Deutsche Bank

Annual Report 2016

Risk Governance

Our operations throughout the world are regulated and supervised by relevant authorities in each of the jurisdictions in which we conduct business. Such regulation focuses on licensing, capital adequacy, liquidity, risk concentration, conduct of business as well as organizational and reporting requirements. The European Central Bank (the “ECB”) in connection with the competent authorities of EU countries which joined the Single Supervisory Mechanism via the Joint Supervisory Team act in cooperation as our primary supervisors to monitor our compliance with the German Banking Act and other applicable laws and regulations as well as the CRR/CRD 4 framework and respective implementations into German law.

European banking regulators assess our capacity to assume risk in several ways, which are described in more detail in the section “Regulatory Capital” of this report.

Several layers of management provide cohesive risk governance:

  • The Supervisory Board is informed regularly on our risk situation, risk management and risk controlling, as well as on our reputation and material litigation cases. It has formed various committees to handle specific tasks.
    • At the meetings of the Risk Committee, the Management Board reports on key risk portfolios, on risk strategy and on matters of special importance due to the risks they entail. It also reports on loans requiring a Supervisory Board resolution pursuant to law or the Articles of Association. The Risk Committee deliberates with the Management Board on issues of the aggregate risk position and the risk strategy and supports the Supervisory Board in monitoring the implementation of this strategy.
    • The Integrity Committee, among other matters, monitors the Management Board’s measures that promote the company’s compliance with legal requirements, authorities’ regulations and the company’s own in-house policies. It also reviews the Bank’s Code of Business Conduct and Ethics, and, upon request, supports the Risk Committee in monitoring and analyzing the Bank’s legal and reputational risks.
    • The Audit Committee, among other matters, monitors the effectiveness of the risk management system, particularly the internal control system and the internal audit system.
  • The Management Board is responsible for managing Deutsche Bank Group in accordance with the law, the Articles of Association and its Terms of Reference with the objective of creating sustainable value in the interest of the company, thus taking into consideration the interests of the shareholders, employees and other stakeholders. The Management Board is responsible for establishing a proper business organization, encompassing appropriate and effective risk management. The Management Board established the Group Risk Committee (“GRC”) in April, 2016 as the central forum for review and decision on material risk topics, by merging the Capital and Risk Committee (“CaR”) and the Risk Executive Committee (“Risk ExCo”). The GRC is supported by four sub-committees: the Group Reputational Risk Committee (“GRRC”), the Non-Financial Risk Committee (“NFRC”), the Enterprise Risk Committee (“ERC”), and the Liquidity Management Committee (“LMC”), the roles of which are described in more detail below.
Risk Management Governance Structure of the Deutsche Bank Group

The following functional committees are central to the management of risk at Deutsche Bank:

  • The GRC has various duties and dedicated authority, including approval of key risk management principles or recommendation thereof to the Management Board for approval, recommendation of the Group Recovery Plan and the Contingency Funding Plan to the Management Board for approval, recommendation of overarching risk appetite parameters and recovery triggers to the Management Board for approval, setting of risk limits for risk resources available to the Business Divisions, and supporting the Management Board during group-wide Risk and Capital planning processes. Further duties include review of high-level risk portfolios and risk exposure developments, review of internal and regulatory group-wide stress testing results and making recommendations of required actions and monitoring of the development of risk culture across the Group.
  • The NFRC oversees, governs and coordinates the management of non-financial risks in Deutsche Bank Group and establishes a cross-risk and holistic perspective of the key non-financial risks of the Group. It is tasked to define the non-financial risk appetite framework, to monitor and control the non-financial risk operating model, including the 3LoD principles and interdependencies between business divisions and control functions and within control functions.
  • The GRRC is responsible for the oversight, governance and coordination of reputational risk management and provides for an appropriate look-back and a lessons learnt process. It reviews and decides all reputational risk issues escalated by the Regional Reputational Risk Committees (“RRRCs”) and RRRC decisions which have been appealed by the Business Units. It provides guidance on Group-wide reputational risk matters, including communication of sensitive topics, to the appropriate levels of Deutsche Bank Group. The RRRCs which are sub-committees of the GRRC, are responsible for the oversight, governance and coordination of the management of reputational risk in the respective regions on behalf of the Management Board.
  • The ERC has been established as a successor of the Portfolio Risk Committee (“PRC”) with a mandate to focus on enterprise-wide risk trends, events and cross-risk portfolios, bringing together risk experts from various risk disciplines. The ERC approves the annual country risk portfolio overviews, establishes product limits, reviews risk portfolio concentrations across the Group, monitors group-wide stress tests used for managing the Group’s risk appetite, and reviews topics with enterprise-wide risk implications like risk culture.
  • The LMC decides upon mitigation actions to be taken during periods of anticipated or actual liquidity stress or any relevant event. In that capacity, the committee is responsible for making a detailed assessment of the liquidity position of the Bank, including the ability to fulfill all payment obligations under market related stress, idiosyncratic stress, or a combination of both. The LMC is also responsible for overseeing the execution of liquidity countermeasures in a timely manner and monitoring the liquidity position of the Bank on an ongoing basis, during the stress period.

Our Chief Risk Officer (“CRO”), who is a member of the Management Board, has Group-wide, supra-divisional responsibility for the management of all credit, market and operational risks as well as for the comprehensive control of risk, including liquidity risk, and continuing development of methods for risk measurement. In addition, the CRO is responsible for monitoring, analyzing and reporting risk on a comprehensive basis.

The CRO has direct management responsibility for various risk management functions which are established with the mandate to:

  • Foster consistency with the risk appetite set by the GRC within a framework established by the Management Board and applied to Business Divisions;
  • Determine and implement risk and capital management policies, procedures and methodologies that are appropriate to the businesses within each division;
  • Establish and approve risk limits;
  • Conduct periodic portfolio reviews to keep the portfolio of risks within acceptable parameters; and
  • Develop and implement risk and capital management infrastructures and systems that are appropriate for each division.

In addition to the specialized risk management functions, our Enterprise Risk Management (ERM) function covers overarching aspects of risk management. Its mandate is to provide an increased focus on holistic risk management and cross-risk oversight to further enhance our risk portfolio steering. Key objectives are to:

  • Drive key strategic cross-risk initiatives and establish greater cohesion between defining portfolio strategy and governing execution;
  • Provide a strategic and forward-looking perspective on the key risk issues for discussion at senior levels within the Bank (risk appetite, stress testing framework);
  • Strengthen risk culture in the bank; and
  • Foster the implementation of consistent risk management standards.

ERM also develops the Bank-wide risk management framework aimed at identifying and controlling risks across the institution within the agreed risk appetite.

The specialized risk management functions and ERM have a reporting line to the CRO.

Our Finance, Risk and Group Audit functions operate independently of our Business Divisions. It is the responsibility of the Finance and Risk departments to quantify and verify the risk that we assume. Group Audit as our 3rd Line of Defense, independently examines, evaluates and reports on the adequacy of both the design and effectiveness of the systems of internal control including the risk management systems.

The integration of the risk management of our subsidiary Deutsche Postbank AG is promoted through harmonized processes for identifying, assessing, managing, monitoring, and communicating risk, the strategies and procedures for determining and safe guarding risk-bearing capacity, and corresponding internal control procedures. Key features of the joint governance are:

  • Functional reporting lines from the Postbank Risk Management to Deutsche Bank Risk;
  • Participation of voting members from Deutsche Bank from the respective risk functions in Postbank’s key risk committees and vice versa for selected key committees; and
  • Alignment to key Group risk policies.

The key risk management committees of Postbank are:

  • The Bank Risk Committee, which advises Postbank’s Management Board with respect to the determination of overall risk appetite and risk and capital allocation;
  • The Credit Risk Committee, which is responsible for limit allocation and the definition of an appropriate limit framework;
  • The Market Risk Committee, which decides on limit allocations as well as strategic positioning of Postbank’s banking and trading book and the management of liquidity risk;
  • The Operational Risk Management Committee, which defines the appropriate risk framework as well as the limit allocation for the individual business areas; and
  • The Model and Validation Risk Committee, which monitors validation of all rating systems and risk management models.

The Chief Risk Officer of Postbank or senior risk managers of Deutsche Bank are voting members of the committees listed above.