Risk Report: Risk and Capital Framework
12 Months Ended
Dec. 31, 2017

Risk and Capital Framework

Risk Management Principles

The diversity of our business model requires us to identify, assess, measure, aggregate and manage our risks, and to allocate our capital among our businesses. Our aim is to help reinforce our resilience by encouraging a holistic approach to the management of risk and return throughout our organization as well as the effective management of our risk, capital and reputational profile. We actively take risks in connection with our business and as such the following principles underpin our risk management framework:

  • Risk is taken within a defined risk appetite;
  • Every risk taken needs to be approved within the risk management framework;
  • Risk taken needs to be adequately compensated; and
  • Risk should be continuously monitored and managed.

Risk and capital are managed via a framework of principles, organizational structures and measurement and monitoring processes that are closely aligned with the activities of the divisions and business units:

  • Core risk management responsibilities are embedded in the Management Board and delegated to senior risk managers and senior risk management committees responsible for execution and oversight.
  • We operate a Three Lines of Defense (“3LoD”) risk management model, in which risk, control and reporting responsibilities are defined.
  • The 1st Line of Defense (“1st LoD”) refers to those roles in the Bank whose activities generate risks, whether financial or non-financial.
  • The 2nd Line of Defense (“2nd LoD”) refers to the risk type controller roles in the Bank who facilitate the implementation of a sound risk management framework throughout the organisation. The 2nd LoD defines the risk appetite and risk management and control standards for their risk type, and independently oversees and challenges the risk taking and risk management activities of the 1st LoD.
  • The 3rd Line of Defense (“3rd LoD”) is Group Audit, which is accountable for providing independent and objective assurance on the adequacy of the design and effectiveness of the systems of internal control and risk management.
  • The risk strategy is approved by the Management Board on an annual basis and is defined based on the Group Risk Appetite and the Strategic and Capital Plan in order to align risk, capital and performance targets.
  • Cross-risk analysis reviews are conducted across the Group to validate that sound risk management practices and a holistic awareness of risk exist.
  • All material risk types, including credit risk, market risk, operational risk, liquidity risk, business risk and reputational risk, are managed via risk management processes. Modeling and measurement approaches for quantifying risk and capital demand are implemented across the material risk types. For more details, refer to section “Risk and Capital Management” for the management processes of our material risks.
  • Monitoring, stress testing tools and escalation processes are in place for key capital and liquidity thresholds and metrics.
  • Systems, processes and policies are critical components of our risk management capability.
  • Recovery and contingency planning provides the escalation path for crisis management and supplies senior management with a set of actions designed to improve the capital and liquidity positions in a stress event.
  • Resolution planning is the responsibility of our resolution authority, the Single Resolution Board. It provides a strategy to manage Deutsche Bank in case of default. It is designed to prevent major disruptions to the financial system or the wider economy through maintaining critical services.
  • We apply an integrated risk management approach that aims at Group-wide consistency in risk management standards, while allowing for adaptation to local or legal entity specific requirements.

We promote a strong risk culture where employees at all levels are responsible for the management and escalation of risks. We expect employees to exhibit behaviors that support a strong risk culture in line with our Code of Business Conduct and Ethics. To promote this, our policies require that risk-related behavior is taken into account during our performance assessment and compensation processes. In addition, our Management Board members and senior management frequently communicate the importance of a strong risk culture to support a consistent tone from the top.

In 2017, we also introduced a principles-based assessment of risk culture, in particular focusing on risk awareness, risk ownership and management of risk within risk appetite. Assessment results are incorporated into existing risk reporting, reinforcing the message that risk culture is an integral part of effective day-to-day risk management.

Risk Governance

Our operations throughout the world are regulated and supervised by relevant authorities in each of the jurisdictions in which we conduct business. Such regulation focuses on licensing, capital adequacy, liquidity, risk concentration, conduct of business as well as organizational and reporting requirements. The European Central Bank (the “ECB”) in connection with the competent authorities of EU countries which joined the Single Supervisory Mechanism via the Joint Supervisory Team act in cooperation as our primary supervisors to monitor our compliance with the German Banking Act and other applicable laws and regulations as well as the CRR/CRD 4 framework and respective implementations into German law.

European banking regulators assess our capacity to assume risk in several ways, which are described in more detail in the section “Regulatory Capital” of this report.

Several layers of management provide cohesive risk governance:

  • The Supervisory Board is informed regularly on our risk situation, risk management and risk controlling, as well as on our reputation and material litigation cases. It has formed various committees to handle specific tasks (for a detailed description of these committees, please see the “Corporate Governance Report” under “Management Board and Supervisory Board”, “Standing Committees”).
  • At the meetings of the Risk Committee, the Management Board reports on key risk portfolios, on risk strategy and on matters of special importance due to the risks they entail. It also reports on loans requiring a Supervisory Board resolution pursuant to law or the Articles of Association. The Risk Committee deliberates with the Management Board on issues of the overall risk appetite, aggregate risk position and the risk strategy and supports the Supervisory Board in monitoring the implementation of this strategy.
  • The Integrity Committee, among other responsibilities, monitors the Management Board’s measures that promote the company’s compliance with legal requirements, authorities’ regulations and the company’s own in-house policies. It also reviews the Bank’s Code of Business Conduct and Ethics, and, upon request, supports the Risk Committee in monitoring and analyzing the Bank’s legal and reputational risks.
  • The Audit Committee, among other matters, monitors the effectiveness of the risk management system, particularly the internal control system and the internal audit system.
  • The Management Board is responsible for managing Deutsche Bank Group in accordance with the law, the Articles of Association and its Terms of Reference with the objective of creating sustainable value in the interest of the company, thus taking into consideration the interests of the shareholders, employees and other stakeholders. The Management Board is responsible for establishing a proper business organization, encompassing appropriate and effective risk management. The Management Board established the Group Risk Committee (“GRC”) as the central forum for review and decision on material risk and capital-related topics. The GRC generally meets once a week. It has delegated some of its duties to individuals and sub-committees. The GRC and its sub-committees are described in more detail below.

Risk Management Governance Structure of the Deutsche Bank Group

The following functional committees are central to the management of risk at Deutsche Bank: 

  • The Group Risk Committee (GRC) has various duties and dedicated authority, including approval of new or materially changed risk and capital models, review of risk exposure developments and internal and regulatory Group-wide stress testing results, and monitoring of risk culture across the Group. The GRC also reviews risk resources available to the business divisions and high-level risk portfolios (for example on a country or industry level) and sets related risk appetite targets, for example in the form of limits or thresholds. In addition, the GRC reviews and recommends items for Management Board approval, such as key risk management principles, the Group Recovery Plan and the Contingency Funding Plan, over-arching risk appetite parameters, and recovery and escalation indicators. The GRC also supports the Management Board during Group-wide risk and capital planning processes.
  • The Non-Financial Risk Committee (NFRC) oversees, governs and coordinates the management of non-financial risks in Deutsche Bank Group and establishes a cross-risk and holistic perspective of the key non-financial risks of the Group. It is tasked to define the non-financial risk appetite tolerance framework, to monitor and control the non-financial risk operating model and interdependencies between business divisions and control functions and different risk type control functions.
  • The Group Reputational Risk Committee (GRRC) is responsible for the oversight, governance and coordination of reputational risk management and provides for an appropriate look-back and a lessons learnt process. It reviews and decides all reputational risk issues escalated by the Regional Reputational Risk Committees (“RRRCs”) and RRRC decisions which have been appealed by the business divisions, infrastructure functions or regional management. It provides guidance on Group-wide reputational risk matters, including communication of sensitive topics, to the appropriate levels of Deutsche Bank Group. The RRRCs, which are sub-committees of the GRRC, are responsible for the oversight, governance and coordination of the management of reputational risk in the respective regions on behalf of the Management Board.
  • The Enterprise Risk Committee (ERC) has been established with a mandate to focus on enterprise-wide risk trends, events and cross-risk portfolios, bringing together risk experts from various risk disciplines. As part of its mandate, the ERC approves the annual country risk portfolio overviews and specified country risk thresholds, establishes product thresholds, reviews risk portfolio concentrations across the Group, monitors group-wide stress tests used for managing the Group’s risk appetite, and reviews topics with enterprise-wide risk implications like risk culture.
  • The Financial Resource Management Council (FRMC) is an ad-hoc governance body to support the decision-making in a period of anticipated or actual capital or liquidity stress. It is a forum to discuss and recommend mitigating actions, thereby bringing together in one forum the tasks of the former Liquidity Management Committee and the crisis-related tasks previously assigned to the GRC. Specifically, the FRMC is tasked with analysing the bank’s capital and liquidity situation, advising on the capital and liquidity strategy, and making recommendations on specific business level capital and liquidity targets and/or countermeasures that are necessary to successfully execute the strategy. This includes the recommendation whether or not to invoke the Contingency Funding Plan and the right to oversee the execution of related decisions.

Our Chief Risk Officer (“CRO”), who is a member of the Management Board, has Group-wide, supra-divisional responsibility for the management of all credit, market, liquidity and operational risks as well as for the continuing development and enhancement of methods for risk measurement. In addition, the CRO is responsible for monitoring, analyzing and reporting risk on a comprehensive basis.

The CRO has direct management responsibility for the Risk function. Risk management & control duties in the Risk function are generally assigned to specialized risk management units focusing on the management of

  • Specific risk types
  • Risks within a specific business
  • Risks in a specific region.

These specialized risk management units generally handle the following core tasks:

  • Foster consistency with the risk appetite set by the GRC within a framework established by the Management Board and applied to Business Divisions;
  • Determine and implement risk and capital management policies, procedures and methodologies that are appropriate to the businesses within each division;
  • Establish and approve risk limits;
  • Conduct periodic portfolio reviews to keep the portfolio of risks within acceptable parameters; and
  • Develop and implement risk and capital management infrastructures and systems that are appropriate for each division.

Additionally, Business Aligned Risk Management (BRM) represents the Risk function vis-à-vis specific business areas. The CROs for each business division manage their respective risk portfolio, taking a holistic view of each division to challenge and influence the division’s strategy and risk ownership and implement risk appetite.

The specialized risk management functions are complemented by our Enterprise Risk Management (ERM) function, which sets a bank-wide risk management framework seeking to ensure that all risks at the Group and Divisional level are identified, owned and controlled by the functional risk teams within the agreed risk appetite and risk management principles. ERM is responsible for aggregating and analysing enterprise-wide risk information and reviewing the risk/return profile of portfolios to enable informed strategic decision-making on the Bank’s resources. ERM has the mandate to:

  • Manage enterprise risk appetite and allocation across businesses and legal entities;
  • Integrate and aggregate risks to provide greater enterprise risk transparency to support decision making;
  • Commission forward-looking stress tests, and manage Group recovery and resolution plans; and
  • Govern and improve the effectiveness of the risk management framework.

The specialized risk management functions and ERM have a reporting line to the CRO.

While operating independently from each other and the business divisions, our Finance and Risk functions have the joint responsibility to quantify and verify the risk that we assume.

The integration of the risk management of our subsidiary Deutsche Postbank AG is promoted through harmonized processes for identifying, assessing, managing, monitoring, and communicating risk, the strategies and procedures for determining and safeguarding risk-bearing capacity, and corresponding internal control procedures. Key features of the joint governance are:

  • Functional reporting lines from Postbank Risk Management to Deutsche Bank Risk;
  • Participation of voting members from Deutsche Bank from the respective risk functions in Postbank’s key risk committees and vice versa for selected key committees; and
  • Alignment to key Group risk policies.

The key risk management committees of Postbank are:

  • The Bank Risk Committee, which advises Postbank’s Management Board with respect to the determination of overall risk appetite and risk and capital allocation;
  • The Credit Risk Committee, which is responsible for limit allocation and the definition of an appropriate limit framework;
  • The Market Risk Committee, which decides on limit allocations as well as strategic positioning of Postbank’s banking and trading book and the management of liquidity risk;
  • The Operational Risk Management Committee, which defines the appropriate risk framework as well as the limit allocation for the individual business areas; and
  • The Model and Validation Risk Committee, which monitors validation of all rating systems and risk management models.

The Chief Risk Officer of Postbank or senior risk managers of Deutsche Bank are voting members of the committees listed above.

Following the announcement in March 2017 to merge Postbank with the German Private and Business Clients business, and as part of the overarching integration project, the Risk division has also commenced the analyses and work on establishing an appropriate Risk function for the planned merged legal entity, which will remain connected to the Group as described above.