Operational risk is defined as the risk of occurrence of a loss due to non-compliance or unreliability of internal processes, people and systems or external events.
The objective of operational risk management is to optimise operational efficiency by reducing operating losses, costs streamlining and improving the timing and adequacy of the response of the Group to events which are beyond its control.
57.1. Measurement of the operational risk
Measurement of operational risk at the Bank aims at defining the scale of threats related to the existence of operational risk with the use of defined risk measures. The measurement of operational risk comprises:
- calculation of Key Risk Indicators (KRI),
- calculation of the AMA results,
- stress-tests,
- calculation of capital requirements and internal capital.
Identification and assessment of operational risk comprises operational risk appearing in the existing products, processes and IT applications of the Bank, the above is conducted with the use of:
- accumulation of data on operational events,
- inspections, proceedings and functional internal control,
- Key Risk Indicators (KRI).
57.2. Forecasting and monitoring of operational risk
The Bank regularly monitors:
- utilisation level of strategic tolerance limits and loss limits on operational risk,
- effectiveness and timeliness of actions taken to reduce or transfer the operational risk,
- setting threshold and critical values of Key Risk Indicators (KRI),
- operating events and their effects.
In 2013, the dominant impact on the operational risk profile of the Group was exercised by the following 3 entities: PKO Bank Polski SA,
the PKO Leasing SA Group and KREDOBANK SA. Other Group subsidiaries, considering their significantly smaller scale and type of activity, generate only reduced operational risk. The Group subsidiaries manage operational risk according to principles of risk management in PKO Bank Polski SA, considering their specific nature and scale of activity.
57.3. Reporting of operational risk
The Bank prepares reports concerning operational risk of the Bank and the Group’s subsidiaries on a quarterly basis. The reports contain among others information on:
- the results of measuring and monitoring operational risk,
- the operational risk profile of the Bank resulting from the process of identifying and assessing the threats for products, processes and
IT software of the Bank, - actions taken to reduce operational risk and evaluate the effectiveness of actions taken to reduce operational risk level,
- recommendation and decision for the Operational Risk Committee or the Management Board.
Each month, information on operational risk is prepared and forwarded to members of the Management Board and organisational units of the Bank responsible for system-based operating risk management. The scope of information is diversified and tailored to the scope of responsibilities of individual recipients of the information.
57.4. Management decisions concerning operational risk
Operational risk management is performed through systemic solutions as well as regular ongoing management of the risk. Systemic operational risk management is centralised at the PKO Bank Polski SA Head Office level. The ongoing operational risk management is conducted by every organisational unit of the Bank.
In order to manage the operational risk, the Bank gathers internal and external data about operating events and their causes, data on the operating environment, and data related to the quality of internal functional controls.
In order to mitigate exposure to operational risk, the following tools are used by the Bank:
- control instruments,
- human resources management instruments (staff selection, enhancement of professional qualification of employees, motivation packages),
- setting threshold values of Key Risk Indicators (KRI),
- tolerance and operational risk limits,
- contingency plans,
- insurance,
- outsourcing.
In order to manage the operational risk, the Bank gathers internal and external data about operating events and their causes, data on the operating environment, and data related to the quality of internal functional controls.
If the risk level is elevated or high, the Bank uses the following approach:
- risk reduction – mitigating the impact of risk factors or consequences of its materialisation,
- risk transfer – transfer of responsibility for covering potential losses on a third-party,
- risk avoidance – resignation from activity that generates risk or elimination the probability of the occurrence of a risk factor.
The Group entities manage the operational risk in accordance with the rules implemented by the PKO Bank Polski SA, taking into account the specific nature and scale of the business conducted by individual entities.