2022 Annual Report

53. Risk management within the Group

2022 Annual Report

Risk management is one of the most important internal processes in both the Bank and other entities of the PKO Bank Polski S.A. Group.

It is aimed at ensuring (in the changing environment) the profitability of business activities while ensuring an appropriate level of control and keeping the risk level within the risk tolerances and limits system adopted by the Bank and the Group, in a changing macroeconomic environment. The level of risk is an important part of the planning processes.

The Group identifies risks in its operations and analyses the impact of each type of risk on its business. All the risks are managed; some of them have a material effect on the profitability and capital needed to cover them. The following risks are considered material for the Group: credit risk, risk of foreign currency mortgage loans for households, currency risk, interest rate risk, liquidity risk (including financing risk), operating risk, business risk, risk of macroeconomic changes and model risk. The materiality of all the identified risks is assessed by the Group on a regular basis, at least annually.

A detailed description of the management policies for material risks is presented in the “REPORT ON CAPITAL ADEQUACY AND OTHER INFORMATION SUBJECT TO PUBLICATION BY THE PKO BANK POLSKI S.A. GROUP”.

RISK MANAGEMENT OBJECTIVE

The objective of the risk management is to strive to maintain the level of risk within the accepted tolerances in order to:

  • protect shareholder value;
  • protect customer deposits;
  • support the Group in conducting efficient operations.

The risk management objectives are achieved, in particular, by providing appropriate information on the risks, so that decisions are made in full awareness of the particular risks involved.

Main principles of risk management

Risk management at the Group is based, in particular, on the following principles:

  • the risk management covers all the risks identified;
  • the risk management process is appropriate from the perspective of the scale of operations and materiality, scale and complexity of a given risk, and adjusted on an on-going basis to take account of the new risks and their sources;
  • risk management methods (especially models and their assumptions) and risk measurement or assessment systems are tailored to the scale and complexity of individual risks, the current and planned operations of the Group and its operating environment, and are periodically verified and validated;
  • the area of risk management remains organizationally independent of business activities;
  • risk management is integrated into the planning and controlling systems;
  • the level of risk is monitored and controlled on an on-going basis;
  • the risk management process supports the implementation of the Bank’s strategy in compliance with the Risk Management Strategy, in particular with respect to the level of risk tolerance.

Risk management process

The process of risk management in the Group consists of the following stages:

Risk identification consists of recognizing the existing and potential sources of risk and estimating the significance of its potential impact on the Bank’s and the Group’s operations. As part of risk identification, the Group entities identify the risks considered to be material in the Bank’s or the Group’s operations.

Risk measurement and assessment are aimed at determining the scale of threats connected with the risks arising. Risk measurement covers determining the risk assessment measures adequate to the type and significance of the risk, and data availability. Quantitative and qualitative risk measurement results are the basis for the risk assessment aimed at identifying the scale or scope of risk.

As part of risk measurement, the Bank’s Group carries out:

  • specific stress tests which are conducted separately for individual risk types and are used to assess sensitivity of a given risk to unfavourable market conditions,
  • comprehensive stress tests conducted jointly for the concentration risk and risks regarded as material, used to determine sensitivity of the capital adequacy measures and Bank’s results to the occurrence of a negative scenario of changes in the environment and the functioning of the Bank’s Group.

The stress-tests are conducted by the Bank’s Group based on assumptions which ensure a sound assessment of the risk, in particular taking into account the Recommendations of the Polish Financial Supervision Authority

Risk control involves the determination of risk control mechanisms adjusted to the scale and complexity of the Group’s activities, especially in the form of strategic tolerance limits for the individual types of risk. Strategic risk tolerance limits are subject to regular monitoring, and if they are exceeded, the Bank’s Group takes management actions.

Risk forecasting involves foreseeing future risk levels, taking into account the assumed business development projections, and internal and external events. Risk level forecasts are assessed by the Bank and the Bank’s Group (socalled “reverse stress tests”) in order to verify their accuracy.

Risk monitoring involves observing deviations from the forecasts or the adopted benchmarks (e.g. limits, thresholds, plans, prior period measurements, recommendations and instructions issued by external supervisory and regulatory authority). Risk monitoring and forecasting frequency is adequate to the materiality and variability of specific risks

Management actions consist of determining the desired risk level favourable for building the structure of assets and liabilities. Management actions may result, in particular, in:

  • acceptance of the risk – determining the acceptable risk level, taking into account business needs and developing management actions in the event that the level is exceeded;
  • reduction of the risk – mitigation of the impact of the risk factors or effects of its materialization (e.g. By reducing or diversifying the risk exposure, determining limits, utilizing collaterals);
  • transfer of the risk – transferring responsibility for covering potential losses (e.g. by transferring the risk to another entity with the use of legal instruments, such as insurance contracts, security services agreements for a building, accepting guarantees);
  • risk avoidance – resignation from the risk-generating activity or elimination of the probability of materialization of the risk factor, including in particular determination of zero tolerance to risk.

Management actions consist of determining the desired risk level favourable for building the structure of assets and liabilities. Management actions may result, in particular, in:

  • acceptance of the risk – determining the acceptable risk level, taking into account business needs and developing management actions in the event that the level is exceeded;
  • reduction of the risk – mitigation of the impact of the risk factors or effects of its materialization (e.g. By reducing or diversifying the risk exposure, determining limits, utilizing collaterals);
  • transfer of the risk – transferring responsibility for covering potential losses (e.g. by transferring the risk to another entity with the use of legal instruments, such as insurance contracts, security services agreements for a building, accepting guarantees);
  • risk avoidance – resignation from the risk-generating activity or elimination of the probability of materialization of the risk factor, including in particular determination of zero tolerance to risk.

Organization of risk management within the Group

The Bank supervises the functioning of individual entities in the PKO Bank Polski S.A. Group. As part of its supervisory role, the Bank monitors their risk management systems and supports their development. In addition, the Bank takes into account the level of risk in particular Group companies for the purpose of the risk monitoring and reporting system at Group level. Risk management in the Bank takes place in all of the organizational units of the Bank.

The organization of risk management in PKO Bank Polski SA is presented in the diagram below:

The Supervisory Board supervises and evaluates the risk management process, in particular, on the basis of regular reports on the risk, taking into account the adequacy and effectiveness of the risk management system and information about the implementation of the risk management strategy, also at the level of limits which limit the risk and conclusion from stress tests, and if necessary, orders the verification of the process.

The Supervisory Board is supported by the following committees: the Supervisory Board for Nominations and Remuneration Committee, the Supervisory Board Risk Committee and the Supervisory Board Audit Committee.

In respect of risk management, the Management Board of PKO Bank Polski SA is responsible for strategic risk management, including supervising and monitoring actions taken by the Bank in respect of risk management. The Management Board makes major decisions affecting the risk profile of the Bank and adopts internal regulations concerning risk management. It ensures operation of the risk management system, monitors and assesses its functioning, and transfers the respective information to the Supervisory Board. In its risk management activities, the Management Board is supported by the following committees:

  • the Risk Committee;
  • the Asset and Liability Committee (ALCO);
  • the Bank’s Credit Committee;
  • the Operational Risk Committee.

The risk management process is carried out at three independent but complementary levels:

is formed of organizational structures responsible for product management, selling products and servicing customers, and of other structures which perform operational tasks that generate risk, which function based on internal regulations. This function is performed by all of the Bank’s and the Group’s entities. The Bank’s entities implement appropriate risk controls, including in particular limits, designed by them and located at the second level. They also ensure that they are met by means of appropriate controls.

At the same time, the Group entities and the Bank are obliged to have comparable and consistent systems for the risk assessment and control, taking into account the specific characteristics of each entity and its market

covers compliance units and involves the identification, measurement, evaluation and/or control, monitoring and reporting of significant types of risks, and of the threats and irregularities identified; the tasks are performed by dedicated organizational structures acting on the basis of the applicable internal regulations of the Bank; the objective of these structures is to ensure that the tasks performed as part of the first level are properly governed in the internal regulations of the Bank and that they effectively limit the risk, support risk measurement, assessment and analysis and contribute to operational effectiveness. The function is performed, in particular. by the Risk Management Area, the Compliance Department and relevant committees. The second level supports actions taken to eliminate unfavourable deviations from the financial plan, with respect to the amounts impacting the quantitative strategic risk tolerance limits specified in the financial plan. These tasks are performed in particular in the entities of the Bank responsible for controlling.

consists of the internal audit function which performs independent audits of individual components of the Bank’s management system, including the risk management system, and the internal control system; the internal audit operates independently of the first and second levels and may support their actions by way of consultation, but without the possibility to impact the decisions taken. The function is performed in accordance with the Bank’s internal regulations concerning the operation of the internal control system. The independence of the levels consists of ensuring organizational separation at the following levels:

  • the function of the second level with regard to creating system solutions is independent of the function of the first level;
  • the function of the third level is independent of the functions of the first and second levels,

Risk management within the Group

The Bank, as the parent company in the Bank’s Group, determines the key risk management principles applied in the Bank’s Group, supervises the implementation in the Group entities of the risk management principles resulting from the risk management strategy, taking into account the adequacy of these principles to the activities of the Bank’s Group entities, and exercises control over the risk in the Bank’s Group with respect to significant types of risk. Entities in the Bank’s Group create and update internal regulations concerning the management of specific risks, upon consultation with the Bank and taking into account recommendations issued by the Bank and the Risk Management Strategy.

The risk management function in the Group entities is executed, in particular, by:

  • participation of the units from the Bank’s Risk Management Area or of the relevant committees of the Bank in consulting large transactions in the Group entities;
  • the assessments and reviews of the internal regulations concerning risk management in individual Group entities by the Bank’s units from Risk Management Area and the Compliance Department;
  • reporting of the Group risks to the relevant committees of the Bank or to the Management Board;
  • monitoring the strategic limits of risk tolerance for the Group.

Search results