  • verifying the stage of implementation and evaluating the effectiveness of the implementation of the activities as part of the mitigation of the model risk.

Reporting

The results of monitoring the model risk are presented periodically in the reports addressed to the RC, the Management Board, and the Supervisory Board.

Management actions

The purpose of management actions is to form a model risk management process and to affect the level of this risk, in particular by determining acceptable risk levels and making decisions about the use of tools supporting model risk management.

Macroeconomic changes risk management

Definition

Risk of macroeconomic changes is a risk of deterioration of the financial situation of the Group as a result of the adverse impact of changes in macroeconomic conditions.

Management objective

The purpose of managing the risk of macroeconomic changes is to identify macroeconomic factors having a significant impact on the Group's activities and to take actions to reduce the adverse impact of potential changes in the macroeconomic situation on the financial situation of the Group.

Risk identification and measurement

Identification of the risk of macroeconomic changes involves determining scenarios of the potential macroeconomic changes and determining the risk factors having the greatest impact on the financial situation of the Group. Risk of macroeconomic changes results from interaction of factors dependent and independent of the Group's activities. The Group identifies the factors affecting the level of risk of macroeconomic changes while carrying out comprehensive stress-tests. The risk of macroeconomic changes materializes indirectly through other risks affecting the Group's operations. For the purpose of measuring the risk of macroeconomic changes the Group uses risk measures based on the results of comprehensive stress-tests, in particular: financial result and its components, capital adequacy measures and their components, selected liquidity measures, data on the quality of the loan portfolio.

Control

Control of the risk of macroeconomic changes is aimed at striving to mitigate the adverse effect of potential changes in the macroeconomic situation on the financial position of the Group. Control of the risk of macroeconomic changes consists of determining the acceptable risk level tailored to the scale of the Group’s operations, with the level of the risk of macroeconomic changes being assessed on the basis of the results of comprehensive stress tests. An acceptable level of the risk of macroeconomic changes is a situation in which stress test results do not point to the need to take any remedial measures.

Monitoring

Monitoring consists of, among other things, analyzing macroeconomic factors and the economic situation on a current basis and includes in particular: changes in the macroeconomic situation, the macroeconomic factors to which the Group is sensitive, stress test results, the level of the risk of macroeconomic changes.

Reporting

Reporting is provided in the form of additional information about the risk of macroeconomic changes which accompanies a quarterly report on capital adequacy, in which the stress tests were conducted. The reports are addressed to the ALCO, the RC, the Management Board and the Supervisory Board.

Management actions

Management actions in particular consist of: issuing internal regulation, determining acceptable levels of risk, proposals of actions aimed at reducing the level of risk in the event of elevated or high risk of macroeconomic changes occurrence.

Capital risk management

Definition

Capital risk is the risk of failing to ensure an appropriate level and structure of own funds, with respect to the scale of the Group operations and risk exposure and, consequently, insufficient for the absorption of unexpected losses, taking into account development plans and extreme situations.

Management objective

The objective of managing the capital risk is to ensure an appropriate level and structure of own funds, with respect to the scale of the operations and risk exposure of the Group and the Group, taking into account the assumptions of the Group’s dividend policy as well as supervisory instructions and recommendations concerning capital adequacy.

Risk measurement

The capital risk level for the Group is determined based on the minimum, threshold and maximum values of capital adequacy measures, amongst others, the total capital ratio and basic capital (Tier 1) ratio. In addition, threshold and maximum values are determined for capital adequacy measures, as an excess over the minimum values constituting strategic tolerance limits for the capital adequacy measures. The capital risk level is determined as follows:

1) low level – when all capital adequacy measures exceed the threshold values,

2) raised level – when at least one adequacy measure is lower than a threshold value and no capital adequacy measure is lower than the strategic tolerance limit,

3) high level – when at least one capital adequacy measure is lower than the strategic tolerance limit.

Monitoring

The Group regularly monitors the level of capital adequacy measures in order to determine the degree of compliance with supervisory standards, internal strategic limits, and to identify instances which require taking capital contingency actions.

Should a high level of capital risk be identified, the Group takes measures to bring capital adequacy measures to a lower level, taking into account the assumptions of the dividend policy as well as the supervisory instructions and recommendations concerning capital adequacy.

 

Insurance risk management

Definition

Insurance risk is a risk of loss or of adverse change in value of insurance liabilities, due to inadequate pricing and provisioning assumptions (in particular for technical provisions).

Identification, measurement and risk assessment

The exposure to insurance risks in the Group related to insurance companies is monitored and shaped in accordance with the adopted risk management strategy. In PKO Życie Towarzystwo Ubezpieczeń SA (PKO Życie), the dominant type of insurance risk depends on the type of product in the Company’s portfolio:

  • products with Insurance Capital Funds (UFK) – mainly the contracts withdrawal risk (a relatively short period of time after implementation of the UOKiK decision),
  • protection products: mortality and claims risks as well as negative selection (decreasing risk),
  • for all products – the risk associated with comparing expenses with income (unit costs).

The Company mitigates its exposure to the risks through:

  • reinsurance of the mortality and claims risks in excess of a specified amount per risk and per insurance contract,
  • retention campaigns,
  • monitoring the quality of sales in order to achieve an improvement in the quality of sales,
  • increasing the scope of cover for investment and protection products.

In 2015 and 2016, the risk of changes in the approach to surrender fees materialized partially. As a result of the proceedings of the UOKiK and the agreements concluded in 2015 and 2016 as a result of these proceedings, the Company estimated the changes in the distribution of future withdrawals. The amounts of the future surrender fees were also adjusted in accordance with the above agreement. The decisions made constitute the continuation of activities conducted by PKO Życie so far, with regard to reducing the total surrender value of selected life insurance contracts with insurance capital funds. Up until the date of this report, no increase in contract withdrawals in excess of the assumptions for determining the Best Reserve Estimate was observed.

PKO Towarzystwo Ubezpieczeń S.A. (PKO TU) is exposed to the following types of insurance risk:

  • unearned premium and reserve risk – mitigated through proportionate reinsurance,
  • product structure, catastrophic risk – mitigated through catastrophic reinsurance,
  • contract withdrawal risk – mitigated through retention measures.

The dominant type of risk is dependent on the type of product:

  • multi-year loss of source of income insurance contracts – unearned premium and reserve risk,
  • property insurance – catastrophic risk (flood).

The measurement of the insurance risk in insurance companies is performed, among other things, as part of the analysis of contract withdrawals, claims ratio analysis, the analysis of the amounts of assets to cover technical reserves (APR), and an annual analysis of shock scenarios – stress tests as part of the process of self-assessment of risk and solvency.

The companies have implemented the requirements arising from the changes in regulations under the Solvency II system and have been calculating capital ratios under the new regime as from 1 January 2016, maintaining own funds at an adequate level.

Monitoring

To mitigate the insurance risk exposure, PKO Życie uses, among others: reinsurance of risks (mortality, morbidity), grace periods, exemptions and retention activities.

Ceded reinsurance of PKO Życie is performed on the basis of:

  • obligatory-optional, quota share - surplus reinsurance treaties, on the basis of risk – premium,
  • optional reinsurance treaties, on the basis of risk – premium,
  • obligatory, proportionate reinsurance treaties,
  • obligatory catastrophic reinsurance treaties,
  • obligatory excess of loss reinsurance treaties.

Facultative reinsurance is applied for all insurance agreements and risks not covered by obligatory – facultative reinsurance agreements, in which the sum on the gross risk exceeds the agreed amount.

In the case of new products and risks, PKO Życie chooses the reinsurer, the level of protection, the conditions of the reinsurance, changes in concluded reinsurance contracts and the conclusion of new reinsurance contracts in relation to insurance products newly introduced to the offer or modified and to new risks.

Reporting

In PKO Życie and in PKO TU, the reporting on insurance risk is provided in the form of periodical reports to the Management Board and for the Asset and Liabilities Committee, the Risk Committee, and the Risk Committee of the Supervisory Board.

The assets to cover technical reserves (APR) remained at a sufficient level (over 100%) and had an appropriate structure. As at the end of 2016, the aggregate assets to reserves ratio amounted to 103% for PKO Życie and 140% for PKO TU.

Management of the risk of excessive leverage

Definition

The risk of excessive financial leverage is the risk resulting from vulnerability to threats due to financial leverage or conditional financial leverage that may require taking unintended action to adjust business plans, including an emergency sale of assets which could result in losses or result in the need for valuation adjustments of other assets.

Management objective

The objective of managing the risk of excessive leverage is to ensure an appropriate relationship between the amount of the core capital (Tier 1) and the total of balance sheet assets and off-balance sheet liabilities granted by the Group.

Identification and measurement

The risk of excessive leverage materializes as a mismatch of scale of activities and structure of the sources of financing and insufficient equipment of Group’s own funds. For the purpose of measuring the risk of excessive financial leverage, a leverage ratio is calculated as a measure of Tier 1 capital divided by the measure of total exposure and is expressed as a percentage rate. The leverage ratio is calculated on the reporting reference date. The leverage ratio is calculated both with reference to Tier 1 capital and in accordance with the transitional definition of Tier 1 capital.

Forecasting and monitoring

A forecast is made regularly, on a quarterly basis, using the leverage ratio. The following parameters are in particular subject to monitoring of the risk of excessive leverage:

  • value of the leverage ratio,
  • threshold of the risk of excessive leverage,
  • deviation of the leverage ratio from forecasts.

Control

The objective of the control of the risk of excessive leverage is to strive to maintain the Group’s risk of excessive leverage at an acceptable level. It covers a periodical review of the risk control mechanisms in the form of a tolerance limit, including its threshold value.

Reporting

Reporting is performed on a quarterly basis. The reports on the level of the risk of excessive leverage are addressed to the RC, the Management Board, the Risk Committee of the Supervisory Board, and the Supervisory Board.

Management actions

The management actions concerning the risk of excessive financial leverage are identical to the management actions concerning capital risk. In the event of an increased risk, actions are taken to bring capital adequacy measures to a proper level, taking into account the assumptions of the dividend policy as well as supervisory suggestions and recommendations concerning capital adequacy.