Financial and ESG report 2020

Risk management goals and strategy

The mission of risk management in the Bank Millennium Group is to ensure that all types of risks are managed, monitored and controlled as required for the risk profile (risk tolerance), nature and scale of the Group's operations.


Rules management goals

An important principle of risk management is the optimization of the risk and profitability trade-off – the Group pays special attention to ensuring that its business decisions balance risk and profit adequately.

The goals of the risk management mission are achieved through implementation of the following actions:

  • Development of risk management strategies, credit policy, processes and procedures defining the principles for acceptance of the allowable level of particular types of risk,
  • Increasingly wide implementation of IT tools for risk identification, control and measurement,
  • Increasing awareness of employees as regards their responsibility for proper risk management at every level of the Group’s organisational structure.

Risk management is centralized for the Group and takes into account the need to obtain the assumed profitability and to maintain a proper risk-capital relationship, in the context of having a proper level of capital to cover the risk. Within the risk management system, a broad range of methods is used, both qualitative and quantitative, including advanced mathematical and statistical tools supported by adequate IT systems.

When defining the business and profitability targets, the Group takes into account the specified risk framework (Risk Appetite) in order to ensure that business structure and growth will respect the risk profile that is targeted and that will be reflected in several indicators such as:

  • Loan growth in specific products / segments
  • Structure of the loan portfolio
  • Asset quality indicators
  • Cost of risk
  • Capital requirements / Economic capital
  • Amount and structure of liquidity needed.

The risk management and control model at the Group’s level is based on the following main principles:

  • ensuring the full-scope quantification and parameterization of various types of risks in the perspective of optimizing balance sheet and off-balance sheet items to the assumed level of profitability of business activity. The main areas of analysis encompass credit risk, market risk, liquidity risk and operational risk;
  • all types of risks are monitored and controlled in reference to the profitability of operations and the level of capital necessary to ensure the safety of operations from the point of view of capital adequacy. The results of risk measuring are regularly reported as part of the management information system;
  • the segregation of duties between risk origination, risk management and risk control.

The risk management process of the Group is presented in the diagram below:

The split of competence in the field of risk management is as follows:

  • The Supervisory Board is responsible for overseeing the compliance of the Group’s risk-taking policy with the Group’s strategy and its financial plan. The Committee for Risk Matters acts within the Supervisory Board and supports it in the realization of those tasks, among others by issuing an opinion on the Group’s Risk Strategy, including the Group’s Risk Appetite;
  • The Management Board is responsible for the effectiveness of the risk management system, internal capital estimation process, for reviewing the internal capital calculation and maintenance process and the internal control systems;
  • The Credit Committee, the Capital, Assets and Liabilities Committee, and the Liabilities at Risk Committee are responsible for current management of different areas of banking risk, within the framework determined by the Management Board;
  • The Risk Committee and the Processes and Operational Risk Committee are responsible for defining the policy and for monitoring and control of different areas of banking risk, within the framework determined by the Management Board;
  • The Validation Committee is responsible for confirmation of risk models validation results and follow-up in the implementation of the measures defined by the Models Validation Office;
  • The Risk Department is responsible for risk management, including identifying, measuring, analysing, monitoring and reporting on risk within the Bank. The Risk Department also prepares risk management policies and procedures as well as provides information and proposes courses of action necessary for the Capital, Assets and Liabilities Committee, Risk Committee and the Management Board to make decisions with respect to risk management;
  • The Rating Department is mainly responsible for risk rating assignment for Corporate clients (based on the evaluation of clients’ creditworthiness) as well as for rating monitoring and potential revision during the period of its validity. The rating assignment process is independent of the credit decision process;
  • The Corporate Credit Underwriting Department, Mortgage Credit Underwriting Department and Consumer Finance Credit Underwriting Department have responsibility, within the Corporate Customer segment and Retail Customer segment, respectively, for the credit decision process, including analyzing customers’ financial situation, preparing credit proposals for the decision-making levels and making credit decisions within specified limits;
  • The Retail Liabilities Monitoring and Collection Department and Retail Liabilities Restructuring and Recovery Department have responsibility for monitoring repayment of overdue debts by retail customers and their collection;
  • The Corporate Recovery Department develops specific strategies with respect to each debtor in the recovery portfolio, which aim to maximize timely collection of the outstanding debt and minimize the risk incurred by the Group. This approach is constantly revised to reflect updated information, and the best practices and experiences regarding collection of overdue debts;
  • The Treasury Control and Analyses Office has responsibility for monitoring the use of part of the Group’s limits, including counterparty and stop-loss limits, the Group’s FX position, results of active trading and control of operations of the treasury segment;
  • The Models Validation Office has responsibility for qualitative and quantitative analysis and validation of models, independent from the function of models development; development of the models validation and monitoring tools; activities connected with issuing opinions on the adequacy of the models for the segment for which they were developed; preparing reports for the needs of the Validation Committee;
  • The Fraud Risk Management Team in the Security Department has responsibility for implementing and monitoring the execution of the Bank’s policy in the scope of fraud risk management, in cooperation with other Bank units. The Team constitutes a competence center for the anti-fraud process;
  • The Compliance Department has the responsibility to ensure compliance with legal regulations, related regulatory standards, market principles and standards as well as internal organization regulations and codes of conduct.

The Group has prepared a comprehensive guideline document for the risk management policy/strategy: “Risk Strategy for 2021-2023”. The document takes a 3-year perspective and is reviewed and updated annually. It is approved by the Bank’s Management Board and Supervisory Board. The risk strategy is inextricably linked to other strategic documents, such as: Budget, Liquidity Plan, Capital Plan.

The Risk Strategy is based on two concepts defined by the Group:

  1. Risk profile – the current risk profile in terms of the amount or type of risk to which the Group is currently exposed. The Group should also have a forward-looking view of how its risk profile may change under both expected and stress economic scenarios in accordance with risk appetite.
  2. Risk appetite – the maximum amount or type of risk the Group is prepared to accept/tolerate to achieve its financial and strategic objectives. Three zones are defined in accordance with the warning / action required level.

Risk strategy is one of the crucial features that determines the risk profile of the Bank/Group.

Risk appetite has to ensure that business structure and growth will respect the forward risk profile. Risk appetite was reflected through defined indicators in several key areas, such as:

  • Solvency
  • Liquidity and funding
  • Earnings volatility and business mix
  • Franchise and reputation.

The Group has a clear risk strategy, covering retail credit, corporate credit, markets activity and liquidity, operational (including legal risk and court cases) and capital management. For each risk type and overall the Group clearly defines the risk appetite.

Risk management is defined mainly through the principles and targets defined in Risk Strategy and complemented in more detail by the principles and qualitative guidelines defined in the following documents:

  1. Capital Management and Planning Framework
  2. Credit Principles and Guidelines
  3. Rules on Concentration Risk Management
  4. Principles and Rules of Liquidity Risk Management
  5. Principles and Guidelines on Market Risk Management on Financial Markets
  6. Principles and Guidelines for Market Risk Management in Banking Book
  7. Investment Policy
  8. Principles and Guidelines for Management of Operational Risk
  9. Policy, Rules and Principles of the Model Risk Management
  10. Stress tests policy.

Within Risk appetite, the Bank and Group have defined tolerance zones for its measures (built on the “traffic lights” principle). For all risk appetite tolerance zones, the following have been set:

  • Risk appetite status – green zone means a measure within risk appetite, yellow zone means an increased risk of risk appetite breach, red zone means risk appetite breach;
  • Escalation process of actions/decisions taken – management bodies / organizational entities responsible for decisions and actions in particular zones;
  • Actions taken – defining typical actions and decisions aimed at bringing a metric back to, or maintaining it within, Risk appetite in the monitoring process;
  • Mitigation plan formulation – defining the responsible organizational entities;
  • Mitigation plan approval – defining the responsible management bodies;
  • Risk appetite breach notification (entry into yellow or red zone) regarding breach description, high-level mitigation plan and timeline for breach resolution – defining the management bodies to which information is provided;
  • Mitigation plan monitoring – defining the responsible management bodies.

A change in any defined metric that is higher than 10% should be considered an alert level and should be monitored by the Management Board and reported to the Committee for Risk Matters whenever there is a material risk to the financial stability or to the achievement of the planned results of the Bank.

Zone thresholds and metrics are defined and revised on a yearly basis.

Monitoring of Risk appetite is part of the activity of the Supervisory Board (Committee for Risk Matters of the Supervisory Board), the Management Board and the Risk Committee. Review of the Risk appetite dashboard is a constant topic of these bodies’ meetings, including information on breaches and mitigation plan reporting/review (if applicable).

The Bank and the Group have in place an integrated management information system that enables them to generate reports on identification, measurement and control measures relating to the management of individual risk types.

The Bank and the Group have defined the risk exposure reporting policy for management purposes, which sets forth the general rules for preparing and distributing information used to manage different risks. The unit responsible for preparing reports on exposure to different risks is mainly the Risk Department. The frequency and information content of the reports are adjusted to the level of powers and responsibilities of their recipients and also to the changes in the Bank’s and the Group’s risk profile.

Information contained in internal reports enables reliable evaluation of the risk exposure and supports the decision-making process in the Bank’s risk management area.

The reports also include information on exposure to risks in the business activity of the subsidiaries.

Risk exposure reports for management purposes are addressed to:

  • Supervisory Board (reports approved by the Bank’s Management Board)
  • Bank’s Management Board
  • Committees dedicated to risk management – Risk Committee, Capital, Assets and Liabilities Committee, Credit Committee, Liabilities at Risk Committee, Validation Committee, Processes and Operational Risk Committee
  • Members of the Bank’s Management Board
  • Risk Department (internal reports)

The risk exposure reporting policy defines the following for each addressee:

  • Information content (e.g. synthetic information about the credit portfolio, including key risk parameters, change in revaluation charges in the profit and loss account, etc.).
  • Information format
  • Information frequency (CRR 435.2.e).

In respect to individual disclosures made pursuant to Article 435.1 of CRR, the following:

  • the structure and organization of the relevant risk management function including information on its authority and statute, or other appropriate arrangements;
  • the scope and nature of risk reporting and measurement systems;
  • the strategy for hedging and mitigating risk, and the strategies and processes for monitoring the continuing effectiveness of hedges and mitigants,

have been discussed in risk management chapters in the Yearly Financial Report and the Management Board Report.

The declarations on the adequacy of risk management arrangements providing assurance that the risk management systems put in place are adequate with regard to the profile and strategy are presented at the end of this document. (CRR 435.1.e)

A discussion of the overall risk profile, with key indicators and figures, has been included in the Yearly Financial Reports and the Management Board Reports, in the chapters on risk management. (CRR 435.1.f)

Every Board Member holds 1 directorship. (CRR 435.2.a)

The Bank has established a separate risk committee: Bank Millennium SA Risk Committee. In 2020 the Committee held 18 meetings. (CRR 435.2.d).

The information in this chapter and in the other documents indicated above is disclosed in compliance with the requirements of Table EU OVA – Institution risk management approach (EBA/GL/2016/11).
