Operational risk management overview (audited)
Operational Risk is defined as the risk of direct or indirect impacts resulting from human factors, inadequate or failed internal processes and systems or external events. Recognising the impact operational risk may have on the Group a new Board Conduct, Reputation and Operational Risks Committee will be created in 2013.
The management of Operational Risk has two key objectives:
- To minimise the impact of losses suffered in the normal course of business (expected losses) and to avoid or reduce the likelihood of suffering an extreme (or unexpected) loss; and
- To improve the effective management of the Barclays Group and strengthen its brand and external reputation.
Barclays is committed to the management and measurement of operational risk and was granted a waiver by the FSA to operate an Advanced Measurement Approach (AMA) for operational risk under Basel 2, which commenced in January 2008. The majority of the Group calculates regulatory capital using AMA, however, in specific areas we apply the Basic Indicator Approach. In certain joint ventures and associates, Barclays may not be able to apply the AMA.
Areas where the Group is working towards the rollout of AMA and the Basic Indicator Approach is applied are: the Africa RBB businesses, including Barclays Bank Mozambique and National Bank of Commerce (Tanzania); Barclays Bank PLC Pakistan; Barclays Investment and Loans India Limited; the new to bank business activities acquired from Lehman Brothers; and the portfolios of assets purchased from Woolworths Financial Services in South Africa, Citi Cards Portugal and Italy, Standard Life Bank, MBNA Corporate Cards, Upromise, RCI, Egg Cards, EdCon, SallreMae and Ameriprice.
Barclays works to benchmark its internal operational risk practices with peer banks and to drive the development of advanced operational risk techniques across the industry.
Organisation and structure
Operational Risk is one of four Principal Risks in the Barclays Principal Risks Policy and comprises a number of specific Key Risks defined as follows:
- CyberSecurity: Risk of loss or detriment to Barclays business and customers as a result of actions committed or facilitated through the use of networked information systems;
- External supplier: Inadequate selection and ongoing management of external suppliers;
- Financial reporting: Reporting mis-statement or omission within external financial or regulatory reporting;
- Fraud: Dishonest behaviour with the intent to make a gain or cause a loss to others;
- Information: Inadequate protection of Barclays information in accordance with its value and sensitivity;
- Legal: Failure to identify and manage legal risks;
- Product: Inadequate design, assessment and testing of products/ services;
- Payment process: Failure in operation of payments processes;
- People: Inadequate people capabilities, and/or performance/reward structures, and/or inappropriate behaviours;
- Premises & security: Unavailability of premises (to meet business demand) and/or safe working environments, and inadequate protection of physical assets, employees and customers against external threats;
- Regulatory: Failure or inability to comply fully with the laws, regulations or codes applicable specifically to the financial services industry;
- Taxation: Failure to comply with tax laws and practice which could lead to financial penalties, additional tax charges or reputational damage;
- Technology: Failure to develop and deploy secure, stable and reliable technology solutions; and
- Transaction operations: Failure in the management of critical transaction processes.
These risks may result in financial and/or non-financial impacts including legal/regulatory breaches or reputational damage. For more information on Legal, Regulatory and Taxation risks please see the Operational risk section.
The Operational Risk Framework comprises a number of elements which allow Barclays to manage and measure its Operational Risk profile and to calculate the amount of Operational Risk capital that Barclays needs to hold to absorb potential losses. The minimum, mandatory requirements for each of these elements are set out in the Group Operational Risk policies. This framework is implemented across the Group: vertically, through the organisational structure with all businesses required to implement and operate an Operational Risk framework that meets, as a minimum, the requirements detailed in these operational risk policies; and horizontally, with the Group Key Risk Owners required to monitor information relevant to their Key Risk from each Operational Risk framework element.
Barclays operates with a robust system of internal control that seeks to ensure that business is transacted and risk taken without exposure to unacceptable potential losses or reputational damage. To this end, Barclays has implemented the Group Internal Control and Assurance Framework (GICAF) which is aligned with the internationally recognised Committee of Sponsoring Organisations of the Treadway Commission Framework (COSO).
The prime responsibility for the management of operational risk and the compliance with control requirements rests with the business and functional units where the risk arises. Operational risk managers are widely distributed throughout the Group and support these areas, assisting line managers in understanding and managing their risks.
The Operational Risk Director (or equivalent) for each business is responsible for ensuring the implementation of and compliance with Group Operational Risk policies.
The Group Operational Risk Director is responsible for establishing, owning and maintaining an appropriate Group-wide Operational Risk Framework and for overseeing the portfolio of Operational Risk across the Group.
The Operational Risk Committee (ORC) is the senior executive body responsible for the oversight and challenge of Operational risk in Barclays. Group Operational Risk Executive Committee (GOREC) is a sub-committee of the ORC, the output of which is presented to the Board Risk Committee (BRC).
In addition, Governance and Control Committees (G&CCs) in each business monitor control effectiveness. The Group G&CC receives reports from these committees and considers Group-significant control issues and their remediation. The Group G&CC presents to the Board Audit Committee (BAC).
Businesses are required to report their Operational risks on both a regular and an event-driven basis. The reports include a profile of the material risks to their business objectives and the effectiveness of key controls, control issues of Group-level significance, operational risk events and a review of scenarios and capital. Specific reports are prepared on a regular basis for ORC, BRC and BAC.
The Internal Audit function provides further independent review and challenge of the Group’s operational risk management controls, processes and systems and reports to the Board and senior management.
Operational risk management framework
The Barclays Operational risk framework is a key component of GICAF and has been designed to meet a number of external governance requirements including Basel, the Capital Requirements Directive and Turnbull guidance as an evaluation framework for the purposes of Section 404(a) of the Sarbanes-Oxley Act. It also supports the Sarbanes-Oxley requirements.
The Operational risk framework includes the following elements:
Barclays identifies and assesses all material risks within each business and evaluates the key controls in place to mitigate those risks. Managers in the businesses use self-assessment techniques to identify risks, evaluate the effectiveness of key controls in place and assess whether the risks are effectively managed within business risk appetite. The businesses are then able to make decisions on what, if any, action is required to reduce the level of risk to Barclays. These risk assessments are monitored on a regular basis to ensure that each business continually understands the risks it faces.
An operational risk event is any circumstance where, through the lack or failure of a control, Barclays has actually, or could have, made a loss. The definition includes situations in which Barclays could have made a loss, but in fact made a gain, as well as incidents resulting in reputational damage or regulatory impact only.
A standard threshold is used across the Group for reporting risk events and as part of our analysis we seek to identify where improvements are needed to processes or controls, to reduce the recurrence and/or magnitude of risk events.
Barclays also uses a database of external risk events which are publicly available and is a member of the Operational risk data eXchange (ORX), a not-for-profit association of international banks formed to share anonymous loss data information. Barclays uses this external loss information to support and inform risk identification, assessment and measurement.
Key Indicators (KIs) are metrics which allow Barclays to monitor its operational risk profile. KIs include measurable thresholds that reflect the risk appetite of the business. KIs are monitored to alert management when risk levels exceed acceptable ranges or risk appetite levels and drive timely decision making and actions.
Key Risk Scenarios
By combining data from risk events, risk assessments and key indicators with that from audit findings, expert management judgement and other internal data sources, Barclays is able to generate Key Risk Scenarios (KRSs). These scenarios identify the most significant operational risks across the Group. The KRSs are validated at business and Group level to ensure that they appropriately reflect the level of operational risk the business faces.
Barclays shares and receives an anonymous sub-set of KRS information with member banks of ORX in order to compare and contrast scenario analysis with peers.
As part of its risk management approach, the Group also uses insurance to mitigate the impact of some operational risks.
Operational risk appetite
Barclays approach to determining appetite for Operational risk combines both quantitative measures and qualitative judgement, in order to best reflect the nature of non financial risks.
The monitoring and tracking of Operational risk measures is supplemented with qualitative review and discussion at senior management executive committees on the action being taken to improve controls and reduce risk to an acceptable level.
Operational risk appetite is aligned to the Group’s Risk Appetite Framework.
The ongoing monitoring and reporting of Operational risk is a key component of an effective Operational Risk Framework. Reports are used by the Operational risk function and by business management to understand, monitor, manage and control operational risks and losses.
Operational risk measurement
The Operational risk capital model uses the outputs of the risk management tools to measure Barclays operational risk exposure, and in particular, Key Risk Scenarios. The model estimates the frequency and severity of operational risk losses for each risk type to provide a distribution of potential losses over a year for Barclays as a whole. This process takes into account the possibility of correlations i.e. impacts from different risks occurring together. The model generates a regulatory capital requirement, which is determined to a level of 99.9% confidence. Once the overall level of regulatory capital for the Group has been established it is allocated, on a risk sensitive basis, to businesses.