In December 2019, Financial Conduct Authority (FCA) applied the regulation to all firms governed by the FCA – reaching over 48,000 organizations, with further requirements hitting firms in December 2020.
The UK SMCR is the model regime that is influencing other regimes around the world, such as Australia BEAR, Ireland SEAR, and Hong Kong’s MIC.
This regulation enforces accountability on senior managers and executives for their organizations' risk and compliance actions and puts the responsibility on the senior directors for any willful misconduct as well as potential negligence, or a lack of due diligence in the management of compliance, controls, and risk. A breach of said regulation could potentially warrant jail time (for willful misconduct) or a personal fine of these senior directors (in the context of negligence or lack of due diligence).
Much has been said about UK SMCR since its inception. Tackling the regulation has proven to be a difficult and daunting task for many organizations. Some have described it as the regulation of all regulations - helping oversee that all risk and compliance activities are properly managed across the board.
Regardless, all monumental and discouraging tasks are meant to be handled in phases. The first and one of the most important, steps is mapping senior management functions (SMFs) throughout the organization, as well as their responsibilities and defined roles within the organizations. It is a formative and foundational step in your organizations UK SMCR journey.
This requires that organizations have a defined map and business model of all their SMFs, their roles, and accountability matrix/functions. Organizations must track the responsibilities and accountabilities for compliance and emerging or potential risks to senior managers, as well as track the overall awareness and accountability of these individual directors. This allows for greater awareness of risk, compliance, and control throughout the organization and an increase in transparency.
A thorough understanding of the business is essential to UK SMCR and other accountability regime regulations. Mapping the business and its SMFs with defined roles and responsibilities is the foundation that everything else in UK SMCR compliance is built upon. Leveraging business process modeling software to map SMFs and accountabilities provides the regulators with underpinning compliance documentation for the rest of UK SMCR.
Another critical aspect of UK SMCR, beyond the responsibility maps, is the communication of conduct rules to all SMFs and certification staff (employees responsible for critical risk, compliance, and control functions). Conduct rules are essentially policies that need to be communicated and attested to (acknowledged). This task was required to be complete in December 2019 and done periodically thereafter.
However, the communication of conduct rules expands this year when all employees of the organization have to read and acknowledge conduct rules (except for ancillary staff such as receptionists and caterers). This involved communicating policies to these roles and gathering attestations to all employees. It also involves laying down the process, often with workflow, tasks, and documentation of these communications in a defensible system of record.
It is paramount for financial service firms to leverage technology within this process to improve efficiency, agility, and effectiveness in UK SMCR. As we continue to get deeper into 2020, the scope of the regulations is expected to expand and clarify. This regulation significantly expands the number of activities, attestations, and communications to employees throughout the entirety of the organization. Approaching this through siloed and unagile manual processes is facing a nightmare scenario in terms of managing and reporting. Manual processes also lack a sufficient trail of evidence to provide assurance to the organization that the reporting is correct. Whereas a technology architecture leaves you with a firm evidence trail and records, as well as a more efficient, agile, and effective UK SMCR processes that tracks workflow and tasks, as well as automates reporting to the regulators.
Financial service firms need to leverage a technology architecture in order to fully make these processes efficient and effective in meeting requirements and achieving improved accountability with senior management. These firms also need technology to make compliance agile as the organization, its employees, and SMFs are constantly changing. This is not a comply once and walk away, but something that has to be kept current to reflect organization and staff changes.
UK SMCR needs to be made sustainable within the organization as it is not going away at any point soon. This requires that financial services firms address the requirements and process, as well as leverage technology to make these processes efficient – and to reduce time and cost. But also making them agile as the organization is dynamic and roles and risks change, and accountability and processes need to be kept current in a dynamic organization.
Every financial services firm needs to take the time to contemplate the roles and accountabilities of SMFs within risk, controls, and compliance. Reporting on each of these functions is essential in knowing that the organization manages all the different domains of risk effectively and properly, without any negligence or lack of due diligence that could open up a senior director to legal liability.
Make no mistake, this journey towards accountability is never-ending. Organizations are in a constant state of flux and change. Employees come and go, senior management functions are altered, risks evolve, and new regulations are made. Modern business is a very dynamic and volatile environment and UK SMCR needs to be sustainable throughout this volatility. Integrated information and technology architecture is critical for organizations to manage UK SMCR throughout this volatility within the context of this change.