Operational risk management

Operational risk is defined as the risk of occurrence of a loss due to non-compliance or unreliability of internal processes, people and systems or external events.

The objective of operational risk management is to optimise operational efficiency by reducing operating losses, streamlining costs and improving the timing and adequacy of the Group's response to events which are beyond its control.

Measurement of the operational risk

Measurement of operational risk at the Bank aims at defining the scale of threats related to the existence of operational risk with the use of defined risk measures. The measurement of operational risk comprises:

  • KRI calculation,
  • calculation of VaR for operating risk,
  • scenario-based analyses (stress-tests).

Identification and assessment of operational risk covers operational risk appearing in the existing products, processes and IT applications of the Bank. It is conducted with the use of:

  • accumulation of data on operational events,
  • results of internal audit,
  • results of functional internal control,
  • Key Risk Indicators (KRI).

Forecasting and monitoring of operational risk

The Bank regularly monitors:

  • utilisation level of strategic tolerance limits on operational risk,
  • utilisation level of operational risk losses,
  • effectiveness and timeliness of actions taken to reduce or transfer the operational risk,
  • setting threshold values of Key Risk Indicators (KRI),
  • operating events and their effects,
  • effects of actions taken following external control recommendations or internal audits,
  • quality of the internal functional controls.

In 2011, the dominant impact on the operational risk profile of the Group was exerted by the following three entities: PKO Bank Polski SA, the BFL SA Group and KREDOBANK SA. The other Group entities, considering their significantly smaller scale and type of activity, generate only reduced operational risk. Group entities manage operational risk according to the principles of risk management in PKO Bank Polski SA, considering their specific nature and scale of activity.

Reporting of operational risk

The Bank prepares reports concerning operational risk of the Bank and the entities of the Group on a quarterly basis. The reports are addressed to the Operational Risk Committee, the Bank’s Management Board and the Bank’s Supervisory Board. The reports contain, among others:

  • information on the operational risk profile of the Bank resulting from the process of identifying and assessing the threats for products, processes and IT software of the Bank,
  • information on the results of measuring and monitoring operational risk,
  • information on operating events and their financial effects,
  • the most important projects and initiatives as regards operational risk management,
  • recommendations or proposals of actions for the Operational Risk Committee or the Bank’s Management Board,
  • information about the utilisation level of the strategic tolerance limit and loss limits on operational risk.

Each month, information on operational risk is prepared and forwarded to members of the Bank’s Management Board and organisational units of the Bank responsible for system-based operating risk management. The scope of information is diversified and tailored to the scope of responsibilities of individual recipients of the information.

Management decisions concerning operational risk

Operational risk management is performed through systemic solutions as well as regular ongoing management of the risk. Systemic operational risk management is centralised at the PKO Bank Polski SA Head Office level. The ongoing operational risk management is conducted by every organisational unit of the Bank.

In order to manage the operational risk, the Bank gathers internal and external data about operating events and their causes, data on the operating environment, and data related to the quality of internal functional controls.

In order to mitigate exposure to operational risk, the following tools are used by the Bank:

  1. control instruments,
  2. human resources management instruments (proper staff selection, enhancement of professional qualification of employees, motivation packages),
  3. setting threshold values of Key Risk Indicators (KRI),
  4. tolerance and operational risk limits,
  5. contingency plans,
  6. insurance,
  7. outsourcing.

The instruments used for mitigating operating risk are selected depending on, among other things:

  1. availability and adequacy of risk-mitigating instruments,
  2. the nature of operations or of the process in which the operating risk was identified,
  3. materiality of the risk,
  4. the cost of using the instrument.

Additionally, the Bank’s internal regulations stipulate the duty to refrain from excessively risky operations, and if such operations are being conducted – to withdraw from them or to limit their scope. The level of operating risk is deemed to be excessive when the potential benefits from a given type of operation are lower than the potential operating losses.

If the level of operational risk is too high, the Bank takes the following actions:

  • risk avoidance – withdrawing from an activity that is too risky, or refraining from undertaking it, if there is no possibility of managing it,
  • reducing the scale of activities characterised by too high a level of risk, if the risk can be managed and actions reducing it can be taken,
  • risk transfer – insurance against the risk of operational events occurring, ensuring that operational risk is maintained at a level at which the Bank’s activities are not threatened.

The Group entities manage operational risk in accordance with the rules implemented by PKO Bank Polski SA, taking into account the specific nature of the business conducted by the Group entities.