Definition of Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. It includes legal risk but excludes business and reputational risk.
We have categorized operational risks into the following risk types for our 2014 self-assessment process:
- Origination & Execution Risk is the risk that deficiencies and/or errors in the origination of products/services/transactions, their execution, inappropriate business practices, or contractual obligations will result in losses.
- Fraud Risk is the risk of incurring losses as a result of an intentional act or omission by an employee or by a third party involving dishonesty, for personal and/or business gain, to avoid personal and/or business loss, or to conceal improper or unauthorized activity. This includes the falsification or alteration of records and reports, facilitation, breach of trust, intentional omission, misrepresentation, concealment, misleading, and the abuse of one’s position.
- Business Continuity Risk is the risk of incurring losses resulting from the interruption of normal business activities, i.e. interruptions to our infrastructure as well as to the infrastructure that supports our businesses (including third-party vendors) and the communities in which we are located.
- Regulatory Compliance Risk is the risk of incurring regulatory sanctions (including restrictions on business activities, fines or enhanced reporting requirements), financial and/or reputational damage arising from our failure to comply with applicable laws, rules and regulations.
- Information Technology Risk is the risk that inadequate information technology and processing, in terms of manageability, exclusivity, integrity, controllability, and continuity, will lead to quantifiable losses.
- Information Security Risk is the risk of an event which could result in the compromise of organizational assets, including, but not limited to, unauthorized use, loss, damage, disclosure or modification of organizational assets. It includes the risk of cyber threats to the organization.
- Vendor Risk arises from adverse events and risk concentrations due to failures in vendor selection, insufficient controls and oversight over a vendor and/or services provided by a vendor, and other impacts to the vendor itself.
- Fiduciary Service Risk is the risk of failing to act in the best interest of our clients when advising, investing, accounting for or safeguarding client assets, including the failure to prevent, detect or correct negligence and/or violations of fiduciary responsibilities, and the failure to appropriately address fiduciary conflicts of interest that may arise.
- Financial Reporting and Recording Risk is the risk that a mis-reporting or mis-recording in the financial statements results in an operational risk related event and, potentially, an operational risk related loss.
- Real Estate Risk, or Facilities and Infrastructure Risk, is the risk of incurring a loss resulting from damage to, or the loss of use of, the bank’s facilities and infrastructure.
- Staff Risk is the risk that shortcomings in processes and procedures related to the employment of internal staff either directly generate a loss or indirectly contribute to the occurrence of events in other risk categories.
- Tax Compliance Risk describes operational risk related to the filing of tax returns and other tax-related tasks, e.g. failure to file advance tax returns, being subject to a tax audit, or incurring tax payments.
- Transaction Processing Risk is the risk that deficiencies in transaction processing or in our internal processes or controls result in losses. The risk is caused by human error, IT application system failure and inadequate process design.
Legal Risk may materialize in any of the above risk types because, in each type, we may be the subject of a claim or proceedings alleging non-compliance with contractual or other legal or statutory responsibilities, or we may otherwise be subject to losses allegedly deriving from other legal circumstances. For details on provisions please refer to Note 29 of our consolidated financial statements.
We will migrate to a new risk taxonomy covering non-financial risks such as transaction processing risk, project and transformation risk and reputational risk through the course of 2015 to support the risk assessment process.
Organizational & Governance Structure
The Head of Operational Risk Management (“ORM”) chairs the Operational Risk Management Committee (“ORMC”), which is a permanent sub-committee of the Risk Executive Committee and is comprised of those responsible for managing operational risk from our divisions and infrastructure functions. It is the main decision-making committee for all operational risk management matters.
While the day-to-day management of operational risk is the primary responsibility of our business divisions and infrastructure functions, the ORM function manages cross-divisional and cross-regional operational risk as well as risk concentrations, and promotes a consistent application of our operational risk management framework across the bank. Through our business partnership model, we aim to maintain close monitoring and high awareness of operational risks.
Strengthening controls through “Three Lines of Defense”
The Three Lines of Defense program is an integral part of Deutsche Bank’s strategic agenda. It was initiated in the fourth quarter of 2013 by the Management Board in the context of heightened regulatory standards. The program builds on lessons learned from past control failures and aims to reinforce Deutsche Bank’s non-financial risk management capabilities and compliance culture across all corporate divisions and infrastructure functions. Furthermore, it is intended to maintain consistency across the ongoing control enhancement initiatives throughout the bank.
Deutsche Bank defines the Three Lines of Defense as follows:
- The First Line of Defense includes all corporate divisions and selected infrastructure functions. First Line of Defense units are ultimately accountable for all risks and controls in their business processes.
- The Second Line of Defense encompasses all control functions such as Risk, Compliance, Legal, Human Resources, Finance and Tax. These are responsible for the design of Deutsche Bank’s policy framework and independent risk assessment. Second Line of Defense units are independent from the First Line of Defense.
- The Third Line of Defense is Group Audit which is responsible for providing independent and objective assurance on the effectiveness of risk management, internal controls and governance processes.
In 2014, the program performed a systematic review of Deutsche Bank’s non-financial risk and control organizations and supporting management processes. This led to the following changes:
- The Bank established dedicated control units in each First Line of Defense to reinforce the divisions’ accountability for the management of their control environment.
- The risk and control responsibilities across the Second Line of Defense control functions were realigned within a common risk and control framework. For selected risks new initiatives were launched to further strengthen Deutsche Bank’s control framework.
- The risk and control assessment approach was enhanced towards an integrated framework shared by all three Lines of Defense to ensure the use of common standards.
Key themes for 2015 are the further build-out of the control organization, the rollout of the enhanced risk and control assessment framework as well as continuing the work across all three Lines of Defense regarding specific control enhancements. This also includes the rollout of the enhanced Three Lines of Defense model into the regions.