Major risks in the PZU Group
The major risks to which the PZU Group is exposed include the following: actuarial risk, market risk, credit risk, concentration risk, operational risk, model risk and compliance risk. The major risks associated with the operation of Alior Bank and Bank Pekao include the following risks: credit risk (including the risk of loan portfolio concentration), operational risk and market risk (involving interest rate risk, FX risk, commodity price risk and financial instrument price risk). The overall risk of the banking sector entities accounts for approximately 33% of the PZU Group’s total risk (Q3 2018), while the largest contribution is in credit risk.
This is the likelihood of a loss or an adverse change in the value of liabilities under the existing insurance contracts and insurance guarantee agreements, due to inadequate assumptions regarding premium pricing and creating technical provisions.
Risk identification commences with a proposal to start developing an insurance product, buying a financial instrument, modifying an operating process and also with the moment when some other event occurs that may potentially lead to the emergence of risk in a given entity and it is in play until the time when the related liabilities expire. The identification of actuarial risk is performed, among others, as follows:
Assessing actuarial risk entails recognizing the degree of the threat or the group of threats determining the possibility of a loss emerging and analyzing the elements of that risk in a manner enabling one to make a decision to accept that risk to be insured and for a given entity to incur liability. The purpose of underwriting is to assess the future loss ratio and curtail adverse selection. Assessing actuarial risk also involves measures to reinsure the largest risks posing the greatest threat.
The measurement of actuarial risk is performed in particular using:
Monitoring and controlling actuarial risk involves the regular analysis of the level of risk and determining the degree of utilization of the established borderline values of risk tolerance and the limits set forth in the Risk Management Strategy in the PZU Group.
Reporting aims to engage in effective communication regarding actuarial risk and supports management of actuarial risk at various decision-making levels from an employee to the supervisory board. The frequency of each report and the scope of information provided are tailored to the information needs of each decision-making level.
The management actions contemplated in the actuarial risk management process are performed in particular by doing the following:
Moreover, to mitigate the actuarial risk inherent in current operations the following actions in particular are undertaken:
This is the risk of a loss or an adverse change in the financial situation resulting, directly or indirectly, from fluctuations in the level and in the volatility of market prices of assets, credit spread, as well as value of liabilities and financial instruments.
The process of managing the credit spread risk and concentration risk has a different set of traits from the process of managing the other sub-categories of market risk and has been described in a subsequent section (Credit and concentration risk) along with the process for managing counterparty insolvency risk.
The market risk in the PZU Group originates from three major sources:
Numerous documents approved by supervisory boards, management boards and dedicated committees govern investment activity in the PZU Group entities.
Market risk identification involves recognizing the actual and potential sources of this risk. The process of identifying market risk associated with assets commences at the time of making a decision to start entering into transactions on a given type of financial instruments. Units that make a decision to start entering into transactions on a given type of financial instruments draw up a description of the instrument containing, in particular, a description of the risk factors. They convey this description to the unit responsible for risk that identifies and assesses market risk on that basis.
The process of identifying the market risk associated with insurance liabilities commences with the process of developing an insurance product and involves an identification of the interdependencies between the magnitude of that product’s financial flows and market risk factors. The identified market risks are subject to assessment using the criterion of materiality, i.e. does the materialization of risk entail a loss capable of affecting its financial condition.
Market risk is measured using the following risk measures:
In the case of banking entities suitable measures are employed in accordance with the regulations applicable to this sector and best market practices.
When measuring market risk, the following stages, in particular, are distinguished:
Monitoring and control of market risk involves an analysis of the level of risk and of the utilization of the designated limits.
Reporting involves communicating the level of market risk, the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.
Management actions in respect of market risk involve in particular:
The application of limits is the primary management tool to maintain a risk position within the acceptable level of risk tolerance. The structure of limits for the various categories of market risk and also for the various organizational units is established by dedicated committees in such a manner that the limits are consistent with risk tolerance. Banking sector entities are in this respect subject to additional requirements in the form of sector regulations.
Credit and concentration risk
Credit risk is the risk of a loss or an unfavorable change in the financial standing resulting from fluctuations in the trustworthiness and creditworthiness of the issuers of securities, counterparties and all debtors, materializing by the counterparty’s default on a liability or an increase in credit spread. The following risk categories are distinguished in terms of credit risk:
Concentration risk is the possibility of incurring a loss stemming from the failure to diversify an asset portfolio or from large exposure to the risk of default by a single issuer of securities or a group of related issuers.
Credit risk and concentration risk are identified at the stage of making a decision on an investment in a new type of financial instrument or on accepting credit exposure to a new entity. Such identification involves an analysis of whether the contemplated investment entails credit risk or concentration risk, what its level depends on and what its volatility over time is. Both actual and potential sources of credit risk and concentration risk should be identified.
Underwriting consists of estimating the probability of risk materialization and the potential impact exerted by risk materialization on a given entity’s financial standing.
Credit risk is measured using:
Concentration risk for a single entity is calculated using the standard formula.
A measure of total concentration risk is the sum of concentration risks for all entities treated separately. In the case of related parties, concentration risk is calculated for all related parties jointly.
In the case of banking entities suitable measures are employed in accordance with the regulations applicable to this sector and best market practices. In particular, credit risk is measured using a set of loan portfolio quality metrics.
Monitoring and control of credit risk and concentration risk involves an analysis of the current risk level, assessment of creditworthiness and calculation of the degree of utilization of existing limits. Such monitoring is performed, without limitation, on a daily and monthly basis.
The following are subject to monitoring:
Reporting involves communicating the levels of credit risk and concentration risk and the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.
Management actions in respect of credit risk and concentration risk involve in particular:
The structure of credit risk limits and concentration risk limits for various issuers is established by dedicated committees in such a manner that the limits are consistent with the adopted risk tolerance and in such a manner that they make it possible to minimize the risk of ‘infection’ between concentrated exposures.
In banking activity the provision of credit products is accomplished in accordance with loan granting methodologies appropriate for a given client segment and type of product. The assessment of a client’s creditworthiness preceding a credit decision is performed using a system devised to support the credit process, scoring or rating tools, external information (for instance, CBD DZ, CBD BR, BIK and BIG databases) and the internal databases of both of the PZU Group’s banks. Credit products are granted in accordance with the binding operational procedures stating the relevant actions performed in the lending process, the units responsible for that and the tools used.
To minimize credit risk, security interests are established in line with the level of exposure to credit risk and in accordance with the client’s ability to provide the required collateral. The establishment of a security interest does not waive the requirement to examine the client’s creditworthiness.
In turn, credit scoring is used as a tool supporting the decision making process regarding loans for retail clients and micro-enterprises, while credit rating has the same role in the segment of small, medium-sized and large enterprises.
Financial liquidity risk means the possibility of losing the capacity to settle, on an ongoing basis, the Company’s liabilities to its clients or counterparties. The aim of the liquidity risk management system is to maintain the capacity of fulfilling the Company’s liabilities on an ongoing basis. The Company maintains the required level of investment portfolio liquidity.
The risk identification involves analysis of the possibility of occurrence of unfavorable events, in particular:
Risk assessment and measurement are carried out by estimating the shortage of cash to pay for liabilities. The risk estimate and measurement is carried out from the following perspectives:
The banks in the PZU Group employ the liquidity risk management metrics stemming from sector regulations, including Recommendation P issued by the Polish Financial Supervision Authority.
To manage the liquidity of the banks in the PZU Group, liquidity ratios are used for different periods ranging from 7 days, to a month, to 12 months and above.
Within management of liquidity risk, banks in the PZU Group also perform analyses of the maturity profile over a longer term, depending to a large extent on the adopted assumptions about development of future cash flows connected with items of assets and equity and liabilities. The assumptions take into consideration:
Monitoring and controlling financial liquidity risk involves analyzing the utilization of the defined limits.
Reporting involves communicating the level of financial liquidity to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.
The following measures aim to reduce financial liquidity risk:
Operational risk is the risk of suffering a loss resulting from improper or erroneous internal processes, human activities, system failures or external events.
Operational risk is identified in particular by:
Operational risk is assessed and measured by:
Both banks in the PZU Group, upon KNF’s consent, apply individual advanced approaches to measure operational risk and to estimate capital requirements on account of that risk.
Monitoring and control of operational risk is performed mainly through an established system of operational risk indicators enabling assessment of changes in the level of operational risk over time and assessment of factors that affect the level of this risk in the business.
Reporting involves communicating the level of operational risk and the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.
Management actions involving reactions to any identified and assessed operational risks involve, in particular:
The business continuity plans in PZU Group entities are kept up to date and tested regularly.
Considering the growing importance of the scope in which models are used and the classification of the risk of models as material for the PZU Group, the formal process of identifying and assessing this risk was launched in 2018. The process aims to ensure high quality of risk management practices applied to this risk. It is currently being implemented in PZU and PZU Życie.
Model risk is defined as the risk of incurring financial losses, incorrectly estimating data reported to the regulatory authority, taking incorrect decision or losing reputation as a result of errors in the development, implementation or application of models.
Model risk is very important for banking sector entities and therefore management of this risk has already been implemented in the course of adaptation to the requirements of Recommendation W issued by the KNF. Both banks have defined standards for the model risk management process, including the rules for developing models and evaluating the quality of their operation and have ensured appropriate corporate governance solutions.
Compliance risk is the risk that PZU Group entities or persons related to PZU Group entities may fail to adhere to or violate the applicable provisions of law, internal regulations or standards of conduct, including ethical standards, adopted by PZU Group entities, which will or may result in the PZU Group or persons acting on its behalf suffering legal sanctions, financial losses or a loss of reputation or trustworthiness.
The compliance risk management process at the PZU and PZU Życie level covers both systemic activities carried out by the Compliance Department and ongoing compliance risk management activities which are the responsibility of the heads of organizational units or cells in the Companies. Compliance risk is identified and assessed for each internal process at PZU and PZU Życie, in line with the demarcation of reporting responsibilities. Moreover, the Compliance Department identifies compliance risk on the basis of information obtained from the legislative process, from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries received by the Department.
The systemic activities include, in particular:
In turn, activities of the heads of organizational units related to ongoing management of compliance risk include, among others:
Moreover, the Compliance Department at PZU level makes efforts aimed at ensuring consistent and uniform standards of compliance solutions in all PZU Group entities and monitors compliance risk throughout the PZU Group.
In 2018 the PZU Group entities had compliance systems adapted to the standards designated by PZU.
The provision of full information on compliance risk in each member of the Group is the responsibility of compliance units. These units are required to assess and measure compliance risk and take appropriate remedial actions aimed at mitigating the likelihood of realization of this risk.
On an ongoing basis, PZU Group entities provide information on compliance risk to the Compliance Department at PZU and PZU Życie. In turn, the tasks of the Compliance Department include the following:
Compliance risk includes, in particular, the risk that the operations performed by PZU Group entities will be out of line with the changing legal environment. This risk may materialize as a result of the absence of clear and unambiguous laws or their non-existence manifesting itself in the form of ‘legal loopholes’. This may cause irregularities in the PZU Group’s business, which may then lead to an increase in costs (for instance, due to the imposition of financial penalties) and an increase in the level of reputation risk, thus in a drop of the Group’s trustworthiness on the market (resulting in a possible financial loss).
Due to the broad spectrum of the PZU Group’s business, reputation risk is also affected by the risk of litigation whose value varies, which is predominantly inherent in the Group’s insurance companies.
The identification and assessment of compliance risk in the Group’s entities is performed for each internal process of these companies by the heads of organizational units, in accordance with the allocation of responsibility for reporting. Moreover, compliance units in PZU Group entities identify compliance risk on the basis of information obtained from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries sent to them.
Compliance risk is assessed and measured by calculating the effects of risk materialization of the following types:
Compliance risk is monitored, in particular, through:
Management actions in the area of response to compliance risk include in particular:
As part of efforts aimed at reducing compliance risk at system level and day-to-day level, the following risk mitigation actions are undertaken:
In 2018, because of the effective dates of critical legal changes, the compliance area was involved in the work on adapting the Company to the new regulations. These included mainly the requirements arising out of the following legal regulations:
As part of its risk management operations, the PZU Group has been identifying, measuring and monitoring risk concentration; in the banking sector, these processes have been carried out at the level of the individual entities, in line with the requirements for the sector. In order to comply with the regulatory requirements imposed on groups identified as financial conglomerates, intensive adaptation work is under way to implement the model for managing significant risk concentrations in a financial conglomerate.
The PZU Group currently identifies the following types of risk concentration:
Risk concentration in the identified areas is subject to regular measurement and monitoring.