
Risk Management

The risk management system in our bank is defined in keeping with banking sector standards, regulatory guidance and the recommendations of supervisory authorities. Permanent supervision over the risk management system is exercised by the Supervisory Board, supported by the Audit and Compliance Committee of the Supervisory Board and the Risk Committee.

[Figure: risk management governance structure of Santander Bank Polska. Bodies shown in the chart:]

  • Supervisory Board of Santander Bank Polska, with its Risk Committee and Audit and Compliance Committee
  • Management Board of Santander Bank Polska
  • Internal Audit Area
  • Risk Control Committee, Risk Management Committee and Risk Management Sub-Committee
  • Risk Management Forum, Credit Risk Panel, Market and Investment Risk Panel and Models and Methodology Panel
  • Credit Committee, Provisions Committee, Recovery Committee, Information Management Committee, Cyber Risk Committee, Capital Committee, Disclosure Committee, Regulatory and Reputational Risk Committee, Local Marketing and Monitoring Committee, General Compliance Committee and Anti-Money Laundering and Counter-Terrorism Financing Committee

Risk identification, measurement, monitoring and mitigation are the responsibilities of all units of the bank, which together form the so-called three lines of defence.

First line of defence

The first line of defence is focused on the management of risks in the bank’s operational activity and is based on the business units which, as part of their day-to-day activities, generate risks that affect the achievement of the bank’s objectives.

The first line includes activities performed by each employee to ensure the quality and correctness of the completed tasks.

The first line of defence checks the compliance with procedures and responds to any identified irregularities.

The rules of independent monitoring as part of this line of defence are established by the Management Board member in charge of a Division or a bank/Area Director or the President of the Management Board of a subsidiary in the form of relevant internal regulations, taking into account the segregation of duties.

Second line of defence

The second line of defence involves risk management by employees in dedicated roles or organisational units and the operations of the compliance unit.

Risk management as part of the second line of defence is independent from risk management in the first line of defence.

The second line of defence comprises functions which support the bank’s managers in identification and management of risks. To that end, the second line of defence provides relevant tools, develops internal regulations and techniques for managing, monitoring, verifying, testing and reporting risks.

The units of the second line of defence conduct independent vertical monitoring in order to verify whether the first line of defence takes effective measures and applies the required controls.

Third line of defence

The third line of defence is formed by the Internal Audit function which provides independent and objective examination and assurance of the first and second tier controls as well as assesses the management system of the bank and its subsidiaries, including the effectiveness of managing the risk related to the operations of the bank and its subsidiaries.

[102-11] Precautionary Principle or approach

In the bank and in the Group, risk profile is determined and approved by the Risk Management Committee. The acceptable risk level (risk appetite) is defined in the Risk Appetite Statement approved by the Management Board and the Supervisory Board.

The following risks have been identified in the risk management system as significant:

  • credit risk

  • market risk

  • liquidity risk

  • capital risk

  • models risk

  • business risk

  • risk of excessive leverage

  • operational risk

  • compliance risk (which encompasses regulatory risk and conduct risk)

  • money laundering and terrorism financing risk

  • reputational risk

Social and environmental risks in the risk management system

From the point of view of negative impact of those risks on society, environment, employees, human rights and anti-corruption measures, particular importance is attached to operational risk, compliance risk and reputational risk. In addition, the bank has identified social and environmental risks related to financing.

Operational risk
Risk description: Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Risk management: The bank and the Group apply the Operational Risk Management Strategy. In addition, detailed policies, procedures and guidelines are used to define how risks are identified, estimated, monitored and mitigated. The responsibility for setting operational risk management standards rests with the Operational Risk Management Committee (ORMCO).

Compliance risk (regulatory risk, conduct risk and money laundering and terrorism financing risk)
Risk description: Compliance risk is defined as the risk of legal or regulatory sanctions, significant financial loss influencing the results or negative impact on reputation that the bank may suffer due to its failure to comply with the law, internal regulations and market standards.
Risk management: Compliance risk is managed at the bank and in the Group as part of several processes, namely:

  • identification of compliance risk
  • assessment of identified risk
  • use of controls
  • monitoring the risk size and profile
  • results reporting.

Compliance assurance, as part of the control function, encompasses implementation of controls, independent monitoring of their observance and reporting.

The control function is performed under the so-called three lines of defence:

1. At the first line of defence, compliance risk is managed as part of business areas (conduct of business) and in other areas of the bank’s operations (non-conduct of business).

2. The second line of defence includes on-going vertical verification and vertical testing, the scope of which is adapted to the process characteristics and the risk level. The tasks of the second line of defence are carried out by the compliance function or another organisational unit operating in accordance with internal regulations, and in particular:

  • for labour law responsibilities – HR unit
  • for commercial companies law responsibilities – corporate governance unit
  • for health and safety responsibilities – health and safety unit
  • for accounting, reporting and tax responsibilities – financial, accounting and tax units
  • for prudential requirements – risk units.

3. The third line of defence is the internal audit function.

In addition, risk management is supported by specialist committees, such as the General Compliance Committee, the Regulatory Risk Committee, the Local Marketing and Monitoring Committee and the Anti-Money Laundering and Counter-Terrorism Financing Committee. The key policies are the General Code of Conduct and the Rules for preventing criminal responsibility.

Reputational risk (an element of compliance risk)
Risk description: The risk of deterioration of the bank’s and Santander Group’s image from the point of view of the bank’s and Group’s customers, employees, shareholders and communities in a broad sense, as a result of other types of risk, including individual categories of compliance risk.
Risk management: Reputational risk is owned by the Corporate Communication and Marketing Area and by the Compliance Area, which use a number of mechanisms, including the bank’s Disclosure Policy, the Reputational Risk Management Policy, the risk appetite for reputational risk, the Compliance Policy of Santander Bank Polska, the Procurement Policy, the Supplier Selection Procedure, the Media Monitoring Policy, the Code of Conduct in the Securities Markets, customer satisfaction surveys and mystery shopping.

Social and environmental risks
Risk description: Social and environmental risks resulting from customers’ activities in sensitive sectors, constituting elements of reputational risk.
Risk management: The key document on social and environmental risks is the Sustainability (CSR) Policy of Santander Bank Polska, which covers the whole Santander Bank Polska Group. The Policy is supplemented by policies on sectoral risk management for such sensitive sectors as defence, energy or soft commodities, as well as the sensitive sectors financing policy. Each sectoral policy defines the scope of its application, prohibited or restricted activities in relation to individual sectors, approval limits for transactions and the responsibility for each policy and its maintenance.

Furthermore, in this area the bank respects international best practices concerning social aid and environmental protection, particularly the Equator Principles.

S – Society, Em – Employees, En – Environment, HR – Human Rights, AC – Anti-Corruption

Risk Culture

In order to strengthen the risk management system, the bank conducts activities that reinforce risk awareness among employees, making sure that each staff member is responsible for risk management and knows how to respond to risk materialisation.

The risk management culture promoted by our organization is called Risk Pro and consists of five key principles:
  1. accountability,
  2. resilience,
  3. simplicity,
  4. challenge, and
  5. customer focus.

Activities implemented within this culture include: education of the bank’s employees as part of the Risk pro Banking School, including training in risk management (over 100 training sessions organised in 2018); awareness-raising activities among employees relating to risks encountered in day-to-day work; providing channels for anonymous reporting of issues of concern; and features of the incentive system encouraging employees to adhere to the risk culture values.

One of the activities aimed at promoting the risk management culture across our organization is the “Risk Culture Week”. In 2018 the event was held in September. During the week, a range of risk-related activities took place, including ones focusing on cybersecurity and ethics.

Risk Culture Week


  • The winners of the Risk Heroes competition, in which employees are rewarded for their risk attitudes and behaviours, were announced. All Santander Bank Polska employees can take part in the competition. In the first stage, employees are encouraged to nominate colleagues who have demonstrated behaviour consistent with the Risk pro principles. Each nomination must be supported by examples of such behaviour. Subsequently, the jury selects 20 finalists based on the number of nominations, the number of Risk pro principles complied with and the submitted justifications. In the final stage, the finalists’ profiles are presented on the intranet and the employees vote to choose five winners.

  • The bank’s employees were also encouraged to participate in the Cybersecurity Champion competition, in which they could prove their knowledge of the rules of cybersecurity. Every day, new questions and challenges were published, and the winners received attractive awards.


  • What do cybersecurity and health have in common? The bank’s employees learned the answer from a video prepared by the Risk Department.

  • During the Ethics Day, the employees were offered a chance to take part in interesting workshops promoting ethical attitudes at work. Dedicated e-learning materials and infographics were prepared for that purpose.

Meetings and discussions

  • A recording of the debate on ethical data use which took place during the BankITup hackathon was circulated among the employees.

  • Meetings and discussions about risk and quality were held in the branch network. Special infographics were also prepared for those occasions.

The results of the Employee Engagement Survey for 2018 showed that 97% of the bank’s employees were able to identify correctly the risks they encountered in daily work and were fully accountable for them.

Did you know …?
  • We distinguish between 17 risk categories in our risk management system.
  • In 2018, we organised more than 100 training sessions in risk management.