3.3. Principles of risk management

3.3.1 Division of responsibilities in the risk management process

1.     Supervisory Board, through its Risk Committee, exercises constant supervision of the Bank's operations in the risk taking area, which includes approving the Risk Management Strategy and supervising its execution.

2.     Management Board of the Bank develops the Risk Management Strategy and is responsible for establishing and implementing the principles of managing individual risk types and for their coherence with the Risk Management Strategy. Moreover, the Management Board defines the organisational structure of the Bank, ensuring the separation of roles, and allocates the tasks and responsibility to individual units.

The Management Board undertakes activities aiming at assuring that the Bank conducts a policy enabling a management of all types of risks essential for the Bank’s operations and has procedures to this extent, in particular including responsibility for preparing and introducing written strategies and procedures to the extent of: internal control system, risk management system, assessment process of internal capital, capital management and capital planning.

3.     Chief Risk Officer is responsible for integrated management of the risk and capital of the Bank and mBank Group in the scope of: defining strategies and policies, measuring, controlling and independent reporting on all risk types (in particular credit risk, market risk, liquidity risk, non-financial risk including operational risk), approving risks models and various limits (according to internal regulations), and for processes of managing the risk of the retail credit portfolio and corporate portfolio.

4.        Committees:

a/         Business and Risk Forum of mBank Group is a formal decision and communication platform for the risk management area and business lines of the Group.

The Business and Risk Forum is constituted by the following bodies:

  1. Retail Banking Risk Committee,
  2. Corporate and Investment Banking Risk Committee,
  3. Financial Markets Risk Committee.

The committees are composed of the representatives of business lines and respective risk management departments.

Each committee is responsible for the all types of risk generated by business activity of the given business line and performs the following tasks:

  • discussing and taking decisions concerning:

- introduction of new products/instruments,

- rules for managing the risk of products/instruments offered or planned to be offered by business lines,

- risk appetite of business lines, e.g. approval of risk limits imposed on business lines,

- approval of the risk policies applicable to particular client segments,

- client segments desired from the point of view of the expected risk portfolio structure,

- priorities and directions of changes in the organisation of processes and risk assessment tools,

  • mutual exchange of information about current and planned actions and projects, including sales plans and their implementation, sales campaigns, modifications to risk models, etc.,
  • monitoring of the following aspects on the basis of submitted reports and information:

- quality and effectiveness of the risk-bearing portfolios held by business lines,

- operational risk and other non-financial risk types,

- quality of data used in risk management processes,

- early symptoms of risk, and

- agreeing on preventive or remedial measures.

b/         Assets and Liabilities Committee of the mBank Group (ALCO) is responsible, in particular, for developing the strategy on the structure of assets and liabilities, obligations and off-balance sheet items, with the aim of optimizing funds allocation.

c/         Capital Management Committee is responsible, in particular, for managing capital, which includes also issuing recommendations for the Management Board of the Bank on measures in respect of capital management, capital level and structure, and on increasing the effectiveness of capital utilization, and recommendations on the internal procedures related to capital management and capital planning.

d/         Credit Committee of the Bank’s Management Board (till 02 November 2014) was responsible, in particular, for:

  • making credit decisions concerning companies in accordance with the decision-making matrix, depending on the rating and amount of exposure,
  • making decisions on the debt conversion into shares, stocks, etc.,
  • making decisions on taking over properties in return for debts,
  • making any other decisions going beyond the jurisdiction of the lower-level decision-making authorities.

e/         Credit Committee of the mBank Group (since 3 November 2014) is responsible, in particular, for:

  • the supervision of concentration risk and large exposures at mBank Group level,
  • credit recommendations concerning large exposures at mBank Group level, regarding common clients of the mBank Group and clients of mBank Hipoteczny, mLeasing and mFaktoring, depending on the amount of exposure,
  • making credit decisions concerning mBank’s clients in accordance with the decision-making matrix, depending on the rating and amount of exposure,
  • making decisions on debt conversion into shares, stocks, etc. (applies to the bank),
  • making decisions on taking over properties in return for debts (applies to the bank),
  • making any other decisions going beyond the jurisdiction of the lower-level decision-making authorities (applies to the bank).

f/          Credit Committee of the Retail Banking is responsible, in particular, for:

  • making individual credit decisions concerning retail clients in the case when the total exposure to such a client, the value of the transaction or the values of AIRB risk parameters (PD/LGD/EL) set for the client/transaction achieve a specified threshold set for this decision-making level,
  • making decisions on granting decision-making powers to individual employees of the Bank, or on changing or revoking those powers.

g/         Data Quality and IT Systems Development Committee is responsible for the tasks and decision making process in scope of principles and structure of operation of the data quality management system, approving operational standards of data management, assessing the effectiveness of the data quality management system, initiating actions aimed at improving data quality at the Bank, in particular, taking into account the needs related with calculating the regulatory capital requirements of the Bank under the AIRB approach.

h/         Foreign Branch Supervision Committee of mBank S.A. is responsible, among others, for issuing recommendations for the Management Board of the Bank on approval of the operational strategy and the rules for stable and prudent management of a particular foreign branch of the Bank, especially with reference to credit risk.

Other units:

1. Organisational units of the Risk Area

 The function of management at the strategic level and the function of control of credit, market, liquidity and operational risks and risk of models used to quantify the aforesaid risk types are performed in the Risk Area supervised by the Chief Risk Officer. The chart below presents the organisational structure of this area:


*organisational unit/position for developing integral structures of foreign branches at mBank S.A.

The roles played by particular units in the process of identifying, measuring, monitoring and controlling risk, which also includes assessing individual credit risk posed by clients and establishing the client selection rules, have been strictly defined. Within the scope of their powers, the units develop methodologies and systems supporting the aforesaid areas. Furthermore, the risk control units also report the risk and support the major authorities of the Bank.

Retail Risk Department:

  • development of risk management principles and processes,
  • acceptance of retail banking products, including the impact on the different types of risk and capital requirements,
  • development of reports for monitoring of risk management policies,
  • development and management of systems supporting the risk assessment and decision-making process,
  • setting up decision-making rules,
  • making credit decisions (for private individuals and micro-business clients),
  • administration of the loan portfolio,
  • collection, restructuring and development of policies for these processes,
  • credit fraud prevention and operational risk control in the credit process.

Corporate Risk Assessment Department:

  • implementation of the Bank’s credit policy regarding corporate customers, countries and financial institutions,
  • credit risk management in the Bank and the Group subsidiaries in the abovementioned areas.

Corporate Risk Processes Department:

  • organising corporate credit process and supervision over its realisation by the Bank,
  • developing corporate credit risk management strategy of mBank Group,
  • creating Bank’s credit policy and mBank’s sector policies in the scope of Industry-based Risk Appetite,
  • analysing and reporting within active management of corporate credit risk,
  • creating the methodology - and monitoring the quality – of rating models for corporate, financial and retail clients (credit risk modelling),
  • accounting of structured finance and mezzanine transactions and restructuring and collection operations.

Financial Markets Risk Department:

  • identifying, measuring and controlling market risk, liquidity risk, and interest rate risk of the banking book, in particular preparing of limits proposal for above mentioned risk types,
  • developing methods for measuring particular risk types, and integrating the control of market risk, liquidity risk, and interest rate risk of the banking book at the Bank and mBank Group,
  • measuring and controlling counterparty risk due to transactions assigned to financial markets area and derivatives transactions with bank customers, as well as preparing and developing the methods for determining credit exposure due to derivatives transactions,
  • ensuring methodological adequacy of the techniques of valuing financial instruments included in the portfolios of the Financial Markets Department, the Treasury Department, the Brokerage Bureau, the Financial Markets Sales Department and the mezzanine finance transactions of the Structured and Mezzanine Finance Department,
  • organising the following processes:
    • process of admitting to trading the financial instruments concluded by organisational units of the financial markets area,
    • process of assessing the adequacy of internal capital (ICAAP) with respect to market risk, liquidity risk, and interest rate risk of the banking book,
    • process of measuring economic capital for market risk,

and supervising their execution,

    • calculating and monitoring of P&L of business units from financial markets area,
    • market conformity of the transactions concluded by business units of financial markets area,

and reporting in this respect to the Management Board of the Bank and to collegial bodies of the Bank.

Integrated Risk and Capital Management Department:

  • integration of risk and capital within the ICAAP,
  • control of capital adequacy as well as planning and limiting risk capital,
  • integration of risk valuation (economic capital, reserves, stress tests),
  • integration of non-financial risks, including operational risk,
  • formulation of risk appetite and coordination of the process of determining strategic risk limits,
  • validation of quantitative models,
  • Internal Control System Self-assessment (ICS),
  • SREP - Supervisory Review and Evaluation Process.

Projects and Risk Architecture Management Department:

  • Risk Projects Portfolio Management,
  • competence centre in the area of process management,
  • development and optimization of the architecture of Risk processes,
  • management of the IT applications of Risk (maintenance and development),
  • risk data management and cooperation with the Finance Division within the scope of centralized management information system.

Foreign Branches Risk Department:

  • credit risk managing in the retail banking, supporting the credit risk assessment process and taking part in the decision making process regarding credits for the foreign branches,
  • credits managing/settling in the foreign branches,
  • handling the vindication process and performing the control in scope of the operational risk in the credit process for the credit products in foreign branches.

2. Organizational units outside the Risk Area are in charge of the management and control of other risks identified in mBank Group’s activity (business risk, capital risk, reputational risk, insurance risk, legal risk, IT system risk, personnel and organisational risk, security risk and compliance risk).

3. Business units take part in managing particular risk types by means of taking risk into account in business decisions, in preparing the product offer and in the client acquisition process. The units assume the ultimate responsibility for taking risk within the set limits and for developing the Bank's results

4. Control units:

  • Internal Audit Department (DAW) carries out independent review of the process of identifying, taking, measuring, monitoring and controlling risk as part of its internal control and audit function.
  • Compliance Department (DC) is responsible for establishing standards of managing the risk of non-compliance of internal regulations and standards of the Bank's operation with applicable law.

3.3.2 Risk culture

Lines of defence

Risk management roles and responsibilities in the mBank Group are organised around the three lines of defence model:

  1. The first line of defence consists of Business Lines whose task is to take risk aspects into consideration when making business decisions.
  2. The second line of defence, Risk, provides the methodological framework and is responsible for making risk decisions at the request of the Business and for measuring, limiting, monitoring and reporting
  3. The third line of defence is Internal Audit, ensuring independent assessment of Business and Risk.

Pillars of risk management

Risk management framework in mBank Group rests on three pillars concept:

1. Customer Focus – striving to understand and balance specific needs of the Risk’s diverse stakeholders (Business, Management Board, Supervisory Board, shareholders, regulators).

2. One Risk understood as an integrated approach to risk management and responsibility to the clients for all risks (defined in Risk Catalogue).

3. Risk vs Rate of Return perspective – supporting business decision-making process on the basis of long-term relationship between risk and rate of return avoiding tail risks.

Vision of Risk

Risk Area is a key partner of Business and the Management Board in creating sustainable value of the Bank by providing, over the long period, a balance between expected rate of return for shareholders and the Group’s stability.

Mission of Risk

Responsibility of Risk is realized by:

  • relevant strategy and policy of risk and capital management,
  • challenging proposals and decisions of Business,
  • independent control and risk reporting.

Implementation of Customer Focus Integrated Risk initiative

The risk control and management process in the mBank Group is subject to continuous improvement with emphasis on the improvement of customer-oriented integrated risk management. As a result, the Customer Focus Integrated Risk initiative has been introduced within the One Bank Strategy.

The initiative is realized in the following five key streams:

1. Strengthening the Business-Risk Dialogue.

2. Risk appetite.

3. Improvement of the credit process.

4. Improvement of Risk employees competences.

5. Simplification and integration of the Risk IT architecture.

Selected project examples are described below:

  • Business-Risk Dialogue Platform Project established a set of three Business-Risk Committees dedicated to business lines (Retail, Corpo & Investment, Financial Markets) smoothing decision-making process, preceded by a thorough discussion between Risk and Business.
  • Corpo Credit Process 2.0 Project introduced credit process paths differentiating credit process based on complexity of cases. The project implemented a customer assessment process based on a tool with embedded risk assessment criteria and a simple path within centralized risk assessment unit, as well as reorganized full path of credit process for large corporate clients by introducing amendments ensuring to shorten the waiting time for a decision to 15 days for complex cases.
  • Internal Control System Self-assessment (ICS)

    Implementation of ICS will allow for a comprehensive assessment of operational risk involved in the Bank’s key processes, in particular by:

    - identification of material operational risks,
    - inventory of control mechanisms dedicated to mitigate those risks,
    - assessment of adequacy and effectiveness of control mechanisms,
    - and assessment of the risk level and the development and implementation of the necessary corrective action plans.

ICS was divided into two stages. Results for the first stage were accepted by the Management Board in September 2014. The second stage is planned to be finalised till the end of June 2015.

Additionally the implementation of the ICS process within the Bank will enable to optimize and integrate the existing operational risk controlling tools in order to better match the new risk and control self-assessment process to the Bank’s business profile.

3.3.3 The risk management process documentation

The risk management process implemented in mBank and mBank Group is documented. The key documents are presented below.

Strategies and policies for managing particular risk types:

1. Risk Management Strategy of the mBank S.A. Group

The document is designed in connection with the One Bank Strategy and the Muliti-year Plan of the mBank Group and defines the risk appetite within mBank Group, including key quantitative and qualitative risk guidelines, as well as existential threats lying beyond its scope.

2. Corporate Credit Risk Management Strategy in mBank S.A. Group

The document describes issues connected with corporate credit risk in mBank Group: defines quantitative and qualitative aspect of the risk appetite within mBank Group, general principles of credit risk management and organization of the risk management area.

3. Retail Credit Risk Management Strategy in mBank S.A. Group

The document defines the general, directional guidelines regarding credit risk management in the retail area of Group’s operations, including issues such as: formal organization and responsibility for credit risk management, determination of the risk appetite, general guidelines for the functioning credit processes, decision-making models and reporting systems in place.

4. Operational Risk Management Strategy in mBank S.A. Group

The document describes the principles and components of operational risk management at the Bank, including, in particular, the following issues: operational risk profile of the Bank, the Bank's appetite for operational risk and operational risk management policies.

5. Market Risk Management Strategy of mBank S.A. Group

The document describes key issues concerning market risk management in the Group: specifies conditions influencing market risk profile, defines market risk appetite and provides framework of market risk management in the Group by identifying organisation, roles and responsibilities, defining market risk management process as well as attitude to the market risk management in the Group subsidiaries.

6. Liquidity Risk Management Strategy of mBank S.A. Group

The document describes key issues concerning liquidity risk management in the Group: specifies conditions influencing liquidity risk profile, defines liquidity risk appetite in the Group and provides framework of liquidity risk management in the Group by identifying organization, roles and responsibilities, defining liquidity risk management process as well as attitude to the liquidity risk management in the Group subsidiaries.

7. Compliance Policy in mBank SA

The document describes the process of organising compliance risk management, including the role of the Bank's authorities in the process, the role of the Compliance Department, and obligations of the Bank's employees in implementing the policy.

8. Capital Management Policy of mBank S.A. Group

The Policy contains the code of conduct that clearly specifies arrangements concerning capital management, including basic aims, principles, and methods of capital management process as well as mBank Group strategic objectives in the capital area.

9. Model Management Policy

The document specifies the participants and general rules of model management process, including issues concerning development of models in mBank Group, their approval, implementation, verification/validation, monitoring, implementation of changes and reporting.

10. Reputational Risk Management Strategy in mBank S.A. Group

The document specifies the principles and components of reputational risk management, including, in particular, the issues of reputational risk profile as well as organization and methods of reputational risk management.

Limit system:

1. Limit Book. Rules for limitation of risk in mBank Group

The document contains a description of standardized framework both for the process and system of limits, which are widely used in managing and controlling risk all over the mBank Group and ensures fine application of the risk appetite to the certain risk limiting in the particular areas, and guarantees fulfilling the regulatory requirements.

ICAAP documentation:

1. Internal Capital Adequacy Assessment Process (ICAAP) in the mBank S.A. Group – Governing Principles

The document describes the internal capital adequacy assessment process in the Group (including the Risk Bearing Capacity concept) and the course of the individual process components.

2. Document describing the rules for estimating capital for hard to quantify risks

3. The concept of Risk Coverage Potential

3.3.4 Internal capital adequacy assessment process (ICAAP)

The mBank Group adjusts the own funds to the level and type of risk, the mBank Group is exposed to, and to the nature, the scale and the complexity of its operations. For that purpose, the ICAAP (Internal Capital Adequacy Assessment Process) is realized in the mBank Group. The aim of this process is to maintain own funds at the level adequate to the profile and the level of risk in the mBank Group’s operations.

Internal capital is the amount of capital estimated by mBank and required to cover all material risks identified in the mBank Group’s operations. Internal capital is the total sum of the economic capital to cover risks included in economic capital calculation and capital necessary to cover other risks (including hard to quantify risks).

In 2014, the mBank calculated the economic capital at the 99.91% confidence level over a one-year time horizon, for all risk types. Diversification between different risks was not included while calculating total economic capital.

The internal capital adequacy assessment process is composed of six stages implemented by organizational units of the mBank and the mBank Group subsidiaries. The process includes:

  • risk inventory in the Group,
  • calculation of internal capital for coverage of risk,
  • capital aggregation,
  • stress tests,
  • planning and allocation of economic capital to business lines and the Group subsidiaries,
  • monitoring consisting in a permanent identification of risk involved in the business of the mBank Group and the analysis of the level of capital for risk coverage.

The internal capital adequacy assessment process is accepted by the Supervisory Board of the mBank. The whole internal capital adequacy assessment process is reviewed annually. The Management Board of mBank is responsible for the internal capital adequacy assessment process in mBank Group.

Material risks in mBank Group’s operations

The Management Board is taking activities for ensuring that the Group manages all material risks arising from the implementation of adopted business strategy.

As a result of risk inventory process in the Group realized on the basis of the rules specified within ICAAP, the following risk types were recognized as material for the Group in 2014:




3.3.5 Risk appetite

Risk appetite is defined within the mBank Group as the maximum risk, in terms of both amount and structure, which the Bank is willing and able to incur in pursuing its business objectives under going concern scenario. Risk appetite resulting from the available capital and funding base is the starting point in the Bank’s risk management, and thus impacts the budgeting process and the capital allocation process.

Risk appetite management framework

The risk appetite management process in mBank Group is presented in the chart below.




Risk appetite is based on assessment of the Group’s risk profile and risk capacity in the perspective of:

  • capital,,
  • funding,
  • non-financial risks,
  • Risk Adjusted Performance Measures.

Risk appetite is aimed to provide a forward looking process that establishes expectations about the Bank’s overall risk profile in a variety of circumstances.

Risk appetite is aimed to secure a practical approach for initiating and sustaining the dialogue within the organization. During the strategic discussions, the Management Board outlines directions for the development of the Group and particular business lines. Risk appetite statements are decomposed into key metrics and targets via the integrated strategic planning process and cascaded down into the organization in operational phase of planning. Documentation of risk appetite and it’s monitoring activates control mechanism for protecting Bank’s goals.

Capital buffers

Risk appetite is determined below the risk capacity determined by the minimum standards on capital adequacy and liquidity set in European and Polish regulations in order to ensure that the Group survives in the case of negative changes in the Group or in its environment thereby providing the ability to assure risk bearing capacity. Level of funding sources and capital position of the Group, both regulatory and internal (internal capital) is applied while defining the risk capacity and risk appetite. The Bank maintains capital and liquid assets on the levels, which ensure meeting regulatory requirements under normal and stress conditions.

In mBank, risk appetite covers all identified risks and key risk concentrations embedded in its business strategy by setting capital buffers for risk resulting from potential materialization of selected risk factors related to existing portfolios and planned business as well as addresses expected new regulatory requirements and potential negative macroeconomic changes.

Risk Bearing Capacity

Risk Bearing Capacity is expressed in terms of capital and funding resources available for allocation so as to ensure safety in normal and risk scenario. The maximum risk that mBank Group is willing and able to incur, while accepting existential threats resulting from mBank Group business strategy, is subject to the following conditions:

  • adequate economic risk-bearing capacity must be ensured (limits must be ensured in normal conditions),
  • the internal floor set for regulatory capital ratios must be observed,
  • it must be ensured that the Group remains financially solvent and has adequate structural liquidity at all times.

The approach of mBank Group to the assessment and control of mBank Group risk bearing capacity covers internal and regulatory requirements.

Risk limit system

To ensure effective allocation of the risk appetite the mBank Group applies a risk limit system. The structure of limits translates the risk appetite into specific constraints on risks incurred in the Group’s activity. The concept of limit structure and limit management process is described in the document “Limit book. Rules for limitation of risk in mBank S.A. Group” accepted by the Supervisory Board. Accepted limit values are presented in the Limit Book - limit register.

3.3.6 Stress tests within ICAAP

Stress tests are an essential component of the ICAAP used for managing the Bank and the Group and for capital planning. Stress tests allow an assessment of the Group’s resistance in the context of extreme, yet plausible scenarios of external events.

The integrated stress tests are conducted assuming scenario of unfavourable economic conditions that may adversely affect the Bank's financial situation in at least a full two-year time horizon (for liquidity risk in one-year horizon). The risk scenario, ie. the most plausible (in at least a full two-year time horizon) scenario of negative deviations from the base scenario, expressed in terms of macroeconomic and financial ratios is common for all risk types and is aligned with the scenario accepted at the group level of the parent entity of the Bank.

The integrated macroeconomic scenario allows for a comprehensive analysis of all the risk types covered by internal capital and analysis of its impact on the capital adequacy and liquidity of the Bank and the Group.

The stress test results include the following measures:

1/    stressed economic capital (includes capital for credit risk, market risk, operational risk and business risk),

2/    stressed potential risk coverage (RCP),

3/    the liquidity norms under stress conditions.

The internal capital under stress scenario is defined as a product of calculation performed in line with the current methodology of internal capital calculation but on the basis of input parameters typical for stress conditions.

Macroeconomic stress scenarios are updated on quarterly basis or ad hoc, if needed. Based on the stress scenarios the resulting internal capital demand as well as negative financial effects of the adverse economic scenario are simulated.

Additionally, once a year, the Bank carries out supplementary stress tests using much more severe risk scenarios and/or events. The Group and the Bank carries out so called reverse stress tests, the goal of which is to identify events potentially leading to unviability of the Group and the Bank.

The Group and the Bank take part in regulatory stress tests conducted annually by the Polish Financial Supervisory Authority (KNF), in order to determine the impact of assumed macroeconomic stress scenarios on the Group’s balance sheet and P&L as well as on external supervisory norms.

3.3.7 Capital planning

Required capital planning – strategic phase

The strategic phase of capital planning takes the form of the strategic dialogue between the Management Board, Risk, Finance and Business, resulting in the determination of the desired directions of business development to support the realization of the business goals of the mBank SA Group.

The Group plans business activities and related risk appetite within its risk bearing capacity and constraints imposed by regulatory requirements which have to be satisfied under both normal and stress conditions.

In view of the above, the planned changes in the size and structure of the Group’s business activities, as well as anticipated regulatory changes are taken into account in estimating the required capital during the planning process. The required capital is estimated using risk parameters reflecting macroeconomic expectations assumed in planning process and taking into consideration intended changes in the methodology.

Should the capital required to achieve business goals of the Group be greater than the capital available for allocation, then the said business goals need to be revised.

Following the establishment of strategic directions, the key risk concentrations arising from the current and planned risk profile are examined with the Management Board setting an acceptable level of the associated risk factors. Key risk concentrations are identified based on the reverse stress test analysis. Capital targets are set taking into account the capital needs arising from the potential materialization of key risk factors recognized in reverse stress test procedure and fixed at the levels accepted as corresponding with targeted risk tolerance. Impact of the risk factors on capital is determined through stress test calculations.

The process of setting strategic financial targets is accompanied by strategic allocation of capital resources to individual business areas taking into account longer-term return on capital.

Required capital planning – operational stage

Based on the strategic directions, general balance sheets targets are elaborated upon during operational phase of capital planning (bottom-up). At this stage the capital available is compared with the capital needed (resulting from business growth and stress test results) in order to determine an efficient capital allocation at lower levels.

Business units work out their partial plans based on accepted macroeconomic assumptions, financial targets and the assessment of business growth potential.

In order to determine an acceptable risk profile from the capital consumption perspective, the forecasted volumes (partial plans) and resulting demand for regulatory and economic capital are compared, in an iterative process, with available resources and strategic guidelines.

Limits supporting capital plan

To ensure adequate use of available resources in order to achieve its business targets limits are established which are subject to yearly update. Multilevel limit structure aims to ensure that risk appetite is translated into specific constraints put on risks of the Group’s activities in different business areas.

Available capital base

The final effect of the planning process is determination of target level of regulatory (own funds) and economic (RCP) capital base needed to cover risk concentrations of the current and planned activities, expressed by total regulatory capital requirement and total internal capital.

3.3.8 Managing particular risk types

Credit risk management

The mBank Group actively manages credit risk in order to optimise the level of profit in terms of return on risk. Analysis of the risk in the Group operations is continuous. For this purpose, uniform credit risk management rules are applied across the Bank’s structure and its subsidiaries; they are based, among others, on separation of the credit risk rating function and the sales function at all levels up to the Management Board. A similar approach is applied to administration of credit risk exposures as this function is performed in the risk area and the operating area and is independent from sales functions. The model of Group-wide risk management assumes participation in the process of Bank’s Risk Area organizational units (including, in particular, functions of the Credit Committee of the mBank Group). The segregation of responsibilities in the process is as follows:

  • The Retail Risk Department (DRY) is responsible for management of credit risk and other risk types in mBank’s retail banking. The main operational responsibilities of DRY (in the domestic market) include: credit risk rating and credit decision-making for individual exposures and transactions, mitigation of operational risk (credit frauds), supervision over the automated credit process, administration of credit agreements concluded with retail clients and their monitoring, collection of credit receivables via telephone and legal collection of credit receivables. Furthermore, DRY develops rules of credit risk rating, calculating creditworthiness of retail clients and other components of credit policy submitted for the approval by the Retail Banking Risk Committee. Solutions applied on the Polish market are also adapted in foreign branches (in the Czech Republic and Slovakia) – in this respect DRY cooperates closely with the Foreign Branches Risk Department. Moreover, the Department is responsible for implementing the assessment principles in the tools supporting the credit decision-making process, reports on the quality of the credit portfolio, and monitors the quality of data used in the risk rating process. To the extent permitted by external regulations DRY participates in the risk management process of the subsidiaries having credit risk bearing retail products in the offer.
  • The Corporate Risk Assessment Department (DOR) is responsible for management of the quality of the corporate loans portfolio of the Bank and subsidiaries of mBank Group including restructured exposures and subject to a restructuring. DOR’s key functions include: developing credit policy concerning corporate clients, countries and financial institutions as well as guidelines for credit risk strategy in the abovementioned areas; decision-making or participation in decision-making concerning performing and non-performing loans, including their impact on operational risk, reputational risk, liquidity risk and for capital requirements and return on invested capital; analysis, evaluation and control of credit risk of countries, banks, international financial institutions and non-financial clients of the Bank and the Group subsidiaries in the corporate banking area; implementation of the process of an early warning about the loss of creditworthiness of corporate clients (EW Process), including the management of the Watch List (WL) and credit risk provisions in the Bank’s corporate banking area; monitoring the structure of exposures in the risk portfolio, in particular by sector, and the related concentration risk. The more extensive scope of credit risk controlling functions at Group level is performed by a dedicated organizational unit: the mBank Group Credit Risk Division at the Corporate Risk Assessment Department. The main functions of the Division include: analysis of credit risk of new exposures of subsidiaries, monitoring credit risk of the largest exposures; participation in the projects of development and modification of the risk management strategy, policies and rules in subsidiaries.
  • Corporate Risk Processes Department (DPR) responsible for: compiling the corporate credit risk strategy, shaping the credit policy within the corporate banking area, creating through portfolio analyses, including industry-based division, products and concentration; compiling reports and statements for financial supervision bodies, the Bank’s governing bodies and the Bank’s organisational units, from the scope of credit-warranty portfolio of Bank and mBank Group entities. DPR compiles and introduces rules governing corporate risk process, monitors its efficiency, manages applications supporting credit process and provides support for their users. Within the area of the Department’s responsibilities lies development and quality control of the rating models for corporate, financial and individual clients of mBank and mBank Group entities. Additionally, DPR manages the reserves for credit risk in the area of corporate banking, conducts settlement and accounting service of credits and guarantees issued by Structured and Mezzanine Finance Department (DFS) and collected debts from Restructuring and Debt Collection Department portfolio.
  • Integrated Risk & Capital Management Department (DKR) – is responsible for the portfolio provision for loans and advances to corporates and retail, integration of risk valuation (economic capital, stress tests, total risk exposure amount (TREA)) and validation of models.

Decision-making for credit exposures in the corporate area. Credit decisions are consistent with the accepted rules set in the Corporate Risk Policy. Levels of decision-making competences are determined by a decision-making matrix. The determination of level of decision-making authority for credit decision is based on EL rating and total exposure on client/group of affiliated entities. The total exposure includes also exposures of the client/group of affiliated entities in the mBank Group’s subsidiaries.

Decision-making for credit exposures in the retail banking area. Due to a profile of retail banking clients, the accepted amount of exposure per client and standardisation of products offered to those clients, the credit decision-making process differs from that applied to corporate clients. The decision-making process is automated to a large extent, both in terms of acquiring data on the borrower from internal and external data sources, and in terms of risk assessment by means of scoring techniques and standardised decision-making criteria. The tasks, which are not automated concern mainly the verification of credit documentation and potential derogations when a decision is made with the escalation to the decision-making level in accordance with the applicable rules. In addition, in case of mortgage loans, the present value of the collateral is established and its compliance with the binding credit policy including acceptable LtV (Loan to Value) is assessed. These functions are performed by operating units located within the Retail Risk Department, in complete separation from sales functions.

In mBank Group, mortgage loans to retail customers are also granted by mBank Hipoteczny. The credit process and the principles of risk assessment are consistent with the solutions used in mBank - the main difference is another method of property valuation, i.e. the use of the mortgage lending value instead of market value.

Market risk management

Market risk management is performed in a single process by the Financial Markets Risk Department (DRR).

  • The Financial Markets Risk Department (DRR) is responsible for measurement of exposures to market risk of the Bank’s front-office units portfolios by the use of market risk measures: Value at Risk (VaR) and stress tests. DRR is responsible for control of utilisation of the limits for these risk measures established by the Management Board and the Financial Markets Risk Committee and provides daily and periodical reporting on the market risk exposure to managers of the Bank’s front-office units, to the Financial Markets Risk Committee, and directly to the Vice-president of the Management Board - Chief Risk Officer.Moreover, DRR develops market risk measurement methodologies, pre-settlement counterparty risk of derivative transactions, and establishes valuation models for financial instruments.

    Moreover the Financial Markets Risk Department is responsible for calculation and reconciliation of financial results on transactions carried out by the front-office units and provides daily valuation of financial instruments to the Finance Area. The valuation of derivative transactions with the Bank’s clients is also delivered to the business units responsible for managing clients (investment and corporate area). Valuations prepared by DRR are the basis for managing collaterals for concluded transactions on derivative instruments. DRR is responsible for the administration of the front-office IT systems, i.e. administration of users’ access rights to the systems, parameterization in the systems of financial instruments, as well as counterparties and issuers and is responsible for market data input to the systems. DRR monitors utilization of counterparty limits (pre-settlement, settlement, issuer and country risk limits) and escalates if limits are exceeded. Moreover, DRR verifies the market conformity of the transactions concluded by the front-office units and supervises the process of modification and deletion of deals in the front-office systems.

Liquidity risk management

Liquidity risk management aims at ensuring and maintaining the Bank’s and the Group’s ability to fulfil both current and future liabilities taking into account the cost of liquidity. The liquidity management process consists of procedures that aim at identification, measurement, controlling, monitoring, reducing and defining the acceptable level of exposure to risks. This process can be divided into two main elements in the operational sense: the part involving all forms of liquidity management and the part of controlling and monitoring liquidity risk. The mBank Group Assets and Liabilities Management Committee, the Financial Markets Risk Committee and the Management Board of the Bank are responsible for liquidity management on the strategic level. Below mentioned organisational units are responsible for liquidity management and control.

  • The Financial Markets Settlement and Services Department (DOF) – is responsible for operational supervision over cash flows in accounts.
  • The Treasury Department (DS) is responsible for providing necessary funds for settlements in the Bank’s accounts, implementing strategic recommendations made by the mBank Group Assets and Liabilities Management Committee, calibrating the structure of the future cash flows within the limits imposed by the Management Board and the Financial Markets Risk Committee, maintaining defined securities portfolios kept to secure liquidity within the limits imposed by the Management Board, the Financial Markets Risk Committee and the mBank Group Assets and Liabilities Management Committee. The Treasury Department is supported in these functions by the Financial Institutions Department, in relation to funding from domestic and foreign banks and international financial institutions, and the Financial Markets Department, in relation to issues of the Bank’s debt securities.
  • The Financial Markets Risk Department (DRR) is in charge of controlling and monitoring liquidity risk of the Bank on the strategic level and reporting to the Vice-president of the Management Board - Chief Risk Officer, the Financial Markets Risk Committee and the mBank Group Assets and Liabilities Management Committee. The Department monitors financial liquidity on a daily basis using methods based on cash flow analysis. Liquidity risk measurement is based on the regulatory model and an internal model, which has been established taking into consideration the specific character of the Bank, the volatility of the deposit base, the level of funding concentration, and the projected development of particular portfolios.

Operational risk management

Operational risk management is performed in mBank and, at the consolidated level, in mBank Group.

  • The Integrated Risk and Capital Management Department (DKR) is responsible for operational risk controlling and monitoring in the Bank and in mBank Group. The key functions of DKR within operational risk control cover: measurement and assessment of operational risk level, including organization of the process of collecting, monitoring and reporting data concerning operational risk events and effects, organization of the process of creating and reporting of operational risk scenarios, organization of the process of creating, monitoring and reporting of KRI (Key Risk Indicators), organization of the process and supervision over the integration and usage of information on risk from external operational risk databases, organization of the process of operational risk assessment for new products implemented to the Bank’s offer, financial instruments introduced to the trade turnover and outsourcing processes, organization of Internal Control System Self-assessment (ICS); as well as calculation of capital requirements for operational risk at the Group level and delivering data for capital planning, supervising operational risk management process and internal control system assessment in mBank Group subsidiaries in particular through setting standards of operational risk management, issuing recommendations and monitoring the level of risk, organization of reporting on the level of operational risk and assessment of internal control system in mBank and mBank Group for the purposes of internal customers (organizational units of the Bank, mBank Group subsidiaries and the parent entity) and external customers (the Polish Financial Supervision Authority, rating agencies).

Within the scope of its operational risk control function, the Integrated Risk and Capital Management Department closely co-operates with other units and projects within the Bank involved in operational risk. In particular with the Compliance Department, the Legal Department, the Internal Audit Department and the Security Department. The results of operational risk controlling and monitoring are reported to the Risk Committee of the Supervisory Board, the Management Board of the Bank, the Business and Risk Forum of mBank Group, and the Chief Risk Officer.

Business risk management

Business risk management is performed in mBank and, at the consolidated level, in mBank Group.

  • Controlling and Management Information Department is responsible for ongoing monitoring of financial results of business units and preparing forecasts of the Group’s results; development of methodology and measurement of economic capital for business risk and preparing information on the changes of its level, as well as for the stress testing of business risk.

Reputational risk management

The Bank’s business units, foreign branches, and subsidiaries are directly responsible for any reputational risk arising from their own business activities. The key role in reputational risk management is played by the Communication and Marketing Strategy Department, which is in charge of shaping the image and brand of the Bank and mBank Group.

  • Communication and Marketing Strategy Department is responsible for: development of external communication strategy of mBank and mBank Group and realisation of mBank external communication strategy; planning and realisation of marketing activities for business lines, with exclusion of retail banking (where the responsibility rests with the Retail Banking Marketing Department); planning and coordination of activities of mBank and mBank Group in regards to marketing research relating to brand positioning as well as realization of activities in the area of marketing research; development and realization of strategy relating to corporate responsibility; monitoring of activities related to the Bank’s image, reputation and identification in accordance with the Bank’s strategic positioning; management of crisis situations which bear the reputational risk for the Bank and the mBank Group.

 Substantial functions in the reputational risk management process are performed by other organizational units of the Bank, that is: Compliance Department, Employee and Organization Culture Development Department, Corporate Banking Management Department, Business Support Department, Retail Banking Business Development Department, and Integrated Risk and Capital Management Department, which is responsible for: development of reputational risk management strategy in cooperation with other organizational units and supervision over the Internal Control System Self-assessment (ICS), including also aspects of reputational risk.

Model risk management

Model risk management is coordinated by the Integrated Risk and Capital Management Department through its Validation Unit.

  • Integrated Risk and Capital Management Department (Validation Unit) performs the following tasks: develops policies and organizes the process of managing models used for the purposes of the management and measurement of credit risk, market risk, interest rate risk in the banking book, liquidity risk as well as other risks deemed material in the process of calculating regulatory and economic capital, in particular through setting standards, issuing recommendations and monitoring of the process in mBank Group, and maintains the Model Register; conducts validation of models applied in mBank for the purposes of assessment of capital adequacy and economic capital, validation of the process of application of ratings and validation of implementation of changes of models in IT systems; develops model validation methodology; performs validation services for mBank Group subsidiaries and agrees with the subsidiaries on the results of validations carried out in subsidiaries with regard to models covered by AIRB method and other models deemed material from the point of view of the Group’s operations in accordance with model management policies; organizes and monitors the process of model risk assessment in the Bank’s organizational units and the Group subsidiaries responsible for model development and ensures consistency of model risk assessment within the Group; is responsible for communication and reporting to internal and external stakeholders and the parent entity of the Bank of required information concerning changes in models.

Capital risk management

Capital risk management is performed in mBank and, at a consolidated level, in mBank Group.

  • Controlling and Management Information Department is responsible for: development of the capital management policy of mBank Group; measurement of efficiency of the capital utilization and monitoring ratios of return on capital in the Bank’s organizational units and the Group subsidiaries, and updating the respective methodology; preparation of forecast of changes of own funds and TREA, as well as capital adequacy ratios for the Bank and mBank Group.
  • Integrated Risk and Capital Management Department is responsible for: monitoring of capital adequacy, risk bearing capacity and risk profile of the Group; organization of the processes of planning, forecasting and monitoring regulatory and internal capital; development of the risk bearing capacity concept and the methodology of limiting regulatory and internal capital; monitoring regulatory requirements regarding the application of AIRB method in calculating capital requirements, sensitivity analyses, stress tests and analyses of influence of new products and new calculation methods for the level of capital requirements and regulatory capital ratios; preparation of reports and information for the statutory bodies of the mBank and for the purposes of consolidated supervision in regards to capital adequacy, risk bearing capacity and risk profile of the Bank and mBank Group.

Insurance risk management is performed in the mBank Group subsidiary – BRE Ubezpieczenia TUiR S.A., where insurance risk was deemed material in 2014.