The risk management system at PZU and PZU Życie is based on three elements:
- organizational structure – comprising the demarcation of responsibilities and tasks performed by the individual organizational units in the risk management process;
- actions taken with the use of hedging and risk transfer techniques in order to adjust the risk profile and appetite for risk to strategic plans;
- methods for identifying, measuring, assessing, monitoring and reporting risk.
The risk management organizational structure is based on four competence levels (the same in both companies).
The first three competence levels comprise:
- the Supervisory Board, which supervises the risk management process and assesses its adequacy and effectiveness as part of its decision-making powers defined in the Company’s Articles of Association and the Supervisory Board rules and regulations;
- the Management Board, which organizes the risk management system and ensures its functionality through approving the Strategy and policies and defining the appetite for risk, the risk profile and tolerance for individual categories of risk;
- the Committees (ALCO and CRC), which make decisions to reduce individual risks to the levels defined by the appetite for risk. The Committees implement the procedures and methodologies for mitigating the individual risks and accept individual risk limits.
The fourth level of responsibility is related to the operating level, at which the risk management activities are divided among the three lines of defense:
- the first line of defense – ongoing risk management at the business unit and organizational unit level and decision-making as part of the risk management process. The managers are responsible for implementing an effective risk management system in the areas of the Company’s operations they supervise; in particular, they are responsible for the design and effective operation of risk identification and monitoring measures, which are integral components of the processes guaranteeing adequate response to the risks as they arise;
- the second line of defense – risk management by specialized units responsible for risk identification, monitoring and reporting and controlling the limits. Within the second line of defense, the units which play an important role in the process are the Risk Department, the Compliance Department, the Planning and Controlling Department, the Actuarial Department, the Reinsurance Department, the Legal Department, the Security Department, the HR Department and the Technology Function;
- the third line of defense – comprises internal audit, which conducts independent audits of the elements of the risk management system, as well as control activities embedded in the Company’s activities. This function is performed by the Internal Audit Department.