The diversity of our business model requires us to identify, assess, measure, aggregate and manage our risks, and to allocate our capital among our businesses. Our aim is to help reinforce our resilience by encouraging a holistic approach to the management of risk and return throughout our organization as well as the effective management of our risk, capital and reputational profile. We actively take risks in connection with our business and as such the following principles underpin our risk management framework:
- Risk is taken within a defined risk appetite;
- Every risk taken needs to be approved within the risk management framework;
- Risk taken needs to be adequately compensated; and
- Risk should be continuously monitored and managed.
Risk and capital are managed via a framework of principles, organizational structures and measurement and monitoring processes that are closely aligned with the activities of the divisions and business units:
- Core risk management responsibilities are embedded in the Management Board and delegated to senior risk managers and senior risk management committees responsible for execution and oversight.
- We operate a Three Lines of Defense (“3LoD”) risk management model, in which risk, control and reporting responsibilities are defined.
  - The 1st Line of Defense (“1st LoD”) refers to those roles in the Bank whose activities generate risks, whether financial or non-financial.
  - The 2nd Line of Defense (“2nd LoD”) refers to the risk type controller roles in the Bank who facilitate the implementation of a sound risk management framework throughout the organization. The 2nd LoD defines the risk appetite and risk management and control standards for their risk type, and independently oversees and challenges the risk taking and risk management activities of the 1st LoD.
  - The 3rd Line of Defense (“3rd LoD”) is Group Audit, which is accountable for providing independent and objective assurance on the adequacy of the design and effectiveness of the systems of internal control and risk management.
- The risk strategy is approved by the Management Board on an annual basis and is defined based on the Group Risk Appetite and the Strategic and Capital Plan in order to align risk, capital and performance targets.
- Cross-risk analysis reviews are conducted across the Group to validate that sound risk management practices and a holistic awareness of risk exist.
- All material risk types, including credit risk, market risk, operational risk, liquidity risk, business risk and reputational risk, are managed via risk management processes. Modeling and measurement approaches for quantifying risk and capital demand are implemented across the material risk types. For more details, refer to section for the management processes of our material risks.
- Monitoring, stress testing tools and escalation processes are in place for key capital and liquidity thresholds and metrics.
- Systems, processes and policies are critical components of our risk management capability.
- Recovery and contingency planning provides the escalation path for crisis management and supplies senior management with a set of actions designed to improve the capital and liquidity positions in a stress event.
- Resolution planning is the responsibility of our resolution authority, the Single Resolution Board. It provides a strategy to manage Deutsche Bank in case of default. It is designed to prevent major disruptions to the financial system or the wider economy through maintaining critical services.
- We apply an integrated risk management approach that aims at Group-wide consistency in risk management standards, while allowing for adaptation to local or legal entity specific requirements.
We promote a strong risk culture where employees at all levels are responsible for the management and escalation of risks. We expect employees to exhibit behaviors that support a strong risk culture in line with our Code of Business Conduct and Ethics. To promote this, our policies require that risk-related behavior is taken into account during our performance assessment and compensation processes. In addition, our Management Board members and senior management frequently communicate the importance of a strong risk culture to support a consistent tone from the top.
In 2017, we also introduced a principles-based assessment of risk culture, in particular focusing on risk awareness, risk ownership and management of risk within risk appetite. Assessment results are incorporated into existing risk reporting, reinforcing the message that risk culture is an integral part of effective day-to-day risk management.