67. Operational risk management

Operational risk is defined as the risk of losses being incurred due to a mismatch or unreliability of the internal processes, people and systems may or due to external events. Operational risk includes legal risk and cyber security risk:

• legal risk – the risk of incurring a loss due to ignorance, misunderstanding and non-application of legal norms and accounting standards, the inability to enforce contractual provisions, unfavourable interpretations or decisions of courts or public administration bodies;
• cyber security risk – the degree of exposure by potential negative cyber security risk factors, related to information and communication technologies, which may cause financial damage to the organization by compromising the availability, integrity, confidentiality or accountability of information processed in the Bank’s IT system resources (SIB).

Operational risk excludes reputation risk and business risk.

The objective of operational risk management is to ensure operational and cost efficiency and business security by limiting the occurrence of operational events and their negative consequences.

There are two levels of operational risk management at the Group:

• systemic operational risk management – which consists of creating solutions for the Group to control the level of operational risk that enables the Group to achieve its objectives;
• on-going operational risk management – aimed at preventing operational events and responding to operational events that occur, for which each Group employee is responsible within the scope of his/her tasks and

The process of operational risk management is carried out at the level of the Group and at the levels of individual areas of systemic operational risk management.

Operational risk management comprises the identification of operational risk in particular through collecting data about the operational risk and the self-assessment of operational risk.

In order to manage operational risk, the Group gathers internal and external data about operational events and the causes and effects of their occurrence, data on the factors of the business environment, results of operational risk self-assessment, data on the operational risk indicators and data related to the quality of the internal control system.

The operational risk self-assessment comprises the identification and assessment of operational risk for the Group’s products, processes and applications as well as organizational changes and it is conducted cyclically and before implementing new or changed Group products, processes and applications, using the data gathered on operational events and information obtained during the measurement, monitoring, cooperation with the Bank Group’s entities and operational risk reporting, including internal audits and security audits.

The measurement of operational risk comprises:

• calculating operational risk indicators: KRI (Key Risk Indicators) and RI (Risk Indicators);
• calculating the requirement for own funds to cover operational risk under the AMA approach (the Bank, including the German and Czech Branches and excluding the Branch in Slovakia) and BIA (the Branch in Slovakia and the prudential Group entities);
• stress-tests;
• calculating the Group’s internal

Control of operational risk includes determining risk control mechanisms tailored to the scale and complexity of the Bank’s and the Group’s activities, in the form of operational risk limits, in particular the strategic limits of tolerance of operational risk, loss limits, operational risk indicators with thresholds and critical values.

The following measures are monitored by the Group on a regular basis:

• utilization of the strategic tolerance limits for the Group and operational risk losses limits for the Bank;
• operational events and their consequences;
• results of the operational risk self-assessment;
• the requirement in respect of own funds to cover operational risk, in accordance with the BIA approach in the case of the Slovak Branch and in accordance with the AMA approach in the case of the remaining activity of the Bank, and in the case of the Group entities covered by prudential consolidation – in accordance with the BIA approach;
• the results of stress tests, including reverse stress tests;
• operational risk indicator values in relation to thresholds and critical values;
• the level of risk for the Bank and the Group, areas and tools for managing operational risk in the Bank such as self-assessment, operational risk indicators, loss limits;
• the effectiveness and timeliness of actions undertaken to reduce or transfer operational risk;
• management actions relating to the presence of elevated or high levels of operational risk and their effectiveness in reducing the level of operational risk.

In 2022 and 2021, the following entities had a decisive impact on the operational risk profile of the Group: PKO Bank Polski and the PKO Leasing SA Group.

Information relating to operational risk is reported for the purpose of senior management, the Operational Risk Committee, the Risk Committee, the Management Board and the Supervisory Board in monthly and quarterly cycles. Each month, information about operational risk is prepared and forwarded to the ORC, senior management staff, the organizational units of the Bank responsible for systemic operational risk management. The reports are addressed to the ORC, the RC, the Management Board and the Supervisory Board. The scope of the information is diversified and tailored to the scope of responsibilities of individual recipients of information.

Management actions are taken in the following cases:

• on an initiative of ORC or the Management Board;
• on the initiative of the Bank’s organizational units managing operational risk;
• when operational risk has exceeded the levels determined by Management Board or

In particular, when the risk level is elevated or high, the Group uses

the following approaches and instruments to manage the operational risk:

• risk reduction – mitigating the impact of risk factors or the consequences of their occurrence by introducing or strengthening various types of instruments for managing operational risk such as:
  • control instruments (including approval, internal control, segregation of duties);
  • human resources management instruments (selection of staff, increasing the qualifications of employees, incentive systems);
  • determination or verification of threshold values and critical operational risk indicators;
  • determination or verification of operational risk limits;
  • contingency plans;
• risk transfer – transfer of responsibility for covering potential losses on a third-party:
  • insurance;
  • outsourcing;
• risk avoidance – resignation from the risk-generating activity or eliminating the probability of the risk factor’s occurrence.