The PZU Group distinguishes the six main areas of risk it faces: actuarial risk, market risk, credit risk, concentration risk, operational risk and compliance risk.
The most important factors influencing PZU Group’s risk profile in 2015
The key event from the viewpoint of the PZU Group’s risk profile was integrating the risk management process in the PZU Group’s insurance companies and implementing the requirements of the Solvency II system and the regulatory authority’s guidelines, especially the Office of the Polish FSA in these companies.
- Underwriting risk
It is the risk of a loss or an adverse change in the value of liabilities as a result of improper assumptions regarding valuation and the establishment of technical provisions.
The process of risk identification starts with the idea of creating an insurance product and it lasts until the related liabilities expire. Underwriting risk identification is carried out, e.g. by means of:
- analysis of general insurance terms and conditions in respect of the accepted risk and compliance with generally applicable provisions of law;
- monitoring of the existing products;
- analysis of the policies relating to underwriting, tariffs, provisions and reinsurance, as well as the claims and benefits handling process.
Underwriting risk assessment involves recognizing the degree of exposure or a group of exposures related to the possibility of incurring a loss and analyzing the risk elements in order to make a decision on whether PZU should accept a risk for insurance and assume liability. The aim of the risk assessment (underwriting) is the assessment of future claims and the reduction of adverse selection.
Underwriting risk measurement is based in particular on:
- analysis of selected indicators;
- scenario method – analysis of impairment arising from an assumed change in risk factors;
- factor method – a simplified version of the scenario method, reduced to one scenario per risk factor;
- statistical data.
Monitoring and controlling of underwriting risk includes the analysis of the level of risk by means of a set of reports including selected indicators.
The reporting aims to ensure efficient underwriting risk communication and supports underwriting risk management at different levels of decision-making process from the employee level to the Supervisory Board. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management activities in the underwriting risk management process are carried out, in particular by:
- specifying underwriting risk tolerance level and monitoring thereof;
- business decisions and sales plans;
- calculating and monitoring the adequacy of technical provisions;
- pricing strategy, as well as monitoring existing estimates and assessing the premiums adequacy;
- process of assessment, measurement and acceptance of underwriting risk;
- use of underwriting risk mitigation techniques, including, in particular, reinsurance and prevention.
Furthermore, in order to reduce the underwriting risk associated with the ongoing activities the following actions, in particular, are undertaken:
- definition of the scopes of liability and exclusions in the general terms of insurance;
- reinsurance activities;
- adequate pricing policy;
- application of appropriate methodology of provisions calculation;
- appropriate underwriting process;
- appropriate claims handling process;
- sales decisions and plans;
- Market Risk
Risk of a loss or an adverse change in the financial standing, which directly or indirectly arises from fluctuations and changes in market prices of assets, credit spread, value of liabilities, and financial instruments.
The nature of the process of credit spread risk management and concentration risk varies from management process of other subcategories of market risk and has been defined in the next section (Credit and concentration risk) along with the process of managing counterparty default risk.
The identification of market risk involves recognizing the actual and potential sources of this risk. In the case of assets, the market risk identification process begins when a decision is made to commence transactions on a given type of financial instrument. The units which decide to start transactions on a given type of a financial instrument prepare the description of the instrument, including, in particular, the description of the risk factors. The description is then submitted to the risk management unit which uses it to identify and assess the market risk.
The process of identifying market risk related to insurance liabilities starts simultaneously with the process of creating an insurance product and involves identifying the relationship between the amount of cash flows associated with this product and the market risk factors. Identified market risks are assessed in terms of materiality, i.e. based on whether the materialization of a risk would be related to a loss that could affect the financial standing.
The market risk is measured using the following measures of risk:
- VaR, i.e. Value at Risk - a risk measure quantifying the potential economic loss, which will not be exceeded over a period of one year with a 99.5% probability under normal market circumstances;
- exposure and sensitivity measures;
- accumulated monthly loss.
The following stages of the market risk measurement process can be distinguished:
- collection of information on assets and liabilities that generate market risk;
- calculation of the value of the risk.
The risk measurement is performed:
- for the measures of exposure and sensitivity of instruments;
- using a partial internal model.
Monitoring and control of the market risk involves analysing the risk levels and the utilization of limits.
Reporting consists of communicating the level of market risk and the effects of monitoring and control to the different decision-making levels. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management actions regarding market risk include, in particular:
- concluding transactions to mitigate market risk, such as selling a financial instrument, closing out a transaction on a derivative, and purchasing a hedging derivative;
- diversifying the portfolio of assets, in particular with respect to market risk categories, maturities of instruments, concentration of exposure in one entity, geographical concentration;
- setting market risk restrictions and limits.
The setting of limits is the main management tool for maintaining risk positions within acceptable risk tolerance levels. The structure of limits for the individual market risk categories and the organizational units is defined by dedicated Committees in line with the risk tolerance.
- Credit risk and concentration risk
Credit risk is the risk of loss or adverse change of the financial standing resulting from fluctuations of reliability and creditworthiness of issuers of instruments, counterparties and debtors, which materializes in the default of counterparty or an increase in credit spread.
Concentration risk is a risk arising from lack of diversification in the portfolio of assets or from high exposure to the risk of default by a single issuer of securities or a group of related issuers.
Identification of the credit and concentration risk takes place at the stage of making a decision to invest in a new type of financial instrument or to involve in the credit exposure to a new entity. Identification is based on an analysis of whether a given investment is related to credit or concentration risk, on which its level and volatility depends. The actual and potential sources of credit and concentration risk are identified.
Risk assessment is based on estimating a probability that the risk occurs and a potential impact of such an occurrence on the financial standing.
Credit risk is measured with the use of the following tools:
- exposure measures (the amount of the gross and net credit exposure and maturity-weighted net credit exposure);
Concentration risk measurement for a single entity is calculated as the product of the following two values:
- amount of exposure to this entity over the excessive concentration level;
- concentration risk ratio set for every internal rating.
The total concentration risk is measured as the sum of concentration risks of individual entities. In the case of related related, concentration risk is specified for all related entities cumulatively.
Monitoring and controlling of the credit and concentration risk involve analysing the current risk level, assessing creditworthiness and determining the level of utilization of the limits set.
Monitoring is conducted for:
- financial insurance exposures;
- reinsurance exposures;
- exposure limits and VaR limits.
Reporting consists of communicating the level of credit and concentration risk and the effects of monitoring and control to the different decision-making levels. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management actions with respect to credit risk and concentration risk include, in particular:
- setting limits of exposure to a single entity, group of entities, sectors or states;
- diversifying a portfolio of financial assets and insurance, mainly with respect to the state, sector;
- accepting collateral;
- concluding transactions aimed at mitigating credit risk, such as selling a financial instrument, closing out a derivative transaction or purchasing a hedging derivative, restructuring of the granted debt;
- reinsuring a financial insurance portfolio;
The structure of credit and concentration risk limits for the individual issuers is determined by dedicated Committees in line with the risk tolerance.
- Operational Risk
Is a risk of loss resulting from incorrect or erroneous internal processes, human actions, operation of systems or external factors.
Identification of the operational risk is carried out, in particular, by means of:
- collecting and analysing information on operational risk incidents;
- operational risk self-assessment.
- scenario analysis.
Assessment and measurement of the operational risk is carried out by means of:
- identifying the results of operational risk incidents;
- estimating the results of potential operational risk incidents which may occur in the course of business activity.
Monitoring and controlling of the operational risk is carried out mainly by established operational risk indicators which make it possible to assess the change of operational risk level, and the factors that influence the risk level in business activities.
Reporting consists of communicating the level of operational risk and the effects of monitoring and control to the different decision-making levels. The frequency of individual reports and the scope of information are tailored to meet the information needs at different decision-making levels.
Management actions in response to identified and assessed operational risk involve in particular:
- risk mitigation by taking actions aimed at minimizing the risk, e.g. by strengthening the internal control system;
- risk transfer – in particular by means of concluding an insurance agreement;
- risk avoidance by not engaging in or withdrawing from particular business activity when excessive operational risk is detected and its restriction would be too costly to make the venture profitable;
- risk acceptance – approval of consequences of a possible materialization of operational risk if its level does not exceed the tolerance level for operational risk.
The business continuity plans were implemented in the key companies of PZU Group. The companies tested also the actions that secure correct operation of processes covered by the plans in the case of a breakdown.
- Compliance Risk
Risk that the Company or persons related to the Company violate or fail to comply with the provisions of law, internal regulations, or standards of conduct adopted by the Company, including ethical norms which result or may result in suffering by the Company or persons acting on its behalf legal sanctions, financial losses, or loss of reputation or credibility.
Compliance risk is identified and assessed for individual internal processes of PZU and PZU Życie by the managers of entities and organizational units, in line with the division of reporting responsibilities. Additionally, the compliance unit identifies risks on the basis of entries in the register of conflicts of interest, gifts, benefits and irregularities, as well as the enquiries received.
In 2015, PZU Group companies implemented Methodology for compliance risk identification and assessment, in accordance with solutions adopted at PZU; the methodology was used to perform first compliance risk identification and assessment.
The compliance units are responsible for delivering complete information on compliance risk at the Group’s companies. Such units assess and measure compliance risk and take appropriate remedial actions which will prevent the materialization of such risk and will not adversely impact the PZU Group’s image.
PZU Group companies deliver up-to-date information on compliance risk to the PZU and PZU Życie Compliance Bureau. The Compliance Bureau conducts e.g. the following actions:
- analysis of monthly and quarterly reports received from compliance units from the Group companies;
- assessment of impact of the companies’ compliance risk on PZU Group;
- analysis of implementation of recommendations given to the companies with regards to realizing the compliance function;
- supporting compliance units at PZU Group companies at compliance risk assessment process;
- reporting to the Management Board and Supervisory Board of PZU.
Compliance risk covers especially the risk of non-compliance of PZU Group companies’ operation with a changing legal environment. The risk may be materialized as a result of absence of clear and unambiguous provisions or any provisions at all, i.e. so-called legal loophole. This may cause irregularities in PZU Group operations, which may in turn contribute to a cost increase (e.g. due to financial penalties), as well as higher risk of reputation loss, and what follows deteriorated credibility of the Group on the market (and a potential possibility to suffer financial loss).
Due to a wide scope of PZU Group’s operations, reputation loss risk is also influenced by the risk of court proceedings of variable value which pertain mostly to insurance companies within the Group.
Compliance risk in the Group’s companies is identified and assessed for the individual internal processes by the managers of organizational units of such companies, in line with the division of reporting responsibilities. Additionally, the compliance units in PZU Group companies identify risks on the basis of entries in the register of conflicts of interest, gifts, benefits and irregularities, as well as the enquiries received.
Compliance risk is assessed and measured by determining the effects of materialization of the following risks:
- financial, resulting e.g. from administrative penalties, court verdicts, Office of Competition and Consumer Protection (UOKiK) decisions, contractual penalties, and damages.
- intangible, such as loss of reputation, including damage to PZU Group’s image and brand.
Compliance risk is monitored mainly through:
- analysis of reports received from the managers of the entities and organizational units;
- monitoring of regulatory requirements and compliance of PZU Group companies’ operation to a changing legal environment;
- participation in legislative work on amending the generally applicable regulations;
- participation in the activities of professional organizations;
- coordination of external control processes;
- coordination of fulfilling the reporting requirements arising from the stock exchange regulations (PZU) and the statutory law;
- popularizing knowledge on competition law in PZU Group and verification of employees’ knowledge on anti-trust law in selected fields;
- monitoring of anti-trust rulings and proceedings conducted by the President of the Office of Competition and Consumer Protection;
- review of the recommendations of PZU Group’s compliance unit;
- ensuring coherent realization of compliance function in PZU Group.
Management actions taken in response to the compliance risk comprise in particular:
- acceptance of risk, e.g. in connection with legal or regulatory changes;
- mitigation of risk, including adjustment of procedures and processes to regulatory requirements, issuing opinions and drafting internal regulations from the point of view of compliance, participating in the process of agreeing marketing activities;
- avoiding risk through the prevention of involvement in activities which do not comply with regulatory requirements or good market practices or which could have an adverse effect on the image.
Under compliance risk mitigation on a system and current level, among others the following mitigating activities have been implemented:
- current realization of effective compliance function as one of the key functions in the management system at PZU Group companies;
- participating in consultations with legislative and supervision bodies (PZU Group’s supervised companies) upon drafting regulations (public consultation);
- delegating representatives of PZU Group’s supervised companies to participate in committee works at supervision bodies;
- conducting implementation projects for new regulations;
- training employees of the Group’s companies in the field on new regulations, standards of conduct, and recommended remedial actions;
- engaging independent external advisors in the process of adjusting new and drafted regulations;
- issuing opinions on internal regulations of PZU Group companies and recommending potential changes with regards to compliance with legal provisions and accepted standards of conduct;
- verification of procedures and processes with regards to compliance with legal provisions and accepted standards of conduct;
- advance adjustment of documentation to upcoming changes of legal requirements;
- monitoring claims handling procedures (with regards to their impact of future court proceedings);
- improving and monitoring legal representation procedures in court proceedings;
- systemic supervision of PZU SA over realization of compliance function in PZU Group companies.