Operational risk

Risk quantification, management and reporting

Operational risks vary in line with the underlying business activities and are generally function-dependent. They are therefore managed on a decentralised basis. The regular self-assessments are one instrument used to measure operational risk. All operational risks are continually monitored and loss incidents have to be reported immediately. The operational risks are valued and aggregated centrally by the Risk Management department to form the VaR indicator for operational risks.

Apart from the physical infrastructure (especially hardware), the system architecture (for example multi-tier server structure and software) is of special importance for comdirect. In general, both have built-in redundancy or have a modular structure in order to guarantee a constantly high level of availability for all the required systems and components. As part of business contingency planning for IT, external providers and their business contingency plans are also taken into consideration. In this connection, comdirect has formulated requirements with regard to availability and used them to check the business contingency measures of key service providers.

Organisational and technical measures serve to prevent or limit loss for all areas of operational risk. Organisational instructions, staff training, IT project and quality management as well as business continuity management should all be mentioned in this context. These risk mitigation measures are documented in comdirect’s risk manual.

Personnel risks are countered by implementing suitable measures to strengthen personnel commitment and provide professional development programmes (see Personnel report).

The Legal Services & Data Protection department at comdirect is responsible for preparing the company in advance for any legal changes. The department carefully follows relevant developments and, if necessary, identifies any impact they may have and promptly informs the divisions concerned. comdirect’s sources of information include the bank’s membership in the Association of German Banks (Bundesverband deutscher Banken e.V.), its general circulars and membership in the working group for direct banks, evaluation of trade magazines as well as its cooperation with the Group Legal department of Commerzbank AG.

Potential liability risks in financial advisory services are minimised through the documentation of advisory meetings and contractual regulations. We also use insurance on a targeted basis as an additional measure for minimising damages. Furthermore, the insurability of risks is regularly reviewed and rated economically.

Current risk situation

The VaR for operational risks (OpVaR) stood at €19.9m at the end of 2012, compared with €38.5m as of 31 December 2011. The number of misuse cases fell compared with financial year 2011; there were no major incidents. To further enhance our security standards, an SMS alert system for Visa card transactions was established in the financial year and the introduction of the photoTAN procedure prepared for 2013. There were no material legal risks. The same applies to IT risks: the systems and technical processes used by comdirect were once again very stable. As in the previous year, system availability averaged 99.9% for the year. Personnel risks in terms of ensuring the quality and quantity of personnel available increased against the backdrop of comdirect's continued growth course and the current labour market environment.