54. Risk management within the Group

Annual Report
2019

Risk management is one of the most important internal processes in both PKO Bank Polski SA and other entities of the PKO Bank Polski SA Group. Risk management is aimed at ensuring profitability of the business activities while monitoring the risk level, keeping the risks within the risk tolerances and limits adopted by the Bank and the Group, in a changing macroeconomic and legal environment. The level of risk is an important part of the planning processes.

The Group identifies risks in its operations and analyses the impact of each type of risk on the business operations of the Bank and entities in the Group. All the risks are managed; some of them have a material effect on the profitability and capital needed to cover them. The materiality of all the identified risks is assessed on a regular basis, at least annually. When assessing the materiality of the risks, the Group applies the criteria for recognizing a given type of risk as material. All risks classified as material for the Bank are also material for the Group. The following risks are considered material for the Bank: credit risk, risk of foreign currency mortgage loans for households, currency risk, interest rate risk, liquidity risk (including financing risk), operating risk, business risk, risk of macroeconomic changes and model risk. Group entities may consider the types of risks other than those listed above to be material, taking into account the specific nature and scale of their operations and the markets on which they operate. The Bank verifies materiality of these risks at the Group level. Group entities participate in an assessment of materiality of the risks initiated by the parent and assessed at the Group level.

A detailed description of the management policies for material risks is presented in the Report on Capital Adequacy and other information subject to publication by the PKO Bank Polski SA Group.

Risk management objective

The objective of risk management is to strive to maintain the level of risk within the accepted tolerances in order to:

  • protect shareholder value:
  • protect customer deposits;
  • support the Group in conducting efficient operations.

The risk management objectives are achieved, in particular, by providing appropriate information on the risks, so that decisions are made in full awareness of the particular risks involved.

Main principles of risk management

The Group’s risk management is based, in particular, on the following principles:

  • the Group manages all the risks identified;
  • the risk management process is appropriate from the perspective of the scale of operations and materiality, scale and complexity of a given risk, and adjusted on an on-going basis to take account of the new risks and their sources;
  • risk management methods (especially models and their assumptions) and risk management measurement or assessment systems are tailored to the scale and complexity of individual risks, the current and planned operations of the Group and its operating environment, and are periodically verified and validated;
  • the area of risk management remains organizationally independent from business activities;
  • risk management is integrated into the planning and controlling systems;
  • the level of risk is monitored and controlled on an on-going basis;
  • the risk management process supports the implementation of the Bank’s strategy in compliance with the Risk Management Strategy, in particular with respect to the level of risk tolerance.

The risk management process

The process of risk management in the Group consists of the following stages:

pko-grafy_identyfikacja-pomiar kopia 2 pko-grafy_identyfikacja-pomiar kopia 2

Risk identification consists in recognizing the existing and potential sources of risk and estimating the significance of its potential impact on the Bank’s and the Group’s operations. As part of risk identification, the risks considered to be material in the Bank’s or the Group’s operations are identified.

Risk measurement covers determination of the risk assessment measures adequate to the type and significance of the risk, data availability and quantitative risk assessment by means of determined measures, as well as risk assessment aimed at identifying the scale or scope of risk, taking into account the achievement of the risk management objectives. As part of risk measurement, valuation of the risks for the purpose of the pricing policy and stress tests are conducted on the basis of assumptions which ensure a sound assessment of the risk. Stress test scenarios include, among other things, the requirements stemming from Recommendations of the Polish Financial Supervision Authority. In addition, the Group conducts comprehensive stress tests (CST) which are an integral element of the risk management and which supplement stress tests specific for individual risks. CST also covers an analysis of the impact of changes in the environment (in particular, the macroeconomic environment) and the Bank’s functioning on the Group’s financial position.

Risk control involves determination of the tools to be used for measuring or reducing the level of risk in specific areas of the Group’s activities. Risk control involves determining risk controls adapted to the scale and complexity of operations of the Bank and of the Bank Group, in particular in the form of monitored strategic tolerance limits for individual risks, and undertaking management actions in case such limits are exceeded.

Risk forecasting and monitoring involves preparing risk level forecasts and monitoring deviations from forecasts or the adopted benchmarks (e.g. limits, thresholds, plans, prior period measurements, recommendations and instructions issued by supervisory and regulatory authority), and performing (specific and comprehensive) stress tests and reverse stress tests. Risk level forecasts are verified. Risk monitoring frequency is adequate to the significance and variability of specific risks.

Risk reporting consists in regularly providing information to the Bank’s governing bodies on the results of the risk measurement or assessment, actions taken and follow-up recommendations. The scope, frequency and form of the reporting are adjusted to the managerial level of the recipients. If potential liquidity problems arise, the Supervisory Board is immediately informed about the level of the Bank’s liquidity, threats and remedial actions taken, and in the event of significant operational events or security incidents.

Management actions consist particularly in issuing internal regulations affecting the management processes relating to of different types of risk, establishing the level of risk tolerance, establishing limits and thresholds, issuing recommendations, and making decisions, including decisions to use tools supporting risk management. The objective of management actions is to shape the risk management process and the risk levels.

Organization of risk management within the Group

The Bank supervises the functioning of individual entities in the PKO Bank Polski SA Group. As part of its supervisory role, the Bank monitors their risk management systems and supports their development. In addition, the Bank takes into account the level of risk in particular Group companies for purposes of risk monitoring and reporting system at Group level. Risk management in the Bank takes place in all of the organizational units of the Bank.

The organization of risk management in PKO Bank Polski SA is presented in the diagram below:

risks-01 risks-01

The risk management system is supervised by the Supervisory Board of the Bank which controls and evaluates the adequacy and effectiveness of the system. The Supervisory Board evaluates whether or not individual elements of the risk management system support the correct execution of the process for setting and achieving specific objectives of the Bank. In particular, the Supervisory Board verifies if the system applies formal rules to set out the size of the risk taken and risk management principles, as well as formal procedures to identify, measure or estimate and monitor the risks associated with the Bank’s operations, taking into account the anticipated level of risk in the future. The Supervisory Board verifies whether formal limits restricting the risk and the rules of conduct in the case when limits are exceeded are applied as part of the risk management system, and if the adopted management reporting system enables monitoring the risk levels. The Supervisory Board evaluates whether the risk management system is updated on an on-going basis to take into account new risk factors and sources. The Supervisory Board is supported by the following committees: the Supervisory Board Nominations and Remuneration Committee, the Supervisory Board Risk Committee and the Supervisory Board Audit Committee.

In respect of risk management, the Management Board of PKO Bank Polski SA is responsible for strategic risk management, including supervising and monitoring actions taken by the Bank in respect of risk management. The Management Board makes major decisions affecting the risk profile of the Bank and adopts internal regulations concerning risk management. In its risk management activities, the Management Board is supported by the following committees:

  • the Risk Committee;
  • the Asset and Liability Committee (ALCO);
  • The Bank’s Credit Committee;
  • the Operational Risk Committee.

The risk management process is carried out in three independent but complementary lines of defence:

THE FIRST LINE OF DEFENCE – is formed of organizational structures responsible for product management, executing sales of products and customer servicing, and of other structures which perform risk-generating operating tasks based on the internal regulations. The function is realized in all organizational units of the Bank, as well as in the Group entities. The organizational units of the Bank implement appropriate risk controls, including in particular limits, designed by the second-level organizational units of the Bank, and ensure that they are met by means of appropriate controls.

At the same time, the Bank Group companies are obliged to have comparable and consistent systems for risk assessment and control, taking into account the specific characteristics of each entity and its market.

THE SECOND LINE OF DEFENCE – covers compliance units and involves the identification, measurement, evaluation or control, monitoring and reporting of significant types of risks, and of the threats and irregularities identified; the tasks are executed by dedicated organizational structures acting on the basis of the applicable internal regulations of the Bank; the objective of these structures is to ensure that the tasks performed as part of the first level are properly governed in the internal regulations of the Bank and that they effectively limit the risk, support risk measurement, assessment and analysis and contribute to operational efficiency. The second line of defence supports actions undertaken in order to eliminate unfavourable deviations from the financial plan (i.e. the budget), to the extent applicable to figures which affect the quantitative strategic risk tolerance limits adopted in the financial plan. The function is performed, in particular by the Risk Management Area, the Compliance Department and relevant committees. The second line of defence supports actions undertaken in order to eliminate unfavourable deviations from the financial plan, to the extent applicable to figures which affect the quantitative strategic risk tolerance limits adopted in the financial plan. These tasks are performed in particular in the organizational units of the Bank responsible for controlling.

THE THIRD LINE OF DEFENCE – consists of the internal audit function which performs independent audits of individual components of the Bank’s management system, including the risk management system, and of the internal control system; the internal audit operates independently of the first and second lines of defence and may support their actions by way of consultations, but without participating in their decision-making. The function is performed in accordance with the Bank’s internal regulations concerning the operation of the internal control system.

The independence of the lines consists in ensuring organizational separation at the following levels:

  • the function of the second line of defence with regard to creating system solutions is independent of the function of the first line of defence;
  • the function of the third line of defence is independent of the functions of the first and second lines of defence.

Risk management within the Group

The principles concerning the management of specific risks types in the Bank’s Group’s entities are set out in their internal regulations, implemented after having consulted the Bank and taking into account the Bank’s recommendations. The risk management policies of these entities are implemented in accordance with the principles of consistency and comparability of the assessments of individual types of risks in the Bank and in the Bank’s Group entities, taking into account the extent and the type of relations between the Group entities, the specific characteristics and scale of their operations and the markets on which they operate.

The risk management function in the Group entities is executed, in particular, by:

  • participation of the units from the Bank’s Risk Management Area or of the relevant committees of the Bank in consulting large transactions in the Group entities;
  • the assessments and reviews of the internal regulations concerning risk management in individual Group entities by Bank’s units from Risk Management Area and Compliance Department;
  • reporting of the Group risks to the relevant committees of the Bank or to the Management Board;
  • monitoring the strategic limits of risk tolerance for the Group.

Specific activities in the area of risk management undertaken by the Group in 2019

In 2019 exposure to the risk of mortgage loans for households denominated in foreign currencies was considered to be material.

In September 2019, PKO Leasing SA conducted the largest securitization of assets on the Polish market. The transaction consisted of selling the portfolio of high quality lease receivables with a total value of PLN 2.5 billion (see the Note “Information on securitization of lease portfolio and portfolio sale of receivables”).

In 2019 the Group made an early repayment of funding obtained from the European Investment Bank, repayment of own issues maturing, as part of the EMTN programme, and it repaid an instalment of a loan from the Council of Europe Development Bank.

In 2019 PKO Bank Hipoteczny SA conducted new issues of mortgage covered bonds. Both domestic and international institutional investors acquired these mortgage covered bonds. PKO Bank Hipoteczny SA’s mortgage covered bonds are among the safest debt instruments on the Polish financial market. This is reflected in the highest possible rating which can be obtained by Polish securities of Aa3 assigned by Moody’s.

As part of monitoring of the credit losses measurement model, the Group updated the assumptions for using LGD and PD parameters. Recoveries in the LGD parameter were adjusted at the long end of the curve and the series of historical data was shortened to better reflect the present economic and macroeconomic position. Also, the manner of calculating PD for retail portfolios and for the portfolio of Firms and Companies changed, putting more emphasis on the amount of exposures contributing to the amount of default.

search results::