The main types of risks incurred by PZU Group include underwriting risk, market risk, credit risk, concentration risk, operational risk, and compliance risk. The main risks associated with the activity of Alior Bank are credit risk, operational risk, and market risk (covering interest rate, liquidity, foreign currency, and commodity price risk). The overall risk of Alior Bank constitutes approximately 9% of the total risk of PZU Group, with credit risk making the largest contribution.
Underwriting risk is the risk of loss or of an adverse change in the value of liabilities which may arise from insurance contracts and insurance guarantee agreements in relation to improper assumptions regarding premium valuation and the establishment of technical and insurance provisions.
The process of risk identification starts with the idea of creating an insurance product and it lasts until the liabilities relating to it expire. Underwriting risk identification is carried out, inter alia by means of:
- analysis of general insurance terms in respect of the accepted risk and compliance with generally applicable provisions of law;
- analysis of general/specific insurance terms or other agreement templates in respect of the underwriting risk accepted under such agreements;
- recognition of potential risks related to a given product, performed in order to measure and monitor them in the future;
- analysis of the influence of introducing new insurance products on capital requirements and the Company’s risk margin calculated according to the standard formula;
- verification and validation of changes to products;
- assessment of underwriting risk viewed in the framework of similar existing products;
- monitoring of existing products;
- analysis of the policy relating to underwriting, tariffs, provisions, and reinsurance, as well as the claims and benefits handling process.
Underwriting risk assessment involves recognizing the degree of exposure or a group of exposures related to the possibility of incurring a loss and analyzing the risk elements in order to decide whether PZU should accept a risk for insurance and assume liability. The aim of the risk assessment (underwriting) is the assessment of future claims and the reduction of anti-selection. Underwriting risk assessment also covers actions related to reinsurance of the largest and the highest risks.
Underwriting risk measurement is based in particular on:
- analysis of selected ratios;
- scenario method – analysis of impairment arising from an assumed change in risk factors;
- factor method – a simplified version of the scenario method, reduced to one scenario per risk factor;
- statistical data;
- exposure and sensitivity measures;
- expertise of the company’s staff.
Monitoring and controlling the underwriting risk involve regular analyses of the risk level and determination of the utilization level of the agreed risk tolerance thresholds and limits specified in the Risk management strategy in PZU Group.
Reporting aims to ensure efficient underwriting risk communication and supports actuarial risk management at various levels, from the employee level to the Supervisory Board. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Administration activities in the underwriting risk management process are carried out, in particular by:
- specifying the level of tolerance to underwriting risk and monitoring thereof;
- business decisions and sales plans;
- calculating and monitoring the adequacy of technical provisions;
- tariff strategy, as well as monitoring existing estimates and assessing the adequacy of the premium;
- process of assessment, measurement and acceptance of underwriting risk;
- use of underwriting risk mitigation tools, including, in particular, reinsurance and prevention.
Furthermore, in order to reduce the underwriting risk associated with the ongoing activities the following actions, in particular, are undertaken:
- definition of the scopes of liability in the general/specific terms of insurance or other agreement templates in the financial insurance sector;
- definition of the exclusions of liability in the general/specific terms of insurance or other agreement templates in the financial insurance sector;
- definition of the scopes of liability and exclusions in the general terms of insurance;
- reinsurance activities;
- adequate tariff policy;
- application of appropriate methodology of provisions calculation;
- appropriate underwriting procedure;
- appropriate claims handling procedure;
- sales decisions and plans;
- prevention.
Market risk is the risk of a loss or an adverse change in the financial standing which directly or indirectly arises from fluctuations and changes in market prices of assets, credit spread, value of liabilities, and financial instruments.
The process of managing credit spread risk and concentration risk differs from the management process for the other subcategories of market risk and is described in the next section (Credit and concentration risk), along with the process of managing counterparty insolvency risk.
Market risk in PZU Group originates from three key sources:
- matching of assets and liabilities (ALM portfolio);
- strategic allocation of assets, i.e. determining an optimum medium-term structure of assets (AA portfolios);
- banking activity at Alior Bank – as a result of which PZU Group significantly increased exposure to interest rate risk and credit risk.
The investment activity in PZU Group entities is regulated in a number of documents approved by the Supervisory Boards, the Management Boards and dedicated Committees.
The identification of market risk involves recognizing the actual and potential sources of such a risk. In the case of assets, the market risk identification process begins when a decision is made to commence transactions on a given type of financial instrument. The units which decide to start transactions on a given type of a financial instrument prepare the description of the instrument, including, in particular, the description of the risk factors. The description is then submitted to the risk management unit which uses it to identify and assess the market risk.
The process of identifying market risk related to insurance liabilities starts simultaneously with the process of creating an insurance product and involves identifying the relationship between the amount of cash flows associated with this product and the market risk factors. Identified market risks are assessed in terms of materiality, i.e. based on whether the materialization of a risk would be related to a loss that could affect the financial standing.
The market risk is measured using the following measures of risk:
- VaR, i.e. Value at Risk – a risk measure quantifying the potential economic loss which will not be exceeded over a period of one year with a 99.5% probability under normal market circumstances;
- standard formula;
- exposure and sensitivity measures;
- accumulated monthly loss.
The following stages of the market risk measurement process can be distinguished:
- collection of information on assets and liabilities that generate market risk;
- calculation of the value of the risk.
The risk measurement is performed:
- for the measures of exposure and sensitivity of instruments;
- when using a partial internal model.
Monitoring and control of the market risk involves analyzing the risk levels and the utilization of limits.
Reporting consists of communicating the level of market risk and the effects of monitoring and control to the different decision-making levels. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management actions regarding market risk include, in particular:
- concluding transactions to mitigate market risk, such as selling a financial instrument, closing out a transaction on a derivative, and purchasing a hedging derivative;
- diversifying the portfolio of assets, in particular with respect to market risk categories, maturities of instruments, concentration of exposure in one entity, geographical concentration;
- setting market risk restrictions and limits.
The setting of limits is the main management tool for maintaining risk positions within acceptable risk levels. The structure of limits for the individual market risk categories and the organizational units is defined by dedicated Committees in line with the risk tolerance determined by the Management Board.
Credit risk is the risk of loss or adverse change of the financial standing resulting from fluctuations of reliability and creditworthiness of issuers of instruments, counterparties and debtors, which materializes in the default of counterparty or an increase in credit spread.
Concentration risk is a risk arising from a lack of diversification in the portfolio of assets or from high exposure to the risk of default by a single issuer of instruments or a group of related issuers.
Identification of the credit and concentration risk takes place at the stage of making a decision to invest in a new type of financial instrument or the credit exposure to a new entity.
Identification is based on an analysis of whether a given investment is related to credit or concentration risk, on which its level and volatility depends. The actual and potential sources of credit and concentration risk are identified.
Risk assessment is based on estimating how probable it is that the risk occurs and a potential impact of such an occurrence on the financial standing.
Credit risk is measured with the use of the following tools:
- exposure measures (the amount of the gross and net credit exposure and maturity-weighted net credit exposure);
- standard formula.
Concentration risk for a single entity is calculated in accordance with the standard formula.
The total concentration risk is measured as the sum of concentration risks of individual entities. In the case of related entities, concentration risk is specified for all related entities cumulatively.
Monitoring and controlling of the credit and concentration risk involve analyzing the current risk level, assessing creditworthiness, and determining the level of utilization of the limits set.
Monitoring is conducted for:
- financial insurance exposures;
- reinsurance exposures;
- exposure limits and VaR limits.
Reporting consists of communicating the level of credit and concentration risk and the effects of monitoring and control to different decision-making levels. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management actions with respect to credit risk and concentration risk include, in particular:
- setting limits of exposure to a single entity, group of entities, sectors or states;
- diversifying a portfolio of financial assets and insurance, mainly with respect to the state, sector;
- accepting collateral;
- concluding transactions aimed at mitigating credit risk, such as selling a financial instrument, closing out a derivative transaction or purchasing a hedging derivative, restructuring of the granted debt;
- reinsuring a financial insurance portfolio.
The structure of credit and concentration risk limits for the individual issuers is determined by a dedicated committee in line with the risk tolerance.
In the banking activity, credit products are granted in accordance with appropriate crediting methodologies depending on the client segment and product type. A client’s creditworthiness is assessed prior to issuing a decision on granting a credit product, using a credit process support system and the following tools: scoring or rating; external information (databases such as CBD DZ, CBD BR, BIK, BIG); and Alior Bank’s internal databases. Credit products are issued pursuant to applicable operating procedures that indicate the activities to be performed as part of the credit process, as well as the entities in charge and the tools to be used.
To minimize credit risk, collateral is established; the collateral is adjusted to the credit risk incurred and flexible with respect to the situation of the client. The establishment of collateral does not exempt from the duty to examine the client’s creditworthiness.
The value of collateral considered when determining impairment losses with respect to retail and business credits in 2016 amounted to PLN 1,277 million (in 2015: PLN 994 million). In the case of credits for which no impairment was reported in 2016, it amounted to PLN 15,456 million (in 2015: PLN 13,600 million). The impact of non-recognition of collateral value on the level of impairment losses as at 31 December 2016 would amount to PLN 183 million (PLN 124 million as at 31 December 2015) for impairment losses and PLN 78 million (PLN 97 million as at 31 December 2015) for IBNR respectively.
Credit scoring is a tool supporting credit decisions for individual clients and microenterprises, whereas credit rating is applied to the segment of small, medium-sized and large enterprises.
Operational risk is the risk of loss resulting from incorrect or erroneous internal processes, human actions, operation of systems or external factors.
Identification of operational risk is carried out, in particular, by means of:
- collecting and analyzing information on operational risk incidents;
- operational risk self-assessment;
- scenario analyses.
Assessment and measurement of operational risk is carried out by means of:
- identifying the results of operational risk incidents;
- estimating the results of potential operational risk incidents which may occur in the course of business activity.
Monitoring and controlling operational risk is carried out mainly by established operational risk indicators which make it possible to assess the change of operational risk level and the factors that influence the risk level in business activities.
Reporting consists of communicating the level of operational risk and the effects of monitoring and control to the different decision-making levels. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management actions in response to identified and assessed operational risk involve in particular:
- reducing risk by taking actions aimed at minimizing the risk, i.a. by strengthening the internal control system;
- risk transfer – in particular by means of concluding an insurance agreement;
- avoiding risk by not engaging in or withdrawing from particular business activity when excessive operational risk is detected and its restriction would be too costly to make the venture profitable;
- risk acceptance – approval of consequences of a possible materialization of operational risk if its level does not exceed the tolerance level for operational risk.
The business continuity plans in the PZU Group companies are kept up to date and regularly tested.
Compliance risk is the risk that the PZU Group entities or persons related to the PZU Group entities violate or fail to comply with the provisions of law, internal regulations, or standards of conduct adopted by the PZU Group entities, including ethical norms, which results or may result in PZU Group or persons acting on its behalf suffering legal sanctions, financial losses, or loss of reputation or credibility.
The compliance risk management process at the PZU and PZU Życie level concerns both the systemic operations carried out by the Compliance Bureau and ongoing compliance risk management, for which the managers of the entities and organizational units of the Companies are responsible. Compliance risk is identified and assessed for individual internal processes of PZU and PZU Życie in line with the division of reporting responsibilities. Additionally, the Compliance Bureau identifies risks on the basis of the legislative process, entries in the register of conflicts of interest, gifts, benefits and irregularities, as well as the enquiries it receives.
Among systemic operations, the following should be noted:
- development and implementation of systemic assumptions and internal regulations coherent with them;
- recommendation of solutions concerning the method for coherent compliance function realization and systemic compliance risk management to other entities of PZU Group;
- monitoring of the compliance risk management process comprising in particular: performance of compliance risk analyses, review of the implementation of guidelines concerning compliance risk management provided by external entities;
- providing consultation, interpretation, and guidelines in the scope of application of adopted standards of conduct and compliance risk management;
- planning and realization of training, as well as conducting internal communication in the scope of compliance assurance;
- preparing reports and information in the scope of compliance risk.
The operations related to ongoing management, in turn, include, among others:
- compliance risk identification and assessment within the supervised area;
- compliance risk measurement;
- defining hedging instruments and instruments limiting the number and scale of occurring irregularities;
- reporting threats and compliance risk events to the Compliance Bureau;
- performing mitigating activities;
- constant compliance risk monitoring.
In addition, at the PZU level, the Compliance Bureau ensures coherent and uniform standards of compliance solutions in all PZU Group entities and monitors compliance risk at the PZU Group level.
In 2016, the PZU Group companies continued to adapt their compliance systems to standards set by PZU; the insurance companies subject to the Solvency 2 regime additionally concentrated on adapting their business operations to the requirements of the directive.
The compliance units are responsible for delivering complete information on compliance risk at the Group’s companies. Such units assess and measure compliance risk and take appropriate remedial actions which will mitigate the materialization of such a risk.
PZU Group companies deliver up-to-date information on compliance risk to the PZU and PZU Życie Compliance Bureau. The Compliance Bureau conducts i.a. the following actions:
- analysis of monthly and quarterly reports received from compliance units from the Group companies;
- assessment of impact of the companies’ compliance risk on PZU Group;
- analysis of implementation of recommendations given to the companies with regards to realizing the compliance function;
- supporting compliance units at PZU Group companies in the compliance risk assessment process;
- reporting to the Management Board and Supervisory Board of PZU.
Compliance risk covers especially the risk of non-compliance of PZU Group companies’ operations with a changing legal environment. The risk may materialize as a result of an absence of clear and unambiguous provisions, or of any provisions at all, i.e. the so-called legal loophole. This may cause irregularities in PZU Group operations, which may in turn contribute to a cost increase (e.g. due to financial penalties), as well as a higher risk of reputation loss and, consequently, deteriorated credibility of the Group on the market (and a potential possibility to suffer financial loss).
Due to a wide scope of PZU Group’s operations, reputation loss risk is also influenced by the risk of court proceedings of variable value which pertain mostly to insurance companies within the Group.
Compliance risk in the Group’s companies is identified and assessed for the individual internal processes by the managers of organizational units of such companies, in line with the division of reporting responsibilities. Additionally, the compliance units in PZU Group companies identify risks on the basis of entries in the register of conflicts of interest, gifts, benefits and irregularities, as well as the enquiries received.
Compliance risk is assessed and measured by determining the effects of materialization of the following risks:
- financial, resulting i.a. from administrative penalties, court verdicts, Office of Competition and Consumer Protection (UOKiK) decisions, contractual penalties, and damages;
- intangible, such as loss of reputation, including damage to PZU Group’s image and brand.
Compliance risk is monitored mainly through:
- analysis of reports received from the managers of the entities and organizational units;
- monitoring of regulatory requirements and compliance of PZU Group companies’ operations with a changing legal environment;
- participation in legislative work on amending the generally applicable regulations;
- participation in the activities of professional organizations;
- coordination of external control processes;
- coordination of fulfilling the reporting requirements arising from the stock exchange regulations (PZU) and the statutory law;
- popularizing knowledge on competition and consumer protection law in PZU Group among the employees and adapting it to the fields they operate in;
- monitoring of anti-trust rulings and proceedings conducted by the President of the Office of Competition and Consumer Protection;
- review of the recommendations of PZU Group’s compliance unit;
- ensuring coherent realization of compliance function in PZU Group.
Management actions taken in response to the compliance risk comprise in particular:
- acceptance of risk, e.g. in connection with legal or of compliance, participating in the process of agreeing marketing activities;
- avoiding risk through the prevention of involvement in activities which do not comply with regulatory requirements or good market practices or which could have an adverse effect on the image.
As part of compliance risk mitigation at the systemic and ongoing levels, the following mitigating activities, among others, have been implemented:
- current realization of effective compliance function as one of the key functions in the management system at the PZU Group companies;
- participating in consultations with legislative and supervision bodies (PZU Group’s supervised companies) upon drafting regulations (public consultation);
- delegating representatives of PZU Group’s supervised companies to participate in committee works at supervision bodies;
- conducting implementation projects for new regulations;
- training employees of the Group’s companies in the field of new regulations, standards of conduct, and recommended remedial actions;
- issuing opinions on internal regulations of PZU Group companies and recommending potential changes with regards to compliance with legal provisions and accepted standards of conduct;
- verification of procedures and processes with regards to compliance with legal provisions and accepted standards of conduct;
- advance adjustment of documentation to upcoming changes of legal requirements;
- systemic supervision of PZU over realization of compliance function in PZU Group companies.