Introduced in 2016, the Senior Managers and Certification Regime (SMCR) was one of the measures responding to the banking crisis and the underlying culture and behavioural failures by banking leadership and staff.
It demands that key senior managers, and other key staff, accept and demonstrate greater personal accountability for standards of conduct and outcomes. Regulators have said that they will take enforcement action against individuals if they have not taken proper accountability and reasonable steps to prevent future issues and breaches. Actions might include personal fines, bonus clawbacks or bans from the industry.
From December 2019, SMCR is being extended to all 47,000 FCA regulated firms - meaning that banks, deposit-takers, lenders, insurers, investment firms, asset managers, brokers and consumer credit firms will all now be captured. Whilst the SMCR regime will apply differently to smaller firms, certain core expectations will apply to all:
- FCA approving the appointment of the most senior individuals before they start new roles,
- A single, suitable senior individual taking 'overall responsibility' for each key business function, with other experts taking 'prescribed responsibilities' for oversight and control,
- Creating and maintaining a firm-wide map of all responsibilities and providing key individuals with a clear 'statement of responsibilities' saying what they are responsible and accountable for,
- Senior staff being able to evidence that they are taking ‘reasonable steps’ in discharging their accountabilities and responsibilities and that at least every year, they are certified that they remain suitable to do their jobs,
- Senior and key staff adhering to ‘behavioural’ conduct rules with any breaches reported to the regulators.
With careful thought and planning, the implementation of the regime is complex but manageable. Identification of in-scope populations, responsibility mapping, updates to job descriptions and contracts, provision of training are mostly straightforward. But making the real and sustained behavioural change required by SMCR is harder. In our experience there are 3 challenges:
1. Dealing with complexity
The number and overlap of day-to-day processes and controls can represent a complex web of activity which even the most expert and diligent manager may not fully understand. Further complicated by technology processes and controls that can be hidden from view, and by arm’s length relationships with third-party outsourcers or service providers, actually understanding how each business function operates can be near-impossible.
So how can a senior manager understand and oversee such a complex web? We think that they should:
- Challenge operations and control staff to create a clear and up-to-date view of processes and controls. Does this represent reality? Is this what is described in policies and procedures? Are all controls accurately represented in risk registers and control assurance activities?
- Identify process and control points that are key to delivering compliant and expected outcomes and ensure that these receive the most attention. Is there clear ownership of these points? Are relevant processes and procedures understood and followed? Are the controls fit for purpose and continually monitored?
- Establish a core set of indicators that provide real-time information about what’s going on and to satisfy themselves that processes are being adhered to and controls operating as expected. Is current reporting useful in achieving an ongoing view? What other data sources can be used? What is the weekly routine of oversight that provides confidence that ‘reasonable steps’ are being taken to oversee activities?
2. Dealing with delegation
All senior managers delegate aspects of their responsibilities. But doing so does not mean that they absolve themselves of their prescribed responsibility through the documentation of delegation alone. Senior managers must oversee the discharge of the delegated responsibilities.
Given the complexity described above, how can they do this in a clear and sensible way? We suggest that they:
- Ensure that the delegation is to the most appropriate person – this is specifically required by the conduct rules for senior managers. But this goes beyond delegating to the next direct report in the structure chart; delegation is not a cascade. Are the requirements, demands and standards of the task clear? Who is the most capable and qualified person for that task? Will they have all the support needed from others to carry out the task? If not, what other changes are necessary to enable them to do so?
- Ensure that any delegation of responsibilities is clearly documented to named individuals, either in a formal delegation note or embedded in the job description, objective or mandate of the individual being delegated to. Unless embedded in role profiles that have been formally accepted, what else is needed to evidence acceptance of the delegation? How will the delegation be actively overseen by the senior manager? Will this be covered in formal one-on-ones? If not, what new meetings or reports need to be established to evidence ongoing oversight?
3. Dealing with incidents
A key indicator that SMCR has made senior people in firms more responsible and accountable is the way that they respond to a crisis. When incidents or breaches occur, how response teams mobilise, gather facts and identify root causes, select next actions and recover normal operations will speak volumes about how well accountabilities are allocated, understood and discharged.
It is very unlikely that every incident will fall squarely into one individual’s sphere of accountability, so how do senior managers mobilise effectively to respond? Key actions to take include:
- Ensure that incident response mechanisms are robust and effective. Are they aligned to up-to-date responsibility maps to identify the key people that need to mobilise? Has the mechanism been invoked recently, or subjected to a rigorous test? Are the steps clearly understood, and will they work as designed? Does the approach work in reality?
- In a crisis, amongst other immediate actions, review and assess accountable senior managers’ ‘reasonable steps’ to identify both those processes and controls that had been operating effectively and those that had not. What led to the incident? What lessons can be learnt to enhance processes and controls to prevent recurrence? How will remedial actions be taken, assured and signed off?
- Ensure that the FCA is notified within 7 business days if the incident relates to a breach of the requirements by a senior manager, or otherwise consider if a Principle 11 notification is required, or whether another authority needs to be advised immediately as in the case of some data breaches. What information will be shared, by whom and when? What plans will be shared to give confidence that the response and remedial activity is prompt and complete? What actions are being taken to update ‘reasonable steps’ and management oversight to reinforce enhanced controls?
The implementation of SMCR is complex but manageable. Together with taking the clear procedural steps to identify populations, change job descriptions, etc., we believe successful implementation and embedding should consider at least the above 3 challenges.
At TORI, we help clients deal with their most important and difficult operational, technical and regulatory challenges. We work with clients to build effective control environments and make sense of the complex web of day-to-day processes and controls. We help clients create strong leadership and governance mechanisms, including the design of operating models and accountability frameworks that manage delegations. From an operational resilience point of view, we ensure that clients build and run robust incident management frameworks and test these from within and against external threats.
If you would like to explore how TORI can help you be ready for, and make a success of, SMCR then please get in touch.