Risk management in the Group

Risk management is one of the most important internal processes both in PKO Bank Polski SA and in other entities of the PKO Bank Polski SA Group. Risk management aims at ensuring an appropriate level of security and profitability of business activity in the changing legal and economic environment, and the level of the risks plays an important role in the planning process.

At the PKO Bank Polski SA Group the following types of risk have been identified, which are subject to management: credit risk, interest rate risk, currency risk, liquidity risk, price risk of equity instruments, operational risk, compliance risk, business risk (including strategic risk) and reputation risk. Derivatives risk is subject to special control due to the specific characteristics of these instruments.

The process of banking risk management in the Group consists of the following stages:

  • risk identification – the identification of actual and potential sources of risk and estimation of the significance of the potential influence of a given type of risk on the financial situation in the Group. Within the risk identification process, types of risk perceived as material in the banking activity, the entities of the Group and the whole Group’s activity are identified,
  • risk measurement and assessment – defining risk assessment tools adequate to the type and significance of the risk, data availability and quantitative risk assessment by means of defined tools, as well as risk assessment aimed at identifying the scale or scope of risk, taking into account the achievement of goals of risk management. Within risk measurement, stress tests are conducted on the basis of assumptions providing a fair risk assessment,
  • risk forecasting and monitoring – preparing risk level forecasts and monitoring deviations from forecasts and adopted reference points (e.g. limits, thresholds, plans, measurements from the previous period, issued recommendations and suggestions). Risk monitoring is performed with the frequency adequate to the materiality and volatility of a specific risk type,
  • risk reporting – periodically informing the Management of the Bank about the results of risk assessment, actions taken and recommendations. The scope, frequency and form of reporting are adjusted to the managing level of the recipients,
  • management actions – including, among others, issuing internal regulations, establishing the level of risk tolerance, establishing limits and thresholds, issuing recommendations, making decisions about the use of tools supporting risk management. The objective of taking management actions is to form the risk management and credit risk level.

The risk management process is described in the chart below:

Risk management in the Group is based in particular on the following principles:

  • the Group manages all of the identified types of banking risk,
  • the risk level is monitored on a current basis,
  • the risk management process is appropriate to the scale of the operations and to the materiality, scale and complexity of a given risk and tailored to new risk factors and sources on a current basis,
  • the risk management methods (in particular the models and their assumptions) and the risk measurement systems are tailored to the scale and complexity of the risk and verified and validated on a periodical basis,
  • the risk management process supports the pursuit of the Group’s strategy in keeping with the risk management strategy, in particular with regard to the level of tolerance of the risk,
  • the area of risk and debt recovery remains organisationally independent of business activities,
  • risk management is integrated with the planning and controlling systems.

Risk management in the Bank takes place in all of the organisational units of the Bank.

The organisation of risk management is presented in the chart below:

The risk management process is supervised by the Supervisory Board of the Bank, which is informed on a regular basis about the risk profile of the Bank as well as of the PKO Bank Polski SA Group and the most important actions taken in the area of risk management.

The Bank’s Management Board is responsible for risk management, including supervising and monitoring the actions taken by the Bank in the area of risk management. The Bank’s Management Board approves the most important decisions affecting the risk profile of the Bank and enacts internal regulations defining the risk management system.

The risk management process is carried out in three mutually independent lines of defence:

  1. the first line of defence, which is functional internal control that ensures using risk controls and compliance of the activities with the generally applicable laws,
  2. the second line of defence, which is the risk management system, including risk management methods, tools, process and organisation of risk management,
  3. the third line of defence, which is an internal audit.

The independence of the lines of defence consists of preserving organisational independence in the following areas:

  • the function of the second line of defence as regards creating system solutions is independent of the function of the first line of defence,
  • the function of the third line of defence is independent of the functions of the first and second lines of defence,
  • the function of managing the compliance risk reports directly to the Member of the Management Board of the Bank.

The first line of defence is performed in the organisational units of the Bank, the organisational units of the Head Office and entities of the Group and concerns the activities of those units and entities which may generate risk. The units, cells and entities of the Group are responsible for identifying risks, designing and implementing appropriate controls, including in the external entities, unless controls have been implemented as part of the measures taken in the second line of defence. At the same time the Group’s entities are obliged to have comparable and cohesive systems of risk control in the Bank and in the Group’s entities, taking into account the specific business characteristics of each entity and market conditions.

The second line of defence is performed, in particular, in the Risk and Debt Collection Area, the specialist organisational units of the Bank responsible for credit analyses, the organisational unit of the Head Office managing the compliance risk, as well as the organisational units of the Head Office responsible for controlling.

The third line of defence is performed as part of internal audit, including the audit of the effectiveness of the system of managing the risk relating to the Bank’s activities.

The organisational units of the Head Office of the Bank that are grouped within the Banking Risk Division, the Restructuring and Debt Collection Division, and the Credit Risk Assessment Department manage risk within the limits of competence assigned to them.

The Banking Risk Division is responsible for:

  • identifying risk factors and sources,
  • measuring, assessing, and monitoring and reporting risk levels (material risks) on a regular basis,
  • measuring and assessing capital adequacy,
  • preparing recommendations for the Management Board of the Bank or committees regarding the acceptable level of risk,
  • creating internal regulations on managing risk and capital adequacy,
  • developing IT systems dedicated to supporting risk and capital adequacy management.

The Restructuring and Debt Collection Department is responsible for:

  • recovering receivables from difficult clients swiftly and increasing the effectiveness of such measures,
  • effective and early monitoring of delays in the collection of receivables of retail market clients,
  • selling difficult receivables effectively and outsourcing the tasks carried out, as well as effective management of assets taken over as a result of recovering the Bank’s receivables.

The Analysis and Credit Risk Assessment Centre (Centrum Analiz i Oceny Ryzyka Kredytowego) is responsible for evaluating and verifying the level of credit risk assessed in respect of individual credit exposures which, due to the scale of the exposure, the client’s segment or the risk level, require independent assessment. In connection with the implementation of the T Recommendation by the Bank, the Analysis and Credit Risk Assessment Centre takes lending decisions in respect of individual clients.

Risk management is supported by the following committees:

  • Risk Committee (RC),
  • Assets & Liabilities Committee (ALCO),
  • Bank’s Credit Committee (BCC),
  • Central Credit Committee (CCC),
  • the Operating Risk Committee (ORC),
  • credit committees which operate in the regional retail and corporate branch offices.

The RC monitors the integrity, adequacy and efficiency of the bank risk management system, as well as capital adequacy and implementation of the risk management policies consistent with the Bank’s Strategy, and analyses and evaluates the application of strategic risk limits specified in the PKO Bank Polski SA’s Bank Risk Management Strategy.

The RC supports the Supervisory Board in the bank risk management process by formulating recommendations and making decisions concerning capital adequacy and the efficiency of the bank risk monitoring system.

ALCO makes decisions within the scope of granted authorisations and issues recommendations to the Bank’s Management Board with regard to portfolio credit risk management, interest rate risk management, currency risk, liquidity risk and the Bank’s asset and liabilities management. The Committee is chaired by the President of the Bank’s Management Board.

BCC makes loan decisions with regard to significant individual loan exposures, or issues recommendations in this respect to the Bank’s Management Board.

CCC supports the decisions taken by the relevant managing directors and the Bank’s Management Board members with its recommendations, and the credit committees operating in the regions support branch directors and directors of the Regional Corporate Branches in matters bearing a higher risk level.

ORC supports the Bank’s Management Board in the process of managing operating risk by:

  • giving recommendations, inter alia, as to the Bank's Management Board approval of the level of operating risk tolerance, operating risk limits reserved for the competences of the Bank's Management Board, defining operating risk stress tests and other activities related to systemic management of the operating risk,
  • taking decisions in respect of thresholds and critical values of key risk indicators (KRI), operating risk limits reserved for the competences of ORC, values of key parameters used in calculating value at risk (VaR) in respect of operating risk, and individual approach to outliers.

Moreover, ORC prepares operating risk management recommendations for member companies of the PKO Bank Polski SA Group, which are submitted to the Group’s entities as part of the Bank’s corporate governance.

The Bank supervises activities of the individual subsidiaries of the PKO Bank Polski SA Group. As part of this supervision, the Bank sets out and approves their development strategies, including the level of the risk. The Bank also supervises the entities’ risk management systems and provides support in the development of these systems. Additionally, it reflects business risk of the particular Group entities in the risk reporting and risk monitoring system of the entire Group.

The internal regulations concerning management of certain types of risk in the entities of the Group are defined by internal regulations implemented by those entities, after consulting the Bank’s opinion and having taken into account the recommendations issued to the entities by the Bank. The internal regulations of the entities concerning risk management allow for consistent and comparable assessment of particular types of risk within the Bank and entities of the Group, as well as reflect the specific nature of the entity’s activity and the market on which it operates.

PKO Bank Polski SA’s top priority is to maintain its strong capital position and to further increase its stable sources of financing underlying the stable development of business activity, while maintaining the priorities of efficiency and effective cost control.

On 21 June 2011 PKO Bank Polski SA obtained the consent of the Polish Financial Supervision Authority (PFSA) for applying statistical methods to calculate capital requirements for operating risk (AMA) as of 30 June 2011, with a temporary limitation (until the elimination of the PFSA conditions) on a decrease in capital requirements to no lower than the level of 75% of the requirement calculated by the standardised approach.

Moreover, in 2011 the PKO Bank Polski Group participated in stress tests organised by the EBA (European Banking Authority). The test results confirmed the Group’s strong equity position and significant resistance to potential negative market scenarios.

In 2011, actions were carried out in relation to the development of the credit risk measurement methodology in KREDOBANK SA aimed at adapting the solutions to IAS. Active efforts were also made to automate the crediting process, including the assessment of the credit risk by adapting and implementing a system analogous to the application used by PKO Bank Polski SA. Additionally, internal regulations related to the process of crediting individuals and legal entities were updated.

In 2011 actions started in the Bankowy Fundusz Leasingowy SA Group on amending the ‘Procedures for assessing the risk of lease transactions and the scoring methodology, and reconstruction of the decision-making process’. These, together with the new IT system, are planned to be implemented in 2012.

Identification of significant types of risk

The significance of the individual types of risk is established at the level of the Bank and of the Group’s entities. When determining the criteria for classifying a given type of risk as significant, the influence of that type of risk on the activities of the Bank, the Group’s entities and the whole Group is taken into account, and three types of risk are recognised:

  • considered as significant a priori – being managed actively,
  • potentially significant – for which significance monitoring is being made,
  • other non-defined or non-occurring in the Bank or Group types of risk (insignificant and non-monitored).

Based on quantitative and qualitative information, an assessment of the significance of given types of risk is performed in the Bank periodically. As a result of the assessment, a given type of risk is classified as significant or insignificant. A similar assessment is carried out periodically in the Group’s entities. Monitoring is conducted if a significant change in activities took place or the profile of the Bank or the Group changed.