Deutsche Bank

Annual Report 2017

Risk Governance

Our operations throughout the world are regulated and supervised by relevant authorities in each of the jurisdictions in which we conduct business. Such regulation focuses on licensing, capital adequacy, liquidity, risk concentration, conduct of business as well as organizational and reporting requirements. The European Central Bank (the “ECB”), in cooperation with the competent authorities of the EU countries that joined the Single Supervisory Mechanism, acts through the Joint Supervisory Team as our primary supervisor, monitoring our compliance with the German Banking Act and other applicable laws and regulations as well as with the CRR/CRD 4 framework and its respective implementations into German law.

European banking regulators assess our capacity to assume risk in several ways, which are described in more detail in the section “Regulatory Capital” of this report.

Several layers of management provide cohesive risk governance:

  • The Supervisory Board is informed regularly on our risk situation, risk management and risk controlling, as well as on our reputation and material litigation cases. It has formed various committees to handle specific tasks (for a detailed description of these committees, please see the “Corporate Governance Report” under “Management Board and Supervisory Board”, “Standing Committees”).
    • At the meetings of the Risk Committee, the Management Board reports on key risk portfolios, on risk strategy and on matters of special importance due to the risks they entail. It also reports on loans requiring a Supervisory Board resolution pursuant to law or the Articles of Association. The Risk Committee deliberates with the Management Board on issues of the overall risk appetite, aggregate risk position and the risk strategy and supports the Supervisory Board in monitoring the implementation of this strategy.
    • The Integrity Committee, among other responsibilities, monitors the Management Board’s measures that promote the company’s compliance with legal requirements, authorities’ regulations and the company’s own in-house policies. It also reviews the Bank’s Code of Business Conduct and Ethics, and, upon request, supports the Risk Committee in monitoring and analyzing the Bank’s legal and reputational risks.
    • The Audit Committee, among other matters, monitors the effectiveness of the risk management system, particularly the internal control system and the internal audit system.
  • The Management Board is responsible for managing Deutsche Bank Group in accordance with the law, the Articles of Association and its Terms of Reference with the objective of creating sustainable value in the interest of the company, thus taking into consideration the interests of the shareholders, employees and other stakeholders. The Management Board is responsible for establishing a proper business organization, encompassing appropriate and effective risk management. The Management Board established the Group Risk Committee (“GRC”) as the central forum for review and decision on material risk and capital-related topics. The GRC generally meets once a week. It has delegated some of its duties to individuals and sub-committees. The GRC and its sub-committees are described in more detail below.

Risk Management Governance Structure of the Deutsche Bank Group

The following functional committees are central to the management of risk at Deutsche Bank:

  • The Group Risk Committee (GRC) has various duties and dedicated authority, including approval of new or materially changed risk and capital models, review of risk exposure developments and internal and regulatory Group-wide stress testing results, and monitoring of risk culture across the Group. The GRC also reviews risk resources available to the business divisions and high-level risk portfolios (for example on a country or industry level) and sets related risk appetite targets, for example in the form of limits or thresholds. In addition, the GRC reviews and recommends items for Management Board approval, such as key risk management principles, the Group Recovery Plan and the Contingency Funding Plan, overarching risk appetite parameters, and recovery and escalation indicators. The GRC also supports the Management Board during Group-wide risk and capital planning processes.
  • The Non-Financial Risk Committee (NFRC) oversees, governs and coordinates the management of non-financial risks in Deutsche Bank Group and establishes a cross-risk and holistic perspective of the key non-financial risks of the Group. It is tasked to define the non-financial risk appetite tolerance framework, to monitor and control the non-financial risk operating model and interdependencies between business divisions and control functions and different risk type control functions.
  • The Group Reputational Risk Committee (GRRC) is responsible for the oversight, governance and coordination of reputational risk management and provides for an appropriate look-back and lessons-learnt process. It reviews and decides all reputational risk issues escalated by the Regional Reputational Risk Committees (“RRRCs”) and RRRC decisions which have been appealed by the business divisions, infrastructure functions or regional management. It provides guidance on Group-wide reputational risk matters, including communication of sensitive topics, to the appropriate levels of Deutsche Bank Group. The RRRCs, which are sub-committees of the GRRC, are responsible for the oversight, governance and coordination of the management of reputational risk in the respective regions on behalf of the Management Board.
  • The Enterprise Risk Committee (ERC) has been established with a mandate to focus on enterprise-wide risk trends, events and cross-risk portfolios, bringing together risk experts from various risk disciplines. As part of its mandate, the ERC approves the annual country risk portfolio overviews and specified country risk thresholds, establishes product thresholds, reviews risk portfolio concentrations across the Group, monitors group-wide stress tests used for managing the Group’s risk appetite, and reviews topics with enterprise-wide risk implications like risk culture.
  • The Financial Resource Management Council (FRMC) is an ad-hoc governance body to support the decision-making in a period of anticipated or actual capital or liquidity stress. It is a forum to discuss and recommend mitigating actions, thereby bringing together in one forum the tasks of the former Liquidity Management Committee and the crisis-related tasks previously assigned to the GRC. Specifically, the FRMC is tasked with analyzing the bank’s capital and liquidity situation, advising on the capital and liquidity strategy, and making recommendations on specific business level capital and liquidity targets and/or countermeasures that are necessary to successfully execute the strategy. This includes the recommendation whether or not to invoke the Contingency Funding Plan and the right to oversee the execution of related decisions.

Our Chief Risk Officer (“CRO”), who is a member of the Management Board, has Group-wide, supra-divisional responsibility for the management of all credit, market, liquidity and operational risks as well as for the continuing development and enhancement of methods for risk measurement. In addition, the CRO is responsible for monitoring, analyzing and reporting risk on a comprehensive basis.

The CRO has direct management responsibility for the Risk function. Risk management & control duties in the Risk function are generally assigned to specialized risk management units focusing on the management of

  • Specific risk types
  • Risks within a specific business
  • Risks in a specific region.

These specialized risk management units generally handle the following core tasks:

  • Foster consistency with the risk appetite set by the GRC within a framework established by the Management Board and applied to Business Divisions;
  • Determine and implement risk and capital management policies, procedures and methodologies that are appropriate to the businesses within each division;
  • Establish and approve risk limits;
  • Conduct periodic portfolio reviews to keep the portfolio of risks within acceptable parameters; and
  • Develop and implement risk and capital management infrastructures and systems that are appropriate for each division.

Additionally, Business Aligned Risk Management (BRM) represents the Risk function vis-à-vis specific business areas. The CROs for each business division manage their respective risk portfolio, taking a holistic view of each division to challenge and influence the division’s strategy and risk ownership and implement risk appetite.

The specialized risk management functions are complemented by our Enterprise Risk Management (ERM) function, which sets a bank-wide risk management framework seeking to ensure that all risks at the Group and Divisional level are identified, owned and controlled by the functional risk teams within the agreed risk appetite and risk management principles. ERM is responsible for aggregating and analyzing enterprise-wide risk information and reviewing the risk/return profile of portfolios to enable informed strategic decision-making on the Bank’s resources. ERM has the mandate to:

  • Manage enterprise risk appetite and allocation across businesses and legal entities;
  • Integrate and aggregate risks to provide greater enterprise risk transparency to support decision making;
  • Commission forward-looking stress tests, and manage Group recovery and resolution plans; and
  • Govern and improve the effectiveness of the risk management framework.

The specialized risk management functions and ERM have a reporting line to the CRO.

While operating independently from each other and the business divisions, our Finance and Risk functions have the joint responsibility to quantify and verify the risk that we assume.

The integration of the risk management of our subsidiary Deutsche Postbank AG is promoted through harmonized processes for identifying, assessing, managing, monitoring, and communicating risk, the strategies and procedures for determining and safeguarding risk-bearing capacity, and corresponding internal control procedures. Key features of the joint governance are:

  • Functional reporting lines from Postbank Risk Management to Deutsche Bank Risk;
  • Participation of voting members from Deutsche Bank from the respective risk functions in Postbank’s key risk committees and vice versa for selected key committees; and
  • Alignment to key Group risk policies.

The key risk management committees of Postbank are:

  • The Bank Risk Committee, which advises Postbank’s Management Board with respect to the determination of overall risk appetite and risk and capital allocation;
  • The Credit Risk Committee, which is responsible for limit allocation and the definition of an appropriate limit framework;
  • The Market Risk Committee, which decides on limit allocations as well as strategic positioning of Postbank’s banking and trading book and the management of liquidity risk;
  • The Operational Risk Management Committee, which defines the appropriate risk framework as well as the limit allocation for the individual business areas; and
  • The Model and Validation Risk Committee, which monitors validation of all rating systems and risk management models.

The Chief Risk Officer of Postbank or senior risk managers of Deutsche Bank are voting members of the committees listed above.

Following the announcement in March 2017 to merge Postbank with the German Private and Business Clients business, and as part of the overarching integration project, the Risk division has also commenced the analysis and work on establishing an appropriate Risk function for the planned merged legal entity, which will remain connected to the Group as described above.