Risks - Annual Report PKO BP 2023

Principles of risk management:

Risk management is one of the key internal processes, both in PKO Bank Polski SA, and in other entities of the PKO Bank Polski SA Group. Risk management is aimed at ensuring the profitability of business activities while ensuring control over the risk level and maintaining it within the system of limits and risk tolerance limits adopted by the Bank and the Group in the changing macroeconomic and legal environment.

The primary objective is to ensure adequate management of all types of risk related to its business. As part of the risk management system, the Bank’s Group identifies, measures and assesses, controls, forecasts, monitors and reports risk, and performs management actions.

The process of risk management in the Bank’s Group consists of the following stages:

Risk identification

Risk identification consists of recognizing the existing and potential sources of risk and estimating the significance of its potential impact on the Bank’s and the Bank Group’s financial situation. As part of risk identification, the Bank and the Bank’s Group entities identify the risks considered to be material in the Bank’s or the Group’s operations.

Risk measurement and assessment

Risk measurement and assessment are aimed at determining the scale of threats connected with the risks arising. Risk measurement covers determining the risk assessment measures adequate to the type and significance of the risk, and data availability. Quantitative and qualitative risk measurement results are the basis for the risk assessment aimed at identifying the scale or scope of risk.

As part of risk measurement, the Bank’s Group carries out:

specific stress tests which are conducted separately for individual risk types and are used to assess sensitivity of a given risk to unfavourable market conditions,
comprehensive stress tests conducted jointly for the concentration risk and risks regarded as material, used to determine sensitivity of the capital adequacy measures and Bank’s results to the occurrence of a negative scenario of changes in the environment and the functioning of the Bank’s Group

The stress-tests are conducted by the Bank’s Group based on assumptions which ensure a sound assessment of the risk, in particular taking into account the recommendations of the Polish Financial Supervision Authority.

Risk control

Risk control involves the determination of risk control mechanisms adjusted to the scale and complexity of the Group’s activities, especially in the form of strategic tolerance limits for the individual types of risk. Strategic risk tolerance limits are subject to regular monitoring, and if they are exceeded, the Bank’s Group takes management actions.

Risk forecasting and monitoring

Risk forecasting involves foreseeing future risk levels, taking into account the assumed business development projections, and internal and external events. Risk level forecasts are assessed by the Bank and the Bank’s Group (so-called “reverse stress tests”) in order to verify their accuracy.

Risk monitoring involves observing deviations from the forecasts or the adopted benchmarks (e.g. limits, thresholds, plans, prior period measurements, recommendations and instructions issued by external supervisory and regulatory authority). Risk monitoring and forecasting frequency is adequate to the materiality and variability of specific risks.

Risk reporting

Risk reporting includes informing about the results of the risk identification, measurement, assessment and forecasting, causes of changes in the risks, actions taken and recommended. The scope, frequency and form of the reporting are adjusted by the Bank to the managerial level of the recipients. If potential liquidity problems arise, the Supervisory Board is immediately informed about significant changes in the risk level, and in particular, about threats and remedial actions taken, and of their impact on the Bank’s liquidity level.

Management actions

Management actions consist of determining the desired risk level favourable for building the structure of assets and liabilities. Management actions may result, in particular, in:

acceptance of the risk – determining the acceptable risk level, taking into account business needs and developing management actions in the event that the level is exceeded;
reduction of the risk – mitigation of the impact of the risk factors or effects of its materialization (e.g. by reducing or diversifying the risk exposure, determining limits, utilizing collaterals);
transfer of the risk – transferring responsibility for covering potential losses (e.g. by transferring the risk to another entity with the use of legal instruments, such as insurance contracts, security services agreements for a building, accepting guarantees);
risk avoidance – resignation from the risk-generating activity or elimination of the probability of materialization of the risk factor, including in particular determination of zero tolerance to risk.

The Bank supervises the functioning of individual entities in the Bank’s Group. The Bank monitors their risk management systems and supports their development. In addition, the Bank takes into account the level of risk in particular Group companies for the purpose of the risk monitoring and reporting system at the Bank’s Group level. Risk management in the Bank takes place in all of the organizational units of the Bank.

Organizational structure of banking risk management:

The Supervisory Board supervises and evaluates the risk management process, in particular, on the basis of regular reports on the risk, taking into account the adequacy and effectiveness of the risk management system and information about the implementation of the risk management strategy, also the level of limits which limit the risk and conclusion from stress tests, and if necessary, orders the verification of the process.

The Supervisory Board is supported by the following committees: the Nominations and Remuneration Committee, the Risk Committee and the Audit Committee.

In respect of risk management, the Management Board the Bank is responsible for strategic risk management, including supervising and monitoring actions taken by the Bank in respect of risk management. The Management Board makes major decisions affecting the risk profile of the Bank and adopts internal regulations concerning risk management. It ensures operation of the risk management system, monitors and assesses its functioning, and transfers the respective information to the Supervisory Board.

In its risk management activities, the Management Board is supported by the following committees:

the Risk Committee;
Asset and Liability Management Committee (KZAP);
Bank’s Credit Committee (KKB);
Operational Risk Committee (KRO);
Sustainable Development Committee (KZR).

Risk management at the Bank’s Group is based, in particular, on the following principles:

the Bank’s Group manages all identified types of risk;
the risk management process is appropriate from the perspective of the scale of operations and materiality, scale and complexity of a given risk, and adjusted on an on-going basis to take account of the new risks and their sources;
risk management methods (especially models and their assumptions) and risk management measurement or assessment systems are tailored to the scale and complexity of individual risks, the current and planned operations of the Bank’s Group and its operating environment, and are periodically verified and validated;

organisational independence of the risk management area from business operations is maintained,
risk management is integrated into the planning and controlling systems;
the level of risk is monitored and controlled on an on-going basis;
the risk management process supports the implementation of the Bank’s strategy in compliance with the Risk Management Strategy, in particular with respect to the level of risk tolerance.

The Bank assesses the materiality of all the identified risks on a regular basis, at least annually. Some of them have a material impact on the profitability and capital necessary to cover the exposure. Internal capital is assessed for risks that are regarded as material. All risks classified as material for PKO Bank Polski S.A. are also material for the Bank’s Group.

In 2023, the catalogue of risk types regarded as material was not extended.

Below is a list of all risks regarded as material in the Bank;

Credit risk – the risk of incurring losses due to the Customer’s default in payments to the Bank’s Group or as a risk of a decrease in the economic value of amounts due to the Bank’s Group when the Customer’s ability to repay amounts due to the Bank deteriorates;
Currency risk – the risk of incurring losses in connection with exchange rate fluctuations. The risk is generated by maintaining open positions in various foreign currencies;
Interest rate risk – the risk of incurring losses on the Bank’s Group’s statement of financial position and offbalance sheet items sensitive to interest rate changes, in connection with changes in interest rates on the market;
Liquidity risk – the risk of the inability to regularly settle liabilities due to a lack of liquid assets; liquidity risk comprises financing risk;
Operational risk – the risk of losses being incurred due to the failure or unreliability of the internal processes, people and systems or due to external events. Operational risk excludes reputation and business risks, and includes legal and cyber security risks;
- Legal risk – the risk of losses being incurred due to a lack of knowledge and understanding, failure to comply with legal norms and accounting standards, inability to enforce contractual provisions, unfavourable interpretations or rulings issued by courts or public administration bodies,
- Cyber security risk – the degree of exposure to potential negative cyber security risk factors related to telecommunication technologies which may lead to a financial loss for the organization by violating the availability, integrity, confidentiality or accountability of the information processed in the Bank’s IT system resources (SIB);
Risk of foreign currency mortgage loans for households – the risk of incurring losses due to the customer’s default in payments to the Bank related to a foreign currency mortgage loan;
Business (strategic) risk – the risk of failing to achieve the assumed financial targets, including incurring losses, which results from adverse changes in the business environment, making bad decisions, incorrectly implementing the decisions made, or not taking appropriate actions in response to changes in the business environment;
Macroeconomic risk – the risk of deterioration in the Bank’s Group financial situation as a result of an adverse change in macroeconomic conditions; macroeconomic risk includes geopolitical risk, understood as the macroeconomic effects taking into account the negative effects of the geopolitical environment on the economy and financial markets;
Model risk – the risk of incurring losses resulting from incorrect business decisions made based on the models in place.

The Bank pursues the ESG risk integration plan with the risk management system. The Bank manages ESG risk as part of its management of other risks as – ESG risk is not a separate risk but a cross-cutting risk affecting individual risks, in particular credit risk.

ESG risk was defined by the Bank as the risk of negative financial consequences for the Bank of the current or future impact of ESG risk factors on customers and counterparties or the Bank’s statement of financial position items.

Significant activities of the PKO Bank Polski S.A. Group in 2023

In the Bank’s Group (Polish entities), the Bank applied guidelines for the financing of and providing banking services to:

customers conducting business whose business model is based on the benefits of active operation in the markets of Russia and Belarus or through significant links (e.g. economic, personal),
customers on whom sanctions have been or can be imposed in connection with Russia’s war in Ukraine

PKO Bank Polski S.A. has been monitoring the situation of its customers on an ongoing basis and adjusting its credit policy with a view to securing a good quality loan portfolio. As part of the measurement of credit exposures, the Bank specifically took into account information on customers’ economic ties with counterparties in Ukraine, Belarus and Russia. The Bank Group recognized an allowance for its portfolio of loans granted in Ukraine

In terms of interest rate risk, the series of interest rate cuts initiated in the third quarter of 2023 reduced the reference rate to 5.75% at the end of 2023, which translated into an increase in valuations in the portfolio of debt instruments and derivatives that hedge the volatility of interest income. At the same time, the customers’ interest in mortgage loans temporarily based on fixed interest rates, in particular the „Safe 2% Loan”, continues, affecting the interest income sensitivity measures of the Bank.

The Bank’s Group has maintained a safe level of liquidity, allowing for a quick and effective response to potential threats. Supervisory and internal measures of liquidity risk were maintained significantly above accepted warning thresholds. In 2023, the PKO Bank Polski S.A. structured its sources of funding accordingly by adjusting its deposit offering (in particular deposit interest rates) to meet current needs, while at the same time renewing long-term securities and covered bonds issued maturing in 2023 in the amount of approximately PLN 4.5 billion (including EUR 0.75 billion and PLN 1.25 billion).

KREDOBANK S.A.’s liquidity, despite the ongoing conflict in Ukraine, remained stable and secure; the company did not experience a decline in liquidity measures or significant deposit outflows; KREDOBANK S.A. is classified by the NBU as a systemic bank of Ukraine.

At the same time, in connection with the war in Ukraine, the Bank has had a Support Group, chaired by the Head of Crisis Staff, in place since 2022 to, among other things, prevent the disruption of the Bank’s critical processes, exchange information within the Bank’s Group and coordinate the aid provided. The Bank takes actions to mitigate the threats associated with the war in Ukraine on an ongoing basis, in particular with respect to ensuring access to the Bank’s systems and cyber security.

A detailed description of material risks management principles, including risk mitigation techniques, protection measures taken and hedge accounting policies is provided in the Bank Group’s financial statements for 2023 (in the part describing risk management and in Note 33 “Hedge accounting and other derivative instruments”), and in the Capital Adequacy Report and other information reportable by the PKO Bank Polski S.A. Group as at 31 December 2023.

Characteristics of the lending policy of the PKO Bank Polski S.A.

The credit policy of the Bank and the Bank’s Group consists of a set of principles and guidelines contained in credit regulations and procedures, which together form the credit risk management process.

The Bank’s credit risk management takes into account external factors, including compliance with external regulations and recommendations of the supervision and inspection authority, as well as internal factors, including in particular the level of strategic limits and credit risk parameters.

The priority of the risk management activities is the balanced relation of risk and the assumed profitability level, within the specified risk appetite limits. Comprehensive risk measurement is ensured by using a wide range of qualitative and quantitative methods, which are supported by appropriate IT systems and analytical tools.

The credit risk management model is adjusted to the current business activity and market conditions in the individual customer segments.

Credit risk assessment of exposures is separated from the sales function thanks to an appropriate organizational structure, independence in developing and validating tools supporting an assessment of credit risk and independence of decisions approving departures from the recommendations of these tools.

The financing terms offered to the customer depend on the assessment of credit risk level of the customer. The risk assessment takes into account the sector policies described in Chapter 13.7.6B.

In order to mitigate the level of credit risk resulting from interest rate increases and inflation, PKO Bank Polski S.A. and PKO Bank Hipoteczny S.A. introduced changes to the parameters used in the assessment of the creditworthiness of individual borrowers applying for housing loans (in accordance with Recommendation S and the position of the Office of the PFSA of 7 March 2022 communicated to banks). As part of these changes, the minimum value of the interest rate buffer was increased to 5 p.p., the minimum subsistence costs were increased (taking into account the inflation rate), and the maximum acceptable DStI (debt service to income) values were changed.

According to the rating of corporate customers, companies and enterprises, the Bank each time assesses and classifies the impact of environmental, social and corporate governance factors (ESG) on the customer’s creditworthiness and identifies leveraged credit transactions.

The Bank’s subsidiaries with a material level of credit risk manage credit risk individually. Their credit risk assessment and measurement methods are adapted to those applied at PKO Bank Polski S.A. They take into account the specific nature of the entity’s activities.