GE Money Bank S.A. Group Risk Report 2008

Appendix to the Resolution of GE Money Bank S.A. Management Board no ZB/TO/20/2009, September 30, 2009

CONTENTS:

INTRODUCTION
1. Aims and principles of risk management policy
2. Information on the used prudent norms
3. Information on own funds
4. Information on compliance with capital requirements that are mentioned in art. 128 of the Polish Banking Law act
5. Information on credit risk and dilution risk
6. Information on counterparty risk
7. Information on usage of standardised method for RWA calculation
8. Information on calculation of risk weight exposure using internal rating method
9. Information on using value at risk method in capital requirements calculation
10. Information on operational risk
11. Information on capital exposures not included in the trading book
12. Information on exposure on interest rate risk of position qualified to the banking portfolio
13. Information on capital requirements calculation for amounts of risk weighted securitization exposures
14. Information on risk weighted exposures according to internal ratings-based method
15. Information on credit risk mitigation techniques
16. Information on advanced method of operational risk measurement

INTRODUCTION

31st December 2007 marks the start of the application of the so-called Pillar 3 of the New Capital Accord. Pillar 3, that is “Market Discipline”, obliges credit institutions to disclose information about their risk profile, the way they manage risk and the level of capital maintained to cover the risks occurring in their activity. Transparent and consolidated rules, disclosure of the degree to which credit institutions are exposed to the risks occurring in their activity, and disclosure of the risk mitigation techniques and the methods applied to manage individual risks are intended to result in transparency and market discipline.

This should ensure fair competition among individual banks in the whole sector. In the calendar year 2008 GE Money Bank S.A. became the European Union parent entity according to the resolution no 6/2007 of the Commission of Banking Supervision as of 13th March 2007 on specific rules and the means for Banks’ disclosures of qualitative and quantitative information regarding the capital adequacy and the scope of the information being disclosed. Therefore, this report is the first consolidated report that embraces GE Money Bank S.A. (the parent entity) and the following subsidiaries:
a) HoldCo 77 B.V. registered in Amsterdam, the Netherlands;
b) Bank BPH S.A. Group, including:
- Bank BPH S.A.;
- BPH PBK Zarządzanie Funduszami Sp. z o.o.;
- BPH Towarzystwo Funduszy Inwestycyjnych S.A.

This document constitutes fulfilment of §8 resolutions of the updated Information Policy Principles in GE Money Bank S.A., introduced by the disposition of the President of GE Money Bank S.A. Management Board on 16th July 2009, concerning the scope of the published qualitative and quantitative information presenting the Bank’s approach to risk management.

Whenever the terms below are used in this document, they should be understood as follows:

Resolution in re the Capital Adequacy – resolution no 1/2007 of the Commission of Banking Supervision as of 13th March 2007 “on the scope and the detailed principles of setting out the capital requirements with regard to individual kinds of risk, including the scope and the conditions of the use of statistical methods and the scope of information enclosed to the application for the permission for their use, including the agreements for the transfer of debt, the subparticipation agreements, credit derivatives agreements as well as other agreements than the agreements for the transfer of debt and the subparticipation agreements, for the purposes of calculating the capital requirements, the conditions and the means of use of the assessments granted by External Credit Assessment Institutions, as well as by Export Credit Agencies, the means and detailed principles of calculating bank’s solvency ratio, the scope and means of inclusion of bank’s operations in holdings in the calculation of capital requirements and solvency ratio, as well as specifying additional balance positions that are included in bank’s own funds in the calculation of capital adequacy and the scope, the means and the conditions for their specification”.

Resolution in re Banks’ own funds – resolution no 2/2007 of the Commission of Banking Supervision as of 13th March 2007 “on other reduction of primary capital, their amount, scope and the condition for their reduction, other positions of the Bank’s balance sheet included in supplementary capital, their amount, scope and the condition for their inclusion and the scope and manner of accounting for Bank’s operation in a holding with regard to the calculation of own funds”.

1. Aims and principles of risk management policy

1.1 Risk management structure in GE Money Bank S.A. Capital Group

Understanding risk and being transparent about the size of the risks taken are key elements of the business strategy of GE Money Bank S.A. Capital Group (hereinafter referred to as “the Group”), as well as of the Group’s ambition to be a reliable partner for its clients and other entities cooperating with the Group. Therefore, banking risk management is one of the basic activities constituting the whole management processes conducted by the Group’s Management Board, and their effectiveness is of crucial importance for the level of return on the capital employed by the owner and for retaining financial stability in the long term.

The key element in the risk management process in the Group is the Risk Management System, defined as a set of rules and mechanisms regulating decision-making and control processes concerning risk identification, measurement and monitoring in the Group’s activity. In compliance with the principles of corporate governance accepted by the Group, the Group’s Management Board is responsible for the establishment, functioning and development of the risk management system. The Management Board ensures the cohesive and effective functioning of the management system and its grounding on complete and transparent documentation, i.e. its functioning on the basis of internal strategies, policies, procedures and instructions drawn up in writing and approved by suitable Group’s authorities, in particular the Group’s Management Board or committees appointed by the Group’s Management Board.

1.1.1 GE Money Bank S.A.

1.1.1.1 General rules

GE Money Bank S.A. defines risk as: “the probability of suffering losses connected with making a given business decision. Risk is a measure of uncertainty of profit, expected in the future as a result of a particular capital investment”. In order to concentrate the Bank’s risk management activity on the most significant areas, the Bank introduced a term of “material risk”, which means: “every risk for current or future profits, net assets or the Bank’s cash flows, which can have, or has, a significant influence on the activity run by the Bank, its reputation, rate of return, profitability or net assets, due to its volume or frequency, or both”.

Risk management is one of the basic activities constituting the whole management processes conducted by the Bank’s Management Board or by the appropriate organizational unit of the Bank under authorization granted by the Management Board. It takes place in a way ensuring the achievement of the aims of the Bank’s business strategy and, at the same time, in accordance with the rules of cautious and stable Bank management. The level of the risk management system complexity is adjusted to the volume and complexity of the activity that is carried out and reflects the Bank’s risk structure. Moreover, due to the role of the risk management that is understood as a set of general rules, principles, definitions describing the risk management system, risk profile and the approach to banking risk management applied by the Bank.

1.1.1.2 Responsibility

Units participating in the risk management process at GE Money Bank S.A. include:
- the Supervisory Board;
- the Management Board;
- Risk Management Committee;
- Risk Management Division;
- Legal and Compliance Department;
- Treasury.

The aim of cooperation between the above mentioned bodies is to ensure the effective management of risk to which the Bank is exposed and, at the same time, to maintain the continuous performance of the Bank's material functions. In particular, the duties of each unit include:

The Supervisory Board approves the strategy and the principles of cautious and stable Bank management. It supervises the consistency and compliance of the risk management strategy with the Bank’s functioning strategy and financial plan, and the actions of the Management Board aimed at supervising the risk management process.

The Management Board periodically informs the Supervisory Board about the level of the Bank’s risk exposure in a clear and transparent manner. The Management Board ensures the establishment, implementation and revision of written policies and procedures relating to risk management in the Bank’s activity and is responsible for a regular verification of the policies and procedures in order to adjust them to the changes in the Bank’s risk profile and in the external environment in which the Bank runs its activity. The Management Board ensures and supervises the effectiveness of the risk management process in the Bank.

The Risk Management Committee, together with the subordinate second-level and third-level Committees, supervises the current functioning of the risk management system. It is responsible for monitoring the risk level, including the level of adjustment of the existing structures, procedures and applied instruments to the profile and scale of risk the Bank takes.

The Risk Management Division forms the targets and tools of the credit risk and operational risk management policy. It examines the influence of risk and analyses the risk by means of previously prepared and approved methodology, and it generates reports on activity which are presented to the members of the Risk Management Committee and its relevant subordinate Committees. It also organises the activity of those Bank units that ensure the compliance of the Bank’s risk management policy with the requirements of a bank supervision institution or other supervisory institutions on a country and international scale, as well as cooperation with the Legal and Compliance Department.

The Legal and Compliance Department is responsible for the current analysis of legal risk and for mitigating the impact of this kind of risk. It gives opinions on legal act projects and agreements concluded by the Bank, provides opinions, legal advice and explanations within the scope of law application, and informs the Bank’s units about applicable law and the obligations resulting from it within the scope of the Bank’s activities. The Compliance Office in the Legal and Compliance Department is responsible for the current analysis of compliance risk and reputation risk identified in the Bank’s activity. The Department monitors the Bank’s operational processes in the sphere of obeying internal and external requirements and presents information about minimising and avoiding the occurrence of compliance risk to relevant Committees, especially the Compliance Risk Committee.

Treasury forms the tools of the management process for exchange rate risk, liquidity risk and interest rate risk in the banking book, monitors the level of the Bank’s exposure due to the aforementioned risks and generates reports on activity which are presented to the members of the Risk Management Committee and its relevant subordinate Committees, in particular to the Asset and Liability Management Committee. Internal audit also plays an essential role in the process of risk and capital management. The Bank has a system of internal control whose procedures and mechanisms of functioning are revised and evaluated by the Internal Audit Department.

The Internal Audit Department also examines the level of compliance of the performed activities with the approved risk management policy and the adequacy of procedures and methods applied to the profile and scale of risk to which the Bank is exposed.

1.1.1.3 Main risk types

The Bank identifies and classifies the following types of risks:
- credit risk;
- operational risk;
- market risk;
- liquidity risk;
- hard-to-measure risks.

1.1.2 Bank BPH S.A.

1.1.2.1 General rules

The risk management process in Bank BPH S.A. is based on the following fundamental rules:
- accountability: the management and personnel must understand the risk and are accountable for it within their responsibilities;
- management involvement: the Management Board and the Supervisory Boards are actively involved in risk management;
- balancing and profitability: the risk management process promotes rational business decision making based on the principle of balancing risk vs. profitability;
- caution: in unclear risk-taking situations or in doubt as to the methodology the rule of caution prevails;
- compliance: all activities of the Bank must be compliant with the supervisory requirements and internal regulations;
- new products: the introduction of new business lines or products is always preceded by a risk review in a given operation.

The risk management process is based on written procedures that name organisational units and officers responsible for each step of this process, complete with their scope of responsibilities.

1.1.2.2 Responsibility

The Management Board of Bank BPH S.A. defines the risk policy, adopts risk control and management rules and defines the policy for setting limits for the relevant risk types as well as risk control procedures.

In pursuing those objectives, the Management Board is supported by individual committees, as well as independent risk control and management units. The key role in supporting the Management Board’s responsibility for delivering highly efficient risk management is played by the Chief Risk Officer (CRO), who performs a comprehensive supervisory role for credit, market, liquidity and operating risks. The CRO’s position in the Bank’s organisational structure and his responsibilities guarantee independence and ensure that risk management constitutes a key component of all business decisions.

The Assets and Liabilities Committee (ALCO) of Bank BPH S.A. is responsible for managing balance-sheet structure items and controlling the market risk of the trading book. Credit risk is assessed by credit committees at various decision-making levels of the Bank. Additionally, there is the Operational Risk Committee.

1.1.2.3 Main types of risks

For the purpose of risk monitoring, auditing and management the Bank defines processes specifically for the following risk categories:
- market risk (currency, interest rate and share pricing risks);
- liquidity risk;
- credit risk;
- operational risk.

1.2 Risk management process in GE Money Bank S.A. Capital Group

1.2.1 Credit risk

1.2.1.1 GE Money Bank S.A.

1.2.1.1.1 Definition

Credit risk is defined as a total or partial loss in case the borrower does not repay a loan with due interest and other fees before the contractual date. Within the credit risk the Bank distinguishes:
- single credit risk - concerns an individual credit agreement;
- total risk due to Bank’s credit activity - an accumulated risk of individual credits whose volume depends also on the correlation between individual credits;
- concentration risk - a risk of loss due to the connection or positive correlation between exposures;
- residual risk - a risk resulting from the Bank’s inability to realize the values of approved collaterals, as a result of a decrease in their price, in the condition of mass problems with the fulfillment of liabilities by the Bank’s customers.

1.2.1.1.2 General rules of credit risk management

The Bank’s policy is to optimize credit risk by maintaining, in its management activities, a proper balance between striving to lower the level of loss and maintaining the high quality of the credit portfolio, its profitability and its stable growth.

The Bank manages risk at different levels of exposure granulation during the credit product lifetime and during the relation with a customer and within the scope of drawn up management and control processes.

1.2.1.1.3 Credit risk monitoring

The main tool for credit risk monitoring in the Bank is a monthly process called Portfolio Quality Review (PQR). Within the process, reports (PQR reports) are prepared. PQR reports consist of a set of measures which enable the Bank to monitor the quality of credit action and portfolio in particular product lines. Process PQR shows state of credit portfolio in division into product

The objective of the PQR process is portfolio quality analysis with regard to paying credit obligations in a timely manner, in particular:
- control of present portfolio performance and assessment of the level of the accepted operating plans realisation;
- analysis of trends of delinquency indicators for particular portfolio;
- assessment of reserve level adequacy (the forecast of credit losses is taken as the criterion);
- examination of Bank’s operating processes impact on portfolio quality;
- examination of Bank’s counterparties impact on portfolio quality;
- planning activities towards profitability improvement;
- submitting proposals for changes in underwriting process;
- for commercial loans - classification of Bank’s exposures according to particular risk segments (apart from delinquency indicators financial standing is monitored).

PQR process outcomes are presented monthly at the Risk Management Committee meetings.

1.2.1.1.4 Credit decisions

In the process of making a credit decision the Bank introduces and develops verification tools enabling comprehensive assessment of risk connected with a particular transaction. The Bank collects and processes all information about the customer and his credit history obtained from internal and external sources and permitted by law in order to perform relevant risk analyses. The Bank uses advanced IT systems that make it possible to automate the verification process and contribute to its flexibility and the control over the tools used as well as particular stages of the process.

The speed and efficiency of the Bank’s actions in its contact with the customer is one of the elements of achieving competitive advantage.

1.2.1.1.5 Exposure management at the level of credit portfolio

The Bank applies a cautious approach to the valuation of credit assets and the calculation of the financial result. For this purpose a cyclical process of review and assessment of the credit portfolio value is carried out, with special attention paid to the creation of special purpose reserve. Additionally, for the purpose of the overall measurement of the credit risk the Bank creates and develops portfolio models of risk assessment, including: the economic capital model, reserve and planning models.

The strategic decisions are supported by the structural model of credit risk assessment which is the basis for carrying out the stress tests that include simple sensitivity analyses as well as static models checking the spread of losses taking into account assumed scenarios of forming of the variables used in the model.

1.2.1.1.6 Credit risk reduction techniques and residual risk

The Bank applies standard techniques of reducing the credit risk in the form of insurance agreements and property collateral, in particular:
- the insurance of own contributions for mortgage loans;
- the insurance of receivables until the establishment of property mortgage;
- mortgages (bail and ordinary ones);
- the assignment of rights from the agreement on the insurance of property which serves as a collateral;
- the registered pledge and the assignment of rights from insurance agreement (AC) for the auto credits.

The Bank manages the residual risk which results from the application of risk reduction techniques in a procedural way, that is, by introducing effective operational procedures and their controlling processes, which ensure among others:
- the compulsory nature of collateral application for the chosen credit products,
- concluding insurance contracts with a reputable insurance company,
- the so-called legal reliability of received collaterals,
- the efficient legal service in the process of collaterals execution,
- commissioning of property valuations to reliable real estate appraisers,
- applying the principles of cautious property appraisal in the case of internal valuations,
- applying control valuations.

1.2.1.2 Bank BPH S.A.

1.2.1.2.1 Factors generating credit risk

Undertaking banking activities, Bank BPH S.A. offers loans, advances, guarantees forms of financing to its clients. Such a kind of activity leads to an exposure to risk that a given loan or other form of the Bank’s credit exposure will not be repaid or settled by the borrower according to contractual terms. The risk is inherent in all forms of financing. The main source of the risk is the lack of ability to fulfil financial obligations by a client due to worsening of his financial standing.

1.2.1.2.2 General rules of credit risk management

While building a flexible credit offer customized to customers’ needs and striving to mitigate the credit risk, the Bank develops a system of credit risk management. The utmost aim of credit risk management is to ensure high quality of the credit portfolio and minimization of credit losses while simultaneously ensuring adequate profitability of credit transactions and the most economic capital allocation. To reach this aim, the Bank applies credit risk management methods, which are subject to ongoing verification and development. The structure and organisation of the credit process as well as the procedures and tools for identifying, measuring and controlling credit risk, both at the level of a single exposure and the portfolio, are adjusted to the requirements of the current supervision resolutions and recommendations.

1.2.1.2.3 Responsibility in credit risk management

The Bank’s Management Board establishes the strategy and the rules of credit risk management at the Bank as well as policies and procedures crucial for managing the credit risk (the system of credit authorities, rating models, credit exposure measurement models and processes). Subsequently they are subject to approval of the Supervisory Board, which, inter alia, is responsible for the supervision of the risks inherent in the Bank’s portfolio. Responsibility for the implementation and functioning of the complex credit risk management system is held by the CRO (Chief Risk Officer), who exercises control over the credit, market and operational risks of the Bank.

The CRO is also responsible for the operating management of the credit risk and, in order to avoid a conflict of interest, has no individual credit authority.

1.2.1.2.4 Credit risk monitoring

In Bank BPH S.A. credit risk is monitored, quantified and reported within a regular, cyclical process, whose main element is a system (comprising adequate procedures and tools, i.e. rating system, early warning system) of intensive monitoring and a default identification and flagging mechanism. The basic assessment of credit risk is supported by rating and scoring systems which, apart from wide use in credit risk management, are also an essential part of the reporting system in the Bank. Monitoring and reporting that take into account the quality of the retail portfolio, in respect of exposures of clients from the Natural Persons and SME areas, are conducted on the basis of the Management Information System, which consists of a wide range of embedded, standard detailed reports and analyses prepared in a monthly cycle.

Results of the Management Information System are the basis for formulating an effective methodology of retail clients’ credit risk assessment. They also have an impact on the construction of particular products and constitute a key element of the decision-making process within the scope of implementation of sales campaigns. Based on the same results, information for the Management Board and the Supervisory Board is prepared in a quarterly cycle.

The corporate portfolio is subject to a more individual approach, where apart from basic data about quality, all kinds of concentrations are also reported, including compliance with concentration limits according to Banking law, internal credit limits established to diversify the portfolio and to limit credit risk concentration, the Bank’s engagement in particular branch financing, types of collateral, groups of clients, type of transaction, currency, geographical region etc. Reports on portfolio concentration are prepared at least quarterly and are presented to the Management Board and the Credit Committee in the Bank.

The management information system for treasury transactions burdened with credit risk is based on the following reports:
- weekly report of evaluation of concluded derivatives transactions with non-banking clients and its impact on granted treasury limit;
- monthly report about position of Bank’s risk in operations with banking contractors;
- daily report on utilisation of treasury limits for banking contractors and optionally exceeding of limits;
- daily report on utilisation of treasury limits for non-banking contractors and report on utilisation of limit above 75%;
- bi-weekly report on simulation of contractor market exposure;
- monthly report on utilisation of countries’ limits.

1.2.1.2.5 Credit risk assessment, rating/scoring system

Before granting a loan, the Bank assesses the credit standing of a customer by analyzing his financial data and – in the case of customers applying for business financing purposes – qualitative data regarding his market position, organizational and ownership structure, business sector characteristics, etc. The Bank also assesses the purpose and economic rationale for the loan. The assessment of credit risk is supported by a rating and scoring system fed with the customer’s specific data. The systems – their rules, models and IT platforms – are designed, built and supervised by a specialized unit in the Risk Management Division.

The master 27-step scale used by the Bank, calibrated on the basis of statistical analyses of defaults that occurred in the Bank’s portfolio, enables comparison of single exposures or sub-portfolios both within the Bank, as well as with external sources (ratings).

Rating/scoring systems are widely used within the credit risk management process and constitute a vital part of the Bank’s reporting system. The rating assessment is an important parameter in the credit approval authority system.

1.2.1.2.6 Credit decisions making

Credit decisions are made based on the ‘four eyes’ principle: a credit decision is made by at least two persons having individual approval limits, but the decisive vote belongs to representatives of the Risk Management Division. The total Bank's exposure to the customer/group, the risk profile of the customer and the financed transaction, as well as the level of the so-called unsecured exposure (not covered by tangible collateral value determined according to internal collateral measurement rules) serve as the criterion determining the authority level taking the credit decision.

Credit decisions related to significant exposures, long-term exposures, selected types of products or customer segments are made at the level of the Bank Head Office.

1.2.1.2.7 Credit risk mitigation

The Bank grants loans to customers who are creditworthy - the loan amount and the terms of repayment are adjusted to the customer's needs and abilities, and are verified in line with the current standards and methods of the Bank and using dedicated tools. Collateral is obtained in order to limit the potential loss due to the failure to repay the loan if the borrower's standing deteriorates and a default occurs.

The Bank uses and accepts all permissible legal forms of collateral and varied assets offered for this purpose. The required collateral is either defined in the lending standards in the case of mass products of the consumer finance type or individually specified when lending to entrepreneurs/companies. When deciding to collateralise a specific transaction, the Bank takes into account the level and the profile of the customer's risk and the risk of the transaction (amount, duration, transaction structure, relationship between the customer and the Bank). Collateral taken must be adequate to the risk level incurred by the Bank.

The catalogue of collateral accepted by the Bank includes:
a) personal collateral, such as: guarantees, securities issued by entities with good economic and financial standing, bills of exchange, credit orders, letters of comfort, debt enterings, credit insurance;
b) material collateral:
- financial collateral – established on cash or securities (bonds, treasury bills, commercial bills, participation certificates, investment certificates, deposit certificates, shares) in the form of bail, blocking bank account or securities account, registered pledge/pledge/financial pledge, ownership transfer;
- on real estate – mortgages;
- on tangible fixed assets – established in the form of registered pledge/ownership transfer;
- on receivables – established in the form of assignment of receivables.

In order to limit specific transaction risk or the risk resulted from changes in the borrower's standing, the Bank also includes in credit agreements a number of special covenants of a protective and/or financial nature in accordance with the official standard of the Bank developed and strictly verified by the Risk Management Division and the Bank's legal services.

The Bank implemented and continues to develop a consistent collateral management system, comprising procedures of collateral constitution, standard templates of legal documentation, internal rules for collateral valuation, rules for collateral registration in the Bank’s operating systems, as well as their value and lawful enforcement monitoring and criteria for considering of collateral when calculating the capital requirement for credit risk.

1.2.1.2.8 Concentration management

Regardless of credit exposures concentration limits resulting from the Banking Law, the Bank establishes internal credit limits in order to ensure credit portfolio diversification and mitigation of credit risk.

These limits relate to the Bank’s credit exposure towards particular industry sectors and mortgage-secured credit exposures. In general, in the segment of corporate customers the Bank’s credit exposures towards a particular industry sector should not exceed 10% of the corporate loan portfolio. Limits on mortgage-secured credit exposures are established in relation to the Bank’s own funds. The limits are monitored regularly. The system of limits also includes procedures defining the actions to be taken when established limits are exceeded. The Bank monitors the credit portfolio structure by group of customers, types of transactions, currencies and geographical regions, and – in the case of potential excessive concentration – takes decisions to introduce suitable limits taking into account the scale of this exposure, the portfolio quality and other factors significant from the point of view of the concentration.

As part of the guidelines, policies and other tools controlling the operating management of credit risk, which form the basis for taking credit decisions, the Bank also imposes limits of exposure to individual entities or groups of companies, as appropriate for the risk profile of the relationship, the acceptable level of a single transaction or the concentration of the largest exposures in the portfolio.

1.2.1.2.9 Contingency plans

To prevent changes in the macroeconomic situation from unfavourably impacting the Bank's credit portfolio, the Bank has developed suitable procedures allowing it to estimate the scale of impact of those changes and, if this is justified, to take specific steps. The Bank regularly runs stress tests. Their results are used to review the credit risk management policy, and if the likelihood of unfavourable, critical changes in the macroeconomic environment becomes significant, test results are used to develop adequate contingency plans.

1.2.1.2.10 Credit risk identification and measurement

The Bank BPH S.A. performs the assessment of a default event on the basis of a rating model (for corporate borrowers) and rating and application and behavioral scoring models for retail borrowers. Rating/scoring assigned to a given borrower/transaction allows defining probability of default within 1 year horizon. There are 24 rating categories with assigned probability of default and 3 categories differentiating borrowers/exposures in case of which the risk of default has materialized (i.e. default event has occurred, impairment trigger has been identified).

Detailed information on particular elements of the credit portfolio is presented in note 45 to the Annual Consolidated Financial Statement of GE Money Bank S.A. Group for the financial year ending on 31st December 2008.

1.2.2 Operational risk

1.2.2.1 GE Money Bank S.A.

1.2.2.1.1 Definition

The Bank defines the operational risk as the risk of loss resulting from inadequacy or unreliability of the internal processes, people and technical systems, or from external events. Operational risk includes the legal risk and compliance risk and recognizes the reputation risk as the consequence of an operational event. On the other hand, it excludes the strategic risk.

Compliance risk is defined as the risk that the Bank may suffer legal or regulatory sanctions, financial losses or reputation losses as the result of non-compliance with the law, supervisory regulations, generally accepted codes of conduct and ethical standards in business activities, as well as with the Bank’s internal policies and procedures. Reputation risk is defined as the risk of potential worsening of the opinion on the sector the Bank operates in, or of a poor opinion on the Bank’s practices of its internal organization and control, which results in shrinking of the customer base, a decrease in revenues, or deterioration of the Bank’s liquidity.

Legal risk is defined as the threat resulting particularly from changes to the valid legal regulations, but also from non-compliance with them or from poorly designed agreements.

1.2.2.1.2 General rules of operational risk management

The Bank’s policy is to minimize its exposure to the operational risk. The policy is implemented by preventing the occurrence of operational losses and mitigating their effects, if the risks materialize. The goals of managing the operational risk are pursued within the comprehensive system of managing the operational risk. The Bank maintains and develops two basic levels of the operational risk management system. Level one consists of policies and procedures relating to mitigating the exposure to the operational risk, reducing the losses and costs, and improving the operational processes in the Bank’s specific areas managed under a matrix system, i.e. it is performed by organisational units from the Bank’s particular divisions. Simultaneously, actions across the entire Bank are taken by the Operational Risk Bureau of the Risk Management Division within the comprehensive management of the operational risk. The program of managing the operational risk complements and is an element ensuring a comprehensive and integrated approach to mitigating the risks of operational nature. The main program elements are as follows:
- the Process of Risk Control Self Assessment (RCSA);
- Loss Data Collection (LDC);
- Operational risk monitoring on the basis of Key Risk Indicators (“KRI”).

1.2.2.1.3 The process of RCSA (Risk and Control Self Assessment)

The Bank measures the operational risk at the level of business processes. For the purpose of performing this task the Bank introduces a cross-functional process of identification and assessment of the risks to which it is exposed, and identification of control mechanisms.

The character of the process resembles a scenario analysis, in which the eventuality of the occurrence of various possible events that result in losses is examined.

1.2.2.1.4 Operational losses data registering

The Bank has a process of recording data on the events resulting from operational factors. In the process the Bank systematically collects data on the operational losses, operational incidents, and other operational events which did not yield a loss but were deemed significant from the point of view of exposure to an operational loss. The data are stored in the Bank’s centralized registers.

1.2.2.1.5 Operational risk monitoring on the basis of key risk indicators

The Bank has an early warning system which cautions of the potential exposure to the operational risk.

The system is based on the so-called Key Risk Indicators (KRI). KRI are a set of business process parameters which reflect in advance the scale of the exposure to the risk, and changes in the operational risk profile of specific processes.

1.2.2.1.6 Continuity maintenance planning and emergency plans

The Bank manages continuity of the business functions by creating continuity/emergency plans for all key business processes, systems and locations. The role of the continuity management is to introduce uniformity and consolidate all initiatives aimed at improving the Bank’s security and ensuring continuity of its operations in case of an emergency situation. Therefore, the Bank has an extensive system of business continuity plans (BCPs) forming a set of cohesive and mutually interrelated processes, documents, procedures and plans, which define the course of action for the worst likely event scenario.

1.2.2.1.7 Compliance risk management

The Bank runs its activities in compliance with the law and the highest business ethical standards, irrespective of the changing competitive environment. In realization of the shareholder’s policy the Bank applies the “zero tolerance” rule with respect to the non-compliance risk, which means that any exposure to the risk is deemed significant and requires immediate elimination.

In the Bank, the Compliance Office in the Legal and Compliance Department is responsible for the monitoring of the compliance risk. In separate areas of the compliance risk management, regular reporting mechanisms function, and the results of term reports are the subject of presentations and analyses in the forum of respective Committees and the Management Board of the Bank. Integrated information and indices concerning the entire field of legal and compliance risk and the reputation risk are submitted to the Management Board of the Bank in a quarterly cycle.

1.2.2.1.8 Legal risk management

The Bank’s legal risk is generated in particular by changes to the binding law. This is coupled with the risk of the Bank’s non-compliance or incorrect application of the binding law, which may consequently lead to litigation. The monitoring and mitigation of the legal risk is entrusted to the Legal and Compliance Department. Legal risk is minimized through the following actions:
- issuing opinions on the current acts of law;
- notifying the organizational units of the duties ensuing from the amendments to the binding law, particularly with respect to the banking business;
- issuing opinions on the current contracts signed with external entities.

Within the legal risk, the Bank identifies the risk connected with outsourcing to the external entities and considers it one of the most vital exposures in the area of the operational risks. The causes lie primarily in the Bank’s limited control over the service providers. The basic instrument of mitigating the outsourcing risk consists of detailed policies and procedures which regulate the most important aspects of outsourcing.

1.2.2.2 Bank BPH S.A.

1.2.2.2.1 Structure and the process of operational risk management

The aim of operational risk management is to identify threats connected with operational risk and to take actions to mitigate operational risk. Bank BPH S.A. operates a system of control and management of operational risk, which is regulated by the document “Rules and structure of operational risk management at Bank BPH.” According to the implemented regulations, all levels of the Bank’s management are responsible for managing operational risk, from the Bank’s Management Board to the Operational Risk Committee and the Operational Risk Officers (ORO), who are responsible for operational risk activities within the supervised divisions/areas/departments.

The Market and Operational Risk Department is responsible for the operational risk controlling process. The Management Board is responsible for the effectiveness of the risk controlling and management process. The Operational Risk Committee is a decision-making body that recommends actions regarding risk management. The Committee consists of representatives of the business divisions and support areas/departments. During its meetings, the Committee analyses the current operating risk situation within the entire Bank, takes necessary decisions and issues recommendations to persons responsible for operating risk management.

The Committee meets on a regular basis to analyze the current risk situation and to recommend activities to be taken in the various areas. An ORO appointed for each business division and support area is responsible for operational risk activities within the managed areas. The Market and Operational Risk Department is responsible for the operational risk controlling process, in particular for monitoring risk in the whole Bank and for the development and introduction of appropriate risk methods and instruments. The Internal Audit Department regularly conducts independent controls of the operational risk management and control system.

Identification of operational risks took place from the lowest level of the Bank’s organisational structure. Information is transferred to the appropriate Operational Risk Officers, who are responsible for the current managing and controlling of operational risk in the supervised areas, based on information from the supervised organisational units. The key elements of risk identification and measurement are RCSA, KRI and the operational risk losses database.

Control Self Assessment is the method for assessing future exposure to operational risk with the use of a standardised questionnaire. The survey is completed by the ORO within the scope of risks that can occur in the areas supervised by them and within the scope of risks monitored in their areas on the scale of the entire Bank. The survey is used, among other things, to determine the amount of risk when existing preventive and control mechanisms are taken into account, to assess the quality of the risk mitigation techniques in use and to propose new ones when the existing ones are not sufficiently effective.

1.2.2.2.2 Risk indicators

Operational risk indicators are also used to assess risk. These are statistics and measures (for example financial), on the basis of which it is possible to define the Bank’s sensitivity to operational risk. Those indicators are defined on the basis of periodic (monthly) data. Analysis of risk indicators is meant to warn the Bank about changes in the level of operational risk.

1.2.2.2.3 Incidents database

The Bank collects information on operational risk incidents in a dedicated IT application. The database is dedicated to collecting, storing and managing information about operational incidents in the entire Bank.

Information collected in the database is used to determine the realistic level of loss from operational risk, divided into business lines and incident categories.

1.2.2.2.4 Scope and type of reporting systems and operational risk measurement

The operational risk reporting system consists of quarterly reports prepared by the ORO on risk in the areas supervised by them and of synthetic reports on the level of risk in the entire Bank prepared by the Market and Operational Risk Department. On the basis of information collected in the incidents database, KRI indicators and the quarterly reports prepared by the ORO, the Market and Operational Risk Department prepares quarterly synthetic reports on the level of operational risk in the entire Bank.

The reports are presented to the Operational Risk Committee and consist of:
- level/profile of operational risk in the given quarter in the entire Bank (risk map);
- the most material events that impact the level of operational risk;
- incidents registered in the database in the given quarter, in particular taking into account major incidents;
- the most important activities in particular areas of the Bank connected with operational risk management;
- key risk indicators (KRI).

Apart from the above, periodic reports are prepared for the Bank’s Supervisory Board and for the Management Board, including a yearly report for the Management Board on managing and controlling operational risk and on the activity of the Operational Risk Committee.

1.2.2.2.5 Rules of operational risk mitigation and processes of monitoring effectiveness of collaterals of operational risk mitigation methods

Implementation of the operational risk management process in the Bank did not replace the existing regulations for reducing losses and costs and enhancing operating processes, but supplemented them, and is at the same time the element that ensures a holistic and integrated approach to mitigating operational risks. In particular, the following solutions are used in the Bank to mitigate operational risk:
- control instruments;
- physical collaterals;
- insurance;
- outsourcing;
- contingency and continuity plans;
- trainings.

A wide range of policies and procedures can have an impact on operational risk mitigation; among other things, they define issues connected with:
- Bank’s security;
- Information security;
- Personal data security;
- IT systems security;
- Business continuity management (BCM);
- Anti-fraud in the Bank;
- Anti money laundering and counteraction against terrorism financing.

1.2.3 Market risk

1.2.3.1 GE Money Bank S.A.

Market risk is the risk of changes in the value of assets and/or liabilities having effect on the Bank’s income statement or shareholders’ equity and arising from changes in the market factors.

The risk comprises a loss in the value of the market position as the result of changes in the interest rates, exchange rates, and prices of the capital market instruments, as well as the risk of their negative impact on the financial result. The Bank recognizes the following sub-risks within market risk:
- currency risk;
- interest rate risk.

Market risk management is carried out within the specific market risks management policies adopted by the Bank’s Risk Management Committee. The Assets and Liabilities Management Committee (ALCO) is responsible for the organization of the Bank’s specific activities in the field of market risks management (i.e. currency risk and interest rate risk) and the liquidity risk management. The ALCO is the Bank’s unit organizing the Bank’s activities in the area of specific issues of asset and liability management, liquidity risk and market risk management. The activities in the above areas are carried out by the Treasury Office in the Finance Division, within the authority given by the ALCO.

Regular reports on the market risk are discussed at the meetings of ALCO and presented to the Bank’s Management Board.

1.2.3.1.1 FX risk

FX risk is defined as the risk of adverse impact on the financial situation of the Bank due to unfavorable changes in foreign currency exchange rates. The basic goal of the Bank’s FX risk management policy is maintaining the exposure resulting from unmatched assets and liabilities denominated in foreign currencies at a level securing the Bank from significant profit margin fluctuations caused by foreign exchange rate changes. Therefore FX risk is taken by the Bank only to the extent necessary to support the Bank’s credit activities. The Bank has no speculative positions in foreign currencies and all currency transactions are concluded only for the Bank’s purposes, in particular in order to:
- ensure cash for financing income-generating assets;
- hedge open currency positions;
- reduce interest rate risk.

FX risk management in GE Money Bank is performed in compliance with the policy and procedures of FX risk management approved by the Risk Management Committee and the Assets and Liabilities Management Committee. The policies define in particular the rules of currency risk monitoring, reporting obligations, competences and the system of limits adopted to limit the risk in the Bank’s activities, including the maximum value of open foreign currency positions. The Treasury Office is responsible for conducting FX risk management. The Office monitors FX risk exposure on a regular basis within the management process.

The Bank’s exposure to FX risk undergoes daily control and reporting. On a monthly basis the Assets and Liabilities Management Committee receives information on the position on currency markets, the Bank’s currency position, limits usage and the possible impact of extreme changes in the value of the domestic currency on the Bank’s financial position.

1.2.3.1.2 Interest rate risk

The Bank defines the interest rate risk as the risk resulting from the negative impact of changes in the market interest rates on the Bank’s interest margin, its profitability and market value. Within this risk, the Bank identifies:
- mismatch risk: related to a mismatch of the revaluation terms of the assets and liabilities, and the off-balance sheet positions at a specific point in time;
- yield curve risk: resulting from the changes in the shape of the yield curve;
- base risk: resulting from imperfect correlation between the interest rates charged for the assets and those charged on the Bank’s liabilities financing the assets;
- option risk: the risk stemming from the options open to the client under the contract, e.g. the option (right) to make early loan repayment, which may be realized in response to interest rate changes.

The Bank’s policy is to limit interest rate risk exposure in order to protect its interest margin from an unfavorable impact of the market interest rate changes. Within this policy, the Bank resorts to the principle of matching the sources of finance so that assets with fixed/variable interest rates are financed with liabilities with fixed/variable interest rates. Additionally, they are matched in terms of the currency, amount, maturity, or indices they are correlated with, as well as their interest repricing periods.
