64. Operational risk management

Operational risk is defined as the risk of occurrence of a loss due to non-compliance or unreliability of internal processes, people and systems or external events. Operational risk takes into account legal risk, and does not include reputational risk and business risk.

The objective of operational risk management is to enhance collateral of the operational activity pursued by the Bank by improving the efficient, tailored to the profile and the scale of operations mechanisms of identification, assessment and measurement, controlling, monitoring reduction and reporting of operational risk.

The Group’s entities manage operational risk according to principles of these risk management in PKO Bank Polski SA, considering the extent and nature of the relationship of entities included in the Group, their specific nature and scale of activities of particular entities.

64.1 Measurement and assessment of the operational risk

Measurement of operational risk at the Bank aims at defining the scale of threats related to the existence of operational risk with the use of defined risk measures. The measurement of operational risk comprises:

  • calculation of Key Risk Indicators (KRI),
  • requirement calculation of own funds for operational risk under the BIA approach in activities of the Bank’s branch in the Federal Republic of Germany and AMA with respect to the other activity of the Bank
  • stress-tests,
  • calculation of internal capital for the Group.

The operational risk self-assessment comprises identification and assessment of operational risk for Bank’s products, processes and applications as well as organisational changes and it is conducted cyclically and before the introduction of new or changed Bank’s products, processes and applications with the use of:

  • accumulation of data on operational events,
  • Information obtained during the measurement, monitoring and cooperation with Group entities and reporting of operational risk, including internal audits and safety audits.

64.2 Operational risk control

The objective of operational risk management is striving for maintaining the level of operational risk of the Bank and Group at fixed level.

Control of operational risk includes setting tailored to the scale and complexity of the Bank’s activities risk controls in the form of limits on operational risk, in particular the strategic limits of tolerance and operational risk, losses limits, KRI with thresholds and critical values.

64.3 Forecasting and monitoring of operational risk

Monitoring of operational risk aims at diagnosis of areas requiring management actions.

The Bank regularly monitors:

  • utilisation level of strategic tolerance and operational risk losses limits for the Bank,
  • operational events and their consequences,
  • results of operational risk self-assessment,
  • requirement in respect of own funds as regards to operational risk in accordance with the BIA approach in the activities of the branch of the Bank in the Federal Republic of Germany and in accordance with the AMA approach with respect to the remaining activity of the Bank and the Group companies included in consolidation, in accordance with the precautionary BIA approach,
  • the results of stress tests,
  • the level of risk, areas and tools for operational risk management,
  • key Risk Indicators (KRI), in relations to threshold and critical values,
  • effectiveness and timeliness of actions undertaken to reduce or transfer the operational risk,
  • management activities, related to the presence of elevated or high levels of operational risk and their effectiveness in reducing the level of operational risk.

In 2015, the dominant impact on the operational risk profile of the Group was exercised by the following entities: PKO Bank Polski SA, the PKO Leasing SA Group the and the KREDOBANK SA Group. Other Group entities, considering their significantly smaller scale and type of activity, generate only reduced operational risks.

64.4 Reporting of operational risk

Reporting on information concerning operational risk is being performed for the purposes of:

  • Bank’s internal requirements, particularly of the senior management staff, ORC, RC, the Management Board, the and the Supervisory Board,
  • external supervisory and control.

Reporting on information concerning operational risk of the Bank and Group entities for internal purposes is performed on a quarterly basis. Recipients of quarterly reports are ORC, RC, the Management Board, Supervisory Audit Committee, the Supervisory Board. Quarterly reports contain in particular information on:

  • the operational risk profile of the Bank resulting from the process of identifying and assessing the threats for products, processes and LDA measurement
  • operational risk level, areas and tools of operational risk management,
  • the results of measuring and monitoring of operational risk,
  • actions taken to reduce operational risk and evaluate the effectiveness of actions taken to reduce the operational risk level,
  • recommendation and decision of the ORC or the Management Board.

Each month, information on operational risk is prepared and forwarded to the members of the Management Board, the organisational units of the Head Office and specialised units as well as organisational units responsible for system-based operational risk management. The scope of information is diversified and tailored to the scope of responsibilities of individual recipients of the information 

64.5 Management decisions concerning operational risk management

The process of operational risk management is realised at the level of the entire Bank and at the levels of each system-based operational risk management areas. System-based operational risk management involves creation of solutions served for exercise of control by the Bank over the level of operational risk, enabling accomplishment of Bank’s objectives. The ongoing operational risk management is conducted by every employee of the Group in terms of their roles and responsibilities and involves prevention against materialisation of operational events arising during the product servicing, realisation of processes and use of applications as well as response on occurring operational events.

In order to manage the operational risk, the Bank gathers internal and external data about operational events and the causes and consequences of their occurrence, data on the factors of the business environment, results of operational risk self-assessment, data on KRI and data related to the quality of internal functional controls.

In order to mitigate exposure to operational risk, the following tools are used by the Bank:

  1. control instruments (authorisation, internal control, function distributivity),
  2. human resources management instruments (staff selection, enhancement of professional qualification of employees, motivation packages),
  3. determination or verification of threshold values of Key Risk Indicators (KRI),
  4. determination or verification of strategic tolerance limits and the Group’s operational risk limits,
  5. contingency plans,
  6. insurance,
  7. outsourcing.

Management actions are taken in especially under the following cases

  • on ORC’s initiative,
  • on the initiative of organisational units and cells of the Bank managing operational risk,
  • when operational risk exceeded levels described by Management Board or ORC.

Especially when the risk level is elevated or high, the Bank uses the following approach:

  • risk reduction – mitigating the impact of risk factors or consequences of its materialisation,
  • risk transfer – transfer of responsibility for covering potential losses on a third-party,
  • risk avoidance – resignation from activity that generates risk or elimination the probability of the occurrence of a risk factor.

The correctness of operational risk management process is reviewed within the following framework::

  • review of strategy and process of operational risk management,
  • self-assessment of compliance with AMA approach requirements,
  • validation of AMA approach,
  • internal audit.