Operational risk management

Definition

Operational risk is defined as the risk of losses being incurred due to a failure or the unreliability of the internal processes, people and systems or due to external events. Operational risk includes legal risk and excludes reputation risk and business risk.

Risk management objective

The objective of operational risk management is to enhance the safety of the operational activities conducted by the Group by improving the efficiency – tailored to the profile and the scale of operations – of the mechanisms for identifying, assessing, measuring, controlling, monitoring, mitigating and reporting operational risk.

Risk identification and measurement

Operational risk management comprises the identification of operational risk, in particular through collecting data about operational risk and the self-assessment of operational risk.

In order to manage the operational risk, the Bank gathers internal and external data about operational events and the causes and consequences of their occurrence, data on the factors of the business environment, results of operational risk self-assessment, data on KRI and data related to the quality of internal functional controls.

The operational risk self-assessment comprises the identification and assessment of the operational risk for the Bank’s products, processes and applications as well as organizational changes and it is conducted cyclically and before the introduction of new or changed Bank products, processes and applications.

The measurement of operational risk comprises:

  • calculating Key Risk Indicators (KRI);
  • calculating the requirement for own funds to cover operational risk under the AMA approach (the Bank) and the BIA approach (the German and Czech Branches and the Group companies covered by prudential consolidation);
  • stress-tests;
  • calculating the Group’s internal capital.

Risk control

Control of operational risk includes setting up risk controls tailored to the scale and complexity of the Bank’s and Group’s activities, in the form of limits on operational risk, in particular the strategic limits of tolerance to operational risk, loss limits, KRIs with thresholds and critical values.

Risk forecasting and monitoring

The following measures are monitored by the Group on a regular basis:

  • utilization of the strategic tolerance and operational risk losses limits for the Bank;
  • operational events and their consequences;
  • results of the operational risk self-assessment;
  • the requirement in respect of own funds to cover operational risk, in accordance with the BIA approach in the case of the German and Czech Branches and in accordance with the AMA approach in the case of the remaining activity of the Bank, and in accordance with the BIA approach in the case of Group companies included in prudential consolidation;
  • the results of stress tests;
  • Key Risk Indicators (KRI) in relation to threshold and critical values;
  • the risk level for the Bank and the Group, and for the operational risk management areas and tools within the Bank;
  • the effectiveness and timeliness of actions undertaken to reduce or transfer operational risk;
  • management actions relating to the presence of elevated or high levels of operational risk and their effectiveness in reducing the level of operational risk.

In 2017, the following entities had a decisive impact on the operational risk profile of the Group: PKO Bank Polski, Qualia Development, the PKO Leasing SA Group and the KREDOBANK SA Group. Other Group entities, considering their significantly smaller scale and type of activity, generate only limited operational risks.

Reporting

Reporting of information concerning operational risk is performed for the needs of the senior management staff, the ORC, the RC, the Management Board and the Supervisory Board. Each month, information about operational risk is prepared and forwarded to the ORC, senior management staff, the organizational units of the Head Office and specialist organizational units responsible for system-based operational risk management. The scope of the information is diversified and tailored to the scope of responsibilities of individual recipients of information.

Management actions

Management actions are taken in the following cases:

  • on the initiative of the ORC or the Management Board;
  • on the initiative of organizational units and cells of the Bank managing operational risk;
  • when operational risk has exceeded the levels determined by the Management Board or ORC.

In particular when the risk level is elevated or high, the Bank uses the following approach and instruments to manage the operational risk:

  • risk reduction – mitigating the impact of risk factors or the consequences of its materialization by introducing or strengthening various types of instruments for managing operational risk such as: control instruments, human resources management instruments, determination or verification of thresholds and critical KRIs, determination or verification of operational risk levels, and contingency plans;
  • risk transfer – transfer of responsibility for covering potential losses to a third party: insurance and outsourcing;
  • risk avoidance – withdrawal from the risk-generating activity or elimination of the probability of the risk materializing.