

Operational risk

Risk management, quantification and reporting

Operational risks vary in line with the underlying business activities and are generally function-dependent. They are therefore managed on a decentralised basis. The regular self-assessments are one instrument used to measure operational risk. All operational risks are continually monitored and loss incidents have to be reported immediately. The operational risks are valued and aggregated centrally by the Risk Management department to form the VaR indicator for operational risks.

Apart from the physical infrastructure (especially hardware), the system architecture (for example multi-tier server structure and software) is of special importance for the comdirect group. In general, both have built-in redundancy or have a modular structure in order to guarantee a constantly high level of availability for all the required systems and components. As part of business contingency planning for IT, external providers and their business contingency plans are also taken into consideration. In this connection, comdirect group has formulated requirements with regard to availability and used them to check the business contingency measures of key service providers.

Organisational and technical measures serve to prevent or limit loss for all areas of operational risk. Organisational instructions, staff training, IT project and quality management as well as business continuity management should all be mentioned in this context. These risk mitigation measures are documented in comdirect group’s risk manual.

Personnel risks are countered by implementing suitable measures to strengthen employee loyalty and provide professional development programmes (see Personnel report).

The Legal & Compliance department at comdirect bank is responsible for preparing the company in advance for any legal changes. The department carefully follows relevant developments and, if necessary, identifies any impact they may have and promptly informs the divisions concerned. comdirect bank AG’s sources of information include the bank’s membership in the Association of German Banks (Bundesverband deutscher Banken e.V.), its general circulars and membership in the working group for direct banks, reports in trade magazines as well as its cooperation with the Group Legal department of Commerzbank AG.

Potential liability risks in financial advisory services are minimised through the documentation of advisory meetings and contractual regulations. Insurance is also used on a targeted basis as an additional measure for minimising damages. Furthermore, the insurability of risks is regularly reviewed and rated economically.

Current risk situation

The VaR for operational risks (OpVaR) stood at €38.5m at the end of 2011 compared with €46.1m as of 31 December 2010. The switch to credit cards with an EMV chip and the “Verified by Visa” authentication procedure carried out in 2010 once again proved worthwhile in the reporting period. The number of credit card misuse cases fell compared with financial year 2010; there were no major incidents. In 2011 we further enhanced our security standards with the introduction of V PAY and mobileTAN (see B2C business line).

There were no material personnel risks or legal risks. The same applies to IT risks: the systems and technical processes used by comdirect were once again very stable. As in the previous year, system availability averaged 99.9% for the year.