Operational risk is the possibility of suffering loss resulting from improper or erroneous internal processes, human activities, system failures or external events.
Operational risk management has the purpose of optimizing the level of operational risk and operating efficiency in the PZU Group’s operations, leading to a reduction of losses and costs arising from such risks and ensuring adequate and effective control mechanisms. Information on operational risk levels is regularly reported to relevant internal authorities.
Operational risk is identified in particular by:
- accumulation and analysis of information on operational risk incidents and the reasons for their occurrence;
- self-assessment of operational risk;
- scenario analysis.
Operational risk is assessed and measured by:
- calculating the effects of the occurrence of operational risk incidents;
- estimating the effects of possible occurrence of operational risk incidents.
Monitoring and control of operational risk is performed mainly through an established system of operational risk indicators and limits enabling assessment of changes in the level of operational risk over time and assessment of factors that affect the level of this risk in the business.
Reporting involves communicating the level of operational risk, the effects of monitoring and control to various decision-making levels. The frequency of each report and the scope of information provided therein are tailored to the information needs at each decision-making level.
Management actions involving reactions to any identified and assessed operational risks involve, in particular:
- taking actions aimed at minimizing risks, for instance by strengthening the internal control system;
- risk transfer – in particular, by entering into insurance agreements;
- risk avoidance by refraining from undertaking or withdrawing from a particular type of business in cases where too high a level of operational risk is ascertained and where the costs involved in risk mitigation are unreasonable;
- risk acceptance – approval of consequences of a possible realization of operational risk unless they threaten to exceed the operational risk tolerance level.
Business continuity plans were implemented by PZU. Actions securing correct operation of the processes included in the Plan in the event of emergency have been tested.
On 28 January 2022, in the face of an attack by the armed forces of the Russian Federation on Ukraine, the Crisis Management Team in PZU and PZU Życie declared a crisis situation, under which the current political and market situation is monitored on an ongoing basis and adequate measures are taken, directed in particular towards:
- safety of employees;
- business continuity of the companies and security of financial assets of the PZU Group;
- additional safety measures in terms of cybersecurity and physical safety.
PZU introduced a comprehensive care program addressed to employees of PZU Ukraine and their families evacuated to Poland. It provides, among other things, accommodation, food, financial support, medical and legal aid, and professional activation plans.
The task unit of the Crisis Management Team continuously monitors the situation of Ukrainian companies, also in terms of meeting the assumptions of the “Crisis Situation Management Plan” prepared by Ukrainian companies.
Many charity initiatives addressed to Ukraine and its nationals are underway, taken individually or in cooperation with state administrative bodies and PZU Group.
Additional cybersecurity measures were introduced to mitigate risks whose probability of materialization is increasing. Anomalies related to cyber threats are monitored continuously, 24/7, and this monitoring extends to subsidiaries. Due to the nationwide implementation of CRP Alert Level 3 (CHARLIE-CRP) and Alert Level 2 (BRAVO), a heightened state of readiness of the physical and cyber security areas has been maintained continuously since February 2022.
The Crisis Management Team also remains on standby to address the epidemic emergency.