Barclays risk management strategy
Barclays has clear risk management objectives and a well-established strategy to deliver them, through core risk management processes.
At a strategic level, our risk management objectives are:
- To identify the Group’s significant risks.
- To formulate the Group’s Risk Appetite and ensure that business profile and plans are consistent with it.
- To optimise risk/return decisions by taking them as closely as possible
to the business, while establishing strong and independent review and challenge structures.
- To ensure that business growth plans are properly supported by effective risk infrastructure.
- To manage risk profile to ensure that specific financial deliverables remain possible under a range of adverse business conditions.
- To help executives improve the control and co-ordination of risk taking across the business.
The Group’s approach is to provide direction on: understanding the principal risks to achieving Group strategy; establishing Risk Appetite; and establishing and communicating the risk management framework. The process is then broken down into five steps: identify, assess, control, report, and manage/challenge. Each of these steps is broken down further, to establish end to end activities within the risk management process and the infrastructure needed to support it (see panel below). The Group’s risk management strategy is broadly unchanged from 2009.
Responsibility for risk management resides at all levels within the Group, from the Board and the Executive Committee down through the organisation to each business manager and risk specialist. Barclays distributes these responsibilities so that risk/return decisions are taken at the most appropriate level; as close as possible to the business, and subject to robust and effective review and challenge. The responsibilities for effective review and challenges reside with senior managers, risk oversight committees, Barclays Internal Audit, the independent Group Risk function, the Board Risk Committee and, ultimately, the Board.
The Board is responsible for approving Risk Appetite, which is the level of risk the Group chooses to take in pursuit of its business objectives. The Chief Risk Officer regularly presents a report to the Board summarising developments in the risk environment and performance trends in the key portfolios. The Board is also responsible for the Internal Control and Assurance Framework (Group Control Framework). It oversees the management of the most significant risks through the regular review of risk exposures and related key controls. Executive management responsibilities relating to this are set via the Group’s Principal Risks Policy.
The Board Risk Committee (BRC) monitors the Group’s risk profile against the agreed appetite. Where actual performance differs from expectations, the actions being taken by management are reviewed to ensure that the BRC is comfortable with them. After each meeting, the Chair of the BRC prepares a report for the next meeting of the Board. Barclays first established a separate Board Risk Committee in 1999 and all members are non-executive directors. The Finance Director and the Chief Risk Officer attend each meeting as a matter of course and the Chief Risk Officer has a dotted reporting line to the Chair. The BRC receives regular and comprehensive reports on risk methodologies and the Group’s risk profile including the key issues affecting each business portfolio and forward risk trends. The Committee also commissions in-depth analyses of significant risk topics, which are presented by the Chief Risk Officer or senior risk managers in the businesses. The Chair of the Committee prepares a statement each year on its activities (see Board Risk Committee Chairman's report).
- Establish the process for identifying and understanding business-level risks.
- Agree and implement measurement and reporting standards and methodologies.
- Establish key control processes and practices, including limit structures,
impairment allowance criteria and reporting requirements.
- Monitor the operation of the controls and adherence to risk direction and limits.
- Provide early warning of control or appetite breaches.
- Ensure that risk management practices and conditions are appropriate for the
- Interpret and report on risk exposures, concentrations and risk-taking outcomes.
- Interpret and report on sensitivities and Key Risk Indicators.
- Communicate with external parties.
|Manage and Challenge
- Review and challenge all aspects of the Group's risk profile.
- Assess new risk-return opportunities.
- Advise on optimising the Group's risk profile.
- Review and challenge risk management practices.
The Board Audit Committee receives quarterly reports on control issues of significance and a half-yearly review of the adequacy of impairment allowances, which it reviews relative to the risk inherent in the portfolios, the business environment, the Group’s policies and methodologies and the performance trends of peer banks. The Chair of the Board Audit Committee also sits on the Board Risk Committee. See Board Audit Committee Chairman's report for additional details on the membership and activities of the Board Audit Committee.
The Board Remuneration Committee receives advice from the Board Risk Committee on the management of remuneration risk, including advice on the setting of performance objectives in the context of incentive packages.
Summaries of the relevant business, professional and risk management experience of the Directors of the Board are given in Leadership and Governance. The terms of reference for each of the principal Board Committees are available from the Corporate Governance section at: www.aboutbarclays.com.
The Chief Risk Officer is a member of the Executive Committee and has overall day to day accountability for risk management under delegated authority from the Finance Director. The Finance Director must consult the Chairman of the Board Risk Committee in respect of the Chief Risk Officer’s performance appraisal and compensation as well as all appointments to or departures from the role.
Governance structure at Group level
The Chief Risk Officer manages the independent Group Risk function and chairs the Group Risk Oversight Committee, which monitors the Group’s risk profile relative to established risk appetite. Reporting to the Chief Risk Officer, and working in the Group Risk function, are risk-type heads for: retail credit risk, wholesale credit risk, market risk, operational risk, financial crime risk and capital demand. Along with their teams, the risk-type heads are responsible for establishing a Group wide framework for risk control framework and oversight. These risk-type teams liaise with each business as part of the monitoring and management processes.
In addition, each business unit has an embedded risk management function, headed by a business risk director. Business risk directors and their teams are responsible for assisting business heads in the identification and management of their business risk profiles and for implementing appropriate controls. These teams also assist Group Risk in the formulation of Group policies and their implementation across the businesses. The business risk directors report jointly to their respective business heads and to the Chief Risk Officer.
The risk type heads within the central Group Risk function and the business risk directors within the business units report to the Chief Risk Officer and are members of the Group Risk Oversight Committee.
Further details on the management of each of the principal risks.
Internal Audit is responsible for the independent review of risk management and the control environment. Its objective is to provide reliable, valued and timely assurance to the Board and Executive Management over the effectiveness of controls, mitigating current and evolving high risks and in so doing enhancing the controls culture within the Group. The Board Audit Committee reviews and approves Internal Audit’s plans and resources, and evaluates the effectiveness of Internal Audit.
An assessment by external advisers is also carried out periodically.
Governance structure by key risk type
- Reporting lines effective from January 2011, previously reported to the Group Finance Director.
In addition to the Committees shown in the chart, there is a Brand and Reputation Committee reviewing emerging issues with potentially significant reputational impact.
Risk management responsibilities are laid out in the Principal Risks Policy, which covers the categories of risk in which the Group has its most significant actual or potential risk exposures.
The Principal Risks Framework:
- creates clear ownership and accountability;
- ensures the Group’s most significant risk exposures are understood and managed in accordance with agreed risk appetite (for financial risks) and risk tolerances (for non-financial risks); and
- ensures regular reporting of both risk exposures and the operating effectiveness of controls.
Each of the Principal Risks is owned by a senior individual within Barclays, known as the Group Principal Risk Owner (GPRO). The GPRO is required to document, communicate and maintain a risk control framework which makes clear the mandated control requirements in managing exposures to that Principal Risk, for every business across the firm.
These control requirements are given further specification, according to the business unit or risk type, to provide a complete and appropriate system of internal control.
Business unit and Group centre function heads are responsible for obtaining ongoing assurance that the controls they have put in place to manage the risks to their business objectives are operating effectively. Six-monthly reviews support the regulatory requirement for the Group to make a statement about its system of internal controls (the ‘Turnbull’ statement), in the Annual Report and Accounts.
GPROs report their assessments of the risk exposure and control effectiveness to Group-level oversight committees. Their assessments form the basis of the reports that go to the Board Risk Committee.
Risk Appetite is defined as the level of risk that Barclays is prepared to sustain whilst pursuing its business strategy, recognising a range of possible outcomes as business plans are implemented. Barclays framework combines a top-down view of its capacity to take risk with a bottom-up view of the business risk profile associated with each business area’s medium term plans. The appetite is ultimately approved by the Board.
The Risk Appetite framework consists of two elements: ‘Financial Volatility’ and ‘Mandate & Scale’.
Taken as a whole, the Risk Appetite framework provides a basis for the allocation of risk capacity across Barclays Group.
Financial Volatility is defined as the level of potential deviation from expected financial performance that Barclays is prepared to sustain at relevant points on the risk profile.
The Board sets the Group’s financial volatility risk appetite in terms of broad financial objectives (ie ‘top down’) on through the cycle, 1 in 7 and 1 in 25 severity levels. The Group’s risk profile is assessed via a ‘bottom-up’ analysis of the Group’s business plans to establish the financial volatility. If the projections entail too high a level of risk (i.e breach the top-down financial objectives at the through the cycle, 1 in 7 or 1 in 25 level), management will challenge each area to rebalance the risk profile to bring the bottom-up risk appetite back within top-down appetite. Performance against Risk Appetite usage is measured and reported to the Executive Committee and the Board regularly throughout the year.
To measure the risk entailed by the business plans, management estimates the potential earnings volatility from different businesses under various scenarios, represented by severity levels:
- expected loss: the average losses based on measurements over many years
- 1 in 7 (moderate) loss: the worst level of losses out of a random sample of 7 years
- 1 in 25 (severe) loss: the worst level of losses out of a random sample of 25 years
Risk Appetite concepts (diagram not to scale)
These potentially larger but increasingly less likely levels of loss are illustrated in the Risk Appetite concepts chart above. Since the level of loss at any given probability is dependent on the portfolio of exposures in each business, the statistical measurement for each key risk category gives the Group clearer sight and better control of risk-taking throughout the enterprise. Specifically, Barclays believes that this framework enables it to:
- Improve management confidence and debate regarding the Group’s risk profile
- Re-balance the risk profile of the medium-term plan where breaches are indicated, thereby achieving a superior risk-return profile
- Identify unused risk capacity, and thus highlight the need to identify further profitable opportunities
- Improve executive management control and co-ordination of risk-taking across businesses
Mandate & Scale
The second element to the setting of risk appetite in Barclays is an extensive system of Mandate & Scale limits, which is a risk management approach that seeks to formally review and control business activities to ensure that they are within Barclays mandate (i.e. aligned to the expectations of external stakeholders), and are of an appropriate scale (relative to the risk and reward of the underlying activities). Barclays achieves this by using limits and triggers to avoid concentrations which would be out of line with external expectations, and which may lead to unexpected losses of a scale that would be detrimental to the stability of the relevant business line or of the Group. These limits are set by the independent Risk function, formally monitored each month and subject to Board-level oversight.
For example, in our commercial property finance portfolios, a comprehensive series of limits are in place to control exposure within each business and geographic sector. To ensure that limits are aligned to the underlying risk characteristics, the Mandate & Scale limits differentiate between types of exposure. There are, for example, individual limits for property investment and property development and for senior and subordinated lending. Since the onset of the global economic downturn, these limits have been reduced significantly and the frequency of review has been increased. The Group’s exposure to Ireland has been restricted through the recent reduction in Mandate & Scale limits.
Barclays uses the Mandate & Scale framework to:
- Limit concentration risk
- Keep business activities within Group and individual business mandate
- Ensure activities remain of an appropriate scale relative to the underlying risk and reward
- Ensure risk-taking is supported by appropriate expertise and capabilities
As well as Group-level Mandate & Scale limits, further limits are set by risk managers within each business unit, covering particular portfolios.
Risk Appetite and Stress Testing
Stress testing occurs throughout the Bank and it helps to ensure that our medium term plan has sufficient flexibility to remain appropriate over a multi-year time horizon during times of stress.
Stress testing allows us to analyse a specific potential economic scenario or event using defined macro and market based parameters. The results of a stress test, whether at a Group or business level, will produce an output which could be compared to a point in the curve of our Financial Volatility based statistical outcomes, although stress tests are scenario based and as such are not calibrated to a specific confidence level.
Given that the stress testing, Risk Appetite, and medium term planning timelines are all aligned, the outputs of stresses are used by risk functions throughout the Group to inform Risk Appetite (particularly at a business level). The outputs of stresses also feed into the setting of Mandate & Scale limits. For example, via the use of primary and secondary stresses in Market Risk, we identify and limit the scale of risks that DVaR would not automatically capture.
Reverse stress testing also supports our Risk Appetite framework. Reverse stress testing starts with defining a worst case set of metrics and deduces a scenario that could theoretically cause that situation to occur. This will help to ensure that we understand the tail risks across our books and explain what would have to happen to generate a change in strategy. Group reverse stress testing also identifies risks that in one business alone would not have been sufficient to be a critical event, thereby complementing the Financial Volatility and Mandate & Scale processes.
Further information on stress testing.
Modelling of risk
Barclays makes extensive use of quantitative estimates of the risks it takes in the course of its business. Risk models are used in a wide range of decisions, from credit grading, pricing and approval to portfolio management, risk appetite setting, economic capital allocation and regulatory capital calculations. The types of risks that are covered by such models include credit, market and operational risks.
The Group has a wide range of models in use, covering estimations of Probability of Default (PD), Exposure at Default (EAD) and Loss Given Default, (LGD) as well as many other types of risk besides credit risk. The models are developed and owned by each business unit. To minimise the risk of loss through model failure, the Group Model Risk Policy (GMRP) was developed. It is managed by the independent Group Risk function and is reviewed annually.
The GMRP helps reduce the potential for model failure by setting Group wide minimum standards for the model development and implementation process. The GMRP also sets the governance processes for models across the Group, which allows model performance and risk to be monitored, and seeks to identify and escalate any potential problems at an early stage.
To ensure that the governance process is effective, and that management time is focused on the more material models, each model is provided with a materiality rating. The GMRP defines the materiality ranges for all model types, based on an assessment of the impact to the Group in the event of a model error. The final level of model sign-off is based on materiality, with all of a business unit’s models initially being approved in business unit committees. The more material models are also approved at the Group Material Models Technical Committee, and the most material models require further approval by the Executive Models Committee, a sub-committee of Group Executive Committee. This process ensures that the most significant models are subject to the most rigorous review, and that senior management has a good understanding of the most material models in the Group. Although the final level of model sign-off will vary, depending on model materiality, the standards required by the GMRP do not change with the materiality level.
The GMRP also sets detailed standards that a model must meet during development and subsequent use. For new models, documentation must be sufficiently detailed to allow an expert to understand all aspects of model development such that they could reproduce the model. It must include a description of the data used for model development, the methodology used (and the rationale for choosing such a methodology), a description of any assumptions made, and details of the strengths and weaknesses of the model.
All new models are subject to validation and independent review before they can be signed off for implementation. The model validation exercise must demonstrate that the model is fit for purpose and provides accurate estimates. The independent review ensures that the model development has followed a robust process and that the standards of the GMRP have been met, as well as ensuring that the model satisfies business and regulatory requirements. In addition, the most material models are subject to independent review by Group Risk. Once implemented, all models are subject to post-implementation review. This confirms that the model has been implemented correctly and behaves as predicted.
The GMRP also sets the requirements for ongoing performance monitoring and the annual review process. Once implemented, all models within the Group are subject to ongoing performance monitoring to ensure that any deficiencies are identified early, and that remedial action can be taken before the decision-making process is affected. As part of this process, model owners set performance triggers and define appropriate actions for their models in the event that a trigger level is breached.
In addition to regular monitoring, models are subject to an annual validation process to ensure that they will continue to perform as expected, and that assumptions used in model development are still appropriate. In line with initial sign-off requirements, annual validations are also formally reviewed at the appropriate technical committee.
Within Barclays Capital, where models are used to value positions within the trading book, the positions are subject to regular independent price testing which covers all trading positions. Prices are compared with direct external market data where possible. When this is not possible, more analytic techniques are used, such as industry consensus pricing services. These services enable peer banks to compare structured products and model input parameters on an anonymous basis. The conclusions and any exceptions to this exercise are communicated to senior levels of business management.
Externally developed models are subject to the same governance standards as internal models, and must be approved for use following the validation and independent review process. External models are also subject to the same standards for ongoing monitoring and annual validation requirements.
A fundamental duty of risk management is to ensure that organisations do not neglect to prepare for the worst event as they plan for success. Stress testing helps Barclays to understand how its portfolios would react if business conditions became significantly more challenging. We generate specific forward-looking scenarios and analyse how well our profitability would be maintained, whether our levels of capital would be adequate and what managers could do in advance to mitigate the risk.
Barclays uses stress testing techniques at Group, portfolio and product level and across a range of risk types. For example, portfolio management in the US cards business employs stressed assumptions of unemployment to determine profitability hurdles for new accounts. In the UK mortgage business, affordability thresholds incorporate stressed estimates of interest rates.
In the Investment Banking division, global scenario testing is used to gauge potential losses that could arise in conditions of extreme market stress. Stress testing is also conducted on positions in particular asset classes, including interest rates, commodities, equities, credit and foreign exchange.
At the Group level, stress tests capture a wide range of macroeconomic variables that are relevant to the current environment, such as:
- asset prices; and
- interest rates.
The Board Risk Committee agrees the range of scenarios to be tested and the independent Group Risk function co-ordinates the process, using bottom-up analysis performed by the businesses. The results of the stress tests are presented to the Executive Committee, the Board Risk Committee, the Board and the UK Financial Services Authority (FSA).
In 2010, the range of stress scenarios included the stress test set out by the FSA as part of its assessment of the Group’s resilience to stressed credit risk, market risk and economic conditions over a five-year period. This stress scenario analysis took into account a wide range of factors, including:
- The Group’s revenue generation potential given stressed macroeconomic variables such as GDP and interest rates;
- The effect of the scenario on the probability of default and possible losses given default within its loan book; and
- Possible declines in the market value of assets held in the trading books caused by the stress.
Following this work and discussion with the FSA, the Group was able to confirm that its capital resources, after exposure to the stress, were expected to continue to meet the FSA’s capital requirements.
In addition, Barclays, along with 90 other banks, was included in the Committee of European Banking Supervisors’ (CEBS)a stress test performed in July 2010. The stress test was designed to assess the resilience of the EU banking sector and each of the selected banks’ ability to absorb possible shocks on credit and market risks, including sovereign risks. Under the scenario considered, results indicated that Barclays would be well-placed to withstand the stress.
In 2010, Barclays integrated ‘reverse’ stress testing into the Group wide stress testing process. Reverse stress testing aims to identify the conditions that would result in the business model no longer being viable, such as extreme macroeconomic downturn scenarios or specific idiosyncratic events. This is being used to help support the on-going risk management of the Group, for example reverse stress testing has been integrated into the Risk Appetite framework. This also supports the Group in meeting new regulatory requirements in regards to reverse stress testing.
Information on the Group’s stress testing specifically relating to liquidity risk is set out in stress testing.
- On 7th February 2011 CEBS was renamed the European Banking Authority