Operational risk management
Operational risk is the risk of direct or indirect losses resulting from human factors, external events, and inadequate or failed internal processes and systems. Operational risks are inherent in Barclays operations and are typical of any large enterprise. Major sources of operational risk include: operational process reliability, IT security, outsourcing of operations, dependence on key suppliers, implementation of strategic change, integration of acquisitions, fraud, human error, customer service quality, regulatory compliance, recruitment, training and retention of staff, and social and environmental impacts.
Barclays is committed to the advanced management of operational risks. In particular, it has implemented improved management and measurement approaches for operational risk to strengthen control, improve customer service and minimise operating losses. Barclays was granted a Waiver to operate an Advanced Measurement Approach (AMA) under Basel II, which commenced in January 2008.
The Group’s operational risk management framework aims to:
– Understand and report the operational risks being taken by the Group.
– Capture and report operational errors made.
– Understand and minimise the frequency and impact, on a cost-benefit basis, of operational risk events.
Barclays works closely with peer banks to benchmark our internal Operational Risk practices and to drive the development of advanced Operational Risk techniques across the industry. It is not cost-effective to attempt to eliminate all operational risks and in any event it would not be possible to do so. Events of small significance are expected to occur and are accepted as inevitable; events of material significance are rare and the Group seeks to reduce the risk from these in a framework consistent with its agreed Risk Appetite.
Organisation and structure
Barclays has a Group Operational Risk Framework, which is consistent with and part of the Group Internal Control and Assurance Framework. Minimum control requirements have been established for all key areas of identified risk by ‘Principal Risk’ owners (see page 85). The risk categories relevant to operational risks are Financial Crime, Financial Reporting, Taxation, Legal, Operations, People, Regulatory, Technology and Change. In addition, the following risk categories are used for business risk: Brand Management, Corporate Responsibility and Strategic.
Responsibility for implementing and overseeing these policies is positioned throughout the organisation. The prime responsibility for the management of operational risk and the compliance with control requirements rests with the business and functional units where the risk arises. Frontline risk managers are widely distributed throughout the Group in business units. They service and support these areas, assisting line managers in managing these risks.
Business Risk Directors in each business are responsible for overseeing the implementation of and compliance with Group policies. Governance and Control Committees in each business monitor control effectiveness. The Group Governance and Control Committee receives reports from the committees in the businesses and considers Group-wide control issues and their remediation.
In the corporate centre, each Principal Risk is owned by a senior individual who liaises with Principal Risk owners within the businesses. In addition, the Operational Risk Director oversees the range of operational risks across the Group in accordance with the Group Operational Risk Framework.
Business units are required to report on both a regular and an event-driven basis. The reports include a profile of the key risks to their business objectives, control issues of Group-level significance, and operational risk events. Specific reports are prepared on a regular basis for the Group Risk Oversight Committee, the Board Risk Committee and the Board Audit Committee. In particular, the Group Operational Risk Profile and Group Operating Committee Report is provided quarterly to the Group Risk Oversight Committee. The Internal Audit function provides further assurance for operational risk control across the organisation and reports to the Board and senior management.
Operational risk measurement and capital modelling
Barclays applies a consistent approach to the identification and assessment of key risks and controls across all business units. Managers in the businesses use self-assessment techniques to identify risks, evaluate control effectiveness and monitor capability. Business management determines whether particular risks are effectively managed within business risk appetite and otherwise takes remedial action. The risk assessment process is consistent with the principles in the integrated framework published by the Committee of Sponsoring Organisations of the Treadway Commission (COSO).
A standard process is used Group-wide for the recognition, capture, assessment, analysis and reporting of risk events. This process is used to help identify where process and control requirements are needed to reduce the recurrence of risk events. Risk events are loaded onto a central database and reported monthly to the Operational Risk Executive Committee.
Barclays also uses a database of external public risk events and is a member of the Operational Risk Data Exchange (ORX), an association of international banks that share anonymised loss data information to assist in risk identification, assessment and modelling.
By combining internal data, including internal loss experience, risk and control assessments, key indicators and audit findings, with external loss data and expert management judgement, Barclays is able to generate Key Risk Scenarios (KRSs), which identify the most significant operational risks across the Group. The KRSs are validated at business unit and at Group level to ensure that they appropriately reflect the level of operational risk. It is these that are the main input to our capital model.
Operational risk capital is allocated, on a risk-sensitive basis, to business units in the form of economic capital charges, providing an incentive to manage these risks within appetite levels.
Operational risk events
A high proportion of Barclays operational risk events have a low financial cost associated with them and a very small proportion of operational risk events have a material impact. Figure 1 shows that in 2007, 79% of reported operational loss events had a value of £50,000 or less. Figure 2 shows that this 79% of risk events by count only amounted to 15% of risk events by value. In contrast, 2% of the operational risk events had a value of £1m or greater but accounted for 50% of the overall loss. This was consistent with 2006 risk events and, from our analysis of external data, is in line with industry experience.
Analysis of Barclays operational risk events in 2007 by Basel II category, as shown in figure 3, highlights that the highest frequency of events occurred in External Fraud (54%) and Execution, Delivery and Process Management (37%). These two areas also accounted for the majority of losses by value (figure 4), with Execution, Delivery and Process Management accounting for 52% of total operational risk losses and External Fraud accounting for 24%. This again was consistent with 2006 internal risk events and, from our analysis of external data, is in line with industry experience.
Barclays has been granted a waiver by the UK FSA to apply an Advanced Measurement Approach (AMA) for Group-wide consolidated and solus regulatory capital reporting. Barclays has applied the AMA Group-wide. The two areas where roll-out of AMA is still continuing are Banco Austral (Mozambique) and National Bank of Commerce Limited (Tanzania), where the Standardised Approach is currently applied. In certain joint ventures and associates, Barclays may not be able to apply the Advanced Operational Risk Framework. Barclays does not currently use insurance or expected losses to offset its regulatory capital requirement.