Operational Risk

Definition of Operational Risk

Operational risk is the potential for failure (including the legal component) in relation to employees, contractual specifications and documentation, technology, infrastructure failure and disasters, external influences and customer relationships.

Particularly prominent examples of operational risks are the following:

  • Fraud Risk arises from an intentional act or omission involving dishonesty, for personal and/or business gain or to avoid personal and/or business loss. Examples are falsification or alteration of records or reports, facilitation, breach of trust, intentional omission, misrepresentation, concealment, misleading, and abuse of position in order to obtain personal gain or business advantage, or to conceal improper or unauthorized activity.
  • Business Continuity Risk is the risk of incurring losses resulting from the interruption of normal business activities. Interruptions can be caused by: deliberate acts such as sabotage, terrorism, bomb threats, strikes, riots and assaults on the bank’s staff; natural calamities such as hurricanes, snow storms, floods and earthquakes; or other unforeseen incidents such as accidents, fires, explosions, utility outages and political unrest.
  • Regulatory Compliance Risk is the potential that we may incur regulatory sanctions (such as restrictions on business activities or enhanced reporting requirements), financial and/or reputational damage arising from our failure to comply with applicable laws, rules and regulations.
  • Information Technology Risk is the risk that our information technology will lead to quantifiable losses. This comes from inadequate information technology and processing in terms of manageability, exclusivity, integrity, controllability and continuity.
  • Outsourcing (Vendor) Risk arises from adverse events and risk concentrations due to failures in vendor selection, insufficient controls and oversight over a vendor and/or the services it provides, and other events affecting the vendor which, by their nature, severity or frequency, would not otherwise have affected us.

Legal Risk can materialize in any of the above risk categories. This is due to the fact that in each category we may be the subject of a claim or proceedings alleging non-compliance with legal or statutory responsibilities and/or losses allegedly due to inaccurately drafted contracts.

Operational risk excludes business and reputational risk.

Organizational Structure

The Head of Operational Risk Management (“ORM”) chairs the Operational Risk Management Committee (“ORMC”), which is a permanent sub-committee of the Risk Executive Committee and is composed of the operational risk officers from our business divisions and our infrastructure functions. It is the main decision-making committee for all operational risk management matters.

While the day-to-day operational risk management lies with our business divisions and infrastructure functions, the Operational Risk Management function manages the cross-divisional and cross-regional operational risk as well as risk concentrations and promotes a consistent application of our operational risk management strategy across the bank. Based on this Business Partnership Model we aim to maintain close monitoring and high awareness of operational risk.

Managing Our Operational Risk

We manage operational risk based on a group-wide consistent framework that enables us to determine our operational risk profile in comparison to our risk appetite and systematically identify operational risk themes and concentrations to define risk mitigating measures and priorities. The global operational risk framework is applicable to all risk types included in the definition for operational risk and thus also applies to each of the above defined individual risk types. The newly established business division NCOU fully applies our global operational risk framework.

In order to cover the broad range of operational risk as outlined in the definition of operational risk, our framework applies a number of techniques. These aim to efficiently manage the operational risk in our business and are used to identify, assess and mitigate operational risk.

The applied techniques are:

  • The continuous collection of operational risk loss events is a prerequisite for operational risk management including detailed analyses, definition of mitigating actions and timely information to senior management. We collect all losses above € 10,000 in our “db-Incident Reporting System” (“dbIRS”).
  • Our Lessons Learned process is required for events, including near misses, above € 1 million. This process includes but is not limited to:
    • systematic risk analyses including a description of the business environment in which the loss occurred, including previous events, near misses and event specific Key Risk Indicators (“KRI”),
    • consideration of any risk management decisions in respect of the specific risk taken,
    • root cause analyses,
    • identification of control improvements and other actions to prevent and/or mitigate recurrence, and
    • assessment of the residual operational risk exposure.
    The Lessons Learned process serves as an important means to identify inherent areas of risk and to define appropriate risk mitigating actions. All corrective actions are captured and monitored for resolution via action plans in our tracking system “dbTrack”. Performance of all corrective actions and their resolution status is reported on a monthly basis to senior management via the ORMC.
  • We systematically utilize information on external events occurring in the banking industry to prevent similar incidents from happening to us, e. g. by particular deep dive analysis or risk profile reviews.
  • In addition to internal and external loss information, scenarios are utilized and actions are derived from them. The set of scenarios consists of relevant external scenarios provided by a public database and internal scenarios. The latter are generated to complete our risk profile.
  • Regular operational risk profile reports at group level for our business divisions, the countries in which we operate and our infrastructure functions are reviewed and discussed with the department’s senior management. The regular performance of the risk profile reviews enables us to detect changes to the business unit’s risk profiles as well as risk concentrations across the Group early and to take corrective actions.
  • We assess and approve the impact of changes to our risk profile as a result of new products, outsourcings, strategic initiatives and acquisitions and divestments.
  • Once operational risks are identified, mitigation is required following the “as low as reasonably practicable (ALARP)” principle by balancing the cost of mitigation with the benefits thereof and formally accepting the residual operational risk. Risks which contravene applicable national or international regulations and legislation cannot be accepted; once identified, such risks must always be mitigated.
  • We monitor risk mitigating measures identified via operational risk management techniques for resolution within our tracking tool “dbTrack”. Residual operational risks rated higher than “important” must be accepted by the ORMC.
  • We perform top risk analyses in which the results of the aforementioned activities are considered. The Top Risk Analyses are a primary input for the annual operational risk management strategy and planning process. Besides the operational risk management strategic and tactical planning we define capital and expected loss targets which are monitored on a regular basis within a quarterly forecasting process.
  • KRIs are used to monitor the operational risk profile and alert the organization to impending problems in a timely fashion. Via our tool “dbScore” they allow the monitoring of the bank’s control culture and business environment and trigger risk mitigating actions. KRIs facilitate the forward-looking management of operational risk based on the early warning signals they return.
  • In our bottom-up Self Assessment (“SA”) process, which is conducted at least annually, areas with high risk potential are highlighted and risk mitigating measures to resolve issues are identified. In general, it is performed in our tool “dbSAT”. On a regular basis we conduct risk workshops aiming to evaluate risks specific to countries and local legal entities we are operating in and take appropriate risk mitigating actions.

Additional methodologies and tools implemented by the responsible divisions are utilized to complement the global operational risk framework and specifically address the individual risk types. These include but are not limited to:

  • Legal Risk Lessons Learned process: The Legal Department is responsible for managing the legal and reputational risk associated with the bank’s litigation and regulatory enforcement matters. The Legal Department discharges this responsibility through the management and supervision of these matters by the litigation and regulatory enforcement attorneys (“LRAs”) assigned to them, and the regional and global supervision of those LRAs within the Legal Department. The LRAs’ day-to-day management and oversight of litigation and regulatory enforcement matters may provide a unique perspective on historical practices, possible legal and reputational risk that may result from such historical practices and possible steps that may be taken to mitigate such future risks. Within the operational risk management framework a specific Lessons Learned process for Legal losses is conducted to consider the lessons learned from litigation and regulatory enforcement actions. This includes permanent involvement of Legal, ORM and the Divisional Operational Risk Officers (“DOROs”).
  • The operational risk in Outsourcing Risk is managed by the Internal Relocation and Outsourcing (“IRO”) Process and documented in the IRO database. The outsourcing risk is assessed and managed for all outsourcing arrangements individually following the Smartsourcing Risk Management Policy and the overall ORM framework. A broad governance structure is established to promote appropriate risk levels.
  • Fraud Risk is managed based on section 25a of the German Banking Act as well as other legal and regulatory requirements on a risk based approach, governed by the Global Anti Fraud Policy and corresponding Compliance and Anti-Money-Laundering (AML) framework. In line with regulatory requirements a global risk assessment is performed on a regular basis. Within the general management of operational risks dedicated Fraud Risk relevant aspects are part of the Self Assessments.
  • We manage Business Continuity (“BC”) Risk with our Business Continuity Management (“BCM”) Program, which outlines core procedures for the relocation or the recovery of operations in response to varying levels of disruption. Within this program each of our core businesses functions and infrastructure groups institute, maintain and periodically test business continuity plans (“BC Plans”) to promote continuous and reliable service. The BCM Program has defined roles and responsibilities, which are documented in corporate standards. Compliance with these standards is monitored regionally by dedicated business continuity teams. Reporting to the Group Resiliency Steering Committee (the delegated authority from the Management Board) is a quarterly requirement. Furthermore, key information of the established BCM control environment is used within the general operational risk management for KRIs.
  • The operational risk in Technology Risk is managed within the technology area following international standards for IT management. Applications and IT infrastructure are catalogued and assessed on a regular basis and stability monitoring is established. Key outcomes of the established assessment and control environment are used within the general management of operational risks for KRIs and SAs.

Measuring Our Operational Risks

We calculate and measure the regulatory and economic capital for operational risk using the internal Advanced Measurement Approach (“AMA”) methodology. Our AMA capital calculation is based upon the loss distribution approach (“LDA”). Gross losses from historical internal and external loss data (Operational Riskdata eXchange Association (“ORX”) consortium data), adjusted for direct recoveries, and external scenarios from a public database complemented by internal scenario data are used to estimate the risk profile (that is, a loss frequency and a loss severity distribution). Thereafter, the frequency and severity distributions are combined in a Monte Carlo simulation to generate losses over a one year time horizon. Finally, the risk mitigating benefits of insurance are applied to each loss generated in the Monte Carlo simulation. Correlation and diversification benefits are applied to the net losses in a manner compatible with regulatory requirements to arrive at a net loss distribution at the Group level covering expected and unexpected losses. Capital is then allocated to each of the business divisions and both a qualitative adjustment (“QA”) and an expected loss deduction are made.

The qualitative adjustment reflects the effectiveness and performance of the day-to-day operational risk management activities via KRIs and Self Assessment scores focusing on the business environment and internal control factors. The qualitative adjustment is applied as a percentage adjustment to the final capital number. This approach makes qualitative adjustment transparent to the management of the businesses and provides feedback on their risk profile as well as on the success of their management of operational risk. It thus provides incentives for the businesses to continuously improve the management of operational risks in their areas.

The expected loss (“EL”) for operational risk is based on historical loss experience and expert judgment considering business changes denoting the expected cost of operational losses for doing business. To the extent it is considered in the divisional business plans it is deducted from the AMA capital figure. The unexpected losses per business division (after QA and expected loss) are aggregated to produce the Group AMA capital figure.

Economic capital is derived from the 99.98 % percentile and allocated to the business divisions and used in performance measurement and resource allocation, providing an incentive to manage operational risk and optimizing economic capital utilization. Regulatory capital for operational risk applies the 99.9 % percentile.
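The loss distribution approach described above (Poisson-style event frequency, a severity distribution per event, per-event insurance recovery, aggregation over a one-year horizon by Monte Carlo, then a 99.9 % regulatory and 99.98 % economic percentile with an expected loss deduction), carried through as an added worked example. This is illustrative code written for this page, not the bank's AMA model: it covers a single business line, ignores the correlation and diversification step and the qualitative adjustment, and the frequency, severity and insurance parameters are constructed assumptions rather than figures from the report.

```python
# Added illustration of a loss-distribution-approach (LDA) capital calculation.
# NOT the bank's AMA model: parameters, insurance terms and simulation size are
# constructed assumptions; a single risk cell with no correlation/diversification.
import math
import random


def poisson_sample(rng, lam):
    """Draw a Poisson(lam) event count with Knuth's multiplication method."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def insured_loss(gross, deductible, limit):
    """Net loss after a per-event policy pays min(limit, loss above deductible).
    limit=None means no insurance cover at all."""
    if limit is None:
        return gross
    recovery = min(max(gross - deductible, 0.0), limit)
    return gross - recovery


def simulate_annual_losses(lam, mu, sigma, years, deductible=0.0, limit=None, seed=1):
    """Monte Carlo over `years` one-year periods: event count ~ Poisson(lam),
    gross severity per event ~ LogNormal(mu, sigma), insurance applied per
    event as in the AMA description. Returns the net annual aggregate losses."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson_sample(rng, lam)
        year_total = 0.0
        for _ in range(n):
            gross = rng.lognormvariate(mu, sigma)
            year_total += insured_loss(gross, deductible, limit)
        totals.append(year_total)
    return totals


def theoretical_expected_loss(lam, mu, sigma):
    """Closed-form mean annual loss for Poisson frequency x lognormal severity
    (no insurance); used to sanity-check the simulation."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def percentile(values, q):
    """q-quantile (0..1): smallest sample value with at least a fraction q of
    the sample at or below it."""
    ordered = sorted(values)
    k = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[k]


def capital_figures(annual_losses):
    """Expected loss, VaR at the 99.9 % (regulatory) and 99.98 % (economic)
    percentiles, and unexpected loss (VaR minus EL) at each."""
    el = sum(annual_losses) / len(annual_losses)
    var_reg = percentile(annual_losses, 0.999)
    var_eco = percentile(annual_losses, 0.9998)
    return {
        "expected_loss": el,
        "var_99.9": var_reg,
        "var_99.98": var_eco,
        "ul_99.9": var_reg - el,
        "ul_99.98": var_eco - el,
    }


if __name__ == "__main__":
    # Constructed parameters: about 20 events per year above the collection
    # threshold, median severity exp(9) ~ 8,100, heavy right tail (sigma = 1.5).
    gross = simulate_annual_losses(20, 9.0, 1.5, years=20000, seed=7)
    net = simulate_annual_losses(20, 9.0, 1.5, years=20000,
                                 deductible=50_000, limit=2_000_000, seed=7)
    print("closed-form EL:", round(theoretical_expected_loss(20, 9.0, 1.5)))
    for label, losses in (("gross", gross), ("net of insurance", net)):
        print(label, {k: round(v) for k, v in capital_figures(losses).items()})
```

Because both runs use the same seed they draw identical event counts and severities, so the insured run is a pointwise lower bound of the gross run and the effect of the cover shows up directly in the tail percentiles; the closed-form expected loss is the check that the sampled frequency and severity are what the parameters claim.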

Since December 2007, we have maintained approval by the BaFin to use the AMA. In 2012, the integration of Postbank into our group-wide framework was finalized. We are waiting for regulatory approval to integrate Postbank into our regulatory capital calculation.

The economic capital usage for operational risk increased by € 172 million, or 3.5 %, to € 5 billion as of December 31, 2012.

Economic Capital Usage for Operational Risk by Business Division

in € m.                                             Dec 31, 2012   Dec 31, 2011   2012 increase (decrease) from 2011
                                                                                  in € m.        in %
Corporate Banking & Securities
Global Transaction Banking
Asset & Wealth Management
Private & Business Clients
Non-Core Operations Unit
Total economic capital usage for operational risk

[table values not present in the extracted page]
The increase is primarily due to higher industry operational risk loss experience, the integration of BHF-BANK into our AMA model in the first quarter 2012, as well as a model refinement in the second quarter 2012. The capital continues to include the safety margin applied in our AMA model, which was implemented in 2011 to cover unforeseen legal risks from the current financial crisis.

At the beginning of 2012, the sub-allocation methodology within CB&S was changed and increased the capital for the part that was later merged into NCOU.

Our Operational Risk Management Stress Testing Concept

We conduct stress testing on a regular basis and separately from our AMA methodology to analyze the impact of extreme situations on our capital and the profit-and-loss account. In 2012, Operational Risk Management took part in all firm-wide stress test scenarios and assessed and contributed the Operational Risk impact to the various stress levels of the scenarios. The Operational Risk impact in the stress test scenarios has been moderate and remained in the expected range with regard to capital, but intense for simulated low-frequency, high-impact events hitting the Consolidated Statement of Income.

Our AMA Model Validation and Quality Assurance Review Concept

We independently validate all our AMA model components such as but not limited to scenario analysis, KRIs and Self Assessments, Expected Loss and internal loss data individually. The results of the validation exercise are summarized in validation reports and issues identified are followed up for resolution. This promotes enhancement of the methodologies. The validation activities performed in 2012 showed that our AMA model components are valid and regulatory compliant.

Quality Assurance Reviews are performed for management decisions as well as for those AMA components that depend on data input from the business divisions and therefore have a capital impact. The data and documentation for these AMA components are challenged and compared across business divisions to help us maintain consistency and adequacy in the capital calculation.

Role of Corporate Insurance/Deukona

The definition of our insurance strategy and supporting insurance policy and guidelines is the responsibility of our specialized unit Corporate Insurance/Deukona (CI/D). CI/D is responsible for our global corporate insurance policy which is approved by our Management Board.

CI/D is responsible for acquiring insurance coverage and for negotiating contract terms and premiums. CI/D also has a role in the allocation of insurance premiums to the businesses. CI/D specialists assist in devising the method for reflecting insurance in the capital calculations and in arriving at parameters to reflect the regulatory requirements. They validate the settings of insurance parameters used in the AMA model and provide respective updates. CI/D is actively involved in industry efforts to reflect the effect of insurance in the results of the capital calculations.

We buy insurance in order to protect ourselves against unexpected and substantial unforeseeable losses. The identification, definition of magnitude and estimation procedures used are based on the recognized insurance terms of “common sense”, “state-of-the-art” and/or “benchmarking”. The maximum limit per insured risk takes into account the reliability of the insurer and a cost/benefit ratio, especially in cases in which the insurance market tries to reduce coverage by restricted/limited policy wordings and specific exclusions.

We maintain a number of captive insurance companies, both primary and re-insurance companies. However, insurance contracts provided are only considered in the modeling/calculation of insurance-related reductions of operational risk capital requirements where the risk is re-insured in the external insurance market.

The regulatory capital figure includes a deduction for insurance coverage amounting to € 474 million as of December 31, 2012. Currently, no other risk transfer techniques beyond insurance are recognized in the AMA model.

CI/D selects insurance partners in strict compliance with the regulatory requirements specified in the Solvency Regulations and the Operational Risks Experts Group recommendation on the recognition of insurance in advanced measurement approaches. The insurance portfolio, as well as CI/D activities, is audited by Group Audit on a risk-based approach.
