Salz Review - Wall Street Journal
Salz Review - Wall Street Journal
Salz Review - Wall Street Journal
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Salz</strong> <strong>Review</strong><br />
An Independent <strong>Review</strong> of Barclays’ Business Practices<br />
150<br />
12. Management Oversight and Risk Management<br />
12.1 What uniquely distinguishes banks from other companies is their role in risk transfer<br />
and risk management. As Walter Wriston famously said: “… managing risk … is the<br />
business of banking.” 237<br />
The Three Lines of Defence Model<br />
12.2 For any bank, the business practices associated with risk management and<br />
management oversight are critical. Banks use a ‘Three Lines of Defence model’ as<br />
the standard approach for the design and implementation of risk and control<br />
frameworks. The ‘first line’ is the business management. They are fully responsible<br />
for ensuring that a risk and control environment is established as part of day-to-day<br />
operations. The ‘second line’ comprises the control functions such as Risk,<br />
Compliance, Legal, and the non-advisory parts of Finance and HR. These functions<br />
collectively provide oversight of the control environment by setting frameworks and<br />
establishing, implementing and enforcing policies and procedures. The ‘third line’ is<br />
Internal Audit as the independent provider of assurance.<br />
12.3 While the concept is straightforward, its implementation is more difficult in complex<br />
global organisations. All the more so where the operating model is relatively<br />
decentralised, as at Barclays. Such decentralised organisations can blur the distinction<br />
between the first and second lines of defence, since control functions exist (and<br />
often report) within business units. Where control functions feel greater affinity to<br />
the business unit they are supposed to control, they can lose the degree of<br />
independence they need to perform their roles effectively.<br />
12.4 The ‘operating model’ – how authority is delegated, the degree of decentralisation,<br />
how the bank’s various businesses are managed, how decisions are made, and the<br />
role of the Group Centre at Barclays – is critical to the management oversight of risk.<br />
There have been periodic shifts in the level of decision making at the Group Centre<br />
but, for most of the past 10 to 15 years, there has been considerable delegation of<br />
authority. 238<br />
12.5 After John Varley became Group Chief Executive in 2004, he increased delegation,<br />
setting up two powerful business clusters. He described in 2007 how he<br />
“decentralised operations so that many more decisions are made locally”. 239 Each<br />
cluster had a Chief Executive who was, as John Varley put it in the 2006 Annual<br />
Report, “the single point of strategic direction and control” for the businesses in that<br />
cluster. The underlying philosophy of this operating model, for the most part, was<br />
one of ‘devolution’ with the Group Centre providing strategic leadership,<br />
237 Attributed to Walter Wriston, ex-CEO and Chairman of CitiCorp by the Economist in 1993 (“Survey of<br />
International Bankers: A comedy of errors” April 1993) though other sources also attribute the quote to<br />
John Pierpoint Morgan.<br />
238 “Since I joined Barclays in 1996, it has been run on a relatively decentralised basis”, Bob Diamond Speech<br />
to UBS Global Financial Services Conference, May 2012.<br />
239 “Barclays’ Global Acceleration”, strategy+business, May 2007; http://www.strategybusiness.com/article/07216?pg=all.