Risk management

Effective risk management is a prerequisite for maintaining a high level of security of the funds entrusted to the Group, and for achieving a sustainable and balanced profit growth within the risk appetite assumed by the Group.

The key risks material for the Group include credit risk, liquidity, market risks and operational risk. Moreover, the Group identifies the following risks as material in its business activity: business, macroeconomic, reputation, compliance, excessive leverage, bancassurance, real estate, financial investment, and model risks. The Group also identifies environmental, social and governance risk (ESG risk) currently considered insignificant in its operations. The Group will develop its own ESG risk methodology following the publication of regulatory quidelines.

The Management Board of the Bank is responsible for achieving the strategic risk management goals, while the Supervisory Board, supported by the Risk Committee, oversees whether the Group’s policy of taking various risks is compliant with the overall strategy and financial plan. The Credit Committee plays an important role in the credit risk management, the Asset, Liability and Risk Committee and Liquidity and Market Risk Committee in market and liquidity risk management, the Operational Risk Committee in the management of the operational risk and the Model Risk Committee in model risk management.

The rules of managing each of the risks are defined by internal procedures and the guidelines set up by the credit risk policy, investment and market risk policy and the operational risk strategy and policy accepted annually by the Management Board and approved by the Supervisory Board. Detailed reports on credit, liquidity, market, operational and model risks are presented to the Management Board and the Supervisory Board on a regular basis.

The rules and instruments of managing each of the risks and information on the risk exposure are included in Note 6 to the Consolidated Financial Statements of Bank Pekao S.A. for the period ended on December 31, 2021 and in the document “Information in respect to capital adequacy of Bank Pekao S.A Group as at 31 December 202”1” published on the Bank’s website.

The objective of proper operational risk management is to maintain the operational risk the Group takes, on the level consistent with a specific risk appetite. Operational risk management is based on internal procedures that are consistent with the law requirements, resolutions, recommendations and guidelines of the supervisor and includes: identification, assessment, monitoring, preventing and reporting of operational risk.

The operational risk profile is determined mainly by two operational event categories, in which the highest exposure to operational risk is identified i.e. Clients, products and business practices and Execution, delivery and process management.

This is reflected in the table below, which presents the distribution of losses resulting from operational events by categories as defined by the Article 324 of Regulation (EU) No 575/2013 of the European Parliament and of the Council. In connection with the acquisition of the part of Idea Bank, the operational risk profile has not changed. According to the Decision of the Bank Guarantee Fund (BFG) the part of the Idea Bank business with higher exposure to operational risk was not acquired by Bank Pekao.

The Group executes mitigation actions for all of the operational event categories, with particular emphasis on categories of the highest relevance.

Bank executes mitigation actions for all of the operational event categories, with particular emphasis on categories of the highest relevance.

Managing credit risk and maintaining it at a safe level is vital for the Bank’s financial performance. In order to minimize credit risk, special procedures have been established, pertaining in particular to the rules of assessing obligor and transaction risk, collateralization of loan and lease receivables, credit decision powers and concentration risk management.

Prudent credit risk management at Bank Pekao S.A. is based on the Credit Risk Policy, which takes into account, among the others, measures reducing the potential threats coming from macroeconomic factors related to the ongoing COVID-19 pandemic and their impact on the quality of the loan portfolio. The same approach is applied in the Bank’s subsidiaries.

Lending activities are subject to limits following both from the external regulations (CRR) and the Bank’s internal standards, including limits concerning exposure concentration ratios for individual sectors of the economy, limit on the share of large exposures in the Bank’s loan portfolio, portfolio limits and limits of exposures to countries, foreign banks and domestic financial institutions.

The credit decision powers, lending restrictions as well as internal and external prudential standards, pertain to loans and guarantees as well as derivative transactions and debt instruments. The quality of the loan portfolio is also protected by periodic reviews and ongoing monitoring of the timely servicing of loans and the financial standing of customers.

Internal limits, lending restrictions and the calculation of allowances take into account the risks arising from the COVID-19 pandemic.

The Bank has continued to work on further rationalization of the credit process with an aim to obtaining better efficiency and security, including in particular enhancement of the procedures and tools for risk measurement and monitoring.

According to the applicable regulations the total exposure of the Bank to the risks associated with the single borrower or a group of borrowers in which entities are related by capital or management may not exceed 25% of a bank’s Tier 1 capital. In 2021, the maximum exposure limits set forth in the external regulations were not exceeded.

In order to mitigate credit risk associated with excessive sector concentration the Bank sets up a system for shaping the sectoral structure of credit exposure. Every year within Credit Policy the Bank defines sector limits for particular sectors of economy. These limits are subject to ongoing monitoring. The system applies to credit exposure in particular types of business activity according to the classification based on the Polish Classification of Economic Activities (Polska Klasyfikacja Działalności – PKD).

Concentration limits are set based on the Bank’s current credit exposure and risk assessment of each sector. Periodic monitoring of the Bank’s exposure allows for ongoing identification of the sectors in which the concentration of exposure may be too excessive. In such cases, an analysis of the economic situation of the sector is performed including both the current and forecast trends and an assessment of quality of the current exposure to that sector. These measures enable the Bank to formulate the activities to reduce sector concentration risk and ongoing adaptation of the Bank’s Credit Policy to a changing environment.

The Bank supervises the risk related with subsidiaries. In particular an assessment on size and profile of risk related with their activities is performed. Risk management processes are consistent throughout the Group and adapted to the complexity of the risk profile of individual entities, in accordance with the principle of proportionality.

Compliance risk is the risk resulting from breaching laws, internal regulations and market standards in the processes functioning within the Bank. Compliance risk can lead to criminal or administrative sanctions, material financial losses, diminished reputation, reduced brand value, reduced development potential and inability to perform contracts, as well as reduction or loss of business opportunities.

There is a separate unit for compliance matters functioning within the Bank, the Compliance Department, organisationally and operationally independent and subordinated directly to the President of the Management Board. Compliance Department is the key element of ensuring compliance within the Bank.

The Bank ensures compliance through application of suitable control mechanisms and compliance risk management process coordinated by the Compliance Department. Within the control function, the Compliance Department designsand supervises the implementation of control mechanisms with the aim to ensure compliance with law, internal regulations and market standards. The Compliance Department autonomously applies some of such control mechanism and performs independent monitoring of their compliance by other organizational units of the Bank, as well as reports the results of this monitoring. The compliance risk management process includes the following stages: identification, assessment, control, monitoring and reporting of the compliance risk level.

Within the control function, the Compliance Department ensures compliance, in particular through:

As part of compliance with laws, internal regulations and market standards each employee of the Bank applies appropriate control mechanisms and performs independent monitoring of adherence to control mechanisms, within the scope of duties assigned to him/her.

Assumptions of compliance risk management process were defined in Bank Pekao S.A. Compliance Policy developed by the Management Board and approved by the Supervisory Board and the Compliance Department Regulation There are following key elements supporting compliance risk management process:

The reports on performance of tasks by Compliance Department together with the level of assessed compliance risk are presented to the Management Board and Supervisory Board. The oversight of compliance risk related to the activities of subsidiaries is performed in the Bank.

The reports on performance of tasks by Compliance Department together with the level of assessed compliance risk are presented to the Management Board and Supervisory Board. The oversight of compliance risk related to the activities of subsidiaries is performed in the Bank.