Objectives, principles and process of risk management
Risk management is one of the key internal processes, both in PKO Bank Polski SA, and in other entities of the PKO Bank Polski SA Group. Risk management is aimed at ensuring the profitability of business activities while ensuring control over the risk level and maintaining it under the risk tolerance framework and the limits system adopted by the Bank and the Group in the changing macroeconomic and legal environment. The risk level is a significant factor in the planning system.
In the PKO Bank Polski SA Group the following risks were identified which are subject to management (risks considered to be material are underlined): credit, credit concentration, risk of foreign currency mortgage loans, interest rate risk, currency risk, liquidity risk (including risk of financing), commodity price risk, equity securities price risk, other price risks, derivatives risk, operational risk, non-compliance risk, macroeconomic risk, models risk, business (including strategic) risk, reputation risk, risk of proceedings, equity risk, risk of excessive leverage and insurance risk.
A detailed description of management policies for particular risks is presented in the Report on Capital Adequacy and Other Information Subject to Publication of the PKO Bank Polski SA Group.
Objectives of risk management
By striving to keep the level of risk within the accepted level of tolerance, risk management aims:
- to protect shareholder equity;
- to protect customer deposits;
- to support the Group in conducting effective activities.
The objectives of risk management are achieved, in particular, by providing appropriate information about risk, so that decisions can be made with the full awareness of the individual risks they carry.
Main principles of risk management
Risk management at the Group is based, in particular, on the following principles:
- the Group manages all identified types of risk;
- the risk management process is appropriate to the scale of operations and to the materiality, scale and complexity of the given risk and is constantly adapted to new factors and sources of risk;
- risk management methods (in particular, models and their assumptions), as well as risk measurement or assessment systems are adapted to the scale and complexity of the risk, the current and planned operations of the Group and the environment in which the Group operates and are periodically verified and validated;
- the area of risk management and debt recovery is kept organizationally independent of business operations;
- risk management is integrated with the planning and controlling systems;
- the risk level is constantly monitored;
- the risk management process supports the implementation of the Bank’s strategy while complying with the risk management strategy, in particular regarding the level of tolerance of risk.
Risk management process
The Group’s risk management process comprises the following elements:
Risk identification involves the identification of current and potential sources of risk and estimating the materiality of its potential impact on the Bank’s and the Group’s financial position. As a part of the risk identification, those types of risk, which are considered material in the Bank’s and the Group’s activities, are taken into consideration.
Risk measurement and assessment
Risk measurement encompasses the definition of the measures of risk which are adequate to its type, the materiality of the risk and the availability of data as well as quantitative risk quantification with the use of the defined measures and risk assessment involving the determination of the size or scope of risk from the point of view of the objectives of risk management. Within the framework of risk measurement, work related to the valuation of the individual types of risk for the purposes of the pricing policy is conducted, as are stress tests based on assumptions assuring reliable risk assessment. The stress testing scenarios include the requirements arising from the recommendations of the Polish Financial Supervision Authority. Additionally, comprehensive assessment stress tests (CASTs) are conducted in the Group, which constitute an integral part of risk management and supplement the stress tests which are peculiar to the individual types of risk. CASTs include an analysis of the impact of changes in the environment (especially the macroeconomic situation) and the functioning of the Bank on the Group’s financial position.
Risk control involves the definition of the tools used to diagnose or reduce the level of risk in individual areas of the Group’s operations. It includes the determination of the risk management mechanisms which are adapted to the scale and complexity of the Bank’s and Group’s activities, in particular in the form of strategic limits of tolerance for individual types of risk.
Risk forecasting and monitoring
Risk forecasting and monitoring involves preparing forecasts of the level of risk and monitoring variances from the forecasts or assumed reference points (e.g. limits, threshold values, plans, measurements from the previous period and recommendations issued by the supervisory and control body), as well as testing extreme conditions (specific and comprehensive). Risk level forecasts are subject to verification. Risk is monitored at a frequency which is adequate to the materiality of a given type of risk and its volatility.
Risk reporting involves periodically informing the Bank’s authorities about the results of risk measurement or risk assessment, the steps taken and the recommended actions. The scope, frequency and form of reporting are adapted to the management level of the recipients.
Management actions involve, in particular, issuing internal regulations determining the process of managing individual types of risk, determining the level of risk tolerance, setting the level of the limits and threshold values, issuing recommendations, and decision-making, including on the use of tools supporting risk management. The objective of taking management actions is to define the risk management process and the level of risk.
The Group’s risk management process
The Bank supervises the operations of the PKO Bank Polski SA Group. This supervision consists of the Bank supervising risk management systems in entities and supporting their development, as well as accounting for the level of operational risk of particular entities under the risk monitoring and reporting system at the Bank’s Group level.
In the Bank, risk management is performed in all entities and organizational units of the Bank.
The organization of risk management in PKO Bank Polski SA is shown in the diagram below:
The risk management system is supervised by the Bank’s Supervisory Board, which controls and assesses its adequacy and effectiveness. The Supervisory Board assesses whether individual elements of the risk management system are used to ensure the correctness of the process of specifying and implementing the Bank’s specific objectives. In particular, it verifies whether the system uses formalized principles for determining the level of risk accepted and the principles of risk management, as well as formalized procedures which have the objective of identifying, measuring or estimating and monitoring the risk appearing in the Bank’s operations, including the expected level of risk in the future. It verifies whether the risk management system uses formalized limits that reduce the risk and rules of conduct if these limits are exceeded and whether the accepted management reporting system enables the level of risk to be monitored. The Supervisory Board assesses whether the risk management system is continuously adapted to new factors and sources of risk. The Supervisory Board is supported, inter alia, by the following committees: the Supervisory Board’s Remuneration Committee, the Supervisory Board’s Risk Committee and the Supervisory Board’s Audit Committee.
In terms of risk management, the Bank’s Management Board is responsible for strategic risk management, including supervision and monitoring of activities undertaken by the Bank regarding risk management. It makes the most important decisions that affect the Bank’s risk profile and adopts the Bank’s internal rules on risk management. In risk management, the Management Board is supported by the following committees operating at the Bank:
- the Risk Committee;
- the Asset and Liability Management Committee;
- the Bank’s Credit Committee;
- the Operational Risk Committee.
The risk management process is performed on three independent, complementary levels:
- The First Level – consists of the product management organization structures selling products and supporting customers, as well as other structures performing operational tasks that generate risk, which operate under separate internal rules. The function is performed in all of the Bank’s organizational units, at the organizational units of the Headquarters and entities of the Group. The entities and organizational units of the Head Office implement appropriate risk controls designed by the Second Line of Defence entities and organizational units of the Head Office, in particular limits, and make certain that they are abided by through implementing appropriate controls. At the same time, the Bank’s Group companies are bound by the cohesion and comparability of risk assessment and control in the Bank and in entities of the Bank’s Group, taking into consideration the specific nature of the entity and the market on which it operates.
- The Second Level – encompasses the activities of the compliance unit, as well as the identification, measurement, assessment or control, monitoring and reporting of material risks, as well as the threats and irregularities that are identified – the tasks are performed by specialized organizational structures operating on the basis of the Bank’s applicable internal regulations; the objective of these structures is to ensure that the activities implemented at the first level are properly regulated in the Bank’s internal regulations and effectively reduce risk, as well as supporting the measurement, assessment and analysis of risk and the efficiency of operations. The second level supports activities undertaken which are intended to eliminate unfavourable variances from the financial plan in terms of the amounts affecting the quantified strategic risk tolerance limits contained in the financial plan. This function is performed in particular in the Risk Management Area, Compliance Department, and the respective committees.
- The Third Level – is the internal audit, which performs independent audits of elements of the Bank’s management system, including the risk management system, as well as the internal control system; the internal audit operates separately from the first and second levels and can support the activities performed there through consultations, but without the ability to influence the decisions that are made.
Independence of the levels involves maintaining organizational separateness in the following areas:
- the second level function regarding the creation of system solutions is independent of the first level functions,
- the third level function is independent of the first and second level functions.
The Group’s risk management
Internal regulations relating to managing particular risks in entities of the Group are specified in the internal regulations implemented by those entities after consulting the Bank for an opinion and in consideration of the Bank’s recommendations. Entities’ internal risk management regulations are implemented based on the principle of cohesion and the comparability of assessing particular risks to which the Bank and Group entities are exposed, taking into consideration the scope and type of relations between Group entities, the specific nature and scale of their operations and the market on which they operate.
Risk is managed in the Group entities in particular by:
- engaging entities from the Bank’s Risk Management Area or relevant Bank committees to give opinions on large transactions of the Group entities;
- giving opinions on and reviewing the internal regulations relating to risk management in particular entities of the Bank’s Group by entities from the Bank’s Risk Management Area;
- reporting on the Group’s risks to appropriate committees of the Bank or the Management Board;
- monitoring strategic limits of risk tolerance in the Group.
The Group’s risk management is based, in particular, on the following principles:
- The Group manages all the risks identified;
- The risk management process is appropriate from the perspective of the scale of operations and materiality, scale and complexity of a given risk, and adjusted on an on-going basis to take account of the new risks and their sources;
- Risk management methods (especially models and their assumptions) and risk management measurement or assessment systems are tailored to the scale and complexity of individual risks, the current and planned operations of the Group and its operating environment, and are periodically verified and validated;
- The area of risk management remains organizationally independent from business activities;
- Risk management is integrated into the planning and controlling systems;
- The level of risk is monitored on an on-going basis;
- The risk management process supports the implementation of the Bank’s strategy in compliance with the Risk Management Strategy, in particular with respect to the level of risk tolerance.
The Group and the Bank identified risks which are to be managed, and some of these risks are considered material. Risk materiality assessment associated with the Bank’s and the Group’s operations is conducted at least once a year. This assessment may be performed more often, especially if the scope of operations or the risk profile of the Bank, a Group entity or the Group changes significantly. When determining the criteria for classifying a given risk as material, the impact of the risk on both the Bank’s and the Group’s activities is taken into account. When assessing the materiality of the risks to the Bank and the Group, a list of material, monitored and immaterial risks is determined at Bank and Group level. All risks classified as material for the Bank are also material for the Group. The following risks are considered material for the Bank: credit risk of insolvency, currency risk, interest rate risk, liquidity risk (including financing risk), operating risk, business risk, risk of macroeconomic changes and models risk. Group entities may consider types of risks other than those listed above to be material, taking into account the specific nature and scale of their operations and the markets on which they operate. The Bank verifies the materiality of these risks at Group level. Group entities participate in assessing the materiality of the risks initiated by the Parent Company and assessed at Group level.
Specific actions in respect of risk reporting in the Group taken in 2017
The Bank’s Group’s priority is to maintain a strong capital position, including effective capital adequacy management, maintaining stable sources of financing which form the basis of developing business activities, supporting Polish entrepreneurship, customer satisfaction, commitment to creating new market scale standards, counteracting cyberthreats with simultaneous maintenance of priorities in respect of operating effectiveness, effective cost control and appropriate assessment and levels of risks.
For this purpose, in 2017 the Group took the following action:
- the Bank converted its own maturing short-term bonds to medium-term bonds in the amount of PLN 670 million (in May) and PLN 650 million (in November) and redeemed its own short-term bonds of EUR 200 million (in April);
- under the EMTN program, the Bank issued: on 25 July 2017 own bonds of EUR 750 million maturing in 4 years, and on 2 November 2017 own bonds with a nominal value of CHF 400 million, maturing in 4 years;
- on 28 August 2017 the Bank floated an issue of subordinated bonds with a total nominal value of PLN 1.7 billion, maturing in ten years, with a call option in respect of all the bonds 5 years after the issue date with the consent of the PFSA. On 30 August 2017 the Bank obtained the consent of the Polish Financial Supervision Authority (“PFSA”) to exercise a call option in respect of subordinated notes, and on 14 September 2017 it redeemed all the subordinated OP0922 series bonds with a total nominal value of PLN 1,600.7 million, issued by the Bank on 14 September 2012. The terms and conditions of issuance of the OP0922 series subordinated bonds constitute the legal basis for exercising the call option in respect of all OP0922 series subordinated bonds after the lapse of 5 years of their issue;
- on 21 December 2017 after obtaining all the corporate consents, the Bank concluded a guarantee agreement with its counterparty ensuring unfunded credit protection in respect of a portfolio of selected corporate credit dues of the Bank, in accordance with CRR. The total value of the portfolio of the Bank’s credit dues covered by the Guarantee is (after rounding) PLN 5,494.73 million, and the portfolio consists of a bond portfolio with a value (after rounding) of PLN 1,097 million, and a portfolio of other dues with a value (after rounding) of PLN 4,398 million;
- PKO Bank Hipoteczny SA conducted three issues of PLN mortgage bonds addressed to institutional investors, in the total nominal amount of PLN 1,265 million, with a maturity period of 4-6 years as of the date of issue;
- PKO Bank Hipoteczny SA conducted four issues of mortgage bonds denominated in EUR, addressed to institutional investors, with a total nominal value of EUR 1,079 million and maturity of 5 to 7 years as of the issue date.
In 2017, in the area of operational risk management, the Bank conducted preparatory work to begin operating from the new branch in the Czech Republic. As part of that work, in February 2017 the Bank obtained the consent of the PFSA for joint application of the advanced measurement approach (AMA) and the base indicator approach (BIA) to calculate the own funds requirement in respect of operational risk using BIA in respect of the operations of the Bank’s branch in the Federal Republic of Germany and the Bank’s branch in the Czech Republic, and using AMA for the Bank’s other operations.
As a result of a legal merger between PKO Leasing SA and Raiffeisen-Leasing Polska SA (28 April 2017) action was taken to integrate risk management in the joint PKO Leasing SA Group. In 2017 the work covered such issues as making part of the management regulations in respect of material risks taken (in particular credit, market, operational risk) cohesive, and implementing new tools for their measurement and assessment, understood as IT systems made available also to PKO Leasing SA Subsidiaries.