Operational risk is defined as the risk of occurrence of a loss due to non-compliance or unreliability of internal processes, people and systems or due to external events. Operational risk includes legal risk but does not include the risk of losing reputation or business risk. The objective of operational risk management is to enhance the security of the operational activity pursued by the Bank by improving efficient mechanisms, tailored to the profile and scale of operations, for the identification, assessment and measurement, reduction, monitoring and reporting of operational risk.
The process of operational risk management is carried out at the level of the entire Bank and at the level of each system-based operational risk management area. System-based operational risk management involves creating solutions that allow the Bank to exercise control over the level of operational risk, enabling accomplishment of the Bank’s objectives. Ongoing operational risk management is conducted by every employee of the Group within the scope of their roles and responsibilities. The aim of ongoing operational risk management is to prevent the materialisation of operational events and to detect and react to operational events that do occur.
For the purposes of operational risk management, the Bank collects external data about operational events that occurred in the Bank and in other banks, including their causes and effects, data about business environment factors, results of the self-assessment of operational risk, data on Key Risk Indicators (KRI) of operational risk and data on the quality of functional internal control.
Operational risk management also includes the self-assessment of operational risk for the Bank’s products, processes and applications, as well as for organisational changes.
Measurement of operational risk comprises the calculation of KRI, the calculation of the own funds requirement in respect of operational risk (for the Bank in accordance with the AMA approach, and for the Group entities conducting financial activities in accordance with BIA (base rate)), stress-tests and the calculation of internal capital for the Group.
The Bank monitors the operational risk level in order to control operational risk and diagnose areas requiring management action. Monitoring relates in particular to operational risk limits, operational events and their effects, results of self-assessment, the own funds requirement in respect of operational risk in accordance with the AMA approach, stress-tests and the value of KRI.
The Bank uses various solutions to limit its exposure to operational risk, including the following:
- control instruments,
- human resources management instruments (staff selection, enhancement of professional qualification of employees, incentive systems),
- thresholds and critical values of Key Risk Indicators (KRI),
- strategic tolerance limits for the Group and limits on operational risk losses for the Bank,
- contingency plans,
- insurance,
- outsourcing.
If the risk level is elevated or high, the Bank applies the following approaches:
- risk reduction – mitigating the impact of risk factors or the consequences of their materialisation,
- risk transfer – transfer of responsibility for covering potential losses to a third party,
- risk avoidance – withdrawal from the activity that generates risk, or elimination of the probability of the occurrence of a risk factor.
The process of operational risk management is subject to the internal control system, including review of the strategy and process of operational risk management, self-assessment of compliance with AMA approach requirements, validation of the AMA approach and internal audit.
The Group entities manage operational risk in accordance with the rules for managing this risk implemented in PKO Bank Polski SA, taking into account the scope and nature of the relation of the Group entities and the specific nature and scale of the business conducted by individual entities.
In 2014, the dominant impact on the operational risk profile of the Group came from PKO Bank Polski SA, the PKO Leasing SA Group, the Qualia Development Sp. z o.o. Group and the KREDOBANK SA Group. The other Group entities, considering their significantly smaller scale and type of activity, generate only reduced operational risk.