Major sources of risk and threats

Effective risk management is a prerequisite for maintaining a high level of security of the funds entrusted to the Group, and for achieving a sustainable and balanced profit growth within the Group’s risk appetite.

The key risks material for the Group include credit risk, liquidity, market risks and operational risk. Moreover, the Group identifies the following risks as material in its business activity: business, reputation, compliance, excessive leverage, bancassurance and model risks.

The Group also identifies ESG risk defined as risk of losses arising from environmental, social and governance factors The Group has adopted a comprehensive and consolidated approach to risk management. It extends to all units of the Bank and subsidiaries. Risks are monitored and managed taking into account business profitability and the capital required to cover the losses resulting from these risks.

The Management Board of the Bank is responsible for achieving the strategic risk management goals. The Management Board designs, implements and ensures the operation of the risk management system which covers all material risks. The Management Board develops the risk management strategy and defines the Group’s risk appetite. The Supervisory Board, supported by the Risk Committee and Audit Committee, oversees whether the Group’s policy of taking various risks is compliant with the overall strategy and financial plan. The Supervisory Board approves the risk management strategy and risk appetite of the Group and evaluates the adequacy and efficiency of the risk management system. The Credit Committee and Credit Risk Committee play an important role in the credit risk management, the Asset, Liability and Risk Committee and Liquidity and Market Risk Committee in market and liquidity risk management, the Operational Risk Committee and Bank Security Committee in the management of the operational risk and the Model Risk Committee in model risk management.

The rules of managing each of the risks are defined by internal procedures and the guidelines set up by the credit risk strategy and policy, financial risk strategy and investment and market risk policy and the operational risk management strategy and policy approved annually by the Management Board (policies) and by the Supervisory Board (strategies).

Detailed reports on credit, liquidity, market, operational and model risks are presented to the Management Board and the Supervisory Board on a regular basis.

The rules and instruments of managing each of the risks and information on the risk exposure are included in Note 46 to the Consolidated Financial Statements of Bank Pekao S.A. for the period ended on 31 December, 2022 and in the document “Information in respect to capital adequacy of Bank Pekao S.A Group as at 31 December 2022” published on the Bank’s website.

The objective of proper operational risk management is to maintain the operational risk the Group takes, on the level consistent with a specific risk appetite. Operational risk management is based on internal procedures that are consistent with the law requirements, resolutions, recommendations and guidelines of the supervisor and includes: identification, assessment, monitoring, preventing and reporting of operational risk.

The operational risk profile is determined mainly by two operational event categories, in which the highest exposure to operational risk is identified i.e. Clients, products and business practices and Execution, delivery and process management.

This is reflected in the table below, which presents the distribution of losses resulting from operational events by categories as defined by the Article 324 of Regulation (EU) No 575/2013 of the European Parliament and of the Council.

Managing credit risk and maintaining it at a safe level is vital for the Bank’s financial performance. In order to minimize credit risk, special procedures have been established, pertaining in particular to the rules of assessing obligor and transaction risk, collateralization of loan and lease receivables, credit decision powers and concentration risk management.

Prudent credit risk management at Bank Pekao S.A. is based on the Credit Risk Strategy and Credit Risk Policy, which take into account, among the others, measures reducing the potential threats coming from macroeconomic factors related to the armed conflict in Ukraine and the related disturbances in the supply of raw materials and their impact on the quality of the loan portfolio. The same approach is applied in the Bank’s subsidiaries.

Lending activities are subject to limits following both from the external regulations (CRR) and the Bank’s internal standards, including limits concerning exposure concentration ratios for individual sectors of the economy, limit on the share of large exposures in the Bank’s loan portfolio, portfolio limits and limits of exposures to countries, foreign banks and domestic financial institutions.

The credit decision powers, lending restrictions as well as internal and external prudential standards, pertain to loans and guarantees as well as derivative transactions and debt instruments. The quality of the loan portfolio is also protected by periodic reviews and ongoing monitoring of the timely servicing of loans and the financial standing of customers.

The Bank has continued to work on further rationalization of the credit process with an aim to obtaining better efficiency and security, including in particular enhancement of the procedures and tools for risk measurement and monitoring.

According to the applicable regulations the total exposure of the Bank to the risks associated with the single borrower or a group of borrowers in which entities are related by capital or management may not exceed 25% of a bank’s Tier 1 capital. In 2023, the maximum exposure limits set forth in the external regulations were not exceeded.

In order to mitigate credit risk associated with excessive sector concentration the Bank sets up a system for shaping the sectoral structure of credit exposure. Every year within Credit Policy the Bank defines sector limits for particular sectors of economy. These limits are subject to ongoing monitoring. The system applies to credit exposure in particular types of business activity according to the classification based on the Polish Classification of Economic Activities (Polska Klasyfikacja Działalności – PKD).

The Bank supervises the risk related with subsidiaries. In particular an assessment on size and profile of risk related with their activities is performed. Risk management processes are consistent throughout the Group and adapted to the complexity of the risk profile of individual entities, in accordance with the principle of proportionality.

Compliance risk is the risk resulting from breaching laws, internal regulations and market standards in the processes functioning within the Bank. Compliance risk can lead to criminal or administrative sanctions, material financial losses, diminished reputation, reduced brand value, reduced development potential and inability to perform contracts, as well as limitation or loss of the ability to conduct business activities.

There is a separate unit for compliance matters functioning within the Bank, the Compliance Department, organisationally and operationally independent and subordinated directly to the President of the Management Board. Compliance Department is the key element of ensuring compliance within the Bank.

The Bank ensures compliance through application of suitable control mechanisms and compliance risk management process coordinated by the Compliance Department. Within the control function, the Compliance Department designs and supervises the implementation of control mechanisms with the aim to ensure compliance with law, internal regulations and market standards. The Compliance Department autonomously applies some of such control mechanism and performs independent monitoring of their compliance by other organizational units of the Bank, as well as reports the results of this monitoring. The compliance risk management process includes the following stages: identification, assessment, control, monitoring and reporting of the compliance risk level.

As part of compliance with laws, internal regulations and market standards each employee of the Bank is obliged to apply appropriate control mechanisms and to perform independent monitoring of adherence to control mechanisms, within the scope of duties assigned to him/her.