First line of defence
Management of risks in the bank’s operational activity is based on business units which, as part of their day-to-day activities, generate risks that affect achievement of the bank’s objectives.
The first line of defence includes activities performed by each employee to ensure the quality and correctness of the completed tasks.
The first line of defence checks compliance with procedures and responds to any identified irregularities.
The rules of independent monitoring as part of this line of defence are established by the Management Board member in charge of a Division or a bank/Area director or the President of the Management Board of a subsidiary in the form of relevant internal regulations, taking into account the segregation of duties.
Second line of defence
The second line of defence consists of risk management by employees in dedicated roles or organisational units and the operations of the compliance unit.
Risk management as part of the second line of defence is independent of risk management in the first line of defence.
The second line of defence comprises functions which support the bank’s management in identifying and managing risks. To that end, the second line of defence provides relevant tools and develops internal regulations and techniques for managing, monitoring, verifying, testing and reporting risks.
The units of the second line of defence conduct independent vertical monitoring in order to verify whether the first line of defence takes effective measures and applies the required controls.
Third line of defence
This role is fulfilled by the Internal Audit function, which is responsible for independent and objective examination and assessment of the adequacy and effectiveness of the first- and second-line controls, and for reviewing and evaluating the management system of the bank and its subsidiaries, including the effectiveness of managing the risk related to the operations of the bank and its subsidiaries.