Risk Management at the Deutsche Bundesbank
March 2011
(C) Deutsche Bundesbank - Division Organisation
Agenda
- Definition of risk management (slide 3)
- Factors of influence to review the RM set-up (slide 4)
- The framework (slide 5)
- Governance structure of the Bundesbank (slides 6-19)
- Risk structure (slide 20)
- Risk management process (slides 21-32)
Definition
Risk management is a logical and systematic method of identifying, analysing, treating and monitoring risks.
Elements of the risk management system:
- Early identification of risks
- Identification of risks
- Evaluation of risks
- Communication of risks
- Handling of risks
- Monitoring of risks
- Controls
- Internal audit
Factors of influence to review the RM set-up
- The kinds of impact the set-up has to cover, for example financial impact, reputational impact and damage to persons
- The crisis of 2004
- Recommendations of internal and external auditors
- Legal background
The Framework
Contents:
- Aims and structure of the framework
- Legal background
- Definitions
- Aims and functions of risk management
- Risk culture
- Expertise and responsibilities
- Risk structure
- Risk management process: early identification of risks, identification of risks, risk evaluation, communication of risks, handling of risks, monitoring of risks
Implementation: after approval by the Executive Board in March 2006, the framework was published to the staff via the intranet.
Governance structure of the Bundesbank (organisation charts)
Governance structure of the Bundesbank: responsibilities of the Executive Board
The Executive Board
- has overall responsibility for the management of risks
- is the principal decision-making body
- approves the risk tolerance policy and residual risks that fall into a specific risk zone
- receives the aggregated risk reports
Governance structure of the Bundesbank: business areas
- The business areas are responsible for operational risk management within their own tasks, across the whole Bundesbank (decentralised approach).
- The heads of departments are responsible for the identification, assessment and mitigation of their own risks.
- In some areas, such as the risk management of foreign reserves and other portfolios, IT security and general security, the related tasks are performed by central units.
Governance structure of the Bundesbank: Office for Risk Control
Located in Area V, alongside the Department Financial Stability and the Department Statistics.
The Office for Risk Control deals with market risks such as currency risks, interest rate risks, counterparty risks and liquidity risks. It is responsible for the risk management of foreign reserves and other portfolios.
Governance structure of the Bundesbank: IT Security Management
Located in the Department Information Technology (Area VI, alongside the Department Markets).
IT Security Management supports the Executive Board and the business areas in questions concerning IT security and is responsible for the design and maintenance of the firewalls, the evaluation of information from the proxy servers, and the maintenance and enhancement of the IT security concepts.
Governance structure of the Bundesbank: relationship between IT security and ORM
- Operational risks emerging from IT Security Management itself are subject to the ORM methodology.
- Regulations and methodologies in the area of IT security are themselves risk treatment measures.
- The horizontal nature of IT risks (they cut across all business areas) has to be considered.
Governance structure of the Bundesbank: Division Organisation
The Division Organisation is part of the Department Controlling, Accounting and Organisation (Area III, alongside the Department Human Resources and the Department Administration & Premises). It comprises the ERM Office and the unit Security and Crisis Management.
Governance structure of the Bundesbank: ERM Office
In the context of risk management, the ERM Office is responsible for the maintenance and enhancement of the risk management framework, the methodology, documentation and coordination. It supports the business areas to ensure the ORM methodology is properly used, checks the results of risk assessments for plausibility, conducts analyses, summarises the reports of the business areas and draws up an annual report. In addition, the ERM Office is involved in the development and rollout of an operational risk management methodology at ESCB/Eurosystem level and stays in close contact with other central banks worldwide to exchange experiences.
Governance structure of the Bundesbank: C 35, Security and Crisis Management
- Topic centre for questions concerning general security
- Design and maintenance of the security framework
- Business continuity planning and crisis management
Governance structure of the Bundesbank: Internal Audit
The Department Audit is located in Area I, alongside the Department Economics. Internal Audit reports directly to one of the members of the Executive Board of the Deutsche Bundesbank. As an independent entity it is not involved in the working processes it audits.
Governance structure of the Bundesbank: relationship between Internal Audit and ORM
- Assures the integrity of the RM system and compliance with regulations
- Makes proposals to enhance the RM system
- Uses the self-assessment results to draw up its audit plans (risk-based approach)
- Interacts with and consults the ORM/ERM unit while auditing the business areas
- Its own operational risks are subject to the ORM methodology
- The ORM/ERM office can be part of Internal Audit (depending on the internal set-up and the mission of Internal Audit)
Governance structure of the Bundesbank (diagram: Internal Audit, IT Department, ERM Office and Office for Risk Control)
Risk structure
Loss categories: reputational loss, financial loss, damage to persons
Business risks: currency risks, interest rate risks, counterparty risks, liquidity risks, gold price risks
Operational risks:
- Employee risks: human failures, incorrect conduct, misallocation of staff, inadequate qualification of staff
- Technical risks: IT risks, critical infrastructure
- External risks: primary maintenance risks, dependencies on third parties, negative press coverage, legal risks, natural risks, general security risks
Identification of risks
- Task of the business areas
- Identification should be output-oriented with regard to the underlying task
- Root causes also have to be identified and documented
- Helpful information can be gathered from audit reports (internal as well as external), test reports (IT systems) and incident databases
Risk assessment
As a basic principle, a risk at the Deutsche Bundesbank can result in three categories of losses: financial loss, damage to persons and reputational loss. Each of these categories is evaluated for each risk, partly qualitatively and partly quantitatively:
Risk(event) = Probability of loss occurring(event) x Impact(event)
Risk assessment grading scales: risk likelihood
Likelihood level | Frequency of loss events
5 - Almost certain | Every year or more
4 - Likely | Once every 1-2 years
3 - Possible | Once every 2-5 years
2 - Unlikely | Once every 5-10 years
1 - Rare | Less than once every 10 years
If there are no observable events, qualitative criteria oriented to fraud and attacks are used instead:
- Motivation (e.g. personal gain ... attracting attention, making a point)
- Skills and knowledge (e.g. basic skills sufficient, knowledge not necessary)
- Collaboration
- Traceability
- Time and cost (from less than 1 day and under EUR 100 to 1 year and over EUR 100,000)
Risk assessment grading scales: financial impact and personal injuries
Level | Financial impact (EUR) | Personal injuries
Very high | 10,000,001 - 25,000,000 * | Numerous deaths
High | 1,000,001 - 10,000,000 | Individual deaths
Medium | 100,001 - 1,000,000 | Life-threatening injuries
Low | 10,001 - 100,000 | Major injuries
Negligible | 1 - 10,000 | Minor injuries
Risk assessment grading scales: reputational impact
Levels: very high, high, medium, low, negligible
- Very high: The occurrence of an event can endanger the Bank's security for a lengthy period or cause critical damage to its interests. Example: criminal proceedings against individual members of the Bundesbank's governing bodies.
- High: The occurrence of an event can endanger the Bank's security or cause major damage to its interests.
- Lower levels: The occurrence of an event can be of disadvantage to the Bank's interests.
Risk tolerance policy
Matrix of the likelihood of loss occurring (rare, unlikely, possible, likely, almost certain) against the impact on overall loss (negligible, low, medium, high, very high).
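The grading scales and the product formula above, carried through on constructed sample events. This is an added illustration, not code from the Deutsche Bundesbank's risk management system: it encodes the likelihood scale (frequency of loss events), the financial impact bands and the personal injury scale as printed, and ranks events by Risk = Probability x Impact. The 1-5 numbering of the injury scale, the grading of intervals that fall exactly on a band boundary, the handling of losses above EUR 25 million (the slide's footnote is not reproduced here) and the use of the worst of the three loss categories as the overall impact are assumptions, marked as such in the code.

```python
"""Bundesbank-style risk grading (added worked example, not Bundesbank code)."""
from dataclasses import dataclass
from typing import Optional

# Likelihood scale from the slide: (upper bound of the mean interval between
# loss events in years, level, label). ASSUMPTION: an interval exactly on a
# boundary (e.g. once every 2 years) falls into the less frequent band, i.e.
# "once every 1-2 years" is read as 1 < interval <= 2.
LIKELIHOOD_BANDS = [
    (1.0, 5, "almost certain"),   # every year or more
    (2.0, 4, "likely"),           # once every 1-2 years
    (5.0, 3, "possible"),         # once every 2-5 years
    (10.0, 2, "unlikely"),        # once every 5-10 years
]
LIKELIHOOD_RARE = (1, "rare")     # less than once every 10 years

# Financial impact bands in EUR from the slide (inclusive upper bounds).
FINANCIAL_BANDS = [
    (10_000, 1, "negligible"),
    (100_000, 2, "low"),
    (1_000_000, 3, "medium"),
    (10_000_000, 4, "high"),
    (25_000_000, 5, "very high"),
]

# Personal injury scale. The slide gives descriptions, not numbers; the 1-5
# numbering is an ASSUMPTION mirroring the five-step financial scale.
INJURY_LEVELS = {
    "minor injuries": (1, "negligible"),
    "major injuries": (2, "low"),
    "life-threatening injuries": (3, "medium"),
    "individual deaths": (4, "high"),
    "numerous deaths": (5, "very high"),
}


def likelihood_level(mean_interval_years: float) -> tuple:
    """Grade the likelihood from the mean number of years between loss events."""
    if mean_interval_years <= 0:
        raise ValueError("interval must be positive")
    for upper, level, label in LIKELIHOOD_BANDS:
        if mean_interval_years <= upper:
            return level, label
    return LIKELIHOOD_RARE


def financial_impact_level(loss_eur: float) -> tuple:
    """Grade a monetary loss. ASSUMPTION: losses above the top band
    (EUR 25 million) are graded 'very high' rather than rejected."""
    if loss_eur < 1:
        raise ValueError("the scale starts at EUR 1")
    for upper, level, label in FINANCIAL_BANDS:
        if loss_eur <= upper:
            return level, label
    return 5, "very high"


def injury_impact_level(description: str) -> tuple:
    """Grade damage to persons from the slide's wording (case-insensitive)."""
    return INJURY_LEVELS[description.lower()]


@dataclass
class RiskEvent:
    name: str
    mean_interval_years: float
    financial_loss_eur: float = 0.0          # 0 = no financial loss expected
    injury: Optional[str] = None              # None = no damage to persons
    reputational_level: int = 1               # graded qualitatively (1-5) by the assessor

    def impact_level(self) -> int:
        """Overall impact = worst of the three loss categories (ASSUMPTION: the
        slides grade each category separately and do not state the aggregation)."""
        levels = [self.reputational_level]
        if self.financial_loss_eur >= 1:
            levels.append(financial_impact_level(self.financial_loss_eur)[0])
        if self.injury:
            levels.append(injury_impact_level(self.injury)[0])
        return max(levels)

    def score(self) -> int:
        """Risk = Probability of loss occurring x Impact, on the 1-5 grades (1..25)."""
        return likelihood_level(self.mean_interval_years)[0] * self.impact_level()


# Constructed sample events for the demonstration, not Bundesbank data.
SAMPLE_EVENTS = [
    RiskEvent("phishing-driven payment fraud", 1.5,
              financial_loss_eur=250_000, reputational_level=3),
    RiskEvent("data-centre fire", 12.0, financial_loss_eur=8_000_000,
              injury="life-threatening injuries", reputational_level=4),
    RiskEvent("internal report sent to wrong recipient", 0.5,
              reputational_level=2),
]


def rank_events(events=SAMPLE_EVENTS):
    """Return (score, name) pairs, highest risk first."""
    return sorted(((e.score(), e.name) for e in events), reverse=True)


if __name__ == "__main__":
    for score, name in rank_events():
        print(f"{score:2d}  {name}")
```

Note how the product scale rewards frequency: the mis-sent report (almost certain, low impact) outranks the data-centre fire (rare, high impact) even though the fire would be the larger single loss, which is exactly the kind of result the plausibility check by the ERM Office and the board's risk tolerance matrix are there to review.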
Risk treatment
Policy of risk avoidance and risk limitation while implementing preventive measures. Principles include:
- Principle of hierarchy
- Editorial principle (a second set of eyes)
- Principle of separation of functions
- Principle that tasks, competences and responsibilities should be located within the same entity
Risk treatment process
Risk -> risk and threat analysis -> actual risk position -> concept of measures (risk avoidance, preventive measures) -> approval of the Executive Board -> residual risk
- Insurance is only used in law-driven cases
- Usually there is no risk transfer
RMS at the Bundesbank: structure of the ORM template (diagram)
Communication of risks
Risk reporting within the business areas:
- Reports within the business area along the hierarchy
- Periodical reports (e.g. the daily report on market risks)
- Ad-hoc reporting if necessary: notification of loss, security-relevant matters, compliance, money laundering and corruption, major projects, ...
Centralised risk reporting:
- Centralised annual risk report
Communication of risks: centralised annual risk report
- Annual risk report according to the risk management framework
- The business areas have to review their risk assessments; the results are aggregated by the ERM Office
- Report to the Executive Board and feedback to the business areas
- The Executive Board decides whether additional mitigation measures should be taken
Monitoring of risks
- Monitoring is part of the internal supervision by the head of each unit
- No formal KRIs are in place and there is no centralised monitoring of KRIs
- Monitoring is the responsibility of the business areas
- The indicators used are mainly qualitative