Compliance risk is the risk that PZU Group entities or persons related to PZU Group entities may fail to adhere to or violate the applicable provisions of law, internal regulations or standards of conduct, including ethical standards, adopted by PZU Group entities, which will or may result in the PZU Group or persons acting on its behalf suffering legal sanctions, financial losses or a loss of reputation or trustworthiness.
The compliance risk management process at the PZU and PZU Życie level covers both systemic activities carried out by the Compliance Department and ongoing compliance risk management activities which are the responsibility of the heads of organizational units or cells in the Companies. Compliance risk is identified and assessed for each internal process at PZU and PZU Życie, in line with the demarcation of reporting responsibilities. Moreover, the Compliance Department identifies compliance risk on the basis of information obtained from the legislative process, from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries received by the Department.
The systemic activities include, in particular:
- development and implementation of systemic assumptions and internal regulations consistent with those assumptions;
- recommending to other PZU Group entities solutions for the application of a consistent compliance function and a systemic approach to compliance risk management;
- monitoring of the compliance risk management process, including in particular: performing compliance risk analyses, reviewing the degree of implementation of guidelines provided by external entities in respect of compliance risk management;
- consulting on and issuing interpretations and guidelines for the application of the adopted standards of conduct and compliance risk management;
- planning and delivery of training and internal communication in the field of compliance;
- preparation of compliance risk reports and information.
In turn, activities of the heads of organizational units related to ongoing management of compliance risk include, among others:
- identification and evaluation of risk in the supervised area;
- measurement of risk;
- determining the instruments to provide protection and limit the number and scale of irregularities;
- reporting any threats and events in the compliance risk area to the Compliance Department;
- taking mitigation activities;
- ongoing monitoring of compliance risk.
Moreover, the Compliance Department at PZU level makes efforts aimed at ensuring consistent and uniform standards of compliance solutions in all PZU Group entities and monitors compliance risk throughout the PZU Group.
In 2018 the PZU Group entities had compliance systems adapted to the standards designated by PZU.
The provision of full information on compliance risk in each member of the Group is the responsibility of compliance units. These units are required to assess and measure compliance risk and take appropriate remedial actions aimed at mitigating the likelihood of realization of this risk.
On an ongoing basis, PZU Group entities provide information on compliance risk to the Compliance Department at PZU and PZU Życie. In turn, the tasks of the Compliance Department include the following:
- analysis of monthly and quarterly reports received from compliance units of each member of the Group;
- assessment of the impact of compliance risk on the PZU Group as a whole;
- analysis of the implementation of recommendations issued to companies pertaining to the fulfillment of the compliance function;
- provision of support to compliance units in various PZU Group entities in assessing their own compliance risk;
- preparation of reports for the PZU Management Board and Supervisory Board.
Compliance risk includes, in particular, the risk that the operations performed by PZU Group entities will be out of line with the changing legal environment. This risk may materialize as a result of the absence of clear and unambiguous laws or their non-existence manifesting itself in the form of ‘legal loopholes’. This may cause irregularities in the PZU Group’s business, which may then lead to an increase in costs (for instance, due to the imposition of financial penalties) and an increase in the level of reputation risk, thus in a drop of the Group’s trustworthiness on the market (resulting in a possible financial loss).
Due to the broad spectrum of the PZU Group’s business, reputation risk is also affected by the risk of litigation whose value varies, which is predominantly inherent in the Group’s insurance companies.
The identification and assessment of compliance risk in the Group’s entities is performed for each internal process of these companies by the heads of organizational units, in accordance with the allocation of responsibility for reporting. Moreover, compliance units in PZU Group entities identify compliance risk on the basis of information obtained from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries sent to them.
Compliance risk is assessed and measured by calculating the effects of risk materialization of the following types:
- financial, resulting, without limitation, from administrative penalties, court judgments, decisions issued by UOKiK, contractual penalties and damages;
- intangible, pertaining to a loss of reputation, including damage to the PZU Group’s image and brand.
Compliance risk is monitored, in particular, through:
- analysis of reports obtained from the heads of organizational units and cells;
- monitoring of regulatory requirements and adaptation of the business to the changing legal environment of PZU Group entities;
- participation in legislative work aimed at amending the existing laws of general application;
- performing diverse activities in industry organizations;
- coordination of external control processes;
- coordination of the fulfillment of reporting duties imposed by the stock exchange (in respect of PZU) and by statute;
- increasing the level of knowledge among PZU Group staff in the field of competition law and consumer protection, tailored to the specific business areas;
- monitoring of anti-monopoly jurisprudence and proceedings conducted by the President of UOKiK;
- reviews of the implementation of recommendations issued by the PZU Group’s compliance unit;
- ensuring a consistent implementation of the compliance function within the PZU Group.
Management actions in the area of response to compliance risk include in particular:
- acceptance of the risk arising, without limitation, from legal and regulatory changes;
- mitigation of risk, including adjustment of procedures and processes to regulatory requirements, issuing opinions and drafting internal regulations from the point of view of compliance, participating in the process of agreeing marketing activities;
- avoidance of the risk by preventing any involvement in activities that are out of compliance with the applicable regulatory requirements or best market practices or activities that may have an unfavorable impact on the entity’s image.
As part of efforts aimed at reducing compliance risk at system level and day-to-day level, the following risk mitigation actions are undertaken:
- continuous implementation of an effective compliance function as a key function in the management system of PZU Group entities;
- participation in consultations with legislative and regulatory authorities (supervised entities within the PZU Group) at the stage of development of the regulations (social consultations);
- delegating representatives of the PZU Group’s supervised entities to participate in the work of various commissions of regulatory authorities;
- execution of implementation projects for new regulations;
- training of staff in PZU Group entities in new regulations, standards of conduct and recommended management actions;
- issuing opinions on internal regulations of PZU Group entities and recommending possible amendments to ensure compliance with the applicable laws and accepted standards of conduct;
- verifying procedures and processes in the context of their compliance with the applicable laws and accepted standards of conduct;
- anticipating adjustment of documentation to upcoming changes in legal requirements;
- systemic supervision exercised by PZU over the execution of the compliance function in PZU Group entities.
In 2018, because of the effective dates of critical legal changes, the compliance area was involved in the work on adapting the Company to the new regulations. These included mainly the requirements arising out of the following legal regulations:
- Act of 11 May 2017 on Statutory Auditors, Audit Firms and Public Supervision;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Act of 16 December 2016 on Rules for Managing State Property;
- Markets in Financial Instruments Directive of 15 May 2014 (MIFID 2) (regulation material for some PZU Group entities, in particular TFI);
- Insurance Distribution Act of 15 December 2017;
- Act of 1 March 2018 on Preventing Money Laundering and the Financing of Terrorism.