3. Organisation of capital, liquidity and risk management
Risk taxonomy
The prerequisite for risk management and the management of equity resources of VP Bank is the identification of all significant risks and their aggregation to an overall bank risk exposure.
Significant risks are identified based on the business model and related offerings of financial products and services of VP Bank.
The following chart provides an overview of the risks to which VP Bank is exposed in the context of its business activities. These are allocated to the risk groups of strategic and business risks, financial risks, non-financial risks (operational risks, compliance risks and information security risks) and reputational risks.
Strategic and business risks encompass the risk of a potential decline in profitability as a result of an inadequate corporate orientation in relation to the market environment (political, economic, social, technological, ecological, legal) and can arise from unsuitable strategic positioning or the absence of effective countermeasures in case of changes. This includes the risk that the attractiveness of location-related factors recedes or the significance and/or weighting of individual business areas undergo change by virtue of external framework conditions. It also includes the risk that the launch of new products, the distribution of existing products, market access or the conduct of business will be rendered difficult or impossible by regulations or will entail disproportionately high costs or be unprofitable. Finally, adverse developments may arise in connection with target markets as a result of political or geopolitical influences.
Financial risks (liquidity risk, market risk, non-traditional asset risk and credit risk) are deliberately entered into in order to generate income or to safeguard business policy interests.
Liquidity risks comprise market liquidity risk and idiosyncratic liquidity risk. In the case of market liquidity risk, the risk lies in the fact that the bank may be unable to procure the required liquidity due to market distortions on the money or capital markets or can do so only on inadequate terms and conditions. For example, the market for securities, which can normally be sold at market value, might not be sufficiently liquid, or the interbank market might not be available, or only to a limited extent, for short-term liquidity procurement. Idiosyncratic liquidity risk, on the other hand, represents the risk that the bank may not be able to procure liquidity for VP Bank-specific reasons or can do so only on inadequate terms and conditions.
Market risk refers to the risk of potential present value losses in the banking and trading book that emerge due to unfavourable changes in market prices (interest rates, foreign exchange rates, share prices, commodity prices, credit spreads) or other price-influencing parameters such as volatility.
Credit risk includes default/creditworthiness, liquidation, counterparty, country and idiosyncratic risks. Default risk refers to the risk of a financial loss which may occur following the default of a debtor or loan collateral. Liquidation risks include potential losses incurred by the bank not due to the debtors themselves, but due to a lack of opportunities to liquidate collateral. Counterparty risk refers to the risk of financial loss resulting from the default of a counterparty in a derivative transaction or from non-performance by a counterparty (settlement risk). Country risk is a result of uncertain political, economic or social conditions as well as payment transaction restrictions in the risk domicile (so-called transfer risks). Idiosyncratic risks include potential losses incurred by the bank from a lack of diversification in the loan portfolio (concentrations in debtors and/or collateral).
Non-traditional asset risks result from alternative investments that cannot be allocated to traditional asset classes, such as equities, bonds or money market products, and are subject to other risk drivers. This category includes, for example, investments in private debt, private equity, real estate (securitised), infrastructure projects and other investment opportunities outside the traditional investment spectrum.
Operational risk is the risk of incurring losses or loss of profit arising from the inappropriateness or failure of internal procedures, individuals or systems, or as a result of external events. These are to be avoided by appropriate controls and measures before they materialise or, if that is not possible, be reduced to a level set by the bank. Operational risk can also arise in all organisational units of the bank, whereas financial risk can only arise in risk-taking units.
Compliance risk is understood to be breaches of statutory and regulatory provisions that can cause significant damage to VP Bank’s reputation or result in sanctions, fines or even in the bank’s licence being withdrawn. VP Bank's compliance risks consist in particular of the fact that VP Bank does not or does not sufficiently recognise the compliance risks of its clients and counterparties, such as money laundering or other illegal client activities, and has not established suitable monitoring and control processes for identifying, managing and limiting cross-border compliance risks as well as tax and investment compliance risks.
Information security risk (including cyber risk) refers to the circumstances in which inappropriate infrastructure design or infrastructure failure results in losses, or to the risk, in an information technology context, of sophisticated and targeted attacks that are difficult to detect and defend against. From the perspective of data security, there is a risk for VP Bank that failure to adhere to national and international data protection requirements will result in financial and reputational losses, as well as having legal consequences.
ESG and climate-related financial risks represent the risk of negative economic impacts for VP Bank that may arise from environmental, social or governance factors. Climate-related financial risks are part of environmental risks and arise from the effects of climate change and measures to decarbonise the economy.
Reputational risk describes the risk that the confidence of employees, clients, shareholders, regulatory authorities or the public is weakened and the public image and/or reputation of the bank is impaired as a result of other types of risk or through various events. It can manifest itself in the bank suffering monetary losses, a decline in earnings or liquidity shortages.
Duties, powers and responsibilities
The chart (→ above graphic) shows the key duties, powers and responsibilities of the bodies, organisational units and committees involved in the risk management process. The roles and structures of risk steering and risk monitoring are separated, which avoids conflicts of interest between the risk-taking and monitoring units. Management, monitoring and verification of risks take place over three lines of defence:
- First line of defence: risk steering
- Second line of defence: risk monitoring
- Third line of defence: internal audit
The Board of Directors bears overall responsibility for capital, liquidity and risk management within the Group. Its remit is to establish and maintain an appropriate structure of business processes and organisation as well as an internal control system (ICS) for an effective and efficient management of capital, liquidity and risk, thereby ensuring the risk-bearing capacity of the bank on a sustainable basis. The Board of Directors defines and approves the risk tolerance, the risk policy and the risk strategies. It monitors their implementation, sets the risk tolerance at Group level and establishes the target values and limits for the management of equity resources, liquidity and risk. In assuming these tasks, the Board of Directors is assisted by the Risk Committee.
In addition, the Board of Directors receives reports from the internal auditors and the external auditors on all exceptional and material incidents, including significant losses or serious disciplinary errors. In assuming this task, the Board of Directors is supported by the Audit Committee.
Group Internal Audit is responsible for the internal audit function within VP Bank Group. Organisationally, it forms an autonomous organisational unit which is independent of operations and is responsible for the periodic audit of structures and processes of relevance in connection with the risk policy as well as compliance with applicable requirements.
Group Executive Management is responsible for the implementation of and compliance with the risk policy approved by the Board of Directors. One of its central tasks is to ensure the functional capability of the risk management process and the internal control system (ICS). Furthermore, it is responsible for the composition and assignment of duties, responsibilities and competencies of the Asset & Liability Committee, the allocation of objectives and limits set by the Board of Directors to the individual subsidiary companies as well as the group-wide management of strategy, business, financial, compliance, operational and reputational risk.
The Asset Liability Committee (ALCO) is responsible for risk- and return-oriented balance sheet management as well as for the management of financial risks in compliance with the relevant statutory and regulatory provisions. It assesses the Group’s situation with respect to financial risks and initiates remedial steering measures whenever necessary.
The Group Operational Risk Committee (ORC) manages all operational risks and information security risks (including cyber risks). The Group Operational Risk Committee is responsible for the identification, assessment, management, monitoring and reporting of operational risks and information security risks (including cyber risks) of VP Bank Group.
The Group Credit Committee (GCC) is responsible for the management of credit risks. This includes in particular the assessment and approval of credit applications within the scope of delegated powers.
The Group Reputational Risk Committee (GRRC) decides on client relationships which could represent a material reputational risk for VP Bank Group.
Group Treasury & Execution bears the responsibility for the steering and management of financial risks within the objectives and limits laid down by the Board of Directors and Group Executive Management. This is done while also taking into account the Group’s risk-bearing capacity, as well as its compliance with statutory and regulatory provisions.
Group Credit Consulting is responsible as the first line of defence for credit risk structuring and assessment of all credit applications at group level, as well as for the monitoring process of credit exposure on the individual loan level with regard to cover and limits. Group Credit Consulting is represented by units in all Group locations. For non-standard credit applications, Group Credit Risk reviews the risk analysis initially prepared by Group Risk Consulting. In addition, the unit approves loans on its own authority or forwards them to the relevant competence centres for assessment.
The Chief Risk Officer heads the risk management function and is responsible within Group Executive Management for the independent risk monitoring of VP Bank Group and the individual group companies. The Chief Risk Officer ensures that existing legal, regulatory and internal bank regulations on risk management are complied with and that new regulations on risk management are implemented.
Group Credit Risk is responsible as the second line of defence for assessing the credit risk of the Group's largest individual credit exposures. This applies to all credit exposures that exceed the authority of Group Credit Consulting and, based on defined risk criteria, trigger an additional credit assessment by the second line of defence. The unit is also responsible for all material credit risk standards of the VP Bank Group and their IT implementation. These include all guidelines, risk concepts, the lending methodology and its underlying lending parameters. Furthermore, Group Credit Risk, in close cooperation with Group Financial Risk, regularly prepares credit risk reports for the attention of Group Executive Management and the Board of Directors. Group Credit Consulting and Group Credit Risk also initiate and support all development projects related to VP Bank Group's lending business, including regulatory projects.
Group Financial Risk is responsible as the second line of defence for the independent monitoring of financial risks (market risks, risks from non-traditional investments, liquidity risks and credit risks from a portfolio perspective). It is responsible for defining and assessing risk methods and models for financial risks, reporting on these risks, and monitoring economic risk-bearing capacity.
Group Compliance & Operational Risk is responsible as the second line of defence for the independent monitoring of operational and compliance risks. In addition, risk inventory and related risk reporting fall within its area of responsibility.
Group Information Security is responsible as the second line of defence for the independent monitoring of cyber and information security risks. Its tasks include defining security guidelines, conducting IT risk analyses, monitoring IT and cyber security incidents, and reporting on risks within its area of responsibility.
The responsible departments are regularly informed by the Chief Risk Officer's office about the risk situation, developments and compliance with limits through risk reports.
Process monitoring / Group Internal Audit
Process to ensure risk-bearing capacity
The primary objective of the ICAAP and ILAAP is to comply with the regulatory requirements in order to assure continuation of the bank as a going concern. The risks of banking operations are to be borne by the available risk coverage potential. The components of the risk management process established at VP Bank for all material risks are explained below:
- Determination of the risk strategies: The risk strategies for each risk group (strategic and business risks, financial risk as well as non-financial risks) are derived from the business strategy of VP Bank and provide the framework conditions for risk management of the respective types of risk. The risk policy represents the basic framework for the individual risk strategies.
- Determining the risk coverage potential and setting the risk tolerance: In the risk-bearing capacity calculation, a distinction must be made between a regulatory and a value-oriented perspective. With both perspectives, the identification of the risk-bearing capacity is based on consideration of appropriate risk buffers. On the basis of the risk-bearing capacity calculation, the Board of Directors determines the limits and objectives for a rolling risk horizon of one year. All significant risks and the available risk coverage potential are compared with each other (risk-bearing capacity).
- Risk identification (risk inventory): With the annual risk inventory to be undertaken as part of the review of the framework and risk strategies, it is ensured that all significant risks of the Group (quantifiable, not quantifiable or difficult to quantify) are identified. The analysis is carried out on a top-down and/or bottom-up basis using both quantitative and qualitative criteria. Significant risks are integrated fully into the risk management process and backed by risk capital. Insignificant risks are reviewed and monitored at least annually within the scope of the risk inventory. As part of the risk inventory, potential risk concentrations in all significant risk types are evaluated.
- Risk measurement: From a regulatory perspective, risk-bearing capacity is assessed on the basis of eligible capital and regulatory capital. From a value-oriented perspective, risk-bearing capacity is determined by the present value of equity, taking into account operating costs, a buffer for other risks and the economic capital requirement. To determine the economic capital requirement, all risk types classified as material in VP Bank's annual risk inventory are taken into account and possible unexpected losses in value are considered. To determine the economic capital requirement, all material risks are aggregated into an overall risk assessment.
- Assessment of risk-bearing capacity: Risk-bearing capacity is given when the existing risk coverage potential is greater than the risks incurred at any given time. Early warning levels enable early course correction to ensure that the bank's continued existence is not jeopardised.
- Risk steering encompasses all measures on all organisational levels to actively influence the bank’s risks identified as being significant. In this respect, the objective is the optimisation of the risk return ratio within the limits and objectives set by the Board of Directors and Group Executive Management to ensure the risk-bearing capacity of the Group while also complying with statutory and legal supervisory provisions. Risk management is performed at strategic as well as operating levels. Based upon the juxtaposition of risks and limits on the one hand, as well as of regulatory and economically required capital and risk coverage potential on the other, countermeasures are taken in case of a negative variance.
- Independent risk monitoring (control and reporting to Group Executive Management and the Board of Directors): Risk steering is accompanied by comprehensive risk monitoring, which is functionally and organisationally independent of risk steering. Risk monitoring covers control and reporting. As part of the monitoring of financial risks, steering impulses can be derived from a routine target-to-actual comparison. The target is derived from the limits and objectives set, as well as from legal and supervisory-law provisions. For review of the extent to which limits are used (actual), early-warning stages are also deployed in order to take timely steering measures for any risks before they materialise.
As non-financial risks can also arise as a result of internal control gaps in the course of ongoing business activities, key controls for significant risks are audited by the respective manager in all organisational units of VP Bank.
From a risk-monitoring perspective, risk-based checks for compliance and operational risks are carried out on an ongoing basis by Group Compliance & Operational Risk, while the respective business units are responsible for management of compliance and operational risks.
Reputational risks can result from financial risks, non-financial risks (operational risks, compliance risks, information security risks (including cyber)), ESG risks, and strategy and business risks. Strategy and business risks, as well as any reputational risks, are handled by Group Executive Management.
The results of the controls are regularly prepared in a transparent manner as part of the reporting process. The preparation takes place ex ante for decision-making purposes, ex post for control purposes – in particular to analyse any deviations from the planned figures – and ad hoc in the event of sudden and unexpected risks.
The process of ensuring the risk-bearing capacity of VP Bank Group is presented in the figure on the previous page.