The objective of the PZU Group’s risk management system is to ensure early identification and adequate management of material risks associated with the activities of the PZU Group and its individual entities. Risk management is one of the key internal processes in the PZU Group. The risk management system in place in PZU is based on three lines of defense. Its framework reflects the standards prevailing in the insurance sector and the guidelines laid down in regulatory regulations.

The risk management system in the PZU Group

PZU exercises supervision over the PZU Group’s risk management system by virtue of cooperation agreements entered into with other Group entities and the information provided thereunder. It manages risk at the PZU Group level on an aggregate basis, especially in terms of capital requirements. The cooperation agreements signed with the PZU Group subsidiaries enable the collection and processing of information necessary for appropriate and effective management of risk at the PZU Group level. They also guarantee that the various risks generated by the individual PZU Group entities are assessed on the basis of the same standards, taking into account the requirements and restrictions arising from the applicable law. The main elements of the PZU Group’s risk management system have been implemented to ensure sectoral consistency and the execution of the various entities’ strategic plans and the overall PZU Group’s business objectives.

The Risk Management Strategy in the PZU Group is the basis of operation of the risk management system in the PZU Group. The Group has introduced risk management rules for the affiliates identified in the strategy. The rules constitute a recommendation issued by PZU regarding the organization of the risk management system in subsidiaries. Additionally, guidelines regulating the various risk management processes in the PZU Group entities are also issued from time to time. The management boards of PZU Group companies from the financial sector are responsible for fulfilling their own duties in accordance with the generally applicable provisions of national and international law. In particular, they are responsible for the implementation of an adequate and effective risk management system.

Subsidiaries from outside of the financial sector introduce the risk management rules including the allocation of roles and responsibilities and the catalog of risks associated with the relevant activity.

The determination of the appropriate level of risk in each company is the management board’s responsibility, whereas a review of the risk management system, especially the risk appetite level, is conducted once a year by the unit responsible for risk, with all actions being coordinated at the PZU Group level.

Internal Control System

Effective risk management is supported by the Internal Control System implemented in PZU, which offers solutions for three levels (the three lines of defense):

  • First line of defense – includes risk management by business process owners in the course of operations;

  • Second line of defense – includes risk management by specialized cells responsible for risk identification, measurement, monitoring and reporting and controlling the limits;

  • Third line of defense – includes internal audit, which conducts independent audits of the individual elements of the risk management system, as well as of control procedures.

The risk management process consists of the following stages:

  • Identification – the process commences with a proposal to develop an insurance product, buying a financial instrument, modifying an operating process, as well as whenever some other event occurs that may potentially lead to the emergence of risk. The identification process continues until the expiration of liabilities, receivables or activities associated with the risk. Risk identification involves identification of actual and potential sources of risk, which are later analyzed in terms of significance.

  • Measurement and assessment – conducted depending on the nature of the risk type and its significance level. Risk measurement is carried out by specialized units. Risk units in each company are responsible for the development of tools and the measurement of risk in terms of risk appetite, risk profile and risk tolerance.

  • Monitoring and control – consists in the ongoing analysis of deviations from benchmarks (limits, threshold values, plans, figures from prior periods, recommendations and guidelines).

  • Reporting – allows for effective communication on risk and supports risk management on various decision-making levels.

  • Management actions – they include, among others, risk avoidance, risk transfer, risk mitigation, acceptance of risk level, as well as implementation of supporting tools, such as limits, reinsurance programs or regular review of internal regulations.

Chart of the organizational structure for the risk management system

Risk appetite

Risk appetite is defined in the PZU Group Risk Management Strategy as the minimum value of the PZU Group’s solvency ratio on a consolidated basis and PZU on a standalone basis.

In addition, PZU as the leading entity in the PZU Group Financial Conglomerate manages risk concentration at the level of the overall conglomerate. The leading entity has established the risk concentration management standards, in particular through introduction of rules for identification, measurement and assessment, monitoring and reporting of significant risk concentration and making managerial decisions.

Once a year, the internal audit unit prepares an annual activity report, which includes, in particular, an evaluation of the internal control system and the risk management system. The procedure for preparing the report and its scope are governed by separate internal regulations. For the purposes of the report, the risk unit prepares information as to the adequacy and effectiveness of the risk management system.

In 2023, initiatives were continued to improve the identification, measurement, assessment and monitoring of the risks associated with sustainable development, in particular with climate changes. The main risks in this area are transition risks and physical risks, which are managed as part of individual risk categories specified below in this Report. Furthermore, selected ESG risks are subject to separate assessment within the framework of the risk analysis process and the key risk identification process.

The management process for the various risk categories incorporates sustainable development requirements, and the same applies at the level of each PZU Group subsidiary, in compliance with prevailing provisions of law and individually defined PZU Group internal policies, including the ESG Strategy, which constitutes an integral part of the PZU Group Strategy.

Risk management – subsidiaries

Risk management responsibility, including the climate impact risk

The consistent split of powers and tasks in the PZU Group and in its various financial sector subsidiaries covers four decision-making levels: Supervisory Board, Management Board, Committees and various operating units within the three lines of defense.

  1. Supervision over the risk management systems in the various financial sector entities is exercised by supervisory boards. PZU designates its representatives to the supervisory boards of its subsidiaries, including in particular the Alior Bank Group and the Pekao Bank Group.
  2. The management boards of PZU Group entities are responsible for executing their own duties in accordance with the generally applicable provisions of national and international law. In particular, they are responsible for implementation of an adequate and effective risk management system. The Management Board organizes the risk management system and ensures that it is operational by adopting strategies and policies, setting the level of risk appetite, defining the risk profile as well as tolerance levels for the individual categories of risk.
  3. Committees decide about limiting the levels of individual risks to fit the risk appetite framework they have defined, adopt procedures and methodologies for mitigating the individual risks and accept the limits for individual risk types. Selected members of the Management Boards sit in the Committees.
  4. The fourth decision-making level pertains to operational measures in the various business units divided into three lines of defense.

ESG risks

Key ESG risks

From the perspective of impacts on social, employee, environmental, human rights and anti-corruption issues, compliance risk and operational risk are of special importance.

ESG risk management is an integral part of the overall risk management process. Therefore, individual ESG risks are classified into the major risk categories. Issues in the social and corporate governance areas are primarily operational and compliance risks. For environmental issues, business, credit, market and actuarial risks are also involved.

PZU’s operational and compliance risk management principles and structure are based on established regulations. Operational risks are controlled on multiple levels in the organization. Risk management is overseen by independent, dedicated units within the Company’s structure – the Risk Department for operational risk and the Compliance Department for compliance risk.

Key ESG risks – monitoring

The key tools used to monitor operational risk are the operational risk indicators, which cover areas with special exposure to operational risk. They are subject to regular reviews, at least once a year.

Compliance risk is assessed at the Company as part of ongoing management processes and systemic assessment carried out on a semi-annual basis; it is also monitored monthly and quarterly based on selected risk indicators.

Detailed references to these risks are described in the following sections of this report:

Risks:

  • Risks pertaining to disclosure of personal data and data subject to insurance secrecy to unauthorized persons
  • Risks of corruption associated with inappropriate implementation in the Group’s structure of anti-corruption procedures, including the lack of protection for whistleblowers
  • Risk of conflict of interest
  • Risks associated with inadequate design and implementation of solutions in the area of crime prevention and failure to implement them correctly
  • Reputational risk associated with the identification of PZU’s activities with money laundering and terrorist financing or the risk of using PZU’s activities for money laundering or terrorist financing; compliance risk associated with inadequate implementation of the AML/CFT law into business and operational processes and failure to implement them correctly
  • Reputational risk associated with the identification of PZU’s activities with violations of international sanctions; compliance risk associated with inadequate implementation of Polish, EU and international laws governing the area of international sanctions into business and operational processes and failure to implement them correctly

Risks:

  • Reputation risk and compliance risk in connection with direct environmental impact
  • Physical risk
  • Transition risk

Risks:

  • The risk associated with difficulties in recruiting qualified staff. It pertains, in particular, to areas characterized by narrow specialization and those where candidates with unique competences are sought
  • Risk of failure to ensure a safe and healthy work environment, putting employees at risk of accidents at work
  • Risk of overrunning the personnel budget, i.e. the risk related to the need to hire an employee for an amount higher than budgeted in connection with a lack of qualified employees in the labor market (unbudgeted employee hiring)
  • Risk of misselling, i.e. the risk of dishonest communication with clients regarding the PZU Group’s offers, leading to the purchase of products that do not meet their needs or do so in a manner that is not suitable to their nature
  • Compliance risk concerning the generally prevailing laws and guidelines of state authorities, and reputational risk


ESG risk management – policies

The main element of risk management in the PZU Group consists of detailed regulations, adopted at the level of companies and functional offices.

The document governing these issues is the cooperation agreement (as of 21 March 2017) between PZU and the subsidiaries. The starting point for regulations adopted in subsidiaries is the area of competence of the PZU parent company, where the relevant units are responsible for preparing the relevant substantive provisions for policies in subsidiaries. The agreement regulates issues in the fields of: procurement, risk management, IT management, internal audit, strategy, projects, marketing and brand management, consulting and legal assistance, security management, human resources management, corporate communication, tax policy, corporate governance, actuarial services, accounting, planning and controlling, compliance, reinsurance, customer experience management, claims and benefits handling, sustainable business development (ESG), tariff-related actuarial services, analysis of insurance evolution and tariffs, sales technologies development, sales and non-motor underwriting of business insurance products.

Listed below are selected regulations in force at PZU, which are key to building a consistent approach within the framework of policies and procedures adopted collectively, in the area of ESG risk management (within the group of operational and compliance risks).

Regulations:

  • Security Policy in PZU SA and PZU Życie SA
  • Information Security Procedure of PZU SA and PZU Życie SA
  • Anti-Corruption Program in PZU SA and PZU Życie SA
  • Whistleblowing Procedure in PZU SA and PZU Życie
  • Rules for managing conflicts of interest in PZU SA and PZU Życie
  • Rules for acceptance and giving of gifts in PZU SA and PZU Życie SA
  • Security Procedure in counteracting crime in PZU SA and PZU Życie SA
  • Security procedures in the area of counteracting money laundering and terrorism financing in PZU Życie and the PZU Group
  • Rules for the protection of employees and affiliates of PZU Życie performing activities related to the implementation of certain duties in the field of counteracting money laundering and terrorism financing
  • Sanction Policy in PZU SA and Życie SA
  • Whistleblowing System in PZU and PZU Życie

Regulations:

  • PZU Group Environmental Policy
  • Sustainable Investment Policy in PZU and PZU Życie
  • PZU Green Standard

Regulations:

  • Human resource management policy in PZU SA and PZU Życie
  • Procedure for counteracting undesirable behavior in the work environment – mobbing and discrimination – in PZU and PZU Życie
  • Occupational health and safety policy at PZU and PZU Życie
  • Remuneration policy in the PZU Group
  • Financial Planning Procedure in the PZU Group
  • Rules and Regulations of the Company Social Benefit Fund (ZFŚS)
  • Principles concerning the product management system in PZU and PZU Życie
  • Code of Ethics in Advertising
  • Policies for managing effective communication in PZU
  • Client experience management policy in PZU and PZU Życie
  • PZU Group’s Human Rights Policy

ESG opportunities

According to the Polish Insurance Association’s 2023 report, building an image as a socially responsible company is among the most common motivations for companies in the insurance sector to make ESG-related changes. These actions are aimed not only at increasing customer confidence, but also at attracting investors for whom sustainability issues are becoming increasingly important. In addition, insurers recognize that a consistent approach to ESG can contribute to real positive impacts on climate change and human rights. By promoting better habits, these companies are not only meeting community expectations, but also supporting global sustainability efforts. Moreover, capitalizing on ESG opportunities gives insurance companies a potential opportunity to differentiate themselves from competitors, resulting in improved customer relations. Investments in ESG areas, as the report notes, can also help improve employee relations, increase employee engagement and create a healthier, more sustainable work environment. As a result, the ESG approach becomes an integral part of business strategy, benefiting both the organization and society as a whole.

Source: report by the Polish Insurance Association (PIU) entitled Climate of Increasing Losses – The role of insurance in climate protection and the energy transition 2023

Integrating ESG criteria into the PZU Group’s value chain

From a management perspective, the PZU Group seeks to make the most effective use of new opportunities by increasingly integrating ESG criteria into its value chain – in the evaluation process for customers, providers, investments and products. This approach makes it possible to identify sustainable activities while minimizing the risks associated with unethical practices and negative social and environmental impacts. Implementing ESG criteria not only establishes lasting relationships based on shared values, but also supports the development of products and investments that comply with global sustainable business standards, which contributes to value creation for both the organization and its stakeholders. Moreover, ESG criteria are customized to take into account the risks and opportunities to which the nature of the business is exposed. Evaluation considering ESG factors is conducted at PZU on a cyclical basis, in accordance with internal procedures.

The results of evaluating ESG criteria depend on a variety of factors, primarily on the characteristics of a particular industry. The differences between economic sectors mean that requirements and expectations for sustainability can vary significantly. For example, industries with a high environmental impact, such as manufacturing or energy, will be subject to stricter criteria regarding greenhouse gas emissions and energy efficiency. Service-oriented sectors, on the other hand, may focus on social issues such as workers’ rights or wage equality. Therefore, in the process of evaluating suppliers against ESG criteria, it is important to tailor the analysis to industry specifics, thus taking into account companies’ varying challenges and levels of commitment to sustainability.

ESG criteria used to evaluate customers/providers/investments/products

Legend: K – Customers, D – Providers, I – Investments, P – Products

Sample ESG criteria Group under evaluation
K D I P
Greenhouse gas emission management/monitoring/reduction. X X X X
Responsible and efficient waste management, including waste reduction and recycling, and hazardous waste disposal. X X X X
Promoting the development of renewable energy sources including, but not limited to, the selection of energy from renewable sources, reducing the consumption of raw materials from non-renewable sources, the rational use of natural resources. X X X
Building positive influence/promoting activities/education for environmental protection and biodiversity among staff and contractors. X X X
Management and minimization of electricity, heat and water consumption. X X X
Having a unit in the organizational structure responsible for environmental/ESG issues. X
Climate and environmental impacts. X X
Adaptation to climate change. X
Tackling climate change. X
Monitoring of the environmental burden of operations. X
Choosing technologies that are less harmful to the environment. X
Offering sustainability supporting products. X X
Identifying and managing environmental risks. X
Preparing reports and/or publishing information on environmental activities. X
Managing environmental impacts through company’s environmental management systems, policies and business strategy. X
Supporting circular economy. X
Taxonomy criteria. X

Sample ESG criteria Group under evaluation
K D I P
Occupational health and safety management. X X X X
Countering discrimination, bullying and other forms of harassment. X X X
Ensuring respect for and observance of human rights. X X X
Community outreach activities and CSR area management. X X
Working and employment conditions – including, but not limited to, gender pay equality, employee competence development, workplace ergonomics. X X X
Responsible workplace management – including, but not limited to, balancing opportunities, supporting diversity, equal treatment, dialogue with employees. X X
Promoting mental health, wellbeing, work-life balance. X X
Prohibition of slave labor, forced labor and child labor. X
Having mechanisms to communicate and report human rights violations. X
Standards for customer service, sales contracts and external communications.
Nurturing the reputation and trust of stakeholders, especially customers, employees, business partners and investors, and avoiding actions that negatively affect the company’s image. X
Managing product quality, the impact of the product on the employees, customers, suppliers, other stakeholders. X X
Positive impact of the product on the customers’ health. X

Sample ESG criteria Group under evaluation
K D I P
Information security management – including ICT system security, information security breaches, protection of confidential information, protection of personal data, compliance with the GDPR. X X X X
Anti-corruption and bribery, the number of verified cases, managing this area. X X X X
Following and developing business ethics and compliance. X X X X
Selecting our own contractors that meet ESG requirements. X
Risk management and risk minimization efforts. X X
ESG risk analysis. X
Minimizing ESG risks in the value chain. X
Executive board compensation policies. X
Impact of ESG factors on offerings and investments. X
Applying the best business standards and fair competition. X
Respect for intellectual property. X
Taking responsibility for the Company’s assets and avoiding misuse, including misappropriation, devastation, theft, and preventing the use of official position for personal benefits. X
Preparing for disruptions in the economic and administrative system. X
Maintenance of business process continuity during social crises such as war or pandemic. X
Compliance with laws and implementation of anti-trust measures. X
Building relationships with stakeholders, fostering organizational transparency, responsible marketing activities and reliable external communications. X

The analysis of ESG criteria in the value chain allows the Group to include in its strategy the elements that will have a positive long-term effect in the form of increased corporate value, image or economic benefits. In particular, these will include activities related to product offerings, risk management approaches and social and environmental responsibility.

  1. The product area already includes a number of products protecting against the effects of climate change, including natural disaster insurance, climate insurance, and insurance for sustainability-oriented businesses. New products in this area are currently under development, and modifications to existing offerings are planned, which could be important both for new sales and for retaining current customers.
  2. In the area of investments, it will be important to increase involvement in renewable energy sources and innovative green technologies, which may contribute to boosting the company’s reputation and attracting customers interested in sustainable development. Diversifying the investment portfolio, implemented by including ESG-related assets, will also be beneficial, potentially reducing financial risks associated with traditional sectors exposed to regulatory changes.
  3. In the area of corporate social responsibility (CSR), it will be important to expand financial education programs, public health initiatives and community projects, which will strengthen relationships with customers, employees or local communities. Increasing public awareness of ESG issues through educational programs and outreach activities will also provide benefits.
  4. In the labor area, an increase in employee well-being activities is expected to play an important role, which can contribute to both an improved workplace atmosphere and increased organizational productivity and efficiency.
  5. In the climate change adaptation domain, it will be important to integrate this ESG area into risk management processes, as well as to expand climate scenario analysis, which should contribute to increasing the organization’s climate resilience and generate new business opportunities, especially in the perspective of closing the insurance gap. Data from the European Insurance Supervisory Authority (EIOPA) shows that insurers’ coverage for climate-related catastrophe losses in Europe is only 25%. The insurance sector perceives the insurance gap as an opportunity for its industry, which can play a key role in achieving the sustainable development goals. It is vital to take preventive measures and raise consumer awareness of the relevance of insurance, especially in the context of the growing risks associated with climate change and the need to protect against the financial consequences of natural disasters. Supporting consumers and businesses in protecting themselves from the effects of climate change therefore becomes a priority. Introducing new standards, raising awareness and effective cooperation may contribute to reducing the gap and better managing risks, bringing long-term benefits to all stakeholders.