Compliance risk and conduct risk management
Compliance risk is defined as the risk of legal sanctions, incurring financial losses or losing reputation due to failure of the Group, its employees or entities acting on its behalf to comply with the provisions of the law, internal regulations, standards adopted by the Group, including market standards.
Conduct risk means a risk which arises on the part of:
1) the customer,
2) the Group, including its credibility,
3) financial markets, with regard to their credibility,
as a result of inappropriate action (also unintentional) or any omission by the Group, its staff or related entities, with regard to offering purchase and provision of financial services.
The objectives of the compliance risk and conduct risk management are as follows:
To identify and assess the compliance and conduct risks, information on the compliance incidents and their reasons is used, including information resulting from internal audits, internal controls and external inspections. Identification and assessment of the compliance and conduct risks is based mainly on the following:
During the assessment, the nature and the potential scale of losses are identified, together with the possible ways of mitigating or eliminating the compliance risk. The assessment is conducted in the form of workshops.
Monitoring of the compliance and conduct risk is performed using information provided by the Bank’s organizational units and consists in:
|Reporting||The reporting of compliance risk and conduct risk takes the form of quarterly reports addressed to the Risk Committee, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board and information submitted for the purposes of external regulatory and control bodies.|
Compliance risk management covers, in particular, the following issues:
Business risk management
|Definition||Business risk is the risk of incurring losses due to adverse changes in the business environment, taking bad decisions, the incorrect implementation of decisions taken, or not taking appropriate actions in response to changes in the business environment. This includes in particular strategic risk.|
|Management objective||Maintaining, on an acceptable level, the potential negative financial consequences resulting from adverse changes in the business environment, making adverse decisions, improper implementation of adopted decisions or lack of appropriate actions, which would be a response to changes in the business environment.|
|Risk identification and measurement||Identification consists of recognising and determining the factors, both current and potential, which result from the current and planned activities of the Group and which may significantly affect the financial position of the Group by generating or changing the Group’s income and expense. Business risk identification is performed by identifying and analyzing the factors that had an impact on significant deviations of realized income and expense from their forecasted values. Measurement of business risk is aimed at defining the scale of threats related to the existence of business risk with the use of defined risk measures. The measurement of business risk includes: calculation of internal capital, conducting stress-tests.|
|Control||Control of the business risk is aimed at striving to maintain the business risk at an acceptable level. It involves setting and periodic review of the risk controls in the form of tolerance limits on the business risk along with its thresholds and critical values, adequate to the scale and complexity of the Group.|
|Forecasting and monitoring|
Forecasting of the business risk is aimed at determining an anticipated scenario of changes in the income and expense items in the income statement. The forecast is prepared once a quarter on a yearly basis and includes forecasting the level of business risk and internal capital.
Once a quarter, the verification of a business risk forecast (so-called backtesting) is performed.
Monitoring of the business risk is aimed at diagnosing the areas which require management actions.
|Reporting||Reporting is performed on a quarterly basis. The reports on the business risk level are addressed to the ALCO, the RC, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board.|
Management actions consist of, in particular:
Reputation risk management
|Definition||The reputation risk is understood as the risk of deterioration of reputation among clients, counterparties, investors, supervisory and control authorities, and the general public as a result of the business decisions, operating events, instances of non-compliance or other events.|
|Management objective||The objective of managing the reputation risk is to protect the Group’s reputation by counteracting the occurrence of reputation and limiting the negative effect of image-related events on the Group’s reputation.|
|Identification||Identification of the reputation risks covers the developments observed in the Group’s internal processes and in its external environment, including in particular: image-related events and factors related to the business environment, i.e. quantitative and qualitative information, including especially the data which describes the Group and its external environment, which suggest the existence of the reputation risk.|
|Assessment||An assessment of the reputation risk involves evaluating the impact of image-related events on the Group’s reputation, and in particular, quantifying and determining the severity of reputation losses. The evaluation of a reputation loss includes the impact, credibility and the opinion-forming potential of the disclosure of an image-related event to the public.|
|Monitoring||Monitoring reputation risk consists of a regular assessment of the value of reputation risk measures compared with the adopted threshold values. The level of reputation risk is determined based on the value of reputation risk measures.|
Information on the reputation risk is reported in the form of:
1) a semi-annual management report addressed to the Risk Committee, the Management Board, the Risk Committee of the Supervisory Board and the Supervisory Board.
2) ad-hoc information on current events having a material impact on the Bank’s reputation, addressed to the President of the Management Board and to his Office.
3) information included in the Bank’s and the Group’s financial statements and provided at the request of the external supervisory and control bodies.
Based on the specific level of reputation risk, management actions are taken, which may cover:
1) an analysis of the reasons for a given level of risk occurring;
2) assessment of the effects of such a level of risk occurring;
3) preparation of proposed management actions aimed at reducing the level of reputation risk or justification of the lack of the need to take such action, e.g. in the event of incidental extraordinary events occurring.
Model risk management
|Definition||Model risk is the risk of incurring negative financial or reputational effects as a result of making incorrect business decisions on the basis of the models in use. Within the Group, model risk is managed both on the part of a given Group entity (an owner of a model) and at the level of the Bank as a parent company of the Group.|
|Management objective||The objective of model risk management is to mitigate the level of risk of incurring losses as a result of making incorrect business decisions on the basis of existing models in the Group through a well-defined and implemented process of models management. One of the elements of the model management process is to cover all significant models in the Group with regular, independent validation.|
|Risk identification and measurement||Identification of the model risk consists of, in particular, collecting information about the existing models and models planned to be implemented as well as determining the materiality of the models on a periodical basis. The model risk evaluation is aimed at determining the scale of the threats associated with the occurrence of the model risk. The evaluation is made at the level of each model as well as on an aggregate basis at the level of the Group.|
|Control||Control of the model risk is aimed at maintaining an aggregated evaluation of the model risk at a level which is acceptable to the Group. Control of the model risk consists of determining the mechanisms used to diagnose the model risk level and tools for reducing the level of this risk. The tools used to diagnose the model risk include, in particular, a strategic limit of tolerance to the model risk and the threshold values of the model risk.|
Monitoring of the model risk on a periodical basis is aimed at diagnosing the areas requiring management actions and includes, in particular:
|Reporting||The results of monitoring the model risk are presented periodically in the reports addressed to the RC, the Management Board, and the Supervisory Board.|
|Management actions||The purpose of management actions is to form a model risk management process and to affect the level of this risk, in particular by determining acceptable risk levels and making decisions about the use of tools supporting model risk management.|
Macroeconomic changes risk management
|Definition||Risk of macroeconomic changes is a risk of deterioration of the financial situation of the Group as a result of the adverse impact of changes in macroeconomic conditions.|
|Management objective||The purpose of managing the risk of macroeconomic changes is to identify macroeconomic factors having a significant impact on the Group's activities and to take actions to reduce the adverse impact of potential changes in the macroeconomic situation on the financial situation of the Group.|
|Risk identification and measurement||Identification of the risk of macroeconomic changes involves determining scenarios of potential macroeconomic changes and the risk factors having the greatest impact on the financial situation of the Group. The risk of macroeconomic changes results from the interaction of factors dependent on and independent of the Group's activities. The Group identifies the factors affecting the level of risk of macroeconomic changes while carrying out comprehensive stress-tests. The risk of macroeconomic changes materializes indirectly through other risks affecting the Group's operations. For the purpose of measuring the risk of macroeconomic changes the Group uses risk measures based on the results of comprehensive stress-tests, in particular: financial result and its components, capital adequacy measures and their components, selected liquidity measures, data on the quality of the loan portfolio.|
|Control||Control of the risk of macroeconomic changes is aimed at striving to mitigate the adverse effect of potential changes in the macroeconomic situation on the financial position of the Group. Control of the risk of macroeconomic changes consists of determining the acceptable risk level tailored to the scale of the Group’s operations, with the level of the risk of macroeconomic changes being assessed on the basis of the results of comprehensive stress tests. An acceptable level of the risk of macroeconomic changes is a situation in which stress test results do not point to the need to take any remedial measures.|
|Monitoring||Monitoring consists of, among other things, analyzing macroeconomic factors and the economic situation on a current basis and includes in particular: changes in the macroeconomic situation, the macroeconomic factors to which the Group is sensitive, stress test results, the level of the risk of macroeconomic changes.|
|Reporting||Reporting is provided in the form of additional information about the risk of macroeconomic changes which accompanies a quarterly report on capital adequacy, in which the stress tests were conducted. The reports are addressed to the ALCO, the RC, the Management Board and the Supervisory Board.|
|Management actions||Management actions consist in particular of: issuing internal regulations, determining acceptable levels of risk, and proposing actions aimed at reducing the level of risk in the event of an elevated or high risk of macroeconomic changes.|
Capital risk management
|Definition||Capital risk is the risk of failing to ensure an appropriate level and structure of own funds, with respect to the scale of the Group operations and risk exposure and, consequently, insufficient for the absorption of unexpected losses, taking into account development plans and extreme situations.|
|Management objective||The objective of managing the capital risk is to ensure an appropriate level and structure of own funds, with respect to the scale of the operations and risk exposure of the Group and the Group, taking into account the assumptions of the Group’s dividend policy as well as supervisory instructions and recommendations concerning capital adequacy.|
The capital risk level for the Group is determined based on the minimum, threshold and maximum values of capital adequacy measures, amongst others, the total capital ratio and basic capital (Tier 1) ratio. In addition, threshold and maximum values are determined for capital adequacy measures, as an excess over the minimum values constituting strategic tolerance limits for the capital adequacy measures. The capital risk level is determined as follows:
1) low level – when all capital adequacy measures exceed the threshold values,
2) raised level – when at least one adequacy measure is lower than a threshold value and no capital adequacy measure is lower than the strategic tolerance limit,
3) high level – when at least one capital adequacy measure is lower than the strategic tolerance limit.
The Group regularly monitors the level of capital adequacy measures in order to determine the degree of compliance with supervisory standards, internal strategic limits, and to identify instances which require taking capital contingency actions.
Should a high level of capital risk be identified, the Group takes measures to bring capital adequacy measures to a lower level, taking into account the assumptions of the dividend policy as well as the supervisory instructions and recommendations concerning capital adequacy.
Insurance risk management
|Definition||Insurance risk is a risk of loss or of adverse change in value of insurance liabilities, due to inadequate pricing and provisioning assumptions (in particular for technical provisions).|
|Identification, measurement and risk assessment|
The exposure to insurance risks in the Group related to insurance companies is monitored and shaped in accordance with the adopted risk management strategy. In PKO Życie Towarzystwo Ubezpieczeń SA (PKO Życie), the dominant type of insurance risk depends on the type of product in the Company’s portfolio:
The Company mitigates its exposure to the risks through:
As a result of the proceedings of the UOKiK and the agreements concluded in 2015 and 2016 as a result of these proceedings, the Company estimated the changes in the distribution of future withdrawals. The amounts of the future surrender fees were also adjusted in accordance with the above agreement. The decisions made constitute the continuation of activities conducted by PKO Życie so far, with regard to reducing the total surrender value of selected life insurance contracts with insurance capital funds. Up until the date of this report, no increase in contract withdrawals in excess of the assumptions for determining the Best Reserve Estimate was observed.
PKO Towarzystwo Ubezpieczeń S.A. (PKO TU) is exposed to the following types of insurance risk:
The dominant type of risk is dependent on the type of product:
The measurement of the insurance risk in insurance companies is performed, among other things, as part of the analysis of contract withdrawals, claims ratio analysis, the analysis of the amounts of assets to cover technical reserves (APR), and an annual analysis of shock scenarios – stress tests as part of the process of self-assessment of risk and solvency.
The companies have implemented the requirements arising from the changes in regulations under the Solvency II system and have been calculating capital ratios under the new regime as from 1 January 2016, maintaining own funds at an adequate level.
To mitigate the insurance risk exposure, PKO Życie uses, among others: reinsurance of risks (mortality, morbidity), grace periods, exemptions and retention activities.
Ceded reinsurance of PKO Życie is performed on the basis of:
Facultative reinsurance is applied to all insurance agreements and risks not covered by obligatory-facultative reinsurance agreements, in which the sum on the gross risk exceeds the agreed amount.
In the case of new products and risks, PKO Życie chooses the reinsurer, the level of protection and the conditions of the reinsurance, and decides on changes to concluded reinsurance contracts and on concluding new reinsurance contracts in relation to newly introduced or modified insurance products and new risks.
|Reporting||In PKO Życie and in PKO TU, the reporting on insurance risk is provided in the form of periodical reports to the Management Board and for the Asset and Liabilities Committee, the Risk Committee, and the Risk Committee of the Supervisory Board.|
The assets to cover technical reserves (APR) remained at a sufficient level (over 100%) and had an appropriate structure. As at the end of 2016, the aggregate assets to reserves ratio amounted to 103% for PKO Życie and 140% for PKO TU.
Management of the risk of excessive leverage
|Definition||The risk of excessive financial leverage is the risk resulting from vulnerability to threats due to financial leverage or conditional financial leverage that may require taking unintended action to adjust business plans, including an emergency sale of assets which could result in losses or result in the need for valuation adjustments of other assets.|
|Management objective||The objective of managing the risk of excessive leverage is to ensure an appropriate relationship between the amount of the core capital (Tier 1) and the total of balance sheet assets and off-balance sheet liabilities granted by the Group.|
|Identification and measurement||The risk of excessive leverage materializes as a mismatch between the scale of activities and the structure of the sources of financing, and as insufficient own funds of the Group. For the purpose of measuring the risk of excessive financial leverage, a leverage ratio is calculated as a measure of Tier 1 capital divided by the measure of total exposure and is expressed as a percentage rate. The leverage ratio is calculated on the reporting reference date. The leverage ratio is calculated both with reference to Tier 1 capital and in accordance with the transitional definition of Tier 1 capital.|
|Forecasting and monitoring|
A forecast is made regularly, on a quarterly basis, using the leverage ratio. The following parameters are in particular subject to monitoring of the risk of excessive leverage:
|Control||The objective of the control of the risk of excessive leverage is to strive to maintain the Group’s risk of excessive leverage at an acceptable level. It covers a periodical review of the risk control mechanisms in the form of a tolerance limit, including its threshold value.|
|Reporting||Reporting is performed on a quarterly basis. The reports on the level of the risk of excessive leverage are addressed to the RC, the Management Board, the Risk Committee of the Supervisory Board, and the Supervisory Board.|
|Management actions||The management actions concerning the risk of excessive financial leverage are identical to the management actions concerning capital risk. In the event of an increased risk, actions are taken to bring capital adequacy measures to a proper level, taking into account the assumptions of the dividend policy as well as supervisory suggestions and recommendations concerning capital adequacy.|