Major sources of risk and threats

Effective risk management is a prerequisite for maintaining a high level of security of the funds entrusted to the Group, and for achieving a sustainable and balanced profit growth within the Group’s risk appetite.

The key risks material for the Group include credit risk, liquidity, market risks and operational risk. Moreover, the Group identifies the following risks as material in its business activity: business, macroeconomic, reputation, compliance, excessive leverage, bancassurance, real estate, financial investment, and model risks. The Group also identifies ESG risk defined as risk arising from environmental, social and governance factors that may have negative impact (directly or indirectly) on the Group. ESG risk is managed within the types of risk identified in the Group’s activity that are affected by ESG risk factors (mainly credit risk). The ESG Council supports the Management Board in decision making process concerning ESG issues.

The Group has adopted a comprehensive and consolidated approach to risk management. It extends to all units of the Bank and subsidiaries. Risks are monitored and managed taking into account business profitability and the capital required to cover the losses resulting from these risks.

The rules of managing each of the risks are defined by internal procedures and the guidelines set up by the credit risk policy, investment and market risk policy and the operational risk strategy and policy accepted annually by the Management Board and approved by the Supervisory Board.

Detailed reports on credit, liquidity, market, operational and model risks are presented to the Management Board and the Supervisory Board on a regular basis.

The rules and instruments of managing each of the risks and information on the risk exposure are included in Note 46 to the Consolidated Financial Statements of Bank Pekao S.A. for the period ended on 31 December, 2022 and in the document “Information in respect to capital adequacy of Bank Pekao S.A Group as at 31 December 2022” published on the Bank’s website.

The objective of proper operational risk management is to maintain the operational risk the Group takes, on the level consistent with a specific risk appetite. Operational risk management is based on internal procedures that are consistent with the law requirements, resolutions, recommendations and guidelines of the supervisor and includes: identification, assessment, monitoring, preventing and reporting of operational risk.

The operational risk profile is determined mainly by two operational event categories, in which the highest exposure to operational risk is identified i.e. Clients, products and business practices and Execution, delivery and process management.

This is reflected in the table below, which presents the distribution of losses resulting from operational events by categories as defined by the Article 324 of Regulation (EU) No 575/2013 of the European Parliament and of the Council. In connection with the acquisition of the part of Idea Bank, the operational risk profile has not changed. According to the Decision of the Bank Guarantee Fund (BFG) the part of the Idea Bank business with higher exposure to operational risk was not acquired by Bank Pekao.

Managing credit risk and maintaining it at a safe level is vital for the Bank’s financial performance. In order to minimize credit risk, special procedures have been established, pertaining in particular to the rules of assessing obligor and transaction risk, collateralization of loan and lease receivables, credit decision powers and concentration risk management .

Prudent credit risk management at Bank Pekao S.A. is based on the Credit Risk Policy, which takes into account, among the others, measures reducing the potential threats coming from macroeconomic factors related to the armed conflict in Ukraine and the related disturbances in the supply of raw materials and their impact on the quality of the loan portfolio. The same approach is applied in the Bank’s subsidiaries.

Lending activities are subject to limits following both from the external regulations (CRR) and the Bank’s internal standards, including limits concerning exposure concentration ratios for individual sectors of the economy, limit on the share of large exposures in the Bank’s loan portfolio, portfolio limits and limits of exposures to countries, foreign banks and domestic financial institutions.

The credit decision powers, lending restrictions as well as internal and external prudential standards, pertain to loans and guarantees as well as derivative transactions and debt instruments. The quality of the loan portfolio is also protected by periodic reviews and ongoing monitoring of the timely servicing of loans and the financial standing of customers.

Internal limits, lending restrictions and the calculation of allowances take into account the risks arising from the COVID-19 pandemic.

The Bank has continued to work on further rationalization of the credit process with an aim to obtaining better efficiency and security, including in particular enhancement of the procedures and tools for risk measurement and monitoring.

The Bank supervises the risk related with subsidiaries. In particular  an assessment  on size and profile of risk related with their activities is performed. Risk management processes are consistent throughout the Group and adapted to the complexity of the risk profile of individual entities, in accordance with the principle of proportionality.

Compliance risk is the risk resulting from breaching laws, internal regulations and market standards in the processes functioning within the Bank. Compliance risk can lead to criminal or administrative sanctions, material financial losses, diminished reputation, reduced brand value, reduced development potential and inability to perform contracts, as well as reduction or loss of business opportunities.

There is a separate unit for compliance matters functioning within the Bank, the Compliance Department, organisationally and operationally independent and subordinated directly to the President of the Management Board. Compliance Department is the key element of ensuring compliance within the Bank.

The Bank ensures compliance through application of suitable control mechanisms and compliance risk management process coordinated by the Compliance Department. Within the control function, the Compliance Department designsand supervises the implementation of control mechanisms with the aim to ensure compliance with law, internal regulations and market standards. The Compliance Department  autonomously applies some of such control mechanism and performs independent monitoring of their compliance by other organizational units of the Bank, as well as reports the results of this monitoring. The compliance risk management process includes the following stages: identification, assessment, control, monitoring and reporting of the compliance risk level.

As part of compliance with laws, internal regulations and market standards each employee of the Bank is obliged to apply appropriate control mechanisms and to perform independent monitoring of adherence to control mechanisms, within the scope of duties assigned to him/her.

Assumptions of compliance risk management process were defined in Bank Pekao S.A. Compliance Policy developed by the Management Board and approved by the Supervisory Board and the Compliance Department Regulation There are following

The reports on performance of tasks by Compliance Department together with the level of assessed compliance risk are presented to the Management Board and Supervisory Board. The oversight of compliance risk related to the activities of subsidiaries is performed in the Bank.

Implementation and application of the compliance risk management standards are key factors in creating the enterprise value, reinforcing and protecting the Bank’s reputation, and winning public trust in the Bank’s activities and its standing.