The diversity of our business model requires us to identify, measure, aggregate and manage our risks effec- tively, and to allocate our capital among our businesses appropriately. We operate as an integrated group through our divisions, business units and infrastructure functions. Risk and capital are managed via a frame- work of principles, organizational structures and measurement and monitoring processes that are closely aligned with the activities of the divisions and business units:
— Core risk management responsibilities are embedded in the Management Board and appropriately dele- gated to senior risk management committees responsible for execution and oversight. The Supervisory Board regularly monitors the risk and capital profile.
— We operate a three-line of defense risk management model whereby front office functions, risk manage- ment oversight and assurance roles are played by functions independent of one another.
— Risk strategy is approved by the Management Board on an annual basis and is defined based on the Group Strategic and Capital Plan and Risk Appetite in order to ensure alignment of risk, capital and per- formance targets.
— Cross-risk analysis reviews are conducted across the group to validate that sound risk management prac- tices and a holistic awareness of risk exist.
— All major risk classes are managed in a coordinated manner via risk management processes, including: credit risk, market risk, operational risk, liquidity risk, business risk, reputational risk and risk concentra- tions.
— Appropriate monitoring, stress testing tools and escalation processes are in place for key capital and li- quidity thresholds and metrics. Where applicable modeling and measurement approaches for quantifying risk and capital demand are implemented across the major risk classes.
— Effective systems, processes and policies are a critical component of our risk management capability.
Risk Governance
From a supervisory perspective, our operations throughout the world are regulated and supervised by relevant authorities in each of the jurisdictions in which we conduct business. Such regulation focuses on licensing, capital adequacy, liquidity, risk concentration, conduct of business as well as organisation and reporting requirements. The BaFin and the Deutsche Bundesbank (the German central bank) act in cooperation as our primary supervisors to ensure our compliance with the German Banking Act and other applicable laws and regulations. The German Banking Act and the rules and regulations thereunder implement, in addition, certain recommendations of the Basel Committee on Banking Supervision, as well as certain European Union directives relating to banks. German banking regulators assess our capacity to assume risk in several ways, which are described in more detail in section “Regulatory Capital”.
From an internal governance perspective, we have several layers of robust management to provide strong and cohesive risk governance:
— The Supervisory Board monitors our risk and capital profile regularly via its designated committee, the Risk Committee of the Supervisory Board. The chair of the Risk Committee reports on items discussed during the Risk Committee’s meetings to the Supervisory Board.
— The Risk Committee of the Supervisory Board meets regularly. At these meetings, the Management Board reports to the Risk Committee on credit, market, country, liquidity, operational, strategic, regulatory as well as litigation and reputational risks. It also reports on loans requiring a Supervisory Board resolution pursu- ant to law or the Articles of Association, questions of capital resources and matters of special importance due to the risks they entail. The Risk Committee deliberates with the Management Board on issues of the aggregate risk disposition and the risk strategy.
— Our Management Board provides overall risk and capital management supervision for the consolidated Group and is exclusively responsible for day-to-day management of the company with the objective of cre- ating sustainable value in the interest of our shareholders, employees and other stakeholders. The Man- agement Board is responsible for defining and implementing comprehensive and aligned business and risk strategies, as well as ensuring well-defined risk management functions and operating processes are in place to ensure that our overall performance is aligned to our business and risk strategy. The Management Board has delegated certain functions and responsibilities to relevant senior governance committees to support the fulfillment of these responsibilities, in particular to the Capital and Risk Committee (“CaR”) and Risk Executive Committee (“Risk ExCo”) whose roles are described in more detail below.
For further information on how we ensure that our overall performance is aligned to our risk strategy please refer to section below “Risk Strategy and Appetite”
Chart: Risk Management Governance Structure of the Deutsche Bank Group.
The following functional committees are central to the management of Risk in Deutsche Bank:
— The CaR oversees and controls integrated planning and monitoring of our risk profile and capital capacity, providing an alignment of risk appetite, capital requirements and funding/liquidity needs with Group, divi- sional and sub-divisional business strategies. It provides a platform to discuss and agree strategic issues impacting capital, funding and liquidity among Risk Management, Finance and the business divisions. The CaR initiates appropriate actions and/or makes recommendations to the Management Board. It is also re- sponsible for monitoring our risk profile against our risk appetite on a regular basis and ensuring appropri- ate escalation or actions are taken. The CaR monitors the performance of our risk profile against early
Ri sk S trat egy / A ppet ite / Dec is io ns Management Board Supervisory Board
Risk Committee of the Supervisory Board
Inf or m at ion Specialized sub-committees Capital & Risk Committee
Specialized sub-committees Risk Executive Committee Integrated planning and monitoring of
Deutsche Bank's risk profile and capital capacity as well as defining the Internal Capital Adequacy Assessment Process
Identification, analysis & mitigation of risks, risk policy, organisation & governance of risk management and day-
to-day risk and capital management Overall Risk and
Capital Management Supervision Regular monitoring of Risk and Capital Profile
warning indicators and recovery triggers, and provides recommendations to the Management Board to in- voke defined process and/or actions under the recovery governance framework if required.
— Our Risk ExCo, as the most senior functional committee of our risk management, identifies controls and manages all risks including risk concentrations at group level, and is a center of expertise concerning all risk related topics of the business divisions. It is responsible for risk policy, the organization and govern- ance of risk management and ensures and oversees the execution of risk and capital management includ- ing identification, analysis and risk mitigation, within the scope of the risk and capital strategy (Risk and Capital Demand Plan) approved by the Management Board. The Risk ExCo is supported by sub-
committees that are responsible for dedicated areas of risk management, including several policy commit- tees, the Cross Risk Review Committee (“CRRC”) and the Group Reputational Risk Committee (“GRRC”). — The CRRC supports the Risk ExCo and the CaR with particular emphasis on the management of group-
wide risk patterns. The CRRC, under a delegation of authority from the CaR has responsibility for the day- to-day oversight and control of our Internal Capital Adequacy Assessment Process (“ICAAP”). The CRRC also oversees the inventory of stress tests used for managing our risk appetite, reviews the results and proposes management action, if required. It monitors the effectiveness of the stress test process and drives continuous improvement of our stress testing framework. It is supported by a dedicated Stress Test- ing Oversight Committee which has the responsibility for the definition of the group-wide stress test sce- narios, ensuring common standards and consistent scenarios across risk types, and reviewing the group- wide stress test results.
Recovery management governance is part of our overall risk management framework to support that we can proactively identify and respond to severe stress or the threat of a severe stress. The key elements of the re- covery management planning and governance include:
— Clear roles and responsibilities which include Management Board oversight;
— A dedicated set of early warning indicators and recovery triggers to monitor potential risks and stimulate management action;
— An enhanced regime of severe stress tests and defined strategic recovery measures to enable proactive management of our risk profile; and
— A dedicated sub-committee of the CaR to ensure ongoing monitoring and process readiness.
Multiple members of the CaR are also members of the Risk ExCo which facilitates a constant and comprehen- sive information flow between the two committees.
Following changes to the structure and composition of our Management Board in 2012, the coverage of risks has been more widely distributed at the level of the Management Board, as the following risk management units, which previously had reported directly to the Chief Risk Officer, now report to other Management Board members: Compliance, Corporate Security & Business Continuity, Government & Regulatory Affairs, Legal and Treasury. Our Chief Risk Officer (“CRO”), who is a member of the Management Board, remains responsible for the identification, assessment and reporting of risks arising within operations across all business and all risk types as well as for the direct management responsibility of the following Risk management divisions: Credit Risk Management, Market Risk Management, Operational Risk Management and Strategic Risk and Enter- prise-wide Risk Management. Our governance structure and mechanisms ensure that group wide oversight of risk continues unchanged.
With respect to the day-to-day management and oversight of risk, there are dedicated Risk and Treasury units established with the mandate to:
— Ensure that the business conducted within each division is consistent with the risk appetite that the CaR has set within a framework established by the Management Board;
— Formulate and implement risk and capital management policies, procedures and methodologies that are appropriate to the businesses within each division;
— Conduct periodic portfolio reviews to ensure that the portfolio of risks is within acceptable parameters; and — Develop and implement risk and capital management infrastructures and systems that are appropriate for
each division.
The Deputy Chief Risk Officer (“DCRO”) leads a Strategic Risk and Enterprise-wide Risk Management function whose mandate is to provide an increased focus on holistic risk management and comprehensive, cross-risk oversight to further enhance our risk portfolio steering. The objectives of the Strategic Risk and Enterprise-wide Risk Management unit are to:
— Drive key strategic cross-risk initiatives and establish greater cohesion between defining portfolio strategy and governing execution, including regulatory adherence;
— Provide a strategic and forward-looking perspective on the key risk issues for discussion at senior levels within the bank (risk appetite, stress testing framework);
— Strengthen risk culture in the bank; and
— Foster the implementation of consistent risk management standards.
Our Finance and Audit departments operate independently of both, our business divisions and of our Risk function. The role of the Finance department is to help quantify and verify the risk that we assume and ensure the quality and integrity of our risk-related data. Our Audit department performs risk-based reviews of the de- sign and operating effectiveness of our system of internal controls.
Based on the domination agreement, we have introduced further changes to the governance of the Risk func- tions across Deutsche Bank and Postbank. The main changes were:
— Functional reporting lines from the Postbank Risk Management to Deutsche Bank Risk Management have been established. These changes did not affect the disciplinary reporting lines within the Postbank CRO organization;
— Postbank’s key risk committees were enlarged with voting members from Deutsche Bank from the respec- tive risk functions and vice versa; and
— Key group risk policies have been implemented at Postbank.
The key risk management committees of Postbank, in all of which Postbank’s Chief Risk Officer as well as senior risk managers of Deutsche Bank are voting members, are:
— The Bank Risk Committee, which advises Postbank’s Management Board with respect to the determina- tion of overall risk appetite and risk allocation;
— The Credit Risk Committee, which is responsible for limit allocation and the definition of an appropriate limit framework;
— The Market Risk Committee, which decides on limit allocations as well as strategic positioning of Post- bank’s banking and trading book and the management of liquidity risk; and
— The Operational Risk Committee which defines the appropriate risk framework as well as the capital allo- cation for the individual business areas.