61. Operational risk management

Operational risk is defined as the risk of occurrence of a loss due to non-compliance or unreliability of internal processes, people and systems or external events. Operational risk includes legal risk but does not include reputation risk or business risk.

The objective of operational risk management is to enhance the security of the operational activity pursued by the Bank by improving efficient mechanisms, tailored to the profile and scale of operations, for the identification, assessment and measurement, reduction, monitoring and reporting of operational risk.

The Group entities manage operational risk according to the principles of managing this risk in PKO Bank Polski SA, taking into account the extent and nature of the relationships between the entities included in the Group, as well as the specific nature and scale of activities of particular entities.

61.1. Measurement of the operational risk

Measurement of operational risk at the Bank aims at defining the scale of threats related to the existence of operational risk with the use of defined risk measures. The measurement of operational risk comprises:

  • calculation of Key Risk Indicators (KRI),
  • calculation of own funds requirement in respect of operational risk in accordance with the AMA approach,
  • stress-tests,
  • calculation of internal capital.

The operational risk self-assessment comprises identification and assessment of operational risk for the Bank’s products, processes and applications as well as organisational changes. It is conducted cyclically and before the introduction of new or changed products, processes and applications of the Bank, with the use of:

  • accumulation of data on operational events,
  • results of inspections, proceedings and functional internal control,
  • Key Risk Indicators (KRI).

61.2. Forecasting and monitoring of operational risk

Monitoring of operational risk aims at controlling operational risk and diagnosing areas requiring management actions.

The Bank regularly monitors in particular:

  • utilisation level of strategic tolerance limits and operational risk loss limits,
  • effectiveness and timeliness of actions taken to reduce or transfer the operational risk,
  • Key Risk Indicators (KRI) in relation to threshold and critical values,
  • results of operational risk self-assessment,
  • own funds requirement in respect of operational risk for the Bank – using the Advanced Measurement Approach (AMA), and for the Group entities conducting financial operations – using the Basic Index Approach (BIA),
  • results of stress-tests,
  • operating events and their effects.

In 2014, the dominant impact on the operational risk profile of the Group was exerted by the following entities: PKO Bank Polski SA (including acquired subsidiary), the PKO Leasing SA Group, the Qualia Development Sp. z o.o. Group and the KREDOBANK SA Group. Other Group entities, considering their significantly smaller scale and type of activity, generate only limited operational risk.

61.3. Reporting of operational risk

Information concerning operational risk is reported for the purposes of:

  • Bank’s internal requirements, particularly of the senior management staff, ORC, RC, the Management Board, the Supervisory Board’s Audit Committee and the Supervisory Board,
  • external supervision and control,
  • shareholders and the financial market.

Reporting on information concerning operational risk of the Bank and Group’s subsidiaries for the Bank’s internal purposes is performed on a quarterly basis. Recipients of quarterly reports are ORC, RC, the Management Board, the Supervisory Board’s Audit Committee and the Supervisory Board. Quarterly reports contain in particular information on:

  • the results of measuring and monitoring of operational risk,
  • the operational risk profile of the Bank resulting from the process of identifying and assessing the threats for products, processes and applications of the Bank,
  • operational risk level and instruments used for operational risk management,
  • actions taken to reduce operational risk and evaluate the effectiveness of actions taken to reduce the operational risk level,
  • recommendations and decisions of the ORC or the Management Board.

Each month, information on operational risk is prepared and forwarded to the members of the Management Board, the organisational units of the Head Office and specialised units as well as organisational units responsible for system-based operational risk management. The scope of information is diversified and tailored to the scope of responsibilities of individual recipients of the information.

61.4. Management decisions concerning operational risk

The process of operational risk management is carried out at the level of the entire Bank and at the level of each system-based operational risk management area. System-based operational risk management involves creating solutions that enable the Bank to control the level of operational risk and to accomplish its objectives. Ongoing operational risk management is conducted by every employee of the Bank and involves preventing the materialisation of operational events arising during product servicing, the realisation of processes and the use of applications, as well as responding to operational events that occur.

In order to manage the operational risk, the Bank gathers data about operational events that occurred at the Bank and other banks together with their causes and results, data on the factors of the business environment, results of operational risk self-assessment, data on the key operational risk indicators (KRI) and data related to the quality of internal functional controls.

In order to mitigate exposure to operational risk, the following tools are used by the Bank:

  1. control instruments (authorisation, internal control, distribution of functions),
  2. human resources management instruments (staff selection, enhancement of professional qualification of employees, motivation packages),
  3. setting threshold and critical values of Key Risk Indicators (KRI),
  4. the Group’s strategic tolerance limits and the Bank’s limits for operational risk losses,
  5. contingency plans,
  6. insurance,
  7. outsourcing.

Management actions are taken in the following cases:

  • on ORC’s initiative,
  • on the initiative of organisational units and cells of the Bank managing operational risk,
  • when there is a reasonable probability that the risk will exceed the moderate or high level, or when these levels have been exceeded.

Especially when the risk level is elevated or high, the Bank uses the following approaches:

  • risk reduction – mitigating the impact of risk factors or the consequences of their materialisation,
  • risk transfer – transfer of responsibility for covering potential losses to a third party,
  • risk avoidance – resignation from activity that generates risk or elimination of the probability of the occurrence of a risk factor.

The process of operational risk management is subject to an internal control system that includes:

  • review of strategy and process of operational risk management,
  • self-assessment of compliance with AMA approach requirements,
  • validation of AMA approach,
  • internal audit.