The Bank’s Management Board approves the rules for categorizing irregularities, establishes the criteria for evaluating the effectiveness of the Internal Control System, and determines the actions to be taken to rectify irregularities detected by the Internal Control System, including certain corrective and disciplinary (including punitive) measures. In addition, the Bank’s Management Board ensures the functioning of the Internal Control System in the Bank’s subsidiaries.
Governance
Control and repair mechanisms
The Bank’s Management Board is responsible for designing, implementing and ensuring the operation of an independent, adequate and effective Internal Control System in all of the Bank’s business units and organizational units, which includes the Control function, the Compliance Department and the Internal Audit Department.
The Bank’s Management Board, when taking Internal Control actions, takes into account:
- the degree of complexity of the processes in place at the Bank and its subsidiaries;
- the resources available to the Bank;
- the risk of irregularities in individual processes, including, in particular, significant processes;
- an assessment of the adequacy and effectiveness of all lines of defense to date.
Control mechanisms are designed in all processes in place at the Bank.
The organizational cell responsible for a given process designs appropriate controls to mitigate the risk of failure to achieve the objectives of the Internal Control System in its process.
When designing control mechanisms, consideration is given to:
- changes in the market and regulatory environment,
- adequacy of a given type of control mechanism with respect to particular processes,
- the effectiveness of a particular type of control mechanism in the past,
- the ability to independently monitor a given control mechanism.
Control mechanisms are applied across all lines of defense and across all processes in the Bank for the purpose of:
- prevention – by preventing irregularities,
- detection – by detecting irregularities,
- adjustment – by correcting irregularities.
Significant or critical irregularities detected in the first line of defense should be immediately reported to the Compliance Department, the Bank’s Security Department and the Internal Audit Department. It is the responsibility of the head of the cell or organizational unit that identified the irregularity to promptly report the above information. The Compliance Department, in consultation with the Internal Audit Department, may change the scope or category of irregularities, in particular based on the aggregation of data from different cells or organizational units.
The Compliance Department immediately forwards information on detected irregularities to the relevant organizational unit of the second line of defense responsible for independent monitoring of the process under which the significant or critical irregularity occurred.
The Director of the Internal Audit Department decides to immediately inform the Bank’s Management Board and Supervisory Board of critical irregularities detected within the first line of defense.
Significant or critical irregularities detected in the second line of defense should be immediately reported to the Compliance Department and the Internal Audit Department. It is the responsibility of the head of the second line of defense unit that identified the irregularity to promptly report the above information. In addition, critical irregularities should be reported by the second line of defense unit that identified the irregularity to the Bank’s Management Board and the Audit Committee of the Supervisory Board.
Critical irregularities detected as part of the third line of defense should be immediately reported for information to the Compliance Department, the Bank’s Management Board and the Audit Committee. Significant irregularities detected as part of the third line of defense should be reported to the Compliance Department for information.
The Bank’s Compliance Policy sets forth the principles for managing compliance risk. In accordance with these principles, Internal Control System activities are carried out, including monitoring and testing. These activities identify irregularities, for which an action plan is also established. Information on the number and severity of identified irregularities is conveyed to the Bank’s Management Board as part of the Compliance Department’s cyclical reporting.