Risk management is one the most important internal processes both in PKO Bank Polski SA and in other entities of the PKO Bank Polski SA Group. Risk management aims at ensuring profitability of business activity, with ensuring control of risk level and maintaining it within the risk tolerance and limits system applied by the Bank, in the changing macroeconomic and legal environment. The level of the risk plays an important role in the planning process.
In the PKO Bank Polski SA Group, the following types of banking risk have been identified, which are subject to management: credit risk, interest rate risk, currency risk, liquidity risk, commodity price risk, price risk of equity instruments, derivative instruments, operational risk, compliance risk, macroeconomic changes risk, model risk, business risk (including strategic risk), and reputation risk.
48.1. Elements of banking risk management process
The process of banking risk management in the Group consists of the following stages:
- risk identification:
- the identification of actual and potential sources of risk and estimation of the significance of the potential influence of a given type of risk on the financial situation of the Group. Within the risk identification process, types of risk perceived as material in the Bank’s activity, the entities of the Group and the whole Group’s activity are identified,
- risk measurement and assessment:
- defining risk assessment measures adequate to the type and significance of the risk, data availability and quantitative risk assessment by means of determined measures, as well as risk assessment aimed at identifying the scale or scope of risk, taking into account the achievement of goals of risk management. Within risk measurement, stress-test are being conducted on the basis of assumption providing a fair risk assessment,
- risk forecasting and monitoring:
- preparing risk level forecasts and monitoring deviations from forecasts or adopted reference points (e.g. limits, thresholds, plans, measurements from the previous period, issued recommendations and suggestions). Risk monitoring is performed with the frequency adequate to the materiality and volatility of a specific risk type,
- risk reporting:
- periodic informing the authorities of the Bank about the results of risk measurement, taken actions and actions recommendations. Scope, frequency and the form of reporting are adjusted to the managing level of the recipients,
- management actions:
- including, particularly, issuing internal regulations, establishing the level of risk tolerance, establishing limits and thresholds, issuing recommendations, making decisions about the use of tools supporting risk management. The objective of taking management actions is to form the risk management and the risk level.
The risk management process is described on the chart below:
48.2. Main principles of risk management
Risk management in the Group is based especially on the following principles:
- the Group manages all of the identified types of banking risk,
- the risk management process is appropriate to the scale of the operations and to the materiality, scale and complexity of a given risk and tailored to new risk factors and sources on a current basis,
- the risk management methods (in particular the models and their assumptions) and the risk measurement systems are tailored to the scale and complexity of the risk and verified and validated on a periodical basis,
- the area of risk and debt recovery remains organisationally independent from business activities,
- risk management is integrated with the planning and controlling systems,
- the risk level is monitored on a current basis,
- the risk management process supports the implementation of the Group’s strategy in keeping with the risk management strategy, in particular with regard to the level of tolerance of the risk.
48.3. The organisation of risk management in the Bank
Risk management in the Bank takes place in all of the organisational units of the Bank.
The organisation of risk management is presented in the chart below:
The organisation of risk management chart
The risk management process is supervised by the Supervisory Board of the Bank, which is informed on a regular basis about the risk profile of the Bank as well as of the PKO Bank Polski SA Group and the most important activities taken in the area of risk management.
The Bank’s Management Board is responsible for the risk management, including supervising and monitoring of activities taken by the Bank in the area of risk management. The Bank’s Management Board takes the most important decisions affecting the risk profile of the Bank and adopts internal regulations defining the risk management system.
The risk management process is carried out in three, mutually independent lines of defence:
- the first line of defence, which is functional internal control that ensures using risk controls mechanisms and compliance of the activities with the generally applicable laws,
- the second line of defence, which is the risk management system, including risk management methods, tools, process and organisation of risk management,
- the third line of defence, which is an internal audit.
The independence of the lines of defence consists of preserving organisational independence in the following areas:
- the function of the second line of defence as regards creating system solutions is independent of the function of the first line of defence,
- the function of the third line of defence is independent of the functions of the first and second lines of defence,
- the function of managing the compliance risk reports directly to the President of the Management Board.
The first line of defence is being performed in the organisational units of the Bank, the organisational units of the Head Office and entities of the Group and concerns the activities of those units, cells and entities which may generate risk. The units, cells and entities of the Group are responsible for identifying risks, designing and implementing appropriate controls, including in the external entities, unless controls have been implemented as part of the measures taken in the second line of defence. At the same time the Group entities are obliged to have comparable and cohesive systems of risk evaluation and control in the Bank and in the Group entities, taking into account the specific business characteristic of each entity and the market on which it operates.
The second line of defence is being performed, in particular, in the Risk and Debt Collection Area, the specialisted organisational units of the Bank responsible for credit analyses, the organisational unit of the Head Office managing the compliance risk, as well as the organisational units of the Head Office responsible for controlling.
The third line of defence is being performed as part of internal audit, including the audit of the effectiveness of the system of managing the risk relating to the Bank’s activities.
The organisational units of the Head Office of the Bank that are grouped within the Banking Risk Division, the Restructuring and Debt Collection Division, and the Analysis and Credit Risk Assessment Centre manage risk within the limits of competence assigned to them.
The Banking Risk Division is responsible for:
- identifying risk factors and sources,
- measuring, assessing, monitoring and reporting risk levels (material risks) on a regular basis,
- measuring and assessing capital adequacy,
- preparing recommendations for the Management Board or committees regarding the acceptable level of risk,
- creating internal regulations on managing risk and capital adequacy,
- developing IT systems designated to supporting risk and capital adequacy management.
The Model Validation Office is responsible for:
- validation of risk measurement models,
- creating an effective system of the model risk management at the Bank, measurement and reporting of risk of the models,
- supporting risk management.
The Restructuring and Debt Collection Centre and the Department of Restructuring and Debt Collection of the Corporate Client are responsible for:
- recovering receivables from difficult clients effectively and increasing the effectiveness of such actions,
- effective intervention activities within the effective and early monitoring of delays in the collection of receivables from retail market clients,
- effective outsourcing of the tasks carried out, as well as effective management of assets taken over as a result of recovering the Bank’s receivables,
- selling difficult receivables effectively.
Analysis and Credit Risk Assessment Centre is responsible for the reduction of the credit risk of individual credit exposures of the Bank’s retail and corporate market clients and ensuring effective credit analyses in respect of mortgage loans granted to individual clients through the Bank’s retail network and loans granted to small and medium enterprises clients evaluated with rating methods, as well as taking credit decisions in this regard.
Risk management is supported by the following committees:
Risk Committee (RC):
- monitors the integrity, adequacy and efficiency of the bank risk management system, as well as capital adequacy and implementation of the risk management policies binding in the Bank consistent with the Bank’s Strategy,
- analyses and evaluates the application of strategic risk limits specified in the PKO Bank Polski SA’s Bank Risk Management Strategy,
- supports the Supervisory Board in the bank risk management process by formulating recommendations and making decisions concerning capital adequacy and the efficiency of the bank risk monitoring system.
Assets & Liabilities Committee (ALCO),
- makes decisions within the scope of limits and thresholds on particular kinds of risks, issues related to transfer pricing and risk models and their parameters,
- gives recommendations to the Management Board i.a. with regard to determining the structure of the Bank’s assets and liabilities, managing different types of risk, equity and price policy.
Bank’s Credit Committee (BCC),
- makes loan decisions with regard to significant individual loan exposures,
- issues recommendations in respect to the mentioned above to the Management Board.
Central Credit Committee (CCC) and credit committees which operate in the regional retail and corporate branch offices.
- supports the decisions taken by the relevant Division directors and the Bank’s Management Board members with its recommendations and the credit committees operating in the regions support branch directors and directors of the Regional Corporate Branches in matters bearing a higher risk level.
Operating Risk Committee (ORC),
- takes decisions, issues recommendations and opinions regarding i.a. strategic tolerance limits and loss limit for operational risk, key risk indicators (KRI), assumptions of stress tests, results of validation of operational risk measurement models and changes in AMA approach,
- prepares operating risk management recommendations for entities of the PKO Bank Polski SA Group, which are submitted to the Group entities as a part of the Bank’s corporate governance over those entities.
ALCO, RC, ORC, BCC, the Management Board and the Supervisory Board are recipients of cyclic reports concerning the individual risk types.
48.4. Activities in the area of risk management in the Bank
The Bank supervises activities of the individual subsidiaries of the PKO Bank Polski SA Group. As part of this supervision, the Bank sets out and approves their development strategies, including the level of the risk. The Bank also supervises the entities’ risk management systems and provides support in the development of these systems. Additionally, it reflects business risk of the particular Group entities in the risk reporting and risk monitoring system of the entire Group.
The internal regulations concerning management of certain types of risk in the entities of the Group are defined by internal regulations implemented by those entities, after consulting the Bank’s opinion and having taken into account the recommendations issued to the entities by the Bank. The internal regulations of the entities concerning risk management allow for consistent and comparable assessment of particular types of risk within the Bank and entities of the Group, as well as reflect the specific nature of the entity’s activity and the market on which it operates.
The PKO Bank Polski SA Group’s top priority is to maintain its strong capital position and to further increase its stable sources of financing underlying the stable development of business activity, while maintaining the priorities of efficiency and effective cost control and appropriate risk assessment.
In this respect, the Bank took the following actions in 2013:
- rolled forward short-term bonds in the amount from PLN 500 to 850 million, while extending the maturity date of the securities from three to six months,
- it transferred part of the Bank's profit for 2012 to equity,
- acquired in September 2013, financing in the form of a loan in the amount of EUR 75 million and in November 2013 ca. CHF 185 million.
On 12 June 2013, the Bank signed an agreement to purchase Nordea Bank Polska SA, Nordea Finance Polska SA, Nordea Polska Towarzystwo Ubezpieczeń na Życie SA, and the corporate loan portfolio serviced directly by the Seller – the Scandinavian financial Group Nordea. The above mentioned acquisition shall have no impact on the change in the risks identified in the business of PKO Bank Polski SA or Nordea Bank Polska SA.
In the first half of 2013 in respect of operational risk, the Bank endeavoured to adapt to the requirements of Recommendation M of the Polish Financial Supervision Authority amended in January 2013 relating to operational risk management in banks. The Bank complied with all the recommendations by 30 June 2013, and complied with the recommendation relating to disclosure of information on operational losses
– in accordance with Recommendation M – in the third quarter of 2013.
In the second half of 2013, the Bank implemented the process of incorporating counterparty credit risk in the valuation of financial instruments in accordance with the best practices in the market and internal conditions.
In 2013, works aimed at optimising the lending process and increasing its efficiency through the improvement of the Management Information System (MIS) and optimisation of the lending process dedicated to individuals, small and medium enterprises (SME) and corporate clients were carried out at KREDOBANK SA. Furthermore, internal regulations concerning the basic principles of the lending process organisation and regulations relating to the process of lending to individuals and legal persons were amended.
In 2013, the PKO Leasing SA Group focused mainly on building a safe lease portfolio to guarantee positive consolidated financial results of the PKO Leasing SA Group, safety of the capital and reduction in the share of irregular receivables in the portfolio.
48.5. Identification of significant types of risk
The significance of the individual types of risk is established at the Bank’s and Group entities level. When determining criteria of classifying a given type of risk as significant, an influence of a given type of risk on the Bank’s, Group entities and whole Group’s activities is taken into account, whereas three types of risk are recognised:
- considered as significant a priori – being managed actively,
- potentially significant – for which significance monitoring is being made,
- other non-defined or non-occurring in the Bank or Group types of risk (insignificant and non-monitored).
Based on quantitative and qualitative information, an assessment of significance of given types of risk is performed in the Bank periodically. As
a result of assessment, a given type of risk is being classified as significant/insignificant. Similar assessment is concluded periodically in the Group entities. Monitoring is conducted if significant change in activities took place or the profile of the Bank or the Group changed.