Salz Review - Wall Street Journal
Salz Review
An Independent Review of Barclays’ Business Practices
business practices remain consistent with the Group’s risk appetite, standards,
and values, and that matters of importance do not fall between the cracks.
12.11 Management indicated to us that they recognise the need to build on the existing
strengths in some aspects of the bank’s risk management and management oversight
to ensure it is consistently robust across all risk types and businesses. Under the
Transform Programme, a comprehensive review of the control framework is already
underway. Our Review suggests this should focus on ensuring the framework covers
all risk types and articulates responsibilities; improving management of operational,
conduct and reputational risk; reinforcing the risk culture and business ownership of
risk and embedding the risk appetite; and strengthening the control functions.
First Line of Defence – Business Ownership of Risk
12.12 In all large complex organisations, whether centralised or decentralised, an effective
internal control environment provides assurance to senior management and the
Board that business practices are as intended, including maintaining risk levels within
pre-approved limits, and adhering to applicable laws and regulations.
12.13 Barclays’ internal control environment is implicitly rather than explicitly based on a
‘three lines of defence’ model. In our view, however, it categorises the main risks,
provides a reasonably common language of risk terminology, assigns accountability
for risks, and defines the process for managing the control environment. Two
particular components are the Group Internal Control & Assurance Framework
(GICAF) and the Principal Risks Policy (PRP).
12.14 GICAF sets out the requirements to identify, measure, assess, analyse, report and
manage the risks faced by the business. If there are issues with the control of these
risks or with compliance with regulations, Governance and Control Committees
(G&CCs) govern an escalation and management process. The G&CCs include
business and control representatives from the relevant business or region as well as
an independent member from another business or Group.
12.15 The PRP outlines the process for the management of the Principal Risks. Prior to
2011 Barclays classified credit, market, and funding risks as its Principal Risks.
Operational risk was added in 2012, followed by conduct and reputational risks in
early 2013. Each Principal Risk is sub-divided into several Key Risks and all are
assigned an owner responsible for ensuring that an appropriate risk control
framework and a risk appetite to manage the risk are in place. Risk owners must also
provide semi-annual attestation regarding the effective discharge of responsibility for
the Key Risk. Key Risk owners are responsible for ensuring that independent checks
(which Barclays calls ‘conformance testing’) are done in each business to verify the
effective operation of controls.