69. Operational risk management

The objective of operational risk management is to enhance the safety of the operational activities conducted by the Group by improving the efficiency – tailored to the profile and the scale of operations – of the mechanisms for identifying, assessing and measuring, controlling, monitoring, mitigating and reporting operational risk.

Operational risk management comprises the identification of operational risk in particular through collecting data about the operational risk and the self-assessment of operational risk.

In order to manage the operational risk, the Bank gathers internal and external data about operational events and the causes and consequences of their occurrence, data on the factors of the business environment, results of operational risk self-assessment, data on KRI and data related to the quality of internal controls.

The operational risk self-assessment comprises the identification and assessment of the operational risk for the Bank’s products, processes and applications as well as organizational changes and it is conducted cyclically and before the introduction of new or changed Bank products, processes and applications.

The measurement of operational risk comprises:

• calculating Key Risk Indicators (KRI) and Risk Indicators (RI);
• calculating the requirement for own funds to cover operational risk under the AMA approach (the Bank) and BIA approach (the German and Czech Branches and the Group companies covered by prudential consolidation):
• stress-tests;
• calculating the Group’s internal capital.

Control of operational risk includes setting up risk controls tailored to the scale and complexity of the Bank’s and Group’s activities, in the form of limits on operational risk, in particular the strategic limits of tolerance to operational risk, loss limits, key risk indicators, with thresholds and critical values.

The following measures are monitored by the Group on a regular basis:

• utilization of the strategic tolerance limits for the Group and operational risk losses limits for the Bank,
• operational events and their consequences,
• results of the operational risk self-assessment,
• the requirement in respect of own funds to cover operational risk, in accordance with the BIA approach in the case of the German and Czech Branches and in accordance with the AMA approach in the case of the remaining activity of the Bank, and in accordance with the BIA approach in the case of Group companies included in prudential consolidation,
• the results of stress tests and backtesting,
• Key Risk Indicators (KRI) in relation to threshold and critical values,
• the risk level for the Bank and the Group, areas and tools of and for the operational risk management at the Bank such as self-assessment, key risk indicators and loss limits;
• the effectiveness and timeliness of actions undertaken to reduce or transfer operational risk;
• management actions relating to the presence of elevated or high levels of operational risk and their effectiveness in reducing the level of operational risk.

In 2018, the following entities had a decisive impact on the operational risk profile of the Group: PKO Bank Polski, and the PKO Leasing SA Group.

Reporting of information concerning operational risk is performed for the needs of the senior management staff, the ORC, the RC, the Management Board and the Supervisory Board in monthly and quarterly cycles. Each month, information about operational risk is prepared and forwarded to the ORC, senior management staff, the organizational units of the Head Office and specialist organizational units responsible for system-based operational risk management. The scope of the information is diversified and tailored to the scope of responsibilities of individual recipients of information.

Management actions are taken in the following cases:

• on an initiative of ORC or the Management Board
• on the initiative of organizational units and cells of the Bank managing operational risk;
• when operational risk has exceeded the levels determined by the Management Board or ORC.

In particular when the risk level is elevated or high, the Bank uses the following approach and instruments to manage the operational risk:

• risk reduction – mitigating the impact of risk factors or the consequences of its materialization by introducing or strengthening various types of instruments for managing operational risk such as: control instruments, human resources management instruments, determination or verification of thresholds and critical key risk indicators, determination or verification of operational risk levels, and contingency plans,
• risk transfer – transfer of responsibility for covering potential losses to a third-party: insurance and outsourcing,
• risk avoidance – resignation from the risk-generating activity or elimination of the probability of occurrence of a risk factor.