Operational risk is defined as the risk of a loss occurring due to non-compliance or unreliability of internal processes, people and systems, or due to external events. Operational risk includes legal risk but does not include the risk of losing reputation or business risk.
The objective of operational risk management is to enhance the security of the operational activity pursued by the Bank by improving efficient mechanisms, tailored to the profile and scale of operations, for the identification, assessment and measurement, monitoring, reduction and reporting of operational risk.
The process of operational risk management is carried out at the level of the entire Bank and at the level of each system-based operational risk management area. System-based operational risk management involves creating solutions that allow the Bank to exercise control over the level of operational risk, enabling the accomplishment of the Bank’s objectives. Ongoing operational risk management is conducted by every employee of the Group within their roles and responsibilities. The aim of ongoing operational risk management is to prevent the materialisation of operational events and to detect and react to operational events that occur.
For the purposes of operational risk management, the Bank collects external data about operational events that occurred in the Bank and in other banks, including their causes and effects, data about business environment factors, results of the self-assessment of operational risk, data on Key Risk Indicators (KRI) of operational risk and data on the quality of functional internal control.
Operational risk management also includes the self-assessment of operational risk for the Bank’s products, processes and applications, as well as for organisational changes.
Measurement of operational risk comprises: calculation of KRI; calculation of the own funds requirement in respect of operational risk, in accordance with the BIA for the activities of the Bank’s branch in the Federal Republic of Germany, in accordance with the AMA for the other operations of the Bank, and in accordance with the BIA for the Group entities under the precautionary consolidation; stress-tests; and calculation of internal capital for the Group.
The control of operational risk includes setting mechanisms, tailored to the scale and complexity of the Group’s activity, in the form of limits on operational risk, in particular the strategic limits of tolerance on operational risk, the losses limit, and KRI along with thresholds and critical values.
The Bank monitors the operational risk level to diagnose areas requiring management and monitoring actions. Monitoring relates in particular to operational risk limits, operational events and their effects, results of self-assessment, the own funds requirement in respect of operational risk in accordance with the AMA and BIA approaches, stress-tests and the values of KRI.
The Bank uses various solutions to limit its exposure to operational risk, including the following:
- control instruments (including authorization, internal control, separation of functions),
- human resources management instruments (staff selection, enhancement of professional qualification of employees, incentive systems),
- setting or verification of thresholds and critical values of KRI,
- setting or verification of operational risk for the Group,
- contingency plans,
- insurance,
- outsourcing.
If the risk level is elevated or high, the Bank applies the following approach:
- risk reduction – mitigating the impact of risk factors or the consequences of their materialisation,
- risk transfer – transfer of responsibility for covering potential losses to a third party,
- risk avoidance – resignation from the activity that generates risk or elimination of the probability of the occurrence of a risk factor.
The correctness of the operational risk management process is verified through the review of the strategy and process of operational risk management, self-assessment of compliance with AMA approach requirements, validation of the AMA approach and internal audit.
The Group entities manage operational risk in accordance with the rules for managing this risk implemented in PKO Bank Polski SA, taking into account the scope and nature of the relations between the Group entities and the specific nature and scale of the business conducted by individual entities.
In 2015, the dominant impact on the operational risk profile of the Group was exerted by 3 entities: PKO Bank Polski SA, the PKO Leasing SA Group and the KREDOBANK SA Group. The other Group entities, considering their significantly smaller scale and type of activity, generate only reduced operational risk.