Deutsche Bank

Annual Report 2017

Operational Risk Management Framework

Operational Risk means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes Legal Risk. Operational Risk excludes Business and Reputational Risk. It forms a subset of the Bank’s Non-Financial Risks, as does Reputational Risk.

The governance of our operational risks follows the Three Lines of Defence (“3LoD”) approach, to protect the Bank, its customers and shareholders against risk losses and resulting reputational damage. It seeks to ensure that all our operational risks are identified and covered, that accountabilities regarding the management of operational risks are clearly assigned, and that risks are taken on and managed in the best and long-term interest of the Bank. The 3LoD approach and its underlying principles, i.e., the full accountability of the First Line of Defence (“1st LoD”) to manage its own risks and the existence of an independent Second Line of Defence (“2nd LoD”) to oversee and challenge risk taking and risk management, apply to all levels of the organization, including the Group level, regions, countries and legal entities.

Deutsche Bank’s Operational Risk appetite sets out the amount of Operational Risk we are willing to accept as a consequence of doing business. We take on operational risks consciously, both strategically and in day-to-day business. While the Bank may have no appetite for certain types of Operational Risk failures (such as serious violations of laws or regulations), in other cases a certain amount of Operational Risk must be accepted if the Bank is to achieve its business objectives. Where a residual risk is assessed to be outside our risk appetite, additional risk-reducing actions must be undertaken, including remediating the risk further, insuring the risk or ceasing the business.

Non-Financial Risk Management (“NFRM”) is the Risk function for the Non-Financial Risk types of the Bank, including Operational Risk, and owns the overarching Operational Risk Management Framework (“ORMF”).

The ORMF is a set of interrelated tools and processes that are used to identify, assess, measure, monitor and remediate operational risks. Its components have been designed to operate together to provide a comprehensive approach to managing the Bank’s most material operational risks. ORMF components include the setup of the 1st and 2nd LoD as well as roles and responsibilities for the Operational Risk management process and appropriate independent challenge, the Group’s approach to setting Operational Risk appetite and adhering to it, the Operational Risk type and control taxonomies, the minimum standards for Operational Risk management processes including tools, independent governance, and the Bank’s Operational Risk capital model.

The following four principles form the foundation of Operational Risk management and the Group ORMF at Deutsche Bank:

Operational Risk Principle I: NFRM establishes and maintains the Group Operational Risk Management Framework. As the 2nd LoD control function, NFRM is the independent reviewer and challenger of the 1st LoD’s risk and control assessments and risk management activities. As the subject matter expert for Operational Risk it provides independent risk views to facilitate forward looking management of operational risks, actively engages with risk owners and facilitates the implementation of risk management standards across the Bank. NFRM provides the oversight of risk and control mitigation plans to return risk within risk appetite, where required.

Operational Risk Principle II: Risk owners as the 1st LoD have full accountability for their operational risks and have to manage these against a defined risk specific appetite.

Risk owners are those roles in the Bank that generate risks, whether financial or non-financial. The heads of business divisions and infrastructure functions must determine the appropriate organizational structure to identify their organizations’ Operational Risk profile, implement risk management and control standards within their organization, take business decisions on the mitigation or acceptance of operational risks within the risk appetite and establish and maintain risk owner (i.e. Level 1) controls.

Operational Risk Principle III: Risk Type Controllers (“RTCs”) as 2nd LoD control functions establish the framework and define risk appetite statements for the specific risk type they control. They monitor the risk type’s profile against risk appetite and exercise a veto on risk appetite breaches.

RTCs define risk management and control standards and independently oversee and challenge risk owners’ implementation of these standards as well as their risk-taking and management activities. RTCs establish independent Operational Risk governance and prepare aggregated risk type profile reporting. As risk type experts, RTCs define the risk type and its taxonomy and support and facilitate the implementation of risk management standards and processes in the 1st LoD. To maintain their independence, RTC roles are located only in infrastructure functions.

Operational Risk Principle IV: NFRM is to ensure that sufficient capital is held to underpin Operational Risk. NFRM is accountable for the design, implementation and maintenance of the approach to determine a sufficient level of capital demand for Operational Risk for recommendation to the Management Board.

To fulfil this requirement, NFRM is accountable for the calculation and allocation of Operational Risk capital demand and Expected Loss planning under the Advanced Measurement Approach (“AMA”). NFRM is also accountable for the facilitation of the annual Operational Risk capital planning and monthly review process.