Operational risk management

All disclosures in this section are unaudited

Operational risk

Operational risk is defined as the risk of direct or indirect impacts resulting from human factors, inadequate or failed internal processes and systems or external events. Operational risks are inherent in the Group’s business activities and are typical of any large enterprise. It is not cost effective to attempt to eliminate all operational risks and in any event it would not be possible to do so. Losses from operational risks of small significance are expected to occur and are accepted as part of the normal course of business. Those of material significance are rare and the Group seeks to reduce the likelihood of these in accordance with its risk appetite.


The management of operational risk has two key objectives:

  • To minimise the impact of losses suffered in the normal course of business (expected losses) and to avoid or reduce the likelihood of suffering a large extreme (or unexpected) loss; and
  • To improve the effective management of the Barclays Group and strengthen its brand and external reputation.

Barclays is committed to the management and measurement of operational risk and was granted a waiver to operate an Advanced Measurement Approach (AMA) for operational risk under Basel 2, which commenced in January 2008. The majority of the Group calculates regulatory capital using AMA, however, in specific areas we apply the Basic Indicator Approach. In certain joint ventures and associates, Barclays may not be able to apply the AMA.

Areas where the Group is working towards the rollout of AMA and the Basic Indicator Approach is applied are: the Africa RBB businesses, including Barclays Bank Mozambique and National Bank of Commerce (Tanzania); Barclays Bank PLC Pakistan; Barclays Investment and Loans India Limited; the business activities acquired from Lehman Brothers; and the portfolios of assets purchased from Woolworths Financial Services in South Africa, Citi Cards Portugal and Italy, Standard Life Bank, MBNA Corporate Cards, Upromise and Egg Cards.

Barclays works to benchmark its internal operational risk practices with peer banks and to drive the development of advanced operational risk techniques across the industry.

Organisation and structure

Operational risk is one of four Principal Risks in the Barclays Principal Risks Framework and comprises a number of specific key risks defined as follows:

  • External supplier risk – Inadequate selection and ongoing management of external suppliers;
  • Financial reporting risk – Reporting mis-statement or omission within external financial or regulatory reporting;
  • Fraud risk – Dishonest behaviour with the intent to make a gain or cause a loss to others;
  • Information risk – Inadequate protection of Barclays information in accordance with its value and sensitivity;
  • Legal risk – Failure to identify and manage legal risks;
  • Product risk – Inadequate design, assessment and testing of products/services;
  • Payment process risk – Failure in operation of payments processes;
  • People risk – Insufficient people /capabilities and/or inappropriate behaviours and/or unsafe working environments;
  • Premises & security risk – Unavailability of premises to meet business requirements or inadequate protection of physical assets, employees and customers against criminal, terrorist and adverse political activities;
  • Regulatory risk – Failure or inability to comply fully with the laws, regulations or codes applicable specifically to the financial services industry;
  • Taxation risk – Failure to comply with tax laws and practice which could lead to financial penalties, additional tax charges or reputational damage;
  • Technology risk – Failure to develop and deploy secure, stable and reliable technology solutions; and
  • Transaction operations risk – Failure in the management of critical transaction processes.

These risks can result in financial and/or non-financial impacts including legal/regulatory breaches or reputational damage.

The Operational Risk Framework comprises a number of elements which allow Barclays to manage and measure its Operational risk profile and to calculate the amount of operational risk capital that Barclays needs to hold to absorb potential losses. The minimum, mandatory requirements for each of these elements are set out in the Group Operational risk policies. This framework is implemented across the Group: vertically, through the organisational structure with all Business Units required to implement and operate an Operational Risk Framework that meets, as a minimum, the requirements detailed in these operational risk policies; and horizontally, with the Group Key Risk Owners required to monitor information relevant to their key risk from each Operational Risk Framework element.

Barclays operates within a robust system of internal control that enables business to be transacted and risk taken without exposure to unacceptable potential losses or reputational damage. To this end, Barclays has implemented the Group Internal Control and Assurance Framework (GICAF) which is aligned with the internationally recognised Committee of Sponsoring Organisations of the Treadway Commission Framework (COSO).

The prime responsibility for the management of operational risk and the compliance with control requirements rests with the business and functional units where the risk arises. Operational risk managers are widely distributed throughout the Group and support these areas, assisting line managers in understanding and managing their risks.

The Operational Risk Director (or equivalent) for each Business Unit is responsible for ensuring the implementation of and compliance with Group Operational Risk policies.

The Group Operational Risk Director is responsible for establishing, owning and maintaining an appropriate Group-wide Operational Risk Framework and for overseeing the portfolio of operational risk across the Group.

The Operational Risk Committee (ORC) is the senior executive body responsible for the oversight and challenge of operational risk in Barclays. The Group Operational Risk Executive Committee (GOREC) assists with this oversight. GOREC is a sub-committee of the ORC, the output of which is presented to the BRC.

In addition, Governance and Control Committees (G&CCs) in each business monitor control effectiveness. The Group G&CC receives reports from these committees and considers Group-significant control issues and their remediation. The Group G&CC presents to the Board Audit Committee (BAC).

Business units are required to report their operational risks on both a regular and an event-driven basis. The reports include a profile of the material risks to their business objectives and the effectiveness of key controls, control issues of Group-level significance, operational risk events and a review of scenarios and capital. Specific reports are prepared on a regular basis for GOREC, ORC, BRC and BAC.

The Internal Audit function provides further independent review and challenge of the Group’s operational risk management controls, processes and systems and reports to the Board and senior management.

Operational risk management

The Barclays Operational Risk Framework is a key component of GICAF and has been designed to meet a number of external governance requirements including Basel, the Capital Requirements Directive and Turnbull. It also supports the Sarbanes-Oxley requirements.

The Operational Risk Framework includes the following elements:

Risk assessments

Barclays identifies and assesses all material risks within each business unit and evaluates the key controls in place to mitigate those risks. Managers in the business units use self-assessment techniques to identify risks, evaluate the effectiveness of key controls in place and assess whether the risks are effectively managed within business risk appetite. The businesses are then able to make decisions on what, if any, action is required to reduce the level of risk to Barclays. These risk assessments are monitored on a regular basis to ensure that each business continually understands the risks it faces.

Risk events

An operational risk event is any circumstance where, through the lack or failure of a control, Barclays has actually, or could have, made a loss. The definition includes situations in which Barclays could have made a loss, but in fact made a gain, as well as incidents resulting in reputational damage or regulatory impact only.

A standard threshold is used across the Group for reporting risk events and as part of our analysis we seek to identify where improvements are needed to processes or controls, to reduce the recurrence and/or magnitude of risk events.

Barclays also uses a database of external risk events which are publicly available and is a member of the operational risk data eXchange (ORX), a not-for-profit association of international banks formed to share anonymous loss data information. Barclays uses this external loss information to support and inform risk identification, assessment and measurement.

Key indicators

Key Indicators (KIs) are metrics which allow Barclays to monitor its operational risk profile. KIs include measurable thresholds that reflect the risk appetite of the business. KIs are monitored to alert management when risk levels exceed acceptable ranges or risk appetite levels and drive timely decision making and actions.

Key risk scenarios

By combining data from risk events, risk assessments and key indicators with that from audit findings, expert management judgement and other internal data sources, Barclays is able to generate Key Risk Scenarios (KRSs). These scenarios identify the most significant operational risks across the Group. The KRSs are validated at business unit and Group level to ensure that they appropriately reflect the level of operational risk the business faces.

Barclays shares and receives an anonymous sub-set of KRS information with the ORX community in order to compare and contrast scenario analysis with peers.


As part of its risk management approach, the Group also uses insurance to mitigate the impact of some operational risks.

Operational risk appetite

Barclays approach to determining appetite for operational risk combines both quantitative measures and qualitative judgement, in order to best reflect the nature of non financial risks. This approach is applied at both an overall operational risk level and for individual key risks.

The monitoring and tracking of operational risk measures is supplemented with qualitative review and discussion at senior management executive committees on the action being taken to improve controls and reduce risk to an acceptable level.

Operational risk appetite is aligned to the Group’s Risk Appetite Framework.


The ongoing monitoring and reporting of operational risk is a key component of an effective Operational Risk Framework. Reports are used by the Operational Risk function and by business management to understand, monitor, manage and control operational risks and losses.

Operational risk measurement

The Operational Risk Capital Model uses the outputs of the risk management tools to measure Barclays operational risk exposure. KRSs are the main input to the model, which also uses the frequency and severity of operational risk losses to provide a distribution of potential losses over a year for Barclays as a whole. This process takes into account the possibility of correlations i.e. the likelihood of two key risks occurring within the same year. The model generates a regulatory capital requirement, which is determined to a level of 99.9% confidence. Once the overall level of regulatory capital for the Group has been established it is allocated, on a risk sensitive basis, to business units. This provides an incentive for the business to manage its risks within appetite levels.

Operational risk profile

A high proportion of Barclays operational risk events have a low associated financial cost and a very small proportion of operational risk events have a material impact. In 2011, 70.4% of operational losses had a value of £50,000 or less (2010: 75.0%) and accounted for 1.9% of the overall impact (2010: 3.7%). In contrast, 4.1% of the operational risk events had a value of £1m or greater (2010: 2.5%) and accounted for 91.1% of the overall impact (2010: 86.5%).

The Group monitors trends in operational risk events by size, business unit and internal risk categories (including Key Risk). For comparative purposes, the analysis below presents Barclays operational risk events by Basel 2 category. In 2011, the highest frequency of events occurred in External Fraud (42.5%) and Execution, Delivery and Process Management (36.9%). Clients, Products and Business Practices accounted for the highest proportion of losses by value, with 66% (2010: 67.9%). The continued high impact in this category was driven by the £1bn provision for PPI which was announced in May 2011. The volume of external fraud events remained broadly stable in 2011, although there was an increase in value due to a small number of high value fraud events.

Fig. 1: Operational risk events by risk category
% of total risk events by count
Operational risk events by risk category (% of total risk events by count) (bar chart)
Fig. 2: Operational risk events by risk category
% of total risk events by value
Operational risk events by risk category (% of total risk events by value) (bar chart)

Page tools

Share this page

to pagetop