Operational risk - VP Bank annual report 2025

6. Operational risk

While financial risks are deliberately assumed in order to earn income, operational risks should be avoided by suitable controls and measures or, if this is impossible, should be reduced to a level set by the bank.

There is a wide variety of causes for operational risks. People make mistakes, third parties fail to provide the agreed service, external risks affect the bank or business processes do not work. It is therefore necessary to determine the factors which trigger important risk events and their impact in order to avoid or at least contain them with suitable preventive measures.

The management of operational risks is understood at VP Bank to be an integral cross-divisional function which is to be implemented across all business units and processes on a uniform group-wide basis. The following methods are used:

The internal control system of VP Bank encompasses all process-integrated and process-independent measures, functions and controls which assure the orderly conduct of business operations.
Early-warning indicators are used to recognise potential losses in a timely manner and to ensure that enough time still remains for the planning and realisation of countermeasures.
Significant loss occurrences are recorded systematically and are then evaluated centrally. The findings from the collection of loss data are integrated directly into the risk management process.
Operational risks are assessed on a top-down and bottom-up basis within the framework of annual group-wide non-financial risk assessments. Based on these assessments, Group Executive Management decides how to deal with the identified risks and, if necessary, determines proactive risk-reducing measures.

The Group Operational Risk & Methodology unit, as a part of Group Compliance & Operational Risk, is responsible for the group-wide implementation, monitoring and further development of the methods and tools used to manage operational risks.

Each person in a management position is responsible for identification and evaluation of operational risks as well as for definition and performance of key controls and measures to contain risks.

Controls are periodically assessed for adequacy and effectiveness. The current operational risk situation is reported to the Executive Board and the Board of Directors on a quarterly basis.

Operational resilience and business continuity management (BCM) are a further important sub-area of operational risk management. Operational resilience refers to the ability of the institution to hedge its critical functions against potential attacks, failures and impairments and to be able to restore them in the event of interruptions. BCM refers to a management method that uses a life cycle model to ensure the continuation of business activities under crisis conditions or at least under unpredictably difficult conditions. The objective of BCM is to systematically prepare for and test the management of extraordinary loss events, so that even in critical situations and emergencies, important processes are not interrupted or only temporarily interrupted and the economic existence of the business remains secure in spite of a loss event. For this purpose, the Board of Directors of VP Bank has clearly defined the duties, powers and responsibilities in connection with operational resilience and BCM. The group-wide crisis organisation is an integral part of VP Bank and becomes operative as soon as a business-critical loss event occurs or a corresponding situation is threatened. The members of the crisis organisation are regularly trained.