PZU Group’s risk profile

This is the risk of a loss or unfavorable movement in financial position stemming directly or indirectly from fluctuations in the level and variance of the market prices for assets, credit spread, value of liabilities and financial instruments.

The process of managing the credit spread risk and concentration risk has a different set of traits from the process of managing the other sub-categories of market risk and has been described in a subsequent section (Market and concentration risk) along with the process for managing counterparty insolvency risk.

The market risk in the PZU Group originates from three major sources:

• operations associated with asset and liability matching (ALM portfolio);
• operations associated with active allocation, i.e. designating the optimum medium-term asset structure (AA portfolios);
• banking operations – in conjunction with them the PZU Group has materially increased its exposure to interest rate and credit risk.

A number of documents approved by supervisory boards, management boards and dedicated committees govern investment activity in the PZU Group’s companies.

Market risk identification involves recognizing the actual and potential sources of this risk. The process of identifying market risk associated with assets commences at the time of making a decision to start entering into transactions on a given type of financial instruments. Units that make a decision to start entering into transactions on a given type of financial instruments draw up a description of the instrument containing, in particular, a description of the risk factors. They convey this description to the unit responsible for risk that identifies and assesses market risk on that basis.

The process of identifying the market risk associated with insurance liabilities commences with the process of developing an insurance product and involves an identification of the interdependencies between the magnitude of that product’s financial flows and market risk factors. The identified market risks are subject to assessment using the criterion of materiality, i.e. does the materialization of risk entail a loss capable of affecting its financial condition.

Market risk is measured using the following risk measures:

• VaR, value at risk, forming a measure of risk quantifying a potential economic loss that will not be exceeded within a period of one year under normal conditions with a probability of 99.5%;
• standard formula;
• exposure and sensitivity measures;
• cumulative monthly loss.

In the case of banking entities suitable measures are employed in accordance with the regulations applicable to this sector and best market practices.

When measuring market risk, the following stages, in particular, are distinguished:

• collecting information regarding assets and liabilities generating market risk;
• computing the value of the risk.

Risk is measured:

• for instruments’ exposure and sensitivity measures;
• using a partial internal model.

Monitoring and control of market risk involves an analysis of the level of risk and of the utilization of the designated limits.

Reporting involves communicating the level of market risk, the effects of monitoring and control to various decision- making levels. The frequency of each report and the scope of information provided are tailored to the information needs of each decision-making level.

Management actions in respect of market risk involve in particular:

• execution of transactions serving the purpose of mitigation of market risk, i.e. selling a financial instrument, closing a position on a derivative, purchasing a derivative to hedge a position;
• diversification of the asset portfolio, in particular having regard for the category of market risk, the maturities of instruments, the concentration of exposure in a single entity, geographic concentration;
• application of market risk limitations and limits.

The application of limits is the primary management tool to maintain a risk position within the acceptable level of risk tolerance. The structure of limits for the various categories of market risk and also for the various organizational units is established by dedicated committees in such a manner that the limits are consistent with risk tolerance.

Credit risk is the risk of a loss or an unfavorable change in the financial standing resulting from fluctuations in the trustworthiness and creditworthiness of the issuers of securities, counterparties and all debtors, materializing by the counterparty’s default on a liability or an increase in credit spread. The following risk categories are distinguished in terms of credit risk:

• credit spread risk;
• counterparty default risk;
• credit risk in financial insurance.

Concentration risk is the risk of a loss resulting from the absence of diversification of a portfolio of assets or from a significant exposure to the risk of default on a liability by a single issuer of securities or a group of related issuers.

The credit risk and concentration risk management process consists of the following stages:

• identification;
• measurement and assessment;
• monitoring and control;
• reporting;
• management actions.

Credit risk and concentration risk are identified at the stage of making a decision on an investment in a new type of financial instrument or on accepting credit exposure to a new entity. Such identification involves an analysis of whether the contemplated investment entails credit risk or concentration risk, what its level depends on and what its volatility over time is. Both actual and potential sources of credit risk and concentration risk should be identified.

Risk assessment consists of estimating the probability of realization of a specific risk and estimating the potential impact of its realization on the Company’s financial standing.

Credit risk is measured using:

• measures of exposure (gross and net credit exposure and maturity-weighted net credit exposure);
• standard formula.

Concentration risk for a single entity is calculated using the standard formula.

In the case of banking entities suitable measures are employed in accordance with the regulations applicable to this sector and best market practices.

A measure of total concentration risk is the sum of concentration risks for all entities treated separately. In the case of related parties, concentration risk is calculated for all related parties jointly.

Monitoring and control of credit risk and concentration risk involves an analysis of the current risk level, assessment of creditworthiness and calculation of the degree of utilization of existing limits. Such monitoring is performed, without limitation, on a daily and monthly basis.

The following are subject to monitoring:

• exposures to financial insurance;
• exposures to reinsurance;
• exposure limits and VaR limits.

Reporting involves communicating the levels of credit risk and concentration risk and the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided are tailored to the information needs of each decision-making level.

Management actions in respect of credit risk and concentration risk involve in particular:

• establishment of limits on exposure to a single entity, a group of entities, sectors or states;
• diversification of the portfolio of assets and financial insurance, especially with regard to state, sector;
• acceptance of collateral;
• execution of transactions serving the purpose of mitigation of credit risk, i.e. selling a financial instrument, closing a derivative, purchasing a hedging derivative, restructuring a debt;
• reinsurance of the financial insurance portfolio.

The structure of credit risk limits and concentration risk limits for each issuer is established by a dedicated committee in such a manner that the limits are consistent with the adopted risk tolerance and in such a manner that they enable to minimize the risk of ‘infection’ between concentrated exposures.

In banking activity the provision of credit products is accomplished in accordance with loan granting methodologies appropriate for a given client segment and type of product. The assessment of a client’s creditworthiness preceding a decision on granting a credit product to the client is performed using a system devised to support the credit process, scoring or rating tools, external information (for instance, CBD DZ, CBD BR, BIK and BIG databases) and bank’s internal databases. The granting of credit products is performed in accordance with the binding operating procedures whose purpose is to indicate the proper activities to be carried out in the credit process, the units responsible for those activities and the tools to be applied.

To minimize credit risk, security interests are established in line with the level of exposure to credit risk and in accordance with the client’s ability to provide the required collateral. The establishment of a security interest does not waive the requirement to examine the client’s creditworthiness.

In turn, credit scoring is used as a tool supporting the decision-making process regarding loans for

retail clients and micro-enterprises, while credit rating has the same role in the segment of small, medium-sized and large enterprises.

Operational risk is the risk of suffering a loss resulting from improper or erroneous internal processes, human activities, system failures or external events.

Operational risk is identified in particular by:

• accumulation and analysis of information on operational risk incidents;
• self-assessment of operational risk;
• scenario analyses.

Operational risk is assessed and measured by:

• calculating the effects of the occurrence of operational risk incidents;
• estimating the effects of potential operational risk incidents that may occur in the business.

Monitoring and control of operational risk is performed mainly through an established system of operational risk indicators enabling assessment of changes in the level of operational risk over time and assessment of factors that affect the level of this risk in the business.

Reporting involves communicating the level of operational risk and the effects of monitoring and control to various decision- making levels. The frequency of each report and the scope of information provided are tailored to the information needs of each decision-making level.

Management actions involving reactions to any identified and assessed operational risks involve, in particular:

• risk mitigation by taking actions aimed at minimizing risks, for instance by strengthening the internal control system;
• risk transfer – in particular by entering into insurance agreements;
• risk avoidance by refraining from undertaking or withdrawing from a particular type of business in cases where too high a level of operational risk is ascertained and where the costs involved in risk mitigation are unreasonable;
• risk acceptance – approval of consequences of a possible realization of operational risk unless they threaten to exceed the operational risk tolerance level.

The business continuity plans in PZU Group companies are kept up to date and tested regularly.

Compliance risk is the risk that PZU Group entities or persons related to PZU Group entities may fail to adhere to or violate the applicable provisions of law, internal regulations or standards of conduct, including ethical standards, adopted by PZU Group entities, which will or may result in the PZU

Group or persons acting on its behalf suffering legal sanctions, financial losses or a loss of reputation or trustworthiness.

The compliance risk management process at the PZU and PZU Życie level covers both systemic activities carried out by the Compliance Department and ongoing compliance risk management activities which are the responsibility of the heads of organizational units or cells in the Companies. Compliance risk is identified and assessed for each internal process at PZU and PZU Życie, in line with the demarcation of reporting responsibilities. Moreover, the Compliance Department identifies compliance risk on the basis of information obtained from the legislative process, from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries received by the Department.

The systemic activities include, in particular:

• development and implementation of systemic assumptions and internal regulations consistent with those assumptions;
• recommending to other PZU Group entities solutions for the application of a consistent compliance function and a systemic approach to compliance risk management;
• monitoring of the compliance risk management process, including in particular: performing compliance risk analyses, reviewing the degree of implementation of guidelines provided by external entities in respect of compliance risk management;
• consulting on and issuing interpretations and guidelines for the application of the adopted standards of conduct and compliance risk management;
• planning and delivery of training and internal communication in the field of compliance;
• preparation of compliance risk reports and information.

In turn, activities related to ongoing risk management, include in particular:

• identification and evaluation of compliance risk in the supervised area;
• measurement of compliance risk;
• determining the instruments to provide protection and limit the number and scale of irregularities;
• reporting any threats and events in the compliance risk area to the Compliance Department;
• taking mitigation activities;
• ongoing monitoring of compliance risk.

Moreover, the Compliance Department at PZU level makes efforts aimed at ensuring consistent and uniform standards of compliance solutions in all PZU Group entities and monitors compliance risk throughout the PZU Group.

In 2017 the PZU Group entities had compliance systems adapted to the standards designated by PZU.

The provision of full information on compliance risk in each member of the Group is the responsibility of compliance units. These units are required to assess and measure compliance risk and take appropriate remedial actions aimed at mitigating the likelihood of realization of this risk.

On an ongoing basis, PZU Group entities provide information on compliance risk to the Compliance Department at PZU and PZU Życie. In turn, the tasks of the Compliance Department include the following:

• analysis of monthly and quarterly reports received from compliance units of each member of the Group;
• assessment of the impact of compliance risk on the PZU Group as a whole;
• analysis of the implementation of recommendations issued to companies pertaining to the fulfillment of the compliance function;
• provision of support to compliance units in various PZU Group entities in assessing their own compliance risk;
• preparation of reports for the PZU Management Board and Supervisory Board.

Compliance risk includes, in particular, the risk that the operations performed by PZU Group entities will be out of line with the changing legal environment. This risk may materialize as a result of the absence of clear and unambiguous laws or their non-existence manifesting itself in the form of ‘legal loopholes’. This may cause irregularities in the PZU Group’s business, which may then lead to an increase in costs (for instance, due to the imposition of financial penalties) and an increase in the level of reputation risk, thus in a drop of the Group’s trustworthiness on the market (resulting in a possible financial loss).

Due to the broad spectrum of the PZU Group’s business, reputation risk is also affected by the risk of litigation whose value varies, which is predominantly inherent in the Group’s insurance companies.

The identification and assessment of compliance risk in the Group’s entities is performed for each internal process of these companies by the heads of organizational units, in accordance with the allocation of responsibility for reporting. Moreover, compliance units in PZU Group entities identify compliance risk on the basis of information obtained from notifications to the register of conflicts of interest, gifts and irregularities, and from inquiries sent to tchem.

Compliance risk is assessed and measured by calculating the effects of risk materialization of the following types:

• financial, resulting, without limitation, from administrative penalties, court judgments, decisions issued by Office of Competition and Consumer Protection (UOKiK), contractual penalties and indemnities;
• intangible, pertaining to a loss of reputation, including damage to the PZU Group’s image and brand.

Compliance risk is monitored, in particular, through:

• analysis of reports obtained from the heads of organizational units and cells;
• monitoring of regulatory requirements and adaptation of the business to the changing legal environment of PZU Group entities;
• participation in legislative work aimed at amending the existing laws of general application;
• performing diverse activities in industry organizations;
• coordination of external control processes;
• coordination of the fulfillment of reporting duties imposed by the stock exchange (in respect of PZU) and by statute;
• increasing the level of knowledge among PZU Group staff in the field of competition law and consumer protection, tailored to the specific business areas;
• monitoring of anti-monopoly jurisprudence and proceedings conducted by the President of Office of Competition and Consumer Protection (UOKiK);
• reviews of the implementation of recommendations issued by the PZU Group’s compliance unit;
• ensuring a consistent implementation of the compliance function within the PZU Group.

Management actions in the area of response to compliance risk include in particular:

• acceptance of risks arising, without limitation, from legal and regulatory changes;
• mitigation of risks, including by: adjustment of procedures and processes to changing regulatory requirements, evaluation and design of internal regulations to suit compliance needs, participation in the process of agreeing on marketing activities;
• avoidance of risks by preventing any involvement in activities that are out of compliance with the applicable regulatory requirements or good market practices or activities that may have an unfavorable impact on the entity’s image.

As part of efforts aimed at reducing compliance risk at system level and day-to-day level, the following risk mitigation actions are undertaken:

• continuous implementation of an effective compliance function as a key function in the management system of PZU Group entities;
• participation in consultations with legislative and regulatory authorities (supervised entities within the PZU Group) at the stage of development of the regulations (social consultations);
• delegating representatives of the PZU Group’s supervised entities to participate in the work of various commissions of regulatory authorities;
• execution of implementation projects for new regulations;
• training of staff in PZU Group entities in new regulations, standards of conduct and recommended management actions;
• issuing opinions on internal regulations of PZU Group entities and recommending possible amendments to ensure compliance with the applicable laws and accepted standards of conduct;
• verifying procedures and processes in the context of their compliance with the applicable laws and accepted standards of conduct;
• anticipating adjustment of documentation to upcoming changes in legal requirements;
• systemic supervision exercised by PZU over the execution of the compliance function in PZU Group entities.

In 2017, partly in response to a significant increase in the volume of regulatory requirements, including supervisory recommendations in the area of insurance products, the development of the product compliance function was continued, aiming at supporting business operations to effectively manage compliance risk in insurance products.