Major sources of risk and threats

Effective risk management is a prerequisite for maintaining a high level of security of the funds entrusted to the Group, and for achieving a sustainable and balanced profit growth within the Group’s risk appetite.

Key risks material for the Group include:

  • credit risk – the risk deriving from an unexpected change of the counterparty creditworthiness that might generate a change in the value of the counterparty’s credit exposure,
  • market risk – the risk of incurring losses on balance and off-balance sheet items due to changes in market prices; market risk includes interest rate risk and credit spread risk in the banking book, to which the financial result or economic value of the Bank’s equity is exposed due to interest rate changes or credit spread changes,
  • operational risk – the risk of loss resulting from inadequate or unreliable internal processes, human resources and systems or from external events,
  • liquidity risk – the risk that the Bank may be unable to meet its payment obligations (by cash or delivery), whether expected or unexpected, without jeopardizing its day-to-day operations or its financial condition,
  • excessive leverage risk – the risk of excessive increase in credit exposures in relation to the Bank’s own funds (Tier 1),
  • compliance risk – the risk of legal or regulatory sanctions, financial losses or reputation damage to which the Bank is exposed as a result of non-compliance with the law, regulators’ recommendations or standards of conduct adopted by the Bank and applicable to its activities,
  • reputation risk – current or prospective risk to earnings and capital arising from adverse perception of the image of the financial institution on the part of customers, counterparties, shareholders, investors, regulators,
  • business risk – the risk of adverse, unexpected changes in business volume or margins that are not caused by credit, market or operational risks. An element of business risk is the risk of changes in macroeconomic conditions defined as the risk of changes in the macroeconomic environment that may affect future capital requirements or the level of available financial resources, and strategic risk, i.e. the risk of incurring losses due to the lack or faulty implementation of the adopted strategy or lack of responsiveness to changes in the business environment, e.g. a change of the trend in the economic cycle,
  • model risk – the risk of loss resulting from decisions that are essentially based on the output of models, due to errors in the design, development, parameter estimation, implementation, use or monitoring of such models,
  • bancassurance risk – the risk resulting from the activity of offering insurance products,
  • ESG risk (Environmental, Social, Governance) – the risk of any negative financial impact on the Bank arising from current or prospective impacts of environmental, social or governance factors on the Bank’s counterparties or assets invested by the Bank,
  • ICT risk (Information and Communication Technology Risk) – the risk of loss related to reasonably identifiable circumstances in relation to the use of network and information systems which, if materialized, could jeopardize the security of the network and information systems, any technology-dependent tools or processes, operations and processes, or the provision of services, by producing adverse effects in the digital or physical environment.

For all risks deemed material, the Bank has in place a risk management process that includes the following stages: identification of threats as part of operational risk management, risk measurement or estimation and assessment, determination of economic capital, control, including risk mitigation, monitoring and reporting.

The Group has adopted a comprehensive and consolidated approach to risk management. It extends to all units of the Bank and subsidiaries. The risks are monitored and managed taking into account business profitability and the capital required to cover the losses resulting from these risks.

The risk management system, ensuing directly from the adopted risk management strategy, is based on the concept of shared responsibility and organised on three independent levels:

  • First level, which covers risk management in the Bank’s operational activities,
  • Second level, which comprises risk management by employees employed in positions or organizational units related to risk management and independent activities of the Compliance Department,
  • Third level, which is the activity of the Internal Audit Department, regularly and independently assessing the risk management system and internal control system.

The Management Board of the Bank is responsible for achieving the strategic risk management goals. The Management Board designs, implements and ensures the operation of the risk management system which covers all material risks. The Management Board develops the risk management strategy and defines the Group’s risk appetite. The Supervisory Board of the Bank, supported by the Risk Committee and Audit Committee, oversees whether the Group’s policies of taking various risks is compliant with the overall strategy and financial plan. The Supervisory Board of the Bank approves the risk management strategy and risk appetite of the Group and evaluates the adequacy and efficiency of the risk management system. The Credit Committee and Credit Risk Committee (supported by the Retail Client Risk Committee and Corporate Client Risk Committee) play an important role in the credit risk management, the Asset, Liability and Risk Committee and Liquidity and Market Risk Committee in market and liquidity risk management, the Operational Risk Committee and Bank Security Committee in the management of the operational risk and the Model Risk Committee in model risk management.

The rules of managing each of the risks are defined in the guidelines set up by the credit risk strategy and policy, financial risk and investment activity strategy and investment and market risk policy and the operational risk management strategy and policy approved annually by the Management Board (policies) and by the Supervisory Board of the Bank (strategies) as well as in internal procedures.

Detailed reports on credit, liquidity, market, operational and model risks are presented to the Management Board and the Supervisory Board of the Bank on a regular basis.

The rules and instruments of managing each of the risks and information on the risk exposure are included in Note 45 to the Consolidated Financial Statements of Bank Pekao S.A. for the period ended on 31 December, 2025 and in the document “Information in respect to capital adequacy of Bank Pekao S.A Group as at 31 December 2025” published on the Bank’s website.

Operational risk

The objective of proper operational risk management is to maintain the operational risk the Group takes, on the level consistent with a specific risk appetite. Operational risk management is based on internal procedures that are consistent with the law requirements, resolutions, recommendations and guidelines of the supervisor and includes: identification, assessment, monitoring, preventing and reporting of operational risk.

The operational risk profile is determined mainly by two operational event categories, in which the highest exposure to operational risk is identified i.e. Clients, products and business practices and External frauds.

This is reflected in the table below, which presents the distribution of losses resulting from operational events by categories as defined by the Article 324 of Regulation (EU) No 575/2013 of the European Parliament and of the Council.

The Group executes mitigation actions for all of the operational event categories, with particular emphasis on categories of the highest relevance.

OPERATIONAL EVENTS BY CATEGORIES 2025 2024
Internal frauds 0.00% 0.00%
External frauds 4.25% 3.22%
Employment practices and workplace safety 0.14% 0.14%
Clients, products and business practices 91.82% 95.65%
Damages to physical assets 0.15% 0.23%
Business disruption and system failures 0.03% 0.63%
Execution, delivery and process management 3.61% 0.13%
Total 100.00% 100.00%

Bank executes mitigation actions for all of the operational event categories, with particular emphasis on categories of the highest relevance.

OPERATIONAL EVENTS BY CATEGORIES 2025 2024
Internal frauds 0.00% 0.00%
External frauds 4.37% 3.64%
Employment practices and workplace safety 0.14% 0.15%
Clients, products and business practices 91.67% 95.21%
Damages to physical assets 0.15% 0.26%
Business disruption and system failures 0.03% 0.71%
Execution, delivery and process management 3.64% 0.03%
Total 100.00% 100.00%

Credit risk

Managing credit risk and maintaining it at a safe level is vital for the Bank’s financial performance. In order to minimize credit risk, special procedures have been established, pertaining in particular to the rules of assessing obligor and transaction risk, collateralization of loan and lease receivables, credit decision powers and concentration risk management..

Prudent credit risk management at Bank Pekao S.A. is based on the Credit Risk Strategy and Credit Risk Policy, which take into account, among the others, measures reducing the potential threats coming from macroeconomic factors related to the armed conflict in Ukraine and the related disturbances in the supply of raw materials and their impact on the quality of the loan portfolio. The same approach is applied in the Bank’s subsidiaries.

Lending activities are subject to limits following both from the external regulations (CRR) and the Bank’s internal standards, including limits concerning exposure concentration ratios for individual sectors of the economy, limit on the share of large exposures in the Bank’s loan portfolio, portfolio limits and limits of exposures to countries, foreign banks and domestic financial institutions.

The credit decision powers, lending restrictions as well as internal and external prudential standards, pertain to loans and guarantees as well as derivative transactions and debt instruments. The quality of the loan portfolio is also protected by periodic reviews and ongoing monitoring of the timely servicing of loans and the financial standing of customers.

The Bank has continued to work on further rationalization of the credit process with an aim to obtaining better efficiency and security, including in particular enhancement of the procedures and tools for risk measurement and monitoring.

Credit risk concentration limits

According to the applicable regulations the total exposure of the Bank to the risks associated with a client or a group of connected clients may not exceed 25% of a bank’s Tier 1 capital. In 2025, the limits of large exposures were not exceeded.

Sector concentration

In order to mitigate credit risk associated with excessive sector concentration the Bank sets up a system for shaping the sectoral structure of credit exposure. Every year within Credit Risk Policy the Bank defines sector limits for particular sectors of economy. These limits are subject to ongoing monitoring. The system applies to credit exposure in particular types of business activity according to the classification based on the Polish Classification of Economic Activities (Polska Klasyfikacja Działalności – PKD).

Concentration limits are set based on the Bank’s current credit exposure and risk assessment of each sector. Periodic monitoring of the Bank’s exposure allows for ongoing identification of the sectors in which the concentration of exposure may be too excessive. In such cases, an analysis of the economic situation of the sector is performed including both the current and forecast trends and an assessment of quality of the current exposure to that sector. These measures enable the Bank to formulate the activities to reduce sector concentration risk and ongoing adaptation of the Bank’s Credit Risk Policy to a changing environment.

The Group’s risk management process

The Bank supervises the risk related with subsidiaries. In particular an assessment on size and profile of risk related with their activities is performed. Risk management processes are consistent throughout the Group and adapted to the complexity of the risk profile of individual entities, in accordance with the principle of proportionality

Compliance risk is the risk resulting from breaching laws, internal regulations and market standards in the processes functioning within the Bank. Compliance risk can lead to criminal or administrative sanctions, material financial losses, diminished reputation, reduced brand value, reduced development potential and inability to perform contracts, as well as limitation or loss of the ability to conduct business activities.

There is a separate unit for compliance matters functioning within the Bank, the Compliance Department, organisationally and operationally independent and subordinated directly to the President of the Management Board. Compliance Department is the key element of ensuring compliance within the Bank.

The Bank ensures compliance through application of suitable control mechanisms and compliance risk management process coordinated by the Compliance Department. Within the control function, the Compliance Department designs and supervises the implementation of control mechanisms with the aim to ensure compliance with law, internal regulations and market standards. The Compliance Department autonomously applies some of such control mechanism and performs independent monitoring of their compliance by other organizational units of the Bank, as well as reports the results of this monitoring. The compliance risk management process includes the following stages: identification, assessment, control, monitoring and reporting of the compliance risk level.

Within the control function, the Compliance Department ensures compliance, in particular through:

  • current vertical verification on a continuous basis within risk-based approach on selected processes operating at the Bank (ex-ante activities)
  • vertical testing, including monitoring of adherence to selected on risk-based approach control mechanisms, performed in the case of completed activities within selected processes functioning at the Bank (ex-post activities), within the scope specified in the Regulations of functioning of the Compliance Department at Bank Pekao S.A.

As part of compliance with laws, internal regulations and market standards each employee of the Bank is obliged to apply appropriate control mechanisms and to perform independent monitoring of adherence to control mechanisms, within the scope of duties assigned to him/her.

The assumptions of the compliance risk management process were defined in developed by the Management Board and approved by the Supervisory Board, the Compliance Policy of Bank Pekao S.A. and Regulations of functioning of the Compliance Department at Bank Pekao S.A. There are following key elements supporting compliance risk management process:

  • supervision of the Supervisory Board and responsibility of the Management Board for the effective management of compliance risk and observance of the Compliance Policy of Bank Pekao S.A.,
  • responsibility of the Bank’s employees for ensuring compliance within the scope of their duties,
  • properly defined organizational structure, including appropriate location of the Compliance Department,
  • internal regulations on compliance matters,
  • training,
  • constant cooperation between the Compliance Department, and the Internal Audit Department and other internal control system units.

The reports on performance of tasks by Compliance Department together with the level of assessed compliance risk are presented to the Management Board and Supervisory Board. The oversight of compliance risk related to the activities of subsidiaries is performed in the Bank.

Implementation and application of the compliance risk management standards are key factors in creating the enterprise value, reinforcing and protecting the Bank’s reputation, and winning public trust in the Bank’s activities and its standing.

Previous page
Investing in human capital
Next page
Sponsorship and charity policy

Search results