3.11. Operational risk

Operational risk is understood as the risk of loss resulting from a mismatch or unreliability of internal processes, people or systems, or from external events. In accordance with the Risk Catalogue of mBank S.A. Group, operational risk includes in particular the following sub-categories:

  • legal risk,
  • IT systems risk,
  • personnel and organizational risk,
  • security risk,
  • compliance risk.

Operational risk does not include reputational risk; however, the materialization of operational risk may increase reputational risk.

While organizing the operational risk management process, the Bank takes into account regulatory requirements. Resolutions and recommendations of the Polish Financial Supervision Authority (in particular Recommendation M) are the starting point for preparing the framework for the operational risk control and management system in the Group.

The general principle of operational risk management in the Bank is to minimize it, that is, to reduce the causes of operational events, the probability of their occurrence and the severity of potential consequences. Cost-benefit analysis is considered when deciding on an acceptable operational risk level.

Operational risk control and management consists of a set of activities aimed at the identification, monitoring, measurement, assessment and reporting, as well as the reduction, avoidance, transfer or acceptance, of the operational risk the Bank is exposed to in particular areas of its operations. It is based on quantitative and qualitative methods and tools for operational risk control. The tools applied by the Bank are intended to support cause-oriented operational risk management and focus on a bottom-up approach to risk identification.

Qualitative tools are aimed at establishing (within the Bank and the mBank Group) a consistent qualitative assessment of internal and external factors affecting the operational risk management process.

The basic qualitative tool is the self-assessment of the internal control system carried out by the Bank’s organizational units. It presents an assessment of the level of operational risk for the Bank, as well as for individual processes and organizational units. Since 2014, the Bank has been replacing the existing Business Environment Assessment Surveys with the Internal Control System Self-assessment process, which will make it possible to identify and assess the most important operational risks and control mechanisms in the Bank, and then to develop and implement the necessary corrective action plans. For the purposes of the Self-assessment, the Bank identified a list of key processes, which cover all its operations. In 2014, the first stage of the Self-assessment implementation was completed and the second stage, for other key processes, was started. Its completion is planned for the middle of 2015. Implementation of the Self-assessment in the Group subsidiaries will be considered after the full process rollout at the Bank. Until then, the subsidiaries will continue to use the Business Environment Assessment Surveys.

In addition, in order to control operational risk, mBank collects data about operational risk events and losses of the Group, collects and monitors key risk indicators, and develops and performs operational scenario analyses in order to identify exposure to potential high-severity events. At the same time, communication with all areas of the Bank (business and support areas) is maintained for the purpose of monitoring and taking preventive actions once the risk of critical events has been signalled in any area.

The vast majority of the Bank’s operational losses relate to the following lines: trading and sales, commercial banking, and retail banking.

In terms of losses by risk category, the Bank incurs the highest losses in three categories of operational risk: crimes committed by outsiders; execution, delivery and process management; customers, products and business practices.