ING Bank Śląski S.A. manages operational and anti-fraud risk pursuant to the laws, recommendations and resolutions of the Polish Financial Supervision Authority and other regulatory bodies, and in line with the standards developed by ING Group.
Operational risk is recognised at ING Bank Śląski S.A. as the risk of suffering direct or indirect material loss or loss of reputation resulting from inadequate or failing internal processes, people or technical systems, or from external events.
Having obtained the Supervisory Board’s approval, the Bank Management Board outlined the strategy for managing operational and anti-fraud risks by implementing a coherent set of internal prescriptive documents governing the scope, principles and duties of Bank employees related to mitigating the effects and probability of incidents in that area.
The Bank Management Board, in agreement with the Supervisory Board, adopted the Non-Financial Risk Appetite Statement in 2014, wherein they specified the maximum acceptable limits of losses and the scope of risk that the Bank would be willing to undertake when executing planned business goals while fully abiding by the law and regulatory requirements. The level of limit utilisation was monitored and presented to the Bank Management Board, Audit Committee and Bank Supervisory Board.
The role of the Bank Non-Financial Risk Committee and Non-Financial Risk Committees within individual business lines which support the former in performing supervisory and decision-taking functions is crucial for ensuring continuity and consistency of risk management.
In 2014, caring about the safety of funds entrusted by clients and maintenance of the acceptable operational risk level, the Bank continued its efforts to fully implement new regulatory requirements and enhance the risk management system. The most important activities in that regard are as follows:
- introducing an integrated system supporting the operational risk management process,
- testing controls mitigating key risks at the Bank,
- undertaking preparations to counteract direct attacks (APTs) on the Bank’s IT structure aimed at damaging or stealing data,
- introducing into the Bank’s practice the requirements of Recommendation M of the Polish Financial Supervision Authority concerning the Bank’s disclosures regarding annual operational risk loss in gross terms,
- implementing the requirements of the amended Recommendation D regarding the management of information technology and security of the ICT environment at banks (the main works focused on data management, information technology network management and introduction of the follow-me printing system),
- improving the efficiency of counteracting cybercrimes related to payment transactions and identity theft or funds theft,
- renewing the local insurance programme of the ING Bank Śląski S.A. Capital Group as regards civil liability and property insurance adjusted to the current market situation,
- conducting preparatory works aimed at implementing the advanced methods of operational risk measurement (AMA) for the purpose of calculating capital requirements,
- continuing security analyses of business application source code and penetration tests of business and IT applications,
- strengthening IT infrastructure safeguards against distributed denial of service (DDoS) attacks,
- conducting a number of risk analyses of critical and key business applications and IT systems used at the Bank,
- conducting an in-depth analysis of security vulnerabilities in IT systems (in particular e-banking systems), penetration tests and increased monitoring of the electronic banking systems, which ensured successful fraud prevention and the safety of transactions effected by clients,
- updating the scope of scenario analyses and adapting them to the Bank’s current business strategy,
- enhancing the mechanisms ensuring business continuity of key processes and crisis management system,
- monitoring and testing of mechanisms ensuring physical security of individuals and the Bank’s property,
- raising employees’ awareness of effective operational and anti-fraud risk management by introducing new training courses mandatory for all Bank employees.