■ The second line of defence consists primarily of organizational units in the risk management area (Risk), Security, the Data Protection Inspector and the Compliance function, which create risk management strategies for each risk type, support and supervise the Business in their implementation and independently analyse and assess the risk. To ensure that the Business is supported and supervised in an objective manner, the second line of defence operates independently of the Business;
■ The third line of defence is Internal Audit, ensuring independent assessment of activities connected with risk management performed by the first and the second line of defence.
3.2.1. Risk culture
Risk culture is the norms, attitudes and behaviours that relate to risk awareness, risk taking, risk management and the controls that shape risk decisions.
Risk culture is a key element of effective risk management, including capital and liquidity risk management. It influences the decisions made by management and employees in the course of day-to-day operations and the risks they take.
mBank recognizes that a proper risk culture contributes to a more sustainable business model, which is especially important when banks are facing economic, financial and geopolitical difficulties. Therefore, mBank develops it, promotes it and monitors it.
Risk culture at mBank is part of its organizational culture. Therefore, the basis for further development of risk culture is:
■ mBank values define a culture of trust and positive intentions: authenticity, empathy, courage, responsibility, cooperation. These values define the most important behaviours from the Bank's perspective and its further development,
■ Code of Conduct, which defines minimum standards that apply to all employees in relations with each other and in relations with customers and business partners.
In order to properly develop the risk culture and use properly selected tools, mBank must be aware of its current status. Therefore, mBank assesses it in a comprehensive and multi-faceted manner through the analysis of five areas, for which mBank defines indicators. The indicators can be quantitative or qualitative in order to best reflect norms, attitudes and behaviours in mBank. Indicators are created and evaluated based on internal regulations for assessing risk culture. In assessing risk culture, mBank incorporates the results of a survey examining sentiment, satisfaction and commitment among employees, which is a horizontal and qualitative component of the assessment. It reflects a broad view of relevant culture topics among all employees and at all levels of management.
Detailed rules for assessing and monitoring risk culture are described in the Risk Management Strategy and internal regulation for Risk Culture Assessment.
3.2.2. Division of responsibilities in the risk management process
Supervisory Board supervises the Bank's activities with regard to the risk management system and evaluates its adequacy and effectiveness. The Supervisory Board considers regular and comprehensive information on all important matters concerning the Bank's activities provided by the Management Board, the risks associated with its activities and the ways and effectiveness of managing these risks. In particular, the Supervisory Board approves the mBank Group Risk Management Strategy and supervises its implementation.
Risk Committee of the Supervisory Board exercises constant supervision over the credit, market, liquidity and non-financial (including operational) risks. In particular, the Risk Committee issues recommendations regarding approval of risk management strategies, including the Risk Management Strategy, by the Supervisory Board. In addition, the Risk Committee issues recommendations in terms of individual counterparty risk, in accordance with the parameters defined by the Supervisory Board.
Management Board of the Bank designs, implements and ensures the operation of the risk management system. In particular, the Management Board defines and implements the Risk Management Strategy of the Group and is responsible for defining and implementing the principles of managing individual risk types and for their consistency with the Risk Management Strategy. The Management Board establishes the organizational structure of the Bank and allocates tasks and responsibilities to individual organizational units, ensuring the appropriate distribution of roles in risk management. The Management Board is also responsible for developing, implementing, ensuring the effectiveness of, and updating written strategies, policies and procedures for: the risk management system, the internal capital adequacy assessment process, capital management and capital planning, and the internal control system.
Chief Risk Officer is responsible for integrated risk and capital management of the Bank and the Group in the scope of defining strategies and policies, measuring, controlling and independent reporting on all risk types (in particular credit risk, market risk, liquidity risk, non-financial risk including operational risk), approving limits (in accordance with internal regulations), and for processes of managing the risk of the retail credit portfolio and corporate portfolio.