We manage operational risk based on a Group-wide consistent framework that enables us to determine our operational risk profile in comparison to our risk tolerance, to systematically identify operational risk themes and concentrations, and to define risk mitigating measures and priorities. The global operational risk framework is applicable to all risk types included in the definition for operational risk.
In order to cover the broad range of operational risk types as outlined in the definition of operational risk, our framework contains a number of operational risk management techniques. These aim to efficiently manage the operational risk in our business and are used to identify, assess and mitigate operational risks:
- The continuous collection of operational risk loss events, as a prerequisite for operational risk management, includes detailed analyses, the identification of mitigating actions, and timely informing of senior management. All losses above € 10,000 are collected in our “db-Incident Reporting System” (“dbIRS”).
- The Lessons Learned process is triggered for events, including near misses, above € 1 million. This process includes, but is not limited to:
  - systematic risk analyses, including a description of the business environment in which the loss occurred, previous events, near misses and event-specific Key Risk Indicators (“KRI”),
  - consideration of any risk management decisions connected with the specific risk taken,
  - root cause analyses,
  - review of control improvements and other actions to prevent or mitigate the recurrence, and
  - assessment of the residual operational risk exposure.
- The Lessons Learned process is an important means of identifying emerging areas of risk and of defining appropriate risk mitigating actions. All corrective actions are captured and monitored for resolution via action plans in our tracking system “dbTrack”. The execution of corrective actions is reported on a monthly basis to senior management via the ORMC.
- We systematically utilize information on external loss events occurring in the banking industry to prevent similar incidents from happening to us, e.g. by particular deep dive analyses or risk profile reviews.
- In addition to internal and external loss information, scenarios are utilized and actions are derived from them. The set of scenarios consists of relevant external scenarios provided by a public database and internal scenarios. The latter are generated to complete our risk profile.
- Regular operational risk profile reports at a Group level for our business divisions, for the countries in which we operate and for our infrastructure functions, are reviewed and discussed with the departments’ senior management. Regular risk profile reviews enable us to detect changes in the business units’ risk profiles as well as risk concentrations across the Group early on, and to take appropriate corrective actions.
- We assess and approve the impact of changes on our risk profile as a result of new products, outsourcing activities, strategic initiatives, and acquisitions and divestments.
- Once operational risks are identified, mitigation is required following the “as low as reasonably practicable (ALARP)” principle by balancing the cost of mitigation with the benefits thereof, and formally accepting the residual operational risk. Risks which violate applicable national or international regulations and legislation cannot be accepted; once identified, such risks must always be mitigated.
- When we implement risk mitigating measures, we monitor them within our tracking tool “dbTrack” until they are resolved. Residual operational risks rated higher than “important” need to be accepted by the risk bearing division and the ORMC.
- We perform top risk analyses in which the results of the aforementioned activities are considered. The Top Risk Analyses are a primary input for the annual operational risk management strategy and planning process. Besides the operational risk management strategic and tactical planning, we define capital and expected loss targets which are monitored on a regular basis within a quarterly forecasting process.
- We continuously seek to enhance the process to assess whether identified issues require a broader approach across multiple entities and locations within Deutsche Bank. A review of material findings is performed in order to assess their relevance to areas of the Bank other than where they originated.
- KRIs are used to monitor the operational risk profile and alert the organization to impending problems in a timely fashion. KRIs allow the monitoring of the bank’s control culture and business environment and trigger risk mitigating actions. They facilitate the forward looking management of operational risks, based on early warning signals returned by the KRIs.
- In our bottom-up self assessment (“SA”) process, which is conducted at least annually, areas with high risk potential are highlighted, and risk mitigating measures to resolve issues are identified. On a regular basis we conduct risk workshops aiming to evaluate risks specific to local legal entities and the countries we operate in, and take appropriate risk mitigating actions.
Additional functions, methodologies and tools implemented by the responsible divisions are utilized to complement the global operational risk framework and specifically address the risk types. These include but are not limited to:
- A “Legal Risk Management” (“LRM”) function in the Legal Department was established in 2013. This function is exclusively dedicated to the identification and management of legal risk. In addition to being used for reporting purposes, LRM’s analysis is applied to our control framework as it relates to legal risk, in order to promote that the framework is sufficiently robust, including remediation of highlighted issues (whether via new or existing initiatives); it also serves as a further means by which Legal’s input becomes a significant decision-making criterion for our businesses. The LRM function has a mandate to undertake a broad variety of tasks aimed at proactively managing legal risk, including: devising, implementing and overseeing an annual Legal Risk Assessment Program; agreeing and participating in resulting portfolio reviews and mitigation plans; and administering the Legal Lessons Learned process. The LRM function also coordinates Legal’s response to DB’s Three Lines of Defense program.
- The “Legal Risk Assessment Program” enables us to analyze existing and historic legal risks and, importantly, to better assess the potential for future legal risk events. This requires the participation of the business division (represented by Divisional Control Officer, “DCO”), Legal Advisory, LRM and ORM, and involves a primary self assessment on pre-defined terms by the business and a secondary assessment by the relevant Legal Advisory teams in order to form a global view of that business’ products, activities and locations.
- The “Legal Lessons Learned process” is a means of identifying, on a quarterly basis, legal risks arising from our activities; and of devising appropriate steps to remediate, mitigate or prevent such risks in future. The Legal Lessons Learned process is a retrospective one, whereby existing or completed matters are considered with a view to identifying legal lessons that can be learned from those matters and taking such steps as may be necessary for those legal lessons to be learned. Overall management of the Legal Lessons Learned process is the responsibility of the LRM function, working with ORM, DCO and the Legal Department via its Operating Committees.
- The operational risk from outsourcing is managed by the Vendor Risk Management (VRM) Process and documented in the VRM database. The outsourcing risk is assessed and managed for all outsourcing arrangements individually, following the Vendor Risk Management Policy and in line with the overall ORM framework. A broad governance structure is established to promote appropriate risk levels.
- Fraud Risk is managed based on section 25a of the German Banking Act (KWG) as well as other legal and regulatory requirements via a risk based approach, governed by the Global Anti-Fraud Policy and corresponding Compliance and Anti-Money-Laundering (AML) framework. In line with regulatory requirements, a global risk assessment is performed on a regular basis. Within the general management of operational risks, dedicated Fraud Risk relevant aspects are part of the self assessment process.
- Deutsche Bank manages Business Continuity (BC) Risk with its Business Continuity Management (BCM) Program, which outlines core procedures for the relocation or the recovery of operations in response to varying levels of disruption. Within this program, each of our core business functions and infrastructure groups sets up, maintains and periodically tests business continuity plans (“BC Plans”) to promote continuous and reliable service. The BCM Program has defined roles and responsibilities which are documented in corporate standards. Compliance with these standards is monitored regionally by dedicated business continuity teams. Reporting to the Group Resiliency Committee, which is a sub-committee of the Group Operating Committee, is a quarterly requirement. Furthermore, key information on the established BCM control environment feeds into operational risk KRIs.
- The operational risk in Technology is managed within the technology area, following international standards for IT management. Applications and IT infrastructure are catalogued and assessed on a regular basis. Stability monitoring is established. Key outcomes of the established assessment and control environment are used as input for operational risk metrics such as KRIs or self assessments.
- A new Operational Risk Assessment Policy for Change-the-Bank Processes has been implemented for material systems and process changes. All material change initiatives are assessed for operational risks stemming from process/systems changes via an embedded ORM framework for change-the-bank operational risk assessments. Identified risks and mitigating actions are tracked in Deutsche Bank’s system as mentioned above.
Although we have established a comprehensive framework for managing operational risks, including specific methodologies and techniques, we nevertheless face a trend of increasing operational risk losses and capital demand as has been the case with much of our industry. In a consolidated effort to continuously enhance the operational risk management framework, we recently added top risk analyses as an additional reporting component to our management reporting:
The top risk analysis aims to identify our most critical risks and those of our respective business divisions in terms of probability and severity. With the inclusion of the top risk reporting component in the standard global operational risk management reporting, we increase the engagement of senior management in the operational risk management process by providing transparency of our operational risk portfolio for the regions in which we operate and our business divisions. It forms a comprehensive report on a global level. This facilitates senior management’s conversations on our top risks and strengthens ownership and accountability by presenting specific action plans for risk mitigation, including responsibilities and target dates, adapted to our risk tolerance.
Below we show selected examples for the usage of the top risk analysis and actions derived from this process to mitigate the inherent risks. In line with our main peers and the general situation throughout the financial industry, we currently identify among our top risks such topics that result directly or as second order effects from the financial crisis:
- Uncertainty of litigation outflow: Improper and potentially improper business practices of the past were revealed by or following the crisis and further litigation has been induced by the change in market sentiment resulting from the crisis. These have led and may in future lead to significant regulatory fines or settlements from lawsuits initiated by respective business counterparties.
- Regulatory driven change agenda: The multiplicity of new regulatory requirements, introduced as a reaction to the financial crisis, has already placed a significant burden and cost on us, and could lead to additional regulatory sanctions in case of non-compliance.
- Internally driven change agenda: In order to meet profitability targets it is necessary for us to increase efficiency. In combination with the above mentioned points this results in pressure on us to re-organize and streamline our portfolios and business processes. The respective change initiatives bear potential transition risk or could potentially expose us to new operational risks.
In response to the challenges of the financial crisis, ORM introduced a set of measures and revised tools to improve the operational risk management of the top risks by strengthening the organizational robustness and enhancing the risk management processes. The key projects are outlined below:
Operational Risk Management Target Operating Model
We are currently redefining the responsibilities for managing operational risks within the Group as part of adopting the Three Lines of Defense program. Key changes and improvements within the Three Lines of Defense model affect the roles and responsibilities of the first and second lines of defense, risk taxonomies and the organizational structure of ORM. Regarding risk taxonomies, ORM takes the second line control function responsibility for the following non-financial risk types: transaction processing risk, project and transformation risk and reputational risk. This will be reflected in the organizational structure of ORM.
Self Assessment process as part of ORM’s Target Operating Model
We have initiated a project to review the self assessment processes and to enhance the resulting qualitative risk management information set. This will align, connect and integrate key non-financial risk assessment processes (e.g. for operational, compliance and legal risks).
OR assessments on change initiatives
In reaction to our comprehensive change agenda, and our inherent operational project risks, we set up a specific operational risk assessment. For critical control initiatives, i.e. those initiatives considered crucial to the success of our cultural change program, specific operational risk assessments of the internal control environment were introduced to assess the operational risk impact of such initiatives on the Group.