On 9 December 2019, 47,000 Financial Conduct Authority (FCA) solo regulated firms became subject to the Senior Managers and Certification Regime (SMCR), harmonising requirements across the industry. The key objective of the SMCR is to drive individual accountability for effective management and control across all areas of the business. Whilst the SMCR has introduced a number of specific new requirements and strengthened the core aspects and principles of the original accountability regimes, it isn’t about making wholesale changes to an organisation, or its governance structures. Rather, it has been a useful prompt for firms and Senior Management Function holders (SMFs) to review current management and oversight structures and frameworks.
In doing this, firms have looked to address a number of challenges:
- Managing the additional business as usual administration brought about by the SMCR, for example:
  - Tracking and overseeing the SMF and Certified Staff populations and ongoing changes to these;
  - Managing regulatory approvals, ongoing regulatory documentation and notification requirements; and
  - Ensuring that the organisational, governance and individual role changes (including Overall and Other Responsibilities) are reflected accurately and remain up to date.
- Practical and sustainable approaches for senior managers, and the functions that support them, to address the ‘Duty of Responsibility’. This includes the obligations under the Senior Manager Conduct Rules to take ‘reasonable steps’, for example:
  - Inconsistent or unwieldy SMF ‘reasonable steps’ documentation that lacks adequate supporting evidence;
  - Gaps in supporting governance and committee disciplines, including management information (MI) that fails the ‘so what?’ test;
  - Unclear ownership of decisions, challenge and/or actions documented in minutes or MI, and poor action management; and
  - Lack of entity focus, where a firm is part of a wider group, particularly where there are key dependencies on group governance or activities.
- Conduct Rule breach identification, assessment and management. Many firms continue to review, evolve and calibrate their approaches including:
  - Identification and awareness of potential Conduct Rules breach triggers across the organisation;
  - Alignment and enhancements to the disciplinary processes to determine Conduct Rule breaches; and
  - Updating regulatory references following determination of a breach.
There are practical and proactive steps that firms can take, and are taking, to drive focus on Conduct Rules and individual responsibility through effective business and risk management. Here are some examples of tools and initiatives to support an integrated approach to the SMCR:
- SMF Duty of Responsibility and reasonable steps:
  - Guidance on the roles and responsibilities of SMFs and supporting functions including company secretariat, business risk teams and personal assistants.
  - Templates and guidance on documenting and evidencing reasonable steps and Conduct Rule compliance which help focus on individual SMF and prescribed responsibilities. This facilitates links to wider firm governance and risk management frameworks, a consistent standard of documentation across the SMF population, and regular review.
  - Some firms have considered how they streamline this process with their handover policy.
- Governance procedures:
  - The company secretariat (CoSec) function, in conjunction with Chairs, has reviewed the processes and procedures which support the firm’s Boards/committees.
  - SMF responsibility and legal entity (or multiple entities/a group) relevance is clearly attributed in MI and minutes, including risks, decisions, challenges and actions.
  - Where there are multiple entities covered by a Board or Committee, this is clear in terms of references and minutes and a proportionate and balanced allocation of time to each entity can be evidenced. Potential conflicts of interest between group and individual entities are proactively identified, documented and managed.
  - SMFs are clear on how they document and manage decision making that happens outside the formal governance framework (e.g. through one to one discussions).
- SMCR framework:
  - SMCR roles and responsibilities are defined and agreed across all lines of defence, including HR, Risk, Compliance, Risk and CoSec.
  - Minimum standards are defined and communicated to support monitoring and reporting of ongoing compliance with prescribed responsibilities.
  - End-to-end SMCR processes and procedures are documented (incorporated into an organisation’s process catalogue), setting detailed standards, requirements, and templates. Processes include triggers and handoffs, stakeholder/functional ownership and interactions and key controls, including review, sign offs and record keeping.
  - Oversight mechanisms are in place to manage the complex interrelationships and cross functional engagement in relation to regulatory documentation (Responsibilities Maps, Statements of Responsibilities) and interactions.
  - Technological solutions are considered to support regulatory documentation management and to address the administrative burden and risks inherent in manual record keeping.
- Conduct Rules, risk management and awareness:
  - Conduct and Conduct Rules are integral to a firm’s risk management framework and processes.
  - Risk universe/taxonomy is aligned to Conduct Rules and prescribed responsibilities. This supports regular risk and control monitoring and assurance across the three lines of defence, for example controls testing in the first line or Compliance end to end process reviews.
  - A ‘conduct lens’ is applied to risk assessment, root cause analysis and incident management processes. Conduct-related risks and issues are explicitly recorded and tracked and support the conduct breach management and reporting processes.
  - Conduct Rules are integrated into the firm’s code of conduct and culture initiatives. Conduct communications, feedback, breaches and incidents are incorporated into a firm’s wider culture metrics.
  - The SMCR and the Conduct Rules are a component of training at induction and through ongoing learning for all employees. Training is tailored by role and incorporated into wider learning management processes and plans.
We have worked with over 100 firms to shape and review their SMCR implementation, embedding activities and providing practical, pragmatic input and support. At Deloitte, we can bring a breadth of skills and expertise to scope and deliver review and assurance activities and to design and build tailored training and awareness support.
For further information on the SMCR or how the team can support, please do not hesitate to reach out to one of the contacts below.
- Cindy Chan, Partner, Risk Advisory
- Nikki Lovejoy, Partner, Risk Advisory
- David Clements, Partner, Risk Advisory
- Lyndsey Fallon, Partner, Audit and Assurance
- Dominic Graham, Director, Risk Advisory
- Julia Fachon, Director, Risk Advisory
- Rebecca Walton, Senior Manager, Risk Advisory
You can also read more in our latest SMCR report.