We manage operational risk based on a Group-wide consistent framework that enables us to determine our operational risk profile in comparison to our risk appetite and systematically identify operational risk themes and concentrations to define risk mitigating measures and priorities. The global operational risk framework is applicable to all risk types included in the definition for operational risk and thus also applies to each of the above defined individual risk types.
In order to cover the broad range of operational risk as outlined in the definition of operational risk, our framework applies a number of techniques. These aim to efficiently manage the operational risk in our business and are used to identify, assess and mitigate operational risk.
The applied techniques are:
- The continuous collection of operational risk loss events is a prerequisite for operational risk management, including detailed analyses, definition of mitigating actions and timely information to senior management. We collect all losses above € 10,000 in our “db-Incident Reporting System” (“dbIRS”).
- Our Lessons Learned process is required for events, including near misses, above € 1 million. This process includes but is not limited to:
  - systematic risk analyses, including a description of the business environment in which the loss occurred, including previous events, near misses and event-specific Key Risk Indicators (“KRI”),
  - consideration of any risk management decisions in respect of the specific risk taken,
  - root cause analyses,
  - identification of control improvements and other actions to prevent and/or mitigate recurrence, and
  - assessment of the residual operational risk exposure.
- The Lessons Learned process serves as an important means to identify inherent areas of risk and to define appropriate risk mitigating actions. All corrective actions are captured and monitored for resolution via action plans in our tracking system “dbTrack”. Performance of corrective actions is reported on a monthly basis to senior management via the ORMC.
- We systematically utilize information on external events occurring in the banking industry to prevent similar incidents from happening to us, e.g. by particular deep dive analysis or risk profile reviews.
- In addition to internal and external loss information, scenarios are utilized and actions are derived from them. The set of scenarios consists of relevant external scenarios provided by a public database and internal scenarios. The latter are generated to complete our risk profile.
- Regular operational risk profile reports at Group level for our business divisions, for the countries in which we operate and for our infrastructure functions are reviewed and discussed with the department’s senior management. The regular performance of the risk profile reviews enables us to detect changes to the business unit’s risk profiles as well as risk concentrations across the Group early and to take corrective actions.
- We assess and approve the impact of changes to our risk profile as a result of new products, outsourcings, strategic initiatives and acquisitions and divestments.
- Once operational risks are identified, mitigation is required following the “as low as reasonably practicable (ALARP)” principle by balancing the cost of mitigation with the benefits thereof and formally accepting the residual operational risk. Risks which contravene applicable national or international regulations and legislation cannot be accepted; once identified, such risks must always be mitigated.
- We monitor risk mitigating measures identified via operational risk management techniques for resolution within our tracking tool “dbTrack”. Residual operational risks rated higher than important need to be accepted by the bearing divisions and the ORMC.
- We perform top risk analyses in which the results of the aforementioned activities are considered. The Top Risk Analyses are a primary input for the annual operational risk management strategy and planning process. Besides the operational risk management strategic and tactical planning, we define capital and expected loss targets which are monitored on a regular basis within a quarterly forecasting process.
- KRIs are used to monitor the operational risk profile and alert the organization to impending problems in a timely fashion. They allow, via our tool “dbScore”, the monitoring of the bank’s control culture and business environment and trigger risk mitigating actions. KRIs facilitate the forward-looking management of operational risk based on early warning signals returned by the KRIs.
- In our bottom-up Self Assessment (“SA”) process, which is conducted at least annually, areas with high risk potential are highlighted and risk mitigating measures to resolve issues are identified. In general, it is performed in our tool “dbSAT”. On a regular basis we conduct risk workshops aiming to evaluate risks specific to countries and local legal entities we are operating in and take appropriate risk mitigating actions.
Additional methodologies and tools implemented by the responsible divisions are utilized to complement the global operational risk framework and specifically address the individual risk types. These include but are not limited to:
- We have created a new “Legal Risk Management” (“LRM”) function in the Legal Department. This function is exclusively dedicated to the identification and management of legal risk. In addition to being used for reporting purposes, LRM analyses are applied: in the context of independent portfolio management/risk appetite assessment; through remediation of highlighted issues (whether via new or existing initiatives); and also as a further means of Legal’s input being a significant decision-making criterion for our businesses. The LRM function has a mandate to undertake a broad variety of tasks aimed at proactively managing legal risk, including: devising, implementing and overseeing an Annual Legal Risk Assessment Program; agreeing and participating in resultant portfolio reviews and mitigation plans; administering the Legal Lessons Learned process (see below); and participating in our Legal Risk Appetite assessment.
- Legal Lessons Learned process: The LRM function is responsible for the Legal Lessons Learned process. On a quarterly basis, LRM receives from the Legal Department (both litigators and business-focussed lawyers) and from Divisional Operational Risk Officers (DOROs) details of potential legal risk issues arising from the Bank’s activities. Through discussion between Legal, ORM and the DOROs, any steps necessary to remediate such issues should be identified. These steps are then tracked by ORM to completion.
- The operational risk from outsourcing is managed by the Vendor Risk Management (VRM) Process and documented in the VRM database. The outsourcing risk is assessed and managed for all outsourcing arrangements individually following the Vendor Risk Management Policy in line with the overall ORM framework. A broad governance structure is established to promote appropriate risk levels.
- Fraud Risk is managed based on section 25a of the German Banking Act as well as other legal and regulatory requirements on a risk-based approach, governed by the Global Anti-Fraud Policy and the corresponding Compliance and Anti-Money-Laundering (AML) framework. In line with regulatory requirements, a global risk assessment is performed on a regular basis. Within the general management of operational risks, dedicated Fraud Risk-relevant aspects are part of the Self Assessments.
- Deutsche Bank manages Business Continuity (BC) Risk with its Business Continuity Management (BCM) Program, which outlines core procedures for the relocation or the recovery of operations in response to varying levels of disruption. Within this program, each of our core business functions and infrastructure groups institutes, maintains and periodically tests business continuity plans (“BC Plans”) to ensure continuous and reliable service. The BCM Program has defined roles and responsibilities that are documented in corporate standards. Compliance with these standards is monitored regionally by dedicated business continuity teams. Reporting to the Group Resiliency Committee, which is a sub-committee of the Group Operating Committee, is a quarterly requirement. Furthermore, key information from the established BCM control environment is used within the general management of operational risks for KRIs.
- The operational risk in Technology Risk is managed within the technology area following international standards for IT management. Applications and IT infrastructure are catalogued and assessed on a regular basis, and stability monitoring is established. Key outcomes of the established assessment and control environment are used within the general management of operational risks for KRIs and SAs.
- We are in the process of implementing an enhanced approach for assessing material operational risks stemming from process/system changes via an embedded ORM framework for change-the-bank operational risk assessments. Identified risks and mitigating actions will be tracked in Deutsche Bank’s systems as mentioned above.