Barclays PLC Annual Report 2022, page 293

Principal risk management (continued)

Treasury and Capital Risk Committee monitors and reviews the IRRBB risk profile and control environment, providing second line oversight of the management of IRRBB. The BRC reviews the interest rate risk profile, including review of the risk appetite at least annually and the impact of stress scenarios on the interest rate risk of the Group’s banking books.

In addition, the Group’s IRRBB policy sets out the processes and key controls required to identify all IRRBB risks arising from banking book operations, to monitor the risk exposures via a set of metrics with a frequency in line with the risk management horizon, and to manage these risks within agreed risk appetite and limits.

Model risk management

The potential for adverse consequences from decisions based on incorrect or misused model outputs and reports.

Overview

The Group uses models to support a broad range of activities, including informing business decisions and strategies, measuring and limiting risk, valuing exposures, conducting stress testing, assessing capital adequacy, managing client assets, and meeting reporting requirements.

Organisation, roles and responsibilities

The Group has a dedicated Model Risk Management (MRM) function that consists of five teams: (i) Independent Validation Unit (IVU), responsible for model validation and approval; (ii) Group Model Risk Governance, responsible for model risk governance, controls and reporting, as well as providing oversight for compliance of the Model Owner community with the Model Risk Framework; (iii) Framework team, responsible for the Model Risk Policy and associated standards; (iv) Strategy and Transformation, responsible for inventory, strategy, communications and business management; and (v) Model Risk Measurement and Quantification (MRMQ), responsible for the design of the framework and methodology to measure and, where possible, quantify model risk. It is also responsible for the strategic Validation Centre of Excellence (VCoE), which is an independent quality assurance function within MRM with the mandate to review and challenge validation outcomes.

The Model Risk Framework consists of the Model Risk Policy and standards. The policy prescribes Group-wide, end-to-end requirements for the identification, measurement and management of model risk, covering model documentation, development, monitoring, annual review, independent validation and approval, change and reporting processes. The policy is supported by global standards covering model inventory, documentation, validation, testing and monitoring, overlays, risk appetite, and stress testing challenger models.

The function reports to the Group CRO and operates a global framework. Implementation of best practice standards is a central objective of the Group.

The key model risk management activities include:
• Correctly identifying models across all relevant areas of the Group, and recording models in the Group Models Database (GMD), the Group-wide model inventory.
• Enforcing that every model has a model owner who is accountable for the model. The model owner must sign off models prior to submission to IVU for validation and maintain that the model presented to IVU is and remains fit for purpose.
• Overseeing that every model is subject to validation and approval by IVU, prior to being used and on a continual basis.
• Defining model risk appetite in terms of risk tolerance, and qualitative metrics which are used to track and report model risk.

Operational risk management

The risk of loss to the Group from inadequate or failed processes or systems, human factors or due to external events (for example, fraud) where the root cause is not due to credit or market risks.

Overview

The management of operational risk has three key objectives:
• deliver an operational risk capability owned and used by business leaders to enable sound risk decisions over the long term
• provide the frameworks, policies and standards to enable management to meet their risk management responsibilities while the second line of defence provides robust, independent, and effective oversight and challenge
• deliver a consistent and aggregated measurement of operational risk that will provide clear and relevant insights, so that the right management actions can be taken to keep the operational risk profile consistent with the Group’s strategy, the stated risk appetite and stakeholder needs.

The Group operates within a system of internal controls that enables business to be transacted and risk taken without exposing it to unacceptable potential losses or reputational damages.

Organisation, roles and responsibilities

The prime responsibility for the management of operational risk and the compliance with control requirements rests within the business and functional units where the risk arises. The operational risk profile and control environment is reviewed by management through business risk committees and control committees. Operational risk issues escalated from these meetings are considered through the second line of defence review meetings. Depending on their nature, the outputs of these meetings are presented to the Operational Risk Profile Forum, the Operational Risk Committee, the BRC or the BAC. In addition, specific reports are prepared by Operational Risk on a regular basis for the GRC and the BRC.

Legal entities, businesses and functions are required to report their operational risks on both a regular and an event-driven basis. The reports include a profile of the material risks that may threaten the achievement of their objectives and the effectiveness of key controls, operational risk events and a review of scenarios.

The Group Head of Operational Risk is responsible for establishing, owning and maintaining an appropriate group-wide Operational Risk Framework and for overseeing the portfolio of operational risk across the Group.

The Operational Risk function acts in a second line of defence capacity, and is responsible for defining and overseeing the implementation of the framework and monitoring the Group’s operational risk profile. The Operational Risk function alerts management when risk levels exceed acceptable tolerance in order to drive timely decision-making and actions by the first line of defence.

Operational risk categories

Operational risks are grouped into risk categories to support effective risk management, measurement and reporting. These comprise: Data Management Risk; Financial Reporting Risk; Fraud Risk; Information Security Risk; Operational Recovery Planning Risk; Payments Process Risk; People Risk; Premises Risk; Physical Security Risk; Change Delivery Management Risk; Supplier Risk; Tax Risk; Technology Risk; and Transaction Operations Risk.

In addition to the above, operational risk encompasses risks associated with
