Risk Management System
The risk management system in place at Bank Pekao S.A. is defined in the ICAAP Procedure, adopted by the Bank's Management Board and approved by its Supervisory Board.
The ICAAP Procedure outlines the key elements of a comprehensive approach to the risks arising from the Bank's operations and business strategy, both at the level of the Bank and the entire Bank Pekao S.A. Group, by defining the risks identified by the Bank and the criteria for classifying risks as material, and by setting out the objectives and principles of risk management, the target structure of risk exposure arising from the Bank's operations, as well as the acceptable level and structure of the risk exposure.
A risk is defined as "the possibility that the outcome of an action or event could lead to adverse impacts resulting in losses or constraining the Bank's ability to meet its stated business strategy".
Every identified risk should be assessed in terms of its materiality and – if found to be material – measured (if classified as measurable), as well as monitored and controlled in line with the methods and procedures defined specifically for a given type of risk. The risk assessment and measurement methodologies are designed to ensure compliance with the applicable legal requirements, best market practices and the UniCredit Group's guidance.
The risk management system in place at the Bank constitutes an integral part of the Bank's management system. The risk management system is used to identify, measure (estimate), monitor, control and report the risks inherent in the Bank's operations in order to ensure that the process of setting and attaining specific objectives related to the Bank's operations functions properly. Risk management improves the efficiency of the decision-making process, while ensuring compliance of the Bank's decisions with the best market practice and the applicable regulatory regime.
As part of its risk management system, the Bank uses formal rules to quantify and manage its risk exposures, and formal procedures to identify, measure or assess, and monitor the risks, accounting also for expected future exposures. The Bank applies formal limits to mitigate the risks and defines rules to be followed in the event that the limits are exceeded, while the adopted management information system serves as a tool enabling it to monitor the risks. The Bank's organisational structure is adapted to the size and profile of its risk exposure. In managing risks at the Group level, the Bank oversees the risk exposures inherent in the operations of its subsidiaries.
Under the risk management system currently in place at the Bank, the Management Board is responsible for:
- developing and implementing a risk management strategy, including the objectives and key principles of risk management;
- developing, implementing and regularly updating written strategies, policies and procedures related to the area of risk management;
- effectiveness of the risk management system and its continuous enhancement;
- taking appropriate steps with a view to ensuring that the Bank manages all the material risks inherent in its operations and the operations of its subsidiaries and that relevant procedures are in place; in particular, the Management Board appoints the relevant committees, ensures that internal regulations are issued serving to identify, measure, monitor and control the risks, and submits to the Supervisory Board periodic reports on the types of risk and size of the Bank's exposures;
- approving the system of limits adopted by the Bank for different types of risk and the level of general capital limits;
- ensuring compliance of the Bank's operations with the law and effectively managing compliance risk;
- introducing at the Bank an organisational structure adapted to the size and profile of the Bank's risk exposure and reflecting such division of responsibilities which ensures independence of the risk control function from the operating area responsible for the Bank's risk taking;
- transparency of the Bank's operations, making it possible to assess the Supervisory Board's and the Management Board's effectiveness in managing the Bank, monitoring its operational security and assessing its financial standing.
Decisions to implement new, or modify the existing products, including financial products (to the extent such decisions are not reserved for the Bank's Management Board), while ensuring their consistency with the Bank's strategy and defined business model, and prioritising the planned changes, have been entrusted to the Change Management Committee. All such decisions are preceded by a preparatory process as part of which material risks are identified, the product is included in the existing risk identification and measurement system, the internal limits are determined and the rules of accounting/reporting are set down.
The Bank's Management Board receives regular updates on the Bank's risk profile, the largest exposures and credit risk concentrations.
The Supervisory Board exercises supervision over the consistency of the Bank's risk-taking policy with its strategy and financial plan, by:
- approving the Bank's strategy together with prudent and stable management policies; in particular, the Supervisory Board approves the risk management strategy, including the objectives and key principles of the Bank's risk management;
- reviewing the Management Board's reports concerning the types and materiality of the risks to which the Bank is exposed, and in particular exercising supervision over the consistency of the Bank's risk-taking policy with its strategy and financial plan;
- appointing and removing from office members of the Bank's Management Board duly qualified to perform their functions;
- approving the division of responsibilities between members of the Management Board who coordinate and supervise the Bank's operations within their respective areas of responsibility, including the Bank's organisational structure – taking into account the size and profile of the Bank's risk exposures and ensuring independence of the risk control function from the operating area responsible for the Bank's risk taking;
- overseeing the management of compliance risk, approving the key assumptions of the Bank's policy in that area, and performing, at least annually, an assessment of the effectiveness of compliance risk management.
The risk management strategy and system in place at the Bank are subject to regular reviews and necessary updates to ensure that they remain adequate given the scale and complexity of the Bank's operations.