Other risks

Compliance and conduct risk management

Definition

Compliance risk is defined as the risk of legal sanctions, incurring financial losses or loss of reputation due to the failure of the Group, its employees or entities acting on its behalf to comply with the provisions of the law, internal regulations, standards adopted by the Group, including market standards.

Conduct risk is the risk of damages arising on the part of: 1) the customer, 2) the Group, including its credibility, 3) financial markets, with regard to their credibility, as a result of inappropriate action (also unintentional) or omission by the Group, its staff or related entities, with regard to offering and providing financial services.
Risk management objective

The objectives of compliance and conduct risk management are as follows:

  • strengthening the image of the Group as an institution acting in accordance with the law and the accepted market standard, trustworthy, reliable and fair, among the Group’s shareholders, customers, employees, business partners and other market participants;
  • preventing financial losses, legal penalties or loss of reputation which may result from breaching the law, the Group’s internal regulations and the market standards adopted by the Group;
  • preventing losses on the part of the Group’s customers, which may result from inappropriate conduct (also unintentional) or omission by the Group, its staff or related entities, with regard to offering and providing financial services.
Identification

To identify and assess the compliance and conduct risks, information on compliance incidents and their reasons is used, including information resulting from internal audits, internal controls and external inspections.

Identification and assessment of compliance and conduct risks is based mainly on the following:

  1. estimating the potential impact of non-compliance;
  2. the results of operational risk self-assessment;
  3. the results of a review and assessment of the adequacy and effectiveness of control mechanisms;
  4. information on irregularities identified during internal controls;
  5. an evaluation of the existence of additional risk of non-compliance with the law.

During the assessment, the nature and the potential scale of the losses are identified, together with the possible ways of mitigating or eliminating the compliance risk. The assessment is conducted in the form of workshops.
Monitoring

Monitoring the compliance and conduct risk is performed using information provided by the Bank’s organizational units and consists of:

  • analysing compliance incidents occurring in the Group and in the banking sector, their reasons and effects;
  • evaluating changes in the key legal regulations affecting the operations of the Bank and the Group;
  • evaluating actions undertaken by the Bank and the Group companies as part of compliance risk management;
  • evaluating the effectiveness and adequacy of the controls relating to mitigation of the compliance risk;
  • analysing information on the status of the major projects conducted within the Group to ensure compliance with the generally applicable provisions of the law, market standards adopted by the Group and information from external regulatory and inspection bodies;
  • analysing information on operational events, security incidents, disputes (including court cases) against the Group, complaints and irregularities relating to conduct risk.
Reporting

The reporting of compliance risk and conduct risk takes the form of quarterly reports addressed to the Risk Committee, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board, and information submitted for the purposes of external regulatory and inspection bodies.
Management actions

Compliance risk management covers, in particular, the following issues:

  • preventing the Group from engaging in illegal activities;
  • promoting ethical standards and monitoring their application;
  • managing conflicts of interests;
  • preventing situations in which the Group’s employees could be perceived as pursuing their own interest in a professional context;
  • professional, fair and transparent formulation of the product offer, advertising and marketing communication;
  • ensuring data protection;
  • prompt, fair and professional consideration of the customers’ complaints, suggestions and claims;
  • preventing situations when a product which does not meet a customer’s needs is offered;
  • determining an adequate manner and form of offering a product, depending on the product’s character;
  • monitoring sales and the fair execution of the agreements concluded with customers.
The Group has adopted a zero tolerance policy against compliance risk, which means that the Group focuses its actions on eliminating this risk.

Business (strategic) risk management

Business risk is the risk of failing to achieve the adopted financial targets, including incurring losses, due to adverse changes in the business environment, taking bad decisions, incorrectly implementing the decisions made, or not taking appropriate actions in response to changes in the business environment.
Risk management objective

Maintaining, on an acceptable level, the potential negative financial consequences resulting from adverse changes in the business environment, making wrong decisions, improperly implementing the adopted decisions or not taking appropriate actions in response to changes in the business environment.
Risk identification and measurement

Risk identification consists of determining both existing and potential factors arising from the current and planned activities of the Group which may significantly affect the Group’s financial position and the level of the Group’s income and expenses. Business risk identification is performed by identifying and analysing the factors which contributed to significant deviations in the actual income and costs from their budgeted values.

The measurement of business risk is aimed at defining the scale of threats related to the existence of business risk using the adopted risk measures. The measurement of business risk includes: calculating internal capital, conducting stress-tests and backtesting.
Risk control

Control of business risk is aimed at maintaining it at an acceptable level. It involves setting and periodic review of the risk controls in the form of tolerance limits on business risk along with its thresholds and critical values, tailored to the scale and complexity of the Group.
Risk forecasting and monitoring

Forecasting of the business risk is intended to determine the anticipated extent of achievement of the planned results by the Group. Forecasts are prepared on a quarterly basis with a 1-year horizon and include a forecast of internal capital. Business risk forecasts are verified on a quarterly basis (backtesting).

Business risk is monitored to identify areas which require management action. Business risk monitoring includes:

  • strategic limits of business risk tolerance;
  • results of stress tests;
  • results of backtesting;
  • internal capital level;
  • deviations in business risk materialization from the forecast;
  • results of a qualitative assessment of the business risk.
Reporting

Reporting is performed on a quarterly basis. The reports on the business risk level are addressed to the ALCO, the RC, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board.
Management actions

Management actions involve, in particular:

  • verifying and updating quarterly financial forecasts, including actions aimed at lowering the business risk level in accordance with the limits;
  • monitoring the level of the strategic limit of tolerance to business risk.

Reputation risk management

Definition

The reputation risk is understood as the risk of a deterioration in reputation among customers, counterparties, investors, supervisory and inspection authorities, and the general public, as a result of business decisions adopted, operating events, instances of non-compliance or other events.
Risk management objective

The objective of managing reputation risk is to protect the Group’s reputation by preventing reputation losses and mitigating the negative effect of image-related events on the Group’s reputation.
Identification

Identifying reputation risks covers the developments observed in the Group’s internal processes and in its external environment, including in particular: image-related events and factors related to the business environment, i.e. quantitative and qualitative information, including especially the data which describes the Group and its external environment, which suggest the existence of reputation risk.
Assessment

An assessment of the reputation risk involves evaluating the impact of image-related events on the Group’s reputation, and in particular, quantifying and determining the severity of reputation losses. The evaluation of a reputation loss includes the impact, credibility and the opinion-forming potential of the disclosure of an image-related event to the public.
Monitoring

Monitoring reputation risk consists of regularly assessing the reputation risk measures compared to the adopted thresholds. The level of reputation risk is determined based on the reputation risk measures.
Reporting

Information on the reputation risk is reported in the form of:
  1. a semi-annual management report addressed to the Risk Committee, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board. 
  2. ad-hoc information on current events having a material impact on the Group’s reputation, addressed to the President of the Management Board and to his Office. 
  3. information included in the Bank’s and the Group’s financial statements and provided at the request of the external supervisory and inspection bodies.
Management actions

Based on the specific level of reputation risk, management actions are taken. These may involve:
  1. analysing the reasons behind a specific level of risk; 
  2. evaluating the effects of such a level of risk occurring; 
  3. developing suggestions of the management actions to be taken in order to reduce the level of reputation risk or a justification for refraining from taking such action if not needed, e.g. in the event of incidental extraordinary events occurring.

Model risk management

Definition

Model risk is the risk of incurring losses as a result of making incorrect business decisions based on the existing models. Within the Group, model risk is managed both at the level of a given Group entity (an owner of the model) and at the level of the Bank as the Group’s parent company.
Risk management objective

The objective of model risk management is to mitigate the level of risk of incurring losses as a result of making incorrect business decisions on the basis of existing models in the Group through a well-defined and implemented model management process. One of the elements of the model management process is to regularly perform independent validation of all significant models in the Group.
Risk identification, measurement and assessment

Identification of the model risk consists of, in particular, collecting information about the existing models and models planned to be implemented as well as periodically determining the materiality of the models.

Model risk evaluation is aimed at determining the scale of the threats associated with the occurrence of the model risk. The evaluation is made at the level of each model as well as on an aggregate basis at the level of the Group.

Risk control

Control of the model risk is aimed at maintaining an aggregate evaluation of the model risk at a level which is acceptable to the Group. Control of the model risk consists in determining the mechanisms used to diagnose the model risk level and tools for reducing the level of this risk. The tools used to diagnose the model risk include, in particular, a strategic limit of tolerance to the model risk and the thresholds for the model risk.
Monitoring

Periodical monitoring of the model risk is aimed at diagnosing areas requiring management actions and includes, in particular:

  • updating the model risk level; 
  • evaluating the utilization of the strategic limit of tolerance to the model risk and the thresholds of the model risk; 
  • verifying the stage of implementation and evaluating the effectiveness of the implementation of actions intended to mitigate the model risk.
Reporting

The results of model risk monitoring are presented periodically in reports addressed to the RC, the Management Board, and the Supervisory Board.
Management actions

The purpose of management actions is to shape the model risk management process and to affect the level of this risk, in particular by determining acceptable risk levels and making decisions about the use of tools supporting model risk management.

Macroeconomic risk management

Definition

Macroeconomic risk is the risk of a deterioration in the Group’s financial position as a result of the adverse impact of changes in macroeconomic conditions.
Risk management objective

The objective of macroeconomic risk management is to identify macroeconomic factors having a significant impact on the Group’s activities and to take actions to reduce the adverse impact of the potential changes in the macroeconomic situation on the financial position of the Group.
Risk identification, measurement and assessment

Identification of the risk of macroeconomic changes consists in determining scenarios of the potential macroeconomic changes and determining those risk factors which have the greatest impact on the financial position of the Group. Macroeconomic risk arises due to the impact of both factors which depend on the Group’s activities (in particular, the structure of the balance sheet and response plans prepared for the purposes of stress test scenarios) and those which are independent of it (macroeconomic factors). The Bank identifies factors which contribute to the level of macroeconomic risk when conducting comprehensive stress tests. The risk of macroeconomic changes is measured in order to determine the scale of threats associated with the occurrence of macroeconomic changes.

Macroeconomic risk measurement includes:

  • calculating the profit or loss and its components, and the risk measures, as part of the comprehensive stress tests; 
  • backtesting; 
  • calculating the internal capital level; 
The risk of macroeconomic changes is assessed on a yearly basis, based on the results of periodical comprehensive stress tests. The level of macroeconomic risk is described as moderate, elevated or high.
Risk control

Control of the risk of macroeconomic changes is intended to mitigate the adverse effect of the potential changes in the macroeconomic developments on the financial position of the Group.

Macroeconomic risk control consists of determining the acceptable level of the risk, tailored to the scale of the Group’s operations, and the impact of the risk on the Group’s operations and financial position. An acceptable level of the risk of macroeconomic changes means a situation where stress test results do not signal a need to take any corrective measures, or the corrective measures which need to be taken will be sufficient to improve the financial position of the Group.
Risk forecasting and monitoring

Forecasting the macroeconomic risk is intended to determine the anticipated impact of the future materialization of an adverse scenario on the Bank’s results, including its capital. The forecast includes a forecast of the internal capital and is prepared on a quarterly basis with a 1-year horizon based on the results of comprehensive stress tests.

Monitoring the macroeconomic risk consists in analysing macroeconomic developments, the macroeconomic factors to which the Group is sensitive, the level of the risk and the results of comprehensive stress tests.  
Reporting

Reports on the macroeconomic risk are prepared on a quarterly basis. The reports are addressed to the ALCO, the RC, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board.
Management actions

Management actions involve, in particular:

  • determining acceptable levels of risk; 
  • proposals of actions aimed at reducing the level of risk in the event of an elevated or high risk of macroeconomic changes.  

Capital risk management

Definition

Capital risk is the risk of failing to ensure an appropriate level and structure of own funds and of being unable to ensure a level of capital which is adequate to the risk borne by the Bank in connection with its operations, is necessary to absorb unexpected losses and complies with the regulatory requirements which enable the Bank to continue to operate independently.
Risk management objective

The objective of managing the capital risk is to ensure an appropriate level and structure of own funds, with respect to the scale of the operations and risk exposure of the Group and the Group, taking into account the assumptions of the Group’s dividend policy as well as supervisory instructions and recommendations concerning capital adequacy.
Risk identification and measurement

The capital risk level for the Group is determined based on the thresholds and strategic tolerance limits, including, among other things, the total capital ratio and basic capital (Tier 1) ratio.

The capital risk level is determined as follows:

  1. low level – when all capital adequacy measures exceed the thresholds; 
  2. elevated level – when at least one adequacy measure is lower than the respective threshold and no capital adequacy measure is lower than the strategic tolerance limit; 
  3. high level - when at least one capital adequacy measure is lower than the strategic tolerance limit.
Monitoring

The Group regularly monitors the level of capital adequacy measures in order to determine the degree of compliance with the supervisory standards, internal strategic limits, and to identify instances which require taking capital contingency actions.

Should a high level of capital risk be identified, the Group takes measures to bring capital adequacy measures to a lower level, taking into account the assumptions of the dividend policy as well as the supervisory instructions and recommendations concerning capital adequacy.

Insurance risk management

Definition

Insurance risk is the risk of a loss or of an adverse change in the value of insurance liabilities resulting from inadequate pricing and provisioning assumptions (in particular for technical provisions).
Risk management objective

The objective of insurance risk management is to achieve the company’s targets while maintaining exposure to the said risk on an acceptable level, and ensuring the company’s solvency.
Risk identification, measurement and assessment

The exposure to insurance risks in the Group relating to insurance companies is monitored and shaped in accordance with the adopted risk management strategy.

In PKO Życie Towarzystwo Ubezpieczeń SA (PKO Życie), the type of prevailing insurance risk depends on the type of product in the Company’s portfolio:

  • insurance products where the benefit is determined based on specific indices or other underlying values and insurance products with a capital fund – mainly the risk of withdrawal from the contract;
  • protection products:
      • mortality and claims risk;
      • negative selection (decreasing risk);
  • for all products – the risk associated with volatility of the future unit costs (which depend on the size of the portfolio and the level of the company’s total costs).

PKO Towarzystwo Ubezpieczeń S.A. (PKO TU), which started operating in 2016, is exposed to the following types of insurance risk:

  • unearned premium and reserve risk;
  • catastrophic risk;
  • contract withdrawal risk.

The type of prevailing risk depends on the type of product:

  • multi-annual loss of source of income insurance contracts – unearned premium and reserve risk;
  • property insurance – catastrophic risk (flood).

In order to reduce its exposure to insurance risk, PKO Życie and PKO TU apply, among others, the following measures:

  • reinsurance of the risks (mortality and morbidity), including the catastrophic risk;
  • grace periods;
  • exemptions;
  • retention actions.

Ceded reinsurance of the insurance companies is performed based on the following agreements:

  • quota share and surplus treaties;
  • proportional reinsurance contracts, obligatory or facultative-obligatory;
  • catastrophe reinsurance and excess of loss reinsurance contracts.

In the case of new products and risks, PKO Życie and PKO TU select the reinsurer, level of protection, conditions of reinsurance, update the concluded reinsurance contracts, if appropriate, or conclude new reinsurance contracts in relation to the newly introduced or modified insurance products and new risks.

The measurement of the insurance risk in insurance companies is performed as part of the analysis of contract withdrawals, claims ratio analysis, the analysis of the amounts of assets to cover technical reserves (APR), and an annual analysis of shock scenarios – stress tests conducted as part of the process of the risk and solvency self-assessment. PKO Życie and PKO TU have implemented the requirements of the new Solvency II regulations and have been calculating capital ratios under the new regime since 1 January 2016.
Monitoring

As part of risk monitoring, PKO Życie and PKO TU implemented a number of mechanisms such as setting and reviewing limits, ensuring the operation of the relevant processes and taking care of the adequacy of reinsurance products and programs.
Reporting

In PKO Życie and in PKO TU, the reporting of insurance risk is provided in the form of periodical reports to the Management Board and for the Asset and Liabilities Committee, and the Risk Committee of the Supervisory Board.

 

Assets to cover technical reserves (APR) remained at a sufficient level (over 100%) and had an appropriate structure. As at the end of 2017, the aggregate assets to reserves ratio amounted to 106% for PKO Życie and 132% for PKO TU.

Management of the risk of excessive leverage

Definition

The risk of excessive financial leverage is the risk resulting from vulnerability to threats resulting from financial leverage or conditional financial leverage which may require taking unintended action to adjust business plans, including an emergency sale of assets which could result in losses or the need to adjust the valuation of other assets.
Risk management objective

The objective of managing the risk of excessive leverage is to ensure an appropriate objective relationship between the amount of the core capital (Tier 1) and the total of balance sheet assets and off-balance sheet liabilities granted by the Group.
Identification, assessment and measurement

Risk identification consists of recognizing the existing and potential sources of risk and estimating the significance of their potential impact on the Bank’s and the Group’s operations.

For the purpose of measuring the risk of excessive financial leverage, a leverage ratio is calculated as a measure of Tier 1 capital divided by the measure of total exposure and is expressed as a percentage rate. The Group calculated the leverage ratio as at the reporting date. As at 31 December 2017, the leverage ratio is calculated both with reference to Tier 1 capital and in accordance with the transitional definition of Tier 1 capital. When assessing the risk of excessive leverage, the mismatch of assets and liabilities ratio is also used.
Monitoring and forecasting

The risk of excessive leverage is monitored on a quarterly basis by verifying:

  • the current level of the leverage ratio, by comparing it with the strategic tolerance limits and threshold;
  • deviation of the leverage ratio from forecasts. 


Leverage ratio forecasts are prepared on a quarterly basis. The level of the excessive leverage ratio is described as low – when the leverage ratio is equal to or lower than the threshold, elevated – when the leverage ratio is lower than the threshold and equal to or higher than the strategic tolerance limit, or high – when the leverage ratio is below the strategic tolerance limit.

Risk control

The objective of the control over the risk of excessive leverage is to maintain the Bank’s risk at an acceptable level. To maintain the risk of excessive leverage at an acceptable level, a tolerance limit and a threshold for the ratio are determined.
Reporting

Reporting is performed on a quarterly basis. Reports on the excessive leverage risk include the current and forecast levels of the leverage ratio in relation to the strategic tolerance limits and the threshold. Information on the level of risk of excessive leverage is presented in the “Report on Capital Adequacy of PKO Bank Polski SA”. The reports on the level of the risk of excessive leverage are addressed to ALCO, the RC, the Management Board, the Risk Committee of the Supervisory Board, and the Supervisory Board.
Management actions

In the event of a high or elevated risk level, proposals for management actions are developed, taking into account the current macroeconomic situation and the costs of the actions proposed. The impact of the recommended management actions on the level of risk of excessive leverage is identified.

As part of updating quarterly financial forecasts and developing the financial plan, management actions intended to reduce the level of risk of excessive leverage to an acceptable level are taken into account,