- Continued to strengthen robust control and monitoring frameworks
- Raised internal awareness on a wide range of risks and our approach
- Began process of fully embedding business continuity tools
Managing critical risks such as natural disasters, cyber security breaches, or terrorist attacks is fundamental to ensuring business continuity. Our Information and Resilience Risk function monitors the likelihood of any such risks and has robust processes in place should any materialize.
Maintaining resilience of the bank day-to-day is a second line of defense (LoD) role, which is part of our Three Lines of Defense (3LoD) system, a robust risk and control framework that enables business and infrastructure teams to manage non-financial risks associated with information technology, information security, data and records, business continuity, physical security, and people safety, as well as vendors and suppliers. These risk types make up 25% of the bank’s total non-financial risk portfolio. Where significant risks are identified, they are escalated in line with the bank’s governance processes. By setting a robust control and monitoring framework, we are able to identify risks before they become disruptive incidents.
Data and information security
We manage Information Technology Risk through our first LoD IT Risk controls. For example, we identified a critical application running on ten-year-old hardware, exposing us to widespread operational, financial, and reputational risk. Our Information and Resilience Risk function worked with technology colleagues and the Chief Operating Office to raise internal understanding of the risks associated with practices like these, helping us to make the most effective and efficient investment decisions.
Our Protective Intelligence function produces country risk ratings and recommendations, each based on analysis of the information that underpins that rating. Unexpected events, such as the terrorist incidents of 2016, can trigger a review of a country's rating. Our risk analysis is presented to regional and country management each month for sign-off through the Threat Assessment Governance Council. The outcome informs business decisions such as where employees can travel or whether the location of our assets is within risk tolerance levels (relevant to our Security Risk Management function). Ratings also play a role in determining the appropriate level of controls to protect client data.
Building internal awareness
Our aim is to create internal understanding and accountability for potential risks across the organization. Whether it is Information Technology Risk, Vendor Risk Management, Security Risk Management, Information Security Risk, Data Management and Records Risk, or Business Continuity Management, we increase awareness of the risks we face and help to inform investment decisions that will ultimately lead to sustainable performance, cost reduction, and risk mitigation.
To help us prioritize areas of focus, we assess those aspects of the organization that are critical not only to Deutsche Bank but also to the banking industry as a whole. The control framework, which guides risk appetite, ensures that we protect and prioritize the recovery of what is important in a disruptive event, and that the risk owners (each business division and infrastructure function) understand, manage, and mitigate their risks. In doing so, we are continuously strengthening the resilience of the bank.
A consistent approach
We often need to make quick decisions on multiple risks, from the personal safety of our staff to the reputational risk of a system failure. We have an award-winning, risk-based Crisis Management Framework that enables the bank to manage any disruptive event, irrespective of the cause. The Framework enables us to manage any risk that has the potential to negatively impact the bank’s people, clients, operations, or reputation.
Outlook for 2017
Many of the tools and capabilities that we developed throughout 2016 will be fully embedded in 2017, specifically the second line challenge process. As the regulatory spotlight begins to focus more on the second line, we need to be in a position to meet that challenge through independent monitoring, oversight, escalation, and reporting, in terms of both proactive and reactive risk management. Our increasingly robust approach will become ever more important as the bank faces a growing range of risks.