Risk Management Framework
The diversity of our business model requires us to identify, assess, measure, aggregate and manage our risks, and to allocate our capital among our businesses. We operate as an integrated group through our divisions, business units and infrastructure functions. Risk and capital are managed via a framework of principles, organizational structures and measurement and monitoring processes that are closely aligned with the activities of the divisions and business units:
- Core risk management responsibilities are embedded in the Management Board and delegated to senior risk management committees responsible for execution and oversight. The Supervisory Board regularly monitors the risk and capital profile.
- We operate a three-line of defense risk management model whereby front office functions, risk management oversight and assurance roles are played by functions independent of one another.
- Risk strategy is approved by the Management Board on an annual basis and is defined based on the Group Risk Appetite and Strategic and Capital Plan in order to align risk, capital and performance targets.
- Cross-risk analysis reviews are conducted across the Group to validate that sound risk management practices and a holistic awareness of risk exist.
- All major risk classes are managed via risk management processes, including: credit risk, market risk, operational risk, liquidity risk, business risk, reputational risk, model risk and compliance risk (MaRisk, i.e., minimum requirements for risk management). Modeling and measurement approaches for quantifying risk and capital demand are implemented across the major risk classes. Non-standard risks (reputational risk, model risk, compliance risk) are implicitly covered in our economic capital framework, primarily within operational and strategic risk.
- Monitoring, stress testing tools and escalation processes are in place for key capital and liquidity thresholds and metrics.
- Systems, processes and policies are critical components of our risk management capability.
- Recovery planning provides the escalation path for crisis management governance and supplies senior management with a list of actions designed to improve the capital and liquidity positions in a stress event.
- Resolution planning is closely supervised by our home resolution authority. It provides a strategy to manage Deutsche Bank in case of default. It is designed to prevent the need for tax payer bailout and strengthen financial stability by the continuation of critical services delivered to the wider economy.
From a supervisory perspective, our operations throughout the world are regulated and supervised by relevant authorities in each of the jurisdictions in which we conduct business. Such regulation focuses on licensing, capital adequacy, liquidity, risk concentration, conduct of business as well as organizational and reporting requirements. The European Central Bank in connection with the competent authorities of EU countries which joined the Single Supervisory Mechanism via the Joint Supervisory Team act in cooperation as our primary supervisors to monitor our compliance with the German Banking Act and other applicable laws and regulations as well as, from January 1, 2014, the CRR/CRD 4 framework, as implemented into German law, as applicable.
From an internal governance perspective, we have several layers of management to provide cohesive risk governance:
- The Supervisory Board is required to be informed regularly and – as necessary – on special developments in our risk situation, risk management and risk controlling, as well as on our reputation and material litigation cases. It has formed various committees to handle specific tasks.
- At the meetings of the Risk Committee, the Management Board reports on credit, market, liquidity, operational as well as litigation and reputational risks. It also reports on credit risk strategy, credit portfolios, loans requiring a Supervisory Board resolution pursuant to law or the Articles of Association, questions of capital resources and matters of special importance due to the risks they entail. The Risk Committee deliberates with the Management Board on issues of the aggregate risk disposition and the risk strategy.
- The Integrity Committee monitors the Management Board’s measures that promote the company’s compliance with legal requirements, authorities’ regulations and the company’s own in-house policies. It also reviews the Bank’s Code of Business Conduct and Ethics, monitors and analyzes the Bank’s legal and reputational risks and advocates their avoidance.
- The Audit Committee monitors, among other matters, the effectiveness of the risk management system, particularly the internal control system and the internal audit system.
- The Management Board is responsible for managing Deutsche Bank Group in accordance with the law, the Articles of Association and its Terms of Reference with the objective of creating sustainable value in the interest of the company, thus taking into consideration the interests of the shareholders, employees and other stakeholders. The Management Board is responsible for establishing a proper business organization, encompassing an appropriate and effective risk management. In agreement with the Supervisory Board and with the aim to ensure an effective governance of resources and risk, the Management Board has established the Capital and Risk Committee (“CaR”) and the Risk Executive Committee (“Risk ExCo”) whose roles are described in more detail below.
For further information on how we aim to ensure that our overall performance is aligned to our risk strategy, please refer to the sections “Risk Appetite and Capacity” and “Strategic and Capital Plan” below.
Risk Management Governance Structure of the Deutsche Bank Group
The following functional committees are central to the management of risk in Deutsche Bank:
- The CaR oversees and controls integrated planning and monitoring of our risk profile and capital capacity, providing an alignment of risk appetite, capital requirements and funding/liquidity needs with Group, divisional and sub-divisional business strategies. It provides a platform to discuss and agree strategic issues impacting capital, funding and liquidity among Risk, Government & Regulatory Affairs, Finance and the business divisions. The CaR initiates actions and/or makes recommendations to the Management Board. It is also responsible for monitoring our risk profile against our risk appetite on a regular basis and ensuring escalation or other actions are taken. The CaR monitors the performance of our risk profile against early warning indicators and recovery triggers, and provides recommendations to the Management Board to invoke defined processes and/or actions under the recovery governance framework if required.
- Our Risk ExCo, as the most senior functional committee of our risk management, identifies, controls and manages all risks including risk concentrations at Group level. It is responsible for risk policy, the organization and governance of risk management and oversees the execution of risk and capital management including identification, assessment and risk mitigation, within the scope of the risk and capital strategy (Risk and Capital Demand Plan) approved by the Management Board. The Risk ExCo is supported by sub-committees that are responsible for dedicated areas of risk management, including several policy committees, the Portfolio Risk Committee (“PRC”) and the Group Reputational Risk Committee (“GRRC”). In February 2015, it was agreed to move the GRRC from a sub-committee of the Risk ExCo to report directly into the Management Board.
- The PRC supports the Risk ExCo and the CaR with particular emphasis on the management of Group-wide risk patterns. The PRC, under a delegation of authority from the CaR has responsibility for the day-to-day oversight and control of our Internal Capital Adequacy Assessment Process (“ICAAP”). The PRC also oversees our Group-wide stress tests, reviews the results and proposes management action, if required. It monitors the effectiveness of the stress test process and drives continuous improvement of our stress testing framework.
- The Living Wills Committee (“LWC”) is the dedicated sub-committee of the CaR with focus on recovery and resolution planning. It oversees the implementation of our recovery and resolution plans and enhancements to the Group’s operational readiness to respond to severe stress or the threat of a severe stress.
- The Regulatory Capital Committee is a further sub-committee of our Capital and Risk Committee. It is tasked with oversight on our risk quantification models. To promote a comprehensive oversight, it is supported by several sub-committees that cover certain kinds of models and model-related matters.
Multiple members of the CaR are also members of the Risk ExCo which facilitates the information flow between the two committees.
Our Chief Risk Officer (“CRO”), who is a member of the Management Board, has Group-wide, supra-divisional responsibility for the management of all credit, market and operational risks as well as for the comprehensive control of risk, i.e. including liquidity risk, and continuing development of methods for risk measurement. In addition, the Chief Risk Officer is responsible for monitoring, analyzing and reporting risk on a comprehensive basis, including asset and liability gap, capital, liquidity, legal, compliance and regulatory risks.
The CRO has direct management responsibility for the following risk management functions: Credit Risk Management, Market Risk Management, Operational Risk Management and Liquidity Risk Control.
These are established with the mandate to:
- Support that the business within each division is consistent with the risk appetite that the CaR has set within a framework established by the Management Board;
- Determine and implement risk and capital management policies, procedures and methodologies that are appropriate to the businesses within each division;
- Approve credit, market and liquidity risk limits;
- Conduct periodic portfolio reviews to keep the portfolio of risks within acceptable parameters; and
- Develop and implement risk and capital management infrastructures and systems that are appropriate for each division.
In addition to the heads for these risk management functions, dedicated regional Chief Risk Officers for Germany, for the Americas and for Asia-Pacific, and divisional Chief Risk Officers for Deutsche AWM and NCOU have been appointed to establish a holistic risk management coverage.
The heads of the aforementioned risk management functions as well as the regional and divisional Chief Risk Officers have a direct reporting line into the CRO.
Furthermore, several teams within the risk management functions cover overarching aspects of risk management. Their mandate is to provide an increased focus on holistic risk management and cross-risk oversight to further enhance our risk portfolio steering. Key objectives are to:
- Drive key strategic cross-risk initiatives and establish greater cohesion between defining portfolio strategy and governing execution, including regulatory adherence;
- Provide a strategic and forward-looking perspective on the key risk issues for discussion at senior levels within the bank (risk appetite, stress testing framework);
- Strengthen risk culture in the bank; and
- Foster the implementation of consistent risk management standards.
Our Finance, Risk and Group Audit functions operate independently of our business divisions. It is the responsibility of the Finance and Risk departments to quantify and verify the risk that we assume and maintain the quality and integrity of our risk-related data. Group Audit examines, evaluates and reports on the adequacy of both the design and effectiveness of the systems of internal control including the risk management systems.
The integration of the risk management of our subsidiary Deutsche Postbank AG is promoted through harmonized processes for identifying, assessing, managing, monitoring, and communicating risk, the strategies and procedures for determining and safe guarding risk-bearing capacity, and corresponding internal control procedures. Key features of the joint governance are:
- Functional reporting lines from the Postbank Risk Management to Deutsche Bank Risk;
- Participation of voting members from Deutsche Bank from the respective risk functions in Postbank’s key risk committees and vice versa for selected key committees; and
- Implementation of key Group risk policies at Postbank.
The key risk management committees of Postbank, in all of which Postbank’s Chief Risk Officer or senior risk managers of Deutsche Bank are voting members, are:
- The Bank Risk Committee, which advises Postbank’s Management Board with respect to the determination of overall risk appetite and risk and capital allocation;
- The Credit Risk Committee, which is responsible for limit allocation and the definition of an appropriate limit framework;
- The Market Risk Committee, which decides on limit allocations as well as strategic positioning of Postbank’s banking and trading book and the management of liquidity risk;
- The Operational Risk Management Committee, which defines the appropriate risk framework as well as the limit allocation for the individual business areas; and
- The Model and Validation Risk Committee, which monitors validation of all rating systems and risk management models.
The main focus of this work is to comply with the agreed regulatory IRBA roadmap and to further develop our joint risk management infrastructure. In 2013, the group-wide AMA model for operational risk was approved by the regulator to be used in Postbank.
In 2014, the full integration of large clients has been completed. These are now centrally managed on our credit platform and the regulator extended acceptance for the use of the joint model parameters for large caps and financial institutions. The other client types (small and medium enterprises, retail, corporate real estate) are areas of focus for 2015 and beyond.
We seek to promote a strong risk culture throughout our organization. A strong risk culture is designed to help reinforce our resilience by encouraging a holistic approach to the management of risk and return throughout our organization as well as the effective management of our risk, capital and reputational profile. We actively take risks in connection with our business and as such the following principles underpin risk culture within our group:
- Risk is taken within a defined risk appetite;
- Every risk taken needs to be approved within the risk management framework;
- Risk taken needs to be adequately compensated; and
- Risk should be continuously monitored and managed.
Employees at all levels are responsible for the management and escalation of risks. We expect employees to exhibit behaviors that support a strong risk culture. To promote this our policies require that behavior assessment is incorporated into our performance assessment and compensation processes. We have communicated the following risk culture behaviors through various communication vehicles:
- Being fully responsible for our risks;
- Being rigorous, forward looking and comprehensive in the assessment of risk;
- Inviting, providing and respecting challenges;
- Trouble shooting collectively; and
- Placing Deutsche Bank and its reputation at the heart of all decisions.
To reinforce these expected behaviors and strengthen our risk culture, we conduct a number of group-wide activities. Our Board members and senior management frequently communicate the importance of a strong risk culture to support a consistent tone from the top. To further strengthen this message, we have reinforced our targeted training. In 2014, our employees attended more than 88,000 mandatory training modules globally including, for example, Global Information Security Awareness, An Introduction to MaRisk and the newly introduced ‘Tone from the Top’ module. As part of our ongoing efforts to strengthen our risk culture, we review our training suite regularly to develop further modules or enhance existing components.
In addition, along with other measures to strengthen our performance management processes, we have designed and implemented a process to tie formal measurement of risk culture-related behaviors to our employee performance assessment, promotion and compensation processes. This process has been in place in our CB&S and GTB divisions since 2010 and has subsequently been rolled out to all divisions and functions, with PBC Germany being the latest to have implemented the process in January 2015. This process is designed to further strengthen employee accountability.
We have also developed a dashboard to measure risk culture at a divisional and regional level. This was piloted in CB&S and AWM in 2014 and will be further developed over the coming months.
Further measures are already being reviewed and will be added to the program in 2015.
Risk Appetite and Capacity
Risk appetite expresses the level of risk that we are willing to assume within our risk capacity in order to achieve our business objectives, as defined by a set of minimum quantitative metrics and qualitative standards. Risk capacity is defined as the maximum level of risk we can assume in both normal and distressed situations before breaching regulatory constraints and our obligations to stakeholders.
Risk appetite is an integral element in our business planning processes via our Risk and Capital Demand Plan, to promote the appropriate alignment of risk, capital and performance targets, while at the same time considering risk capacity and appetite constraints. We leverage the stress testing process to test the compliance of the plan also under stressed market conditions. Top-down risk appetite serves as the limit for risk-taking for the bottom-up planning from the business functions.
The Management Board reviews and approves our risk appetite and capacity on an annual basis, or more frequently in the event of unexpected changes to the risk environment, with the aim of ensuring that they are consistent with our Group’s strategy, business and regulatory environment and stakeholders’ requirements.
In order to determine our risk appetite and capacity, we set different group level triggers and thresholds on a forward looking basis and define the escalation requirements for further action. We assign risk metrics that are sensitive to the material risks to which we are exposed and which are able to function as key indicators of financial health. In addition to that, we link our risk and recovery management governance framework with the risk appetite framework. In detail, we assess a suite of metrics under stress (CRR/CRD 4 fully loaded Common Equity Tier 1 (“CET 1”) ratio, Internal Capital Adequacy (“ICA”) ratio, and Stressed Net Liquidity Position (“SNLP”)) within the regularly performed benchmark and more severe group-wide stress tests and compare them to the Red-Amber-Green (“RAG”) levels as defined in the table below.
Risk Appetite Thresholds for key metrics
CRR/CRD 4 fully loaded CET1 ratio
Internal capital adequacy
Stressed net liquidity position
> 8.0 %
> 135 %
> € 5 billion
8.0 % – 5.5 %
135 % – 120 %
€ 5 billion – € 0 billion
< 5.5 %
< 120 %
< € 0 billion
Reports relating to our risk profile as compared to our risk appetite and strategy and our monitoring thereof are presented regularly up to the Management Board. Throughout the year 2014, our actual risk profile has remained in the normal levels as defined in the table above. In the event that our desired risk appetite is breached under either normal or stressed scenarios, a predefined escalation governance matrix is applied so these breaches are highlighted to the respective committees, and ultimately to the Chief Risk Officer and the Management Board. Amendments to the risk appetite and capacity must be approved by the Chief Risk Officer or the full Management Board, depending on their significance. As part of our annual risk appetite thresholds calibration exercise, we have furthermore adjusted our normal level of CRR/CRD 4 fully loaded CET1 ratio to 8.5 % and our ICA ratio to 140 % effective 2015 onwards. Therefore, the upper bound of the critical level for CRR/CRD 4 fully loaded CET1 ratio and ICA ratio will be adjusted for these changes as well.
Strategic and Capital Plan
We conduct an annual strategic planning process which lays out the development of our future strategic direction as a group and for our business areas/units. The strategic plan aims to create a holistic perspective on capital, funding and risk under risk-return considerations. This process translates our long term strategic targets into measurable short to medium term financial targets and enables intra-year performance monitoring and management. Thereby we aim to identify optimal growth options by considering the risks involved and the allocation of available capital resources to drive sustainable performance. Risk specific portfolio strategies complement this framework and allow for an in-depth implementation of the risk strategy on portfolio level, addressing risk specifics including risk concentrations.
The strategic planning process consists of two phases: a top-down target setting and a bottom-up substantiation.
In a first phase – the top down target setting – our key targets for profit and loss (including revenues and costs), capital supply, and capital demand as well as leverage and funding and liquidity are discussed for the group and the key business areas by the Group Executive Committee. In this process, the targets for the next three years are based on our global macro-economic outlook and the expected regulatory framework. Subsequently, the targets are approved by the Management Board.
In a second phase, the top-down objectives are substantiated bottom-up by detailed business unit plans, which for the first year consist of a month by month operative plan; years two and three are annual plans. The proposed bottom-up plans are reviewed and challenged by Finance and Risk and are discussed individually with the business heads. Thereby, the specifics of the business are considered and concrete targets decided in line with our strategic direction. The bottom-up plans include targets for key legal entities to review local risk and capitalization levels. Stress tests complement the strategic plan to also consider stressed market conditions.
The resulting Strategic and Capital Plan is presented to the Group Executive Committee and the Management Board for discussion and approval. Following the approval of the Management Board, the final plan is presented to the Supervisory Board.
The Strategic and Capital Plan is designed to support our vision of being a leading client-centric global universal bank and aims to ensure:
- Balanced risk adjusted performance across business areas and units;
- High risk management standards with focus on risk concentrations;
- Compliance with regulatory requirements;
- Strong capital and liquidity position; and
- Stable funding and liquidity strategy allowing for the business planning within the liquidity risk appetite and regulatory requirements.
The Strategic and Capital Planning process allows us to:
- Set earnings and key risk and capital adequacy targets considering the bank’s strategic focus and business plans;
- Assess our risk-bearing capacity with regard to internal and external requirements (i.e., economic capital and regulatory capital); and
- Apply an appropriate stress test to assess the impact on capital demand, capital supply and liquidity.
The specific limits e.g. regulatory capital demand and economic capital are derived from the Strategic and Capital Plan to align risk, capital and performance targets at all relevant levels of the organization.
The targets of a fully loaded CET 1 ratio of higher than 10 % and a leverage ratio of 3.5 % by year end 2015 are monitored on an ongoing basis in appropriate management committees. Any projected shortfall from targets is discussed together with potential mitigating strategies seeking to ensure that we remain on track to achieve our targets. Amendments to the strategic and capital plan must be approved by the Management Board. Achieving our externally communicated solvency targets ensures that we also comply with the Group Supervisory Review and Evaluation Process requirements as articulated by our home supervisor (CET 1 ratio of at least 10 % on a phase-in basis at all times).
Recovery and Resolution Planning
The 2007/2008 financial crisis exposed banks and the broader financial market to unprecedented pressures. These pressures led to significant support for certain banks by their governments and to large scale interventions by central banks. The crisis also forced many financial institutions to significantly restructure their businesses and strengthen their capital, liquidity and funding bases. This crisis revealed that many financial institutions were insufficiently prepared for a fast-evolving systemic crisis and thus were unable to act and respond in a way that would avoid potential failure and prevent material adverse impacts on the financial system and ultimately the economy and society.
In response to the crisis, the Financial Stability Board (FSB) has published a list of global systemically important banks (G-SIBs) and has advised its member institutions to mandate and to support the development of recovery and resolution plans within G-SIBs. Corresponding legislation has been enacted or proposed, as the case may be, in several jurisdictions, including the member states of the European Union (EU), Germany, UK and the U.S. As we have been identified as one of the G-SIBs, we have developed the Group’s recovery plan (Recovery Plan) and submitted this to our relevant regulators. The Recovery Plan is updated at least annually to reflect changes in the business and the regulatory requirements.
The Recovery Plan prepares us to restore our financial strength and viability during an extreme stress situation. The Recovery Plan’s more specific purpose is to outline how we can respond to a financial stress situation that would significantly impact our capital or liquidity position. Therefore it lays out a set of defined actions aimed to protect us, our customers and the markets and prevent a potentially more costly resolution event. In line with regulatory guidance, we have identified a wide range of recovery measures that will mitigate different types of stress scenarios. These scenarios originate from both idiosyncratic and market-wide events, which would have led to severe capital and liquidity impacts as well as impacts on our performance and balance sheet. The Recovery Plan, including its corresponding policy, is intended to enable us to effectively monitor, escalate, plan and execute recovery actions in the event of a crisis situation.
The Recovery Plan’s key objective is to help us to recover from a crisis situation by selecting appropriate recovery actions to stay sufficiently capitalised and funded. This plan extends beyond our risk management framework and can be executed in extreme scenarios where crises may threaten our survival (i.e., substantial loss of capital or inability to access market liquidity when needed). The Management Board determines when the Recovery Plan has to be invoked and which recovery measures are deemed appropriate.
The Recovery Plan is designed to cover multiple regulations including those of the FSB, EU, Germany and other key jurisdictions. Furthermore, the plan incorporates feedback from extensive discussions with our Crisis Management Group (CMG), formed by key home and host authorities. We report to this CMG with the objective of enhancing preparedness for, and facilitating the management and resolution of a cross-border financial crisis affecting us. This CMG is also intended to cooperate closely with authorities in other jurisdictions where firms have a systemic presence.
We are also working closely with our home resolution authority to create a Group Resolution Plan for Deutsche Bank as set out in the Banking Recovery and Resolution Directive and the German Recovery and Resolution Act (“Sanierungs- und Abwicklungsgesetz” or “SAG”).
In addition, title I of the Dodd-Frank Wall Street Reform and Consumer Protection Act and the implementing regulations issued by the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation (“FDIC”) require each bank holding company with assets of U.S. $ 50 billion or more, including Deutsche Bank AG (“DBAG”), to prepare and submit annually a plan for the orderly resolution of subsidiaries and operations in the event of future material financial distress or failure (the “Title I US Resolution Plan”). For foreign-based covered companies such as DBAG, the Title I US Resolution Plan only relates to subsidiaries, branches, agencies and businesses that are domiciled in or conducted in whole or in material part in the United States. In addition to the Title I US Resolution Plan, in 2014, Deutsche Bank Trust Company Americas (“DBTCA”), one of DBAG’s insured depository institutions (“IDIs”) in the United States, was subject to the FDIC’s final rule requiring IDIs with total assets of U.S. $ 50 billion or more to submit periodically to the FDIC a plan for resolution in the event of failure under the Federal Deposit Insurance Act (the “IDI Rule”). DBTCA exceeded the IDI Rule’s threshold of U.S. $ 50 billion in average total consolidated assets during 2013 and DBAG expanded its 2014 Title I US Resolution Plan to also be responsive to the IDI Rule requirements (the Title I US Resolution Plan together with the IDI Plan, the “US Resolution Plan”).
The core elements of the US Resolution Plan are Material Entities (“MEs”), Core Business Lines (“CBLs”), Critical Operations (“COs”) and, for purposes of the IDI Plan, Critical Services. The US Resolution Plan lays out the resolution strategy for each ME, defined as those entities significant to the activities of a CO or CBL and demonstrates how each ME, CBL and CO, as applicable, can be resolved in a rapid and orderly manner and without systemic impact on U.S. financial stability. The US Resolution Plan also discusses the strategy for continuing Critical Services in resolution. Key factors addressed in the US Resolution Plan include how to ensure:
- Continued access to services from other U.S. and non-U.S. legal entities as well as from third parties such as payment servicers, exchanges and key vendors;
- Availability of funding from both external and internal sources;
- Retention of key employees during resolution; and
- Efficient and coordinated close-out of cross-border contracts.
The US Resolution Plan is drafted in coordination with the U.S. businesses and infrastructure groups so that it accurately reflects the business, critical infrastructure and key interconnections.