The risk management system in the PZU Group is based on the following:
- organizational structure – comprising a split of duties and tasks performed by statutory bodies, committees and individual organizational units and cells in the risk management process;
- risk management process, including risk identification, measurement and assessment, monitoring and control methods, risk reporting and undertaking management actions. The framework for this process is universal among financial market entities.
The organizational structure of the risk management system, which is identical across the PZU Group and its various financial sector entities, has four decision-making levels.
The first three entail the following:
- The Supervisory Board, which supervises the risk management process and assesses its adequacy and effectiveness as part of its decision-making powers defined in a given entity’s Articles of Association and the Supervisory Board bylaws, as well as through the Audit Committee;
- The Management Board, which organizes the risk management system and ensures that it is operational, by adopting strategies and policies, setting the level of risk appetite, defining the risk profile as well as tolerance levels for the individual categories of risk;
- Committees, which make decisions to mitigate individual risks to a level determined by the risk appetite. The committees adopt the procedures and methodologies for mitigating various risks and they accept limits to mitigate the various types of risk.
The role of the PZU Group Risk Committee is to provide support to subsidiaries’ supervisory boards and management boards in implementing an effective risk management system that is coherent for the entire PZU Group. The operational objective of the PZU Group Risk Committee is to coordinate and supervise activities related to the PZU Group’s risk management system and processes.
The fourth decision-making level pertains to operational measures and is divided into three lines of defense:
- the first line of defense – ongoing risk management at the entities’ business unit and organizational unit level and decision-making as part of the risk management process;
- the second line of defense – risk management by specialized units responsible for risk identification, monitoring and reporting, as well as for limits control;
- the third line of defense – internal audit which conducts independent audits of the individual elements of the risk management system, as well as of control activities embedded in operations.
Chart of the organizational structure for the risk management system