6.3 Organizational structure and accountability in risk management process

The risk management structure is based on four competence levels. The first three are as follows:

  • Supervisory Boards which supervise the risk management process and make assessment of the adequacy and effectiveness of the process in accordance with the decisions in the By-laws of PZU and PZU Życie and the rules of Supervisory Boards;
  • Management Boards which organize and ensure operation of the risk management system by endorsing strategies, policies, determining the risk appetite, profile and tolerance for each risk category;
  • The Committees which make decisions on reducing individual risks to a level determined by the risk appetite. Committees establish procedures and methods for reduction of individual risks and they approve limits for individual types of risks.

The fourth competence level is in respect of the operating level where risk management tasks are divided into three lines of defence:

  • First line of defense denotes day-to-day risk management at the level of individual entities and organizational units as well as decision making as part of the risk management process. Executives assume responsibility for implementation of an efficient risk management system in the area they oversee, specifically, for the design and effectiveness of risk identification and monitoring tasks as integral components of the processes carried out, ensuring appropriate response to emerging risks.
  • Second line of defense denotes risk management by specialized units responsible for risk identification, monitoring and reporting as well as controlling limits.
  • Third line of defense denotes the internal audit, whose tasks include independent control of the components of the risk management system and control activities embedded in the PZU Group’s operations.