MaRisk: The Pillars of Modern Banking Risk Management

The MaRisk (Minimum Requirements for Risk Management, Mindestanforderungen an das Risikomanagement) are administrative instructions issued by BaFin (Federal Financial Supervisory Authority) that apply to credit institutions and financial services institutions within the meaning of the German Banking Act (KWG). BaFin classifies them as norm-interpreting administrative regulations; in practice they are binding because they define the supervisory expectations against which institutions are audited.

MaRisk specify the requirements of the German Banking Act (KWG), particularly Section 25a KWG (proper business organisation), implement the qualitative Pillar 2 requirements of the Basel framework (supervisory review process, including the Internal Capital Adequacy Assessment Process, ICAAP), and translate these statutory duties into auditable and implementable requirements for governance, internal controls, and risk management (BaFin: Circular 06/2024 (BA) – MaRisk; Bundesbank: MaRisk overview page).

The Development of MaRisk

Since their initial publication in 2005, MaRisk have been amended several times to integrate new risk landscapes and EU guidelines. Current milestones include:

  • 7th Amendment (June 29, 2023, Circular 05/2023 (BA)): Strengthened requirements for credit processes (implementing the EBA guidelines on loan origination and monitoring) and introduced ESG risks as an explicit element of risk management.
  • 8th Amendment (May 29, 2024, Circular 06/2024 (BA)): Focused on implementing the EBA guidelines on Interest Rate Risk in the Banking Book (IRRBB) and Credit Spread Risk in the Banking Book (CSRBB).
  • MaRisk 2026: Industry associations and market observers expect further adjustments ("Ninth Amendment"). This is intended to reduce complexity and strengthen proportionality through a new classification of institutions.

Core Module AT 9: Outsourcing

AT 9 MaRisk regulates the outsourcing activities of credit institutions. The objective is to ensure that outsourced activities do not create uncontrollable risks and that the ability to steer, control, and audit remains intact at all times.

AT 9 is particularly relevant in practice because outsourcing in banking—especially IT and Cloud services—acts simultaneously as a risk driver and an efficiency lever.

AT 9 MaRisk requires, among other things:

  • The classification of outsourcing by materiality (in MaRisk terms "material outsourcing"; DORA uses the related notion of ICT services supporting "critical or important functions"), with the intensity of management and control measures scaled accordingly.
  • Risk-oriented due diligence reviews before concluding outsourcing agreements.
  • Compliance with mandatory minimum contract content, with a heavy focus on audit and access rights, sub-outsourcing, as well as exit and transition scenarios.
  • Maintaining a central and up-to-date outsourcing register, as well as ongoing monitoring of outsourced services using suitable KPIs and KRIs, along with regular reporting to senior management.

Interface with DORA (Digital Operational Resilience Act)

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been applicable EU-wide since January 17, 2025. It establishes a uniform framework for ICT risk management, ICT-related incident reporting, digital operational resilience testing, and the management of ICT third-party risk, with the goal of strengthening the digital resilience of financial entities.

DORA complements MaRisk. In practical terms, outsourcing and ICT controls must satisfy both sets of requirements: where the two overlap, DORA takes precedence for ICT third-party service arrangements, while AT 9 continues to govern outsourcing in general.

Practical Insight: AT 9 MaRisk does not itself prescribe technical access controls. In practice, however, supervisors and auditors expect robust evidence of who has access to which outsourced systems, how privileged accounts are managed, how strong authentication (including multi-factor authentication) is enforced, and how incidents are handled. Within ICT compliance this is usually delivered through an Identity and Access Management (IAM) system that enforces a documented role concept and provides the audit trail for user provisioning, authentication, and deprovisioning.

A typical audit point in the context of outsourcing and DORA is the review of privileged access: whether privileged accounts are inventoried, assigned to named owners, protected by strong authentication, and recertified regularly. Auditors increasingly measure this against Zero Trust principles (least privilege, continuous verification, no implicit trust based on network location), even though Zero Trust is an architectural model rather than an IAM standard.

Module AT 8 – Adaptation Processes

In addition to daily operations, MaRisk addresses the question: How does risk management remain effective when products, markets, and organizations change? This is exactly what AT 8 (Adaptation Processes) covers:

  • AT 8.1 (New Product Process, NPP): Before taking up activities in new products or new markets, a structured risk analysis involving the relevant functions (Risk Controlling, Compliance, and Internal Audit within the scope of its duties) and a documented approval are required.
  • AT 8.2 (Changes to Operational Processes or Structures): Before significant organisational or IT-related changes, the impact on the control environment and risk structures must be analysed and documented.
  • AT 8.3 (Acquisitions and Mergers): The same principle applies to acquisitions and mergers, for which a risk analysis covering the effects on the institution's risk profile and organisation is required.

Best Practices for Implementation

Experience in MaRisk implementation projects shows that formal rulebooks alone are insufficient. The decisive factor is a consistent, practical integration of the requirements.

1. Clearly Structure Governance – "Three Lines of Defense (TLoD)"

Robust governance is the foundation of any MaRisk-compliant organization. The TLoD model has proven effective:

  • First Line: Business units responsible for operational risks.
  • Second Line: Risk Management, Compliance, and Information Security (oversight and control).
  • Third Line: Internal Audit (independent testing).

2. Manage Outsourcing Systematically and Scalably

Outsourcing is one of the most audit-intensive MaRisk topics. Best practice involves the "industrialization" of outsourcing management to ensure quality:

  • Standardized risk analysis templates.
  • Predefined contractual modules (audit rights, exit clauses).
  • Exit exercises to critically test actual recoverability.

3. Establish Identity & Access Controls as Audit Anchors

In MaRisk audits, identity and access controls play a central role. They are considered highly revealing because they sit at the intersection of governance (who approved the access), IT security (how it is enforced), and operational execution (whether the live system matches the approved state). Key measures include Privileged Access Management (PAM), a role-based authorisation concept, and periodic recertification that reconciles actual entitlements against that concept.
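To show what the "audit evidence" mentioned in the Practical Insight above and in this section looks like in practice, the following added example (not part of the original article and not a BaFin or MaRisk artefact) reconciles an account export against a role concept and reports the findings an auditor typically asks for: privileged accounts without MFA or a named owner, segregation-of-duties conflicts, entitlements granted outside the role concept, and overdue recertification. The role names, entitlements, accounts, and review date are constructed sample data and are assumptions of the example.

```python
"""Access-review reconciliation check.

Added illustrative example; the role concept, entitlement names, accounts
and review date below are constructed sample data, not a real institution's.
"""
from dataclasses import dataclass
from datetime import date

# Assumed role concept: role -> entitlements it is allowed to convey.
ROLE_CONCEPT = {
    "payments_clerk": {"pay.create"},
    "payments_approver": {"pay.approve"},
    "db_admin": {"db.root", "host.sudo"},
}
# Entitlements treated as privileged (assumption for the example).
PRIVILEGED = {"db.root", "host.sudo"}
# Entitlement combinations that a single account must never hold.
SOD_CONFLICTS = [frozenset({"pay.create", "pay.approve"})]
# Recertification interval: a review older than this is a finding.
MAX_REVIEW_AGE_DAYS = 365


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset          # roles assigned in the IAM system
    direct_grants: frozenset  # entitlements granted outside any role
    mfa: bool                 # strong authentication enforced?
    owner: str                # accountable owner ("" if none recorded)
    last_review: date         # date of last access recertification


def effective_entitlements(acct: Account) -> set:
    """Union of role-derived entitlements and direct grants."""
    ents = set(acct.direct_grants)
    for role in acct.roles:
        ents |= ROLE_CONCEPT.get(role, set())
    return ents


def review_account(acct: Account, today: date) -> list:
    """Return (finding_code, detail) tuples for one account."""
    findings = []
    ents = effective_entitlements(acct)
    privileged = ents & PRIVILEGED

    unknown_roles = acct.roles - set(ROLE_CONCEPT)
    if unknown_roles:
        findings.append(("ROLE_UNKNOWN", sorted(unknown_roles)))
    if acct.direct_grants:
        findings.append(("GRANT_OUTSIDE_ROLE", sorted(acct.direct_grants)))
    if privileged and not acct.mfa:
        findings.append(("PRIV_NO_MFA", sorted(privileged)))
    if privileged and not acct.owner:
        findings.append(("PRIV_NO_OWNER", acct.user))
    for conflict in SOD_CONFLICTS:
        if conflict <= ents:
            findings.append(("SOD_CONFLICT", sorted(conflict)))
    if (today - acct.last_review).days > MAX_REVIEW_AGE_DAYS:
        findings.append(("REVIEW_OVERDUE", acct.last_review.isoformat()))
    return findings


def run_review(accounts, today: date) -> dict:
    """Map each user with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.user] = findings
    return report


# Constructed account export (sample data).
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"payments_clerk"}), frozenset(),
            True, "alice", date(2025, 6, 1)),
    Account("bob", frozenset({"payments_clerk", "payments_approver"}),
            frozenset(), True, "bob", date(2025, 7, 1)),
    Account("svc-backup", frozenset({"db_admin"}), frozenset(),
            False, "", date(2024, 1, 15)),
    Account("carol", frozenset({"legacy_ops"}), frozenset({"host.sudo"}),
            True, "it-ops", date(2025, 8, 1)),
]
REVIEW_DATE = date(2025, 9, 1)  # constructed review date

if __name__ == "__main__":
    for user, findings in run_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        for code, detail in findings:
            print(f"{user}: {code} {detail}")
```

The value of such a check for an audit is not the script itself but that it turns the role concept into a testable artefact: every finding maps to a question an auditor will ask (privileged account without owner, approval rights combined with creation rights, entitlement outside the concept), and running it on a schedule produces dated evidence for the recertification process.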

4. Anchor Monitoring and Training

Institutions should establish structured Regulatory Monitoring to identify changes early. Equally important is awareness: departments must understand why requirements exist so that MaRisk compliance does not degrade into mere "paper compliance."

Conclusion: MaRisk as a Framework for Digital Resilience

The MaRisk guidelines form the central regulatory framework for German banking risk management. Their practical importance continues to grow with increasing outsourcing, cloud usage, and the DORA regime. Institutions that manage outsourcing according to AT 9, document adaptation processes per AT 8, and anchor technical controls within an overarching governance structure will strengthen their operational resilience and audit readiness.