46.6. Operational risk
Operational risk is defined as the risk of losses resulting from inadequacy or failure of internal processes, people, systems or external events. It includes legal risk, whereas strategic risk, business risk and reputation risk are separate risk categories.
Operational risk management is based on internal procedures that are consistent with legal requirements and with the resolutions, recommendations and guidelines of the supervisor. Operational risk management includes identification, assessment, monitoring, prevention and reporting.
Identification and assessment of operational risk is based on an analysis of internal factors and external factors that may have a significant impact on the achievement of the objectives of the Group. The main tools used in identifying and assessing operational risk are: internal operational events, external operational events, key risk indicators, scenario analysis and self-assessment of operational risk.
Monitoring activities are conducted on three levels of defence: risk management in the operational activity of the Bank (all employees), risk management control (Integrated Risk Management Department) and internal audit (Internal Audit Department). Prevention of operational risk includes the definition of operational risk limits and the obligation to initiate mitigation actions when they are exceeded, the system of internal control, business continuity plans and insurance coverage.
The operational risk reporting system enables the assessment of the Group’s exposure to operational risk and the effective management of this risk, and also plays a fundamental role in the process of informing the Supervisory Board, the Management Board and executives of the Group’s exposure to operational risk. It is based in particular on the quarterly reports on operational risk control, which include, among other things: the profile of operational risk, loss limit utilization, analysis of trends in the relevant categories of operational risk, potential losses, information on key indicators of operational risk and the operational risk capital requirement.
The Supervisory Board and the Management Board, supported respectively by the Supervisory Board Risk Committee and the Operational Risk Committee, are involved in operational risk management. The Integrated Risk Management Department coordinates the process of operational risk management. All employees of the Group and selected specialized units are responsible for operational risk management in their areas, because of the diversified character of this risk, which requires professional knowledge.
To ensure that the operational risk management system complies with regulatory requirements, the system is verified at least once a year.