PZU Group’s risk profile

This is the likelihood of a loss or an adverse change in the value of liabilities under the existing insurance contracts and insurance guarantee agreements, due to inadequate assumptions regarding premium pricing and creating technical provisions.

This is the likelihood of a loss or an adverse change in the value of liabilities under the existing insurance contracts and insurance guarantee agreements, due to inadequate assumptions regarding premium pricing and creating technical provisions:

• this is the likelihood of a loss or an adverse change in the value of liabilities under the existing insurance contracts and insurance guarantee agreements, due to inadequate assumptions regarding premium pricing and creating technical provisions;
• an analysis of the general terms and conditions of insurance with respect to the accepted risk and compliance with the existing laws;
• an analysis of the general/specific terms and conditions of insurance or other model agreements with respect to the relevant actuarial risk being undertaken;
• identification of potential risks related to a given product, for the purposes of subsequent measurement and monitoring;
• analyzing the impact exerted by the introduction of new insurance products on capital requirements and risk margin computed using the standard formula;
• verifying and validating modifications to insurance products;
• an assessment of actuarial risk with reference to similar existing insurance products;
• monitoring of existing product;
• analyzing the policy of underwriting, tariffs, technical provisions and reinsurance and the claims and benefits handling process.

The assessment of actuarial risk consists in the identification of the degree of the risk or a group of risks that may lead to a loss, and in an analysis of risk elements in order to make an underwriting decision.

The measurement of actuarial risk is performed in particular using:

• an analysis of selected ratios;
• the scenario method - an analysis of impairment arising from an assumed change in risk factors;
• the factor method - a simplified version of the scenario method, reduced to one scenario per risk factor;
• statistical data;
• exposure and sensitivity measures;
• application of the expertise of the Company’s employees.

The monitoring and control of actuarial risk includes a risk level analysis by means of a set of reports on selected ratios.

Reporting aims to engage in effective communication regarding actuarial risk and supports management of actuarial risk at various decision-making levels from an employee to the supervisory board. The frequency of each report and the scope of information provided are tailored to the information needs of each decision-making level.

The management actions contemplated in the actuarial risk management process are performed in particular by doing the following:

• defining the level of tolerance for actuarial risk and monitoring it;
• business decisions and sales plans;
• calculation and monitoring of the adequacy of technical provisions;
• tariff strategy, monitoring of current estimates and assessment of the premium adequacy;
• the process of assessment, valuation and acceptance of actuarial risk;
• application of tools designed to mitigate actuarial risk, including in particular reinsurance and prevention.

Moreover, to mitigate the actuarial risk inherent in current operations the following actions in particular are undertaken:

• defining the scopes of liability in the general / specific terms and conditions of insurance or other model agreements;
• co-insurance and reinsurance;
• application of an adequate tariff policy;
• application of the appropriate methodology for calculating technical provisions;
• application of an appropriate procedure to assess underwriting risk;
• application of a correct claims or benefits handling procedure;
• sales decisions and plans;
• prevention.

Credit risk is grasped as the risk of loss or adverse change in the financial situation, resulting from fluctuations in the credit standing of issuers of securities, counterparties and any debtors, which materializes in the form of a counterparty’s default on a liability or an increase in credit spread. The following risk categories are distinguished in terms of credit risk:

• spread;
• counterparty default risk;
• credit risk in financial insurance.

Concentration risk is grasped as the possibility of incurring loss stemming either from lack of diversification in the asset portfolio or from large exposure to default risk by a single issuer of securities or a group of related issuers.

Credit risk and concentration risk are identified at the stage of making a decision on an investment in a new type of financial instrument or on accepting credit exposure. Identification involves an analysis of whether the contemplated investment entails credit risk or concentration risk, what its level depends on and what its volatility over time is. Actual and potential sources of credit risk and concentration risk are identified.

Risk assessment consists of estimating the probability of risk materialization and the potential impact exerted by risk materialization on a given entity’s financial standing.

Credit risk is measured using:

• measures of exposure (gross and net credit exposure and maturity-weighted net credit exposure);
• capital requirement calculated using the standard formula.

Concentration risk for a single entity is calculated using the standard formula.

A measure of total concentration risk is the sum of concentration risks for all entities treated separately. In the case of related parties, concentration risk is calculated for all related parties jointly.

In the case of banking entities suitable measures are employed in accordance with the regulations applicable to this sector and best market practices. In particular, credit risk is measured using a set of loan portfolio quality metrics.

Monitoring and control of credit risk and concentration risk involves an analysis of the current risk level, assessment of creditworthiness and calculation of the degree of utilization of existing limits. Such monitoring is performed, without limitation, on a daily and monthly basis.

The following are subject to monitoring:

• exposures to financial insurance;
• exposures to reinsurance;
• exposure limits and VaR limits;
• loan exposures (this pertains to banking entities).

Reporting involves communicating the levels of credit risk and concentration risk and the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.

Management actions in respect of credit risk and concentration risk involve in particular:

• setting limits to curtail exposure to a single entity, group of entities, sectors or countries;
• diversification of the portfolio of assets and financial insurance, especially with regard to country and sector;
• acceptance of collateral;
• execution of transactions to mitigate credit risk, i.e. selling a financial instrument, closing a derivative, purchasing a hedging derivative, restructuring a debt;
• reinsurance of the financial insurance portfolio.

The structure of credit risk limits and concentration risk limits for various issuers is established by dedicated committees in such a manner that the limits are consistent with the adopted risk tolerance determined by the management boards of the individual subsidiaries and in such a manner that they make it possible to minimize the risk of ‘infection’ between concentrated exposures.

In banking activity the provision of credit products is accomplished in accordance with loan granting methodologies appropriate for a given client segment and type of product. The assessment of a client’s creditworthiness preceding a credit decision is performed using tools devised to support the credit process, including a scoring or rating system, external information and the internal databases of a given PZU Group bank. Credit products are granted in accordance with the binding operational procedures stating the relevant actions performed in the lending process, the units responsible for that and the tools used.

To minimize credit risk, adequate collaterals are established in line with the credit risk incurred. The establishment of a collateral does not waive the requirement to examine the client’s creditworthiness.

Operational risk is the risk of suffering a loss resulting from improper or erroneous internal processes, human activities, system failures or external events.

Operational risk is identified in particular by:

• accumulation and analysis of information on operational risk incidents and the reasons for their occurrence;
• self-assessment of operational risk;
• scenario analyses.

Operational risk is assessed and measured by:

• calculating the effects of the occurrence of operational risk incidents;
• estimating the effects of potential operational risk incidents that may occur in the business.

Both banks in the PZU Group, upon KNF’s consent, apply advanced individual models to measure operational risk and to estimate capital requirements on account of this risk.

Monitoring and control of operational risk is performed mainly through an established system of operational risk indicators and limits enabling assessment of changes in the level of operational risk over time and assessment of factors that affect the level of this risk in the business.

Reporting involves communicating the level of operational risk and the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.

Management actions involving reactions to any identified and assessed operational risks involve, in particular:

• risk mitigation by taking actions aimed at minimizing risks, for instance by strengthening the internal control system;
• risk transfer – in particular, by entering into insurance agreements;
• risk avoidance by refraining from undertaking or withdrawing from a particular type of business in cases where too high a level of operational risk is ascertained and where the costs involved in risk mitigation are unreasonable;
• risk acceptance – approval of consequences of a possible realization of operational risk unless they threaten to exceed the operational risk tolerance level.

The business continuity plans in PZU Group entities are kept up to date and tested regularly.

Compliance risk is the risk that PZU Group entities or persons related to PZU Group entities may fail to adhere to or violate the applicable provisions of law, internal regulations or standards of conduct, including ethical standards, adopted by PZU Group entities, which will or may result in the PZU Group or persons acting on its behalf suffering legal sanctions, financial losses or a loss of reputation or trustworthiness.

The compliance risk management process at the PZU and PZU Życie level covers both systemic activities carried out by the Compliance Department and ongoing compliance risk management activities which are the responsibility of the heads of organizational units or cells in the Companies. Compliance risk is identified and assessed for each internal process at PZU and PZU Życie, in line with the demarcation of reporting responsibilities. Moreover, the Compliance Department identifies compliance risk on the basis of information obtained from the legislative process, from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries received by the Department.

The systemic activities include, in particular:

• development and implementation of systemic assumptions and internal regulations consistent with those assumptions;
• recommending to other PZU Group entities solutions for the application of a consistent compliance function and a systemic approach to compliance risk management;
• monitoring of the compliance risk management process, including in particular: performing compliance risk analyses, reviewing the degree of implementation of guidelines provided by external entities in respect of compliance risk management;
• consulting on and issuing interpretations and guidelines for the application of the adopted standards of conduct and compliance risk management;
• planning and delivery of training and internal communication in the field of compliance;
• preparation of compliance risk reports and information.

In turn, activities of the heads of organizational cells and units related to ongoing management of compliance risk, include in particular:

• identification and evaluation of compliance risk in the supervised area;
• measurement of compliance risk in the supervised area;
• determining the instruments to provide protection and limit the number and scale of irregularities;
• reporting any threats and events in the compliance risk area to the Compliance Department;
• taking actions to mitigate compliance risk;
• ongoing monitoring of compliance risk in the supervised area.

Moreover, the Compliance Department at PZU level makes efforts aimed at ensuring adequate and uniform standards of compliance solutions in all PZU Group entities and monitors compliance risk throughout the PZU Group.

In 2019 the PZU Group entities had compliance systems adapted to the standards designated by PZU.

The provision of full information on compliance risk in each member of the Group is the responsibility of compliance units of these entities. These units are required to assess and measure compliance risk and take appropriate remedial actions aimed at mitigating the likelihood of realization of this risk.

PZU Group entities are obligated to report compliance risk to the Compliance Department at PZU and PZU Życie on an on-going basis. In turn, the tasks of the Compliance Department include the following:

• analysis of monthly and quarterly reports received from compliance units of each member of the Group;
• assessment of the impact of compliance risk on the PZU Group as a whole;
• analysis of the performance of compliance-related instructions given to entities;
• support of the PZU Group’s entities’ compliance business units when assessing compliance risk;
• reporting to the PZU Management Board and Supervisory Board.

Compliance risk includes, in particular, the risk that the operations performed by PZU Group entities will be out of line with the changing legal environment. This risk may materialize as a result of delayed implementation or absence of clear and unambiguous laws, or what is known as a legal gap. This may cause irregularities in the PZU Group’s business, which may then lead to higher costs (for instance, administrative penalties, other financial penalties) and a heightened level of loss of reputation risk.

Due to the broad spectrum of the PZU Group’s business, reputation risk is also affected by the risk of litigation whose value varies, which is predominantly inherent in the Group’s insurance companies and banks.

The identification and assessment of compliance risk in the Group’s entities is performed for each internal process of these entities by the heads of organizational units, in accordance with the allocation of responsibility for reporting. Moreover, compliance units in PZU Group entities identify compliance risk on the basis of information obtained from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries sent to them.

Compliance risk is assessed and measured by calculating the consequences of the following types of risk materializing:

• financial risks, resulting among others from administrative penalties, court judgments, decisions issued by UOKiK, contractual penalties and damages;
• intangible risks pertaining to a loss of reputation, including damage to the PZU Group’s image and brand.

Compliance risk is monitored, in particular, through:

• systemic analysis of the regular reports received from the heads of organizational units and cells;
• monitoring of regulatory requirements and adaptation of the business to the changing legal environment of PZU Group entities;
• participation in legislative work aimed at amending the existing laws of general application;
• performing diverse activities in industry organizations;
• coordination of external control processes;
• coordination of the fulfillment of reporting duties imposed by the stock exchange (in respect of PZU) and by statute;
• increasing the level of knowledge among PZU Group staff in the field of competition law and consumer protection, tailored to the specific business areas;
• monitoring of anti-monopoly jurisprudence and proceedings conducted by the President of UOKiK;
• reviews of the implementation of recommendations issued by the PZU Group’s compliance unit;
• ensuring uniform standards and consistent implementation of the compliance function within the PZU Group.

Management actions in the area of response to compliance risk include in particular:

• acceptance of the risk arising, without limitation, from legal and regulatory changes;
• mitigation of risk, also through aligning procedures and processes to regulatory requirements, evaluation and design of internal regulations to suit compliance needs, participation in the process of agreeing on marketing activities;
• avoidance of risk by preventing any involvement of PZU Group entities in activities that are out of compliance with the applicable regulatory requirements, best market practices or activities that may have an unfavorable impact on the PZU Group’s image.

As part of efforts aimed at reducing compliance risk in the PZU Group at system level and day-to-day level, the following risk mitigation actions are undertaken:

• continuous implementation of an effective compliance function as a key management function;
• participation in consultations with legislative and regulatory authorities (supervised entities within the PZU Group) at the stage of development of the regulations (social consultations);
• delegating representatives of the PZU Group’s supervised entities to participate in the work of various commissions of regulatory authorities;
• participation in implementation projects for new regulations;
• training of staff on new regulations, standards of conduct and recommended management actions;
• issuing opinions on internal regulations and recommending possible amendments to ensure compliance with the applicable laws and accepted standards of conduct;
• verifying procedures and processes in the context of their compliance with the applicable laws and accepted standards of conduct;
• aligning documentation to upcoming changes in legal requirements before they are enacted;
•  systemic supervision exercised by PZU over the execution of the compliance function in PZU Group entities;
• running analyses and conducting ongoing monitoring of the application of the rules for the functioning of the Chinese walls – in connection with the additional investor commitments made by PZU in connection with the proceedings under the notification on the intent to purchase Bank Pekao’s shares;
• ongoing monitoring of changes in the legal and regulatory environment in order to identify gaps or areas requiring action to ensure compliance.

In 2019 - in connection with the PZU Group continuing to meet the criteria for treating it as a financial conglomerate, and hence the necessity for KNF to continue applying supplementary oversight to it under the Act of 15 April 2005 on supplementary oversight over credit institutions and insurance undertakings, reinsurance undertakings and investment firms comprising a financial conglomerate – compliance was involved in the work to align the Company to the requirements ensuing from this act, as well as to the requirements stemming chiefly from the following legal acts:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
• Directive of 15 May 2014 on Markets in Financial Instruments (MIFID II) (this regulation is material for some PZU Group entities, in particular for TFI);
• Act of 15 December 2017 on Distribution of Insurance;
• Act of 1 March 2018 on Combating Money Laundering and Financing of Terrorism;
• Act of 16 October 2019 on amending the Act on Public Offerings and the Conditions for Offering Financial Instruments in an Organized Trading System and on Public Companies and some other acts.