Purpose of risk management
The purpose of risk management, which strives to maintain the risk level within the adopted risk tolerance, is to:
- protect shareholder value,
- protect customer deposits,
- support the Bank in conducting effective operations.
Risk management goals are achieved in particular by providing appropriate information on risk so as to ensure that the decisions are taken in full awareness of the particular risks involved.
Main principles of risk management
Risk management in the PKO Bank Polski SA Group is based in particular on the following principles:
- the Group manages all of the identified types of risk,
- the risk management process is appropriate to the scale of the operations and to the materiality, scale and complexity of a given risk and tailored to new risk factors and sources on a current basis,
- the risk management methods (in particular the models and their assumptions) and the risk measurement systems are tailored to the scale and complexity of the risk, to the Group’s current and envisaged activity and to the environment in which the Group operates, and are also verified and validated on a periodical basis,
- the area of risk management and debt recovery remains organizationally independent from business activities,
- risk management is integrated with the planning and controlling systems,
- the risk level is monitored on a current basis,
- the risk management process supports the implementation of the Group’s strategy in compliance with the risk management strategy, in particular with regard to the level of tolerance of the risk.
The risk management process
The process of risk management in the Group consists of the following stages:
- Risk identification
Risk identification consists of recognizing actual and potential sources of risk and estimating the significance of their potential influence on the financial situation of the Group. Within the risk identification process, the types of risk perceived as material in the activity of the Bank, particular Group companies or the entire Group are identified,
- Risk measurement and assessment
Risk measurement covers the determination of risk assessment measures adequate to the type and significance of the risk, data availability and quantitative risk assessment by means of determined measures, as well as risk assessment aimed at identifying the scale or scope of risk, taking into account the achievement of the goals of risk management. Within risk measurement, work related to the valuation of the risks for the purpose of pricing policy and stress tests is conducted on the basis of assumptions providing a fair risk assessment. Stress-test scenarios cover, among other things, the requirements following from the recommendations of the Polish Financial Supervision Authority. Additionally, the Bank performs complex stress tests (KTWS), which constitute an integral element of risk management, and supplementary stress tests specific to particular risks. KTWS also cover an analysis of the impact of changes in the environment (in particular the macroeconomic conditions) and the Bank’s operations (defined, among other things, by the GDP, inflation level, unemployment rate, foreign exchange rates, interest rates) on the Bank’s financial position.
- Risk control
Risk control consists of determining the tools used for measuring or reducing the level of risk in specific areas of the Bank’s activity. This includes determining control mechanisms adjusted to the scale and complexity of the Bank’s and the Group’s activities, especially in the form of strategic tolerance limits for the individual types of risk.
- Risk forecasting and monitoring
Risk forecasting and monitoring consists of preparing risk level forecasts and monitoring deviations from forecasts or adopted reference points (e.g. limits, thresholds, plans, measurements from the previous period, recommendations and suggestions issued by the supervisory and control authority), and also carrying out stress tests (specific and complex). Forecasts of the level of risk shall be reviewed. Risk monitoring is performed with a frequency adequate to the materiality and volatility of a specific risk type,
- Risk reporting
Risk reporting consists of periodically informing the authorities of the Bank about the results of risk measurement or risk assessment, the actions taken and the recommended actions. The scope, frequency and form of reporting are adjusted to the management level of the recipients,
- Management actions
Management actions consist in particular of issuing internal regulations affecting the management process of different types of risk, establishing the level of risk tolerance, establishing limits and thresholds, issuing recommendations, and making decisions about the use of tools supporting risk management. The objective of taking management actions is to shape risk management and the risk level.
The organization of risk management in the Group
Risk management in the Bank takes place in all of the organizational units of the Bank.
The organization of risk management in PKO Bank Polski SA is presented in the chart below:
The risk management process is supervised by the Supervisory Board of the Bank, which is informed on a regular basis about the risk profile of the Bank as well as of the PKO Bank Polski SA Group and the most important activities taken in the area of risk management. The Bank’s Supervisory Board is supported, among other things, by the following committees: the Remuneration Committee, the Supervisory Board Risk Committee and the Supervisory Board Audit Committee.
In respect of risk management, the Management Board of PKO Bank Polski SA is responsible for strategic risk management, including supervising and monitoring actions taken by the Bank in respect of risk management. It takes the most important decisions affecting the risk profile of the Bank and adopts internal regulations concerning risk management. The Supervisory Board is supported by the following committees:
- the Risk Committee (the ‘RC’),
- the Assets & Liabilities Management Committee (the ‘ALCO’),
- the Bank’s Credit Committee (the ‘BCC’),
- the Operating Risk Committee (the ‘ORC’).
The risk management process is carried out in three mutually independent lines of defence:
- The first line of defence is performed in particular in the organizational units of the Bank, the organizational units of the Head Office and the external entities to which the Bank has outsourced other banking activities, and concerns the activities of those units, cells and entities which may generate risk. The units and entities are responsible for identifying risks and for designing and implementing appropriate controls, including in the external entities, unless controls have been implemented as part of the measures taken in the second line of defence.
- The second line of defence comprises the risk management system, in particular the measurement or assessment, control, monitoring and reporting of particular risks important to the Bank, reporting identified threats and irregularities, preparing the Bank’s internal regulations determining the risk management principles, methods, tools and procedures, and measuring operating effectiveness. The function is performed, in particular, in the Risk Management Area, the Compliance Department, the Planning and Controlling Department and relevant committees, as well as in the other organizational units of the Head Office responsible for controlling.
- The third line of defence is performed as part of internal audit, including the audit of the effectiveness of the risk management system.
The independence of the lines of defence consists of preserving organizational independence in the following areas:
- the function of the second line of defence as regards creating system solutions is independent of the function of the first line of defence,
- the function of the third line of defence is independent of the functions of the first and second lines of defence,
- the function of managing the compliance risk reports directly to the President of the Management Board.
Risk management in the Group
The Bank supervises the activities of the individual subsidiaries of the PKO Bank Polski SA Group. As part of this supervision, the Bank. The Bank also supervises the entities’ risk management systems and provides support in the development of these systems. Additionally, it reflects the business risk of the particular entities in the risk reporting and risk monitoring system of the entire Group.
The internal regulations for managing certain types of risk in the Group entities are implemented by those entities after consulting the Bank and taking into account the recommendations issued by the Bank. The entities’ internal regulations concerning risk management are introduced based on the principle of consistency and comparable assessment of particular types of risk within the Bank and the Group entities, taking into account the scope and nature of the links between the entities included in the Group, the specificity and scale of the entity’s activity and the market on which it operates.
The risk management in the Group entities is carried out in particular by:
- involving the units in the Bank’s Risk Management Area or the Bank’s relevant committees in evaluating large transactions of the Group entities,
- giving opinions and reviewing internal regulations concerning risk management in the individual Group entities, carried out by the units in the Bank’s Risk Management Area,
- reporting on the Group entities’ risks to the Bank’s relevant committees or the Management Board,
- monitoring of strategic risk tolerance limits for the Group.