Oliver Vistisen, GRC Products Director at SureCloud, explores the forthcoming extension to the SMCR regulation, and why organizations should be looking to technology to reduce its impact.
Despite being in place since 2016, the Senior Managers & Certification Regime (SMCR) has received plenty of renewed attention over recent months, and for a good reason! This blog will outline the changes to SMCR and some steps to take you towards compliance.
As of December 2019, the SMCR regulation was extended to cover all FCA Solo-Regulated firms, an additional 50,000 businesses. Previously, only the top 350 firms such as banks, building societies, credit unions, the largest investment firms and UK branches of foreign banks had to comply. Now even the smallest organisations and sole traders will have to be concerned, as will those branch owners residing beyond the UK.
Whilst the challenges posed by SMCR have been limited for larger firms, which have more experience and capacity to deal with the demands of the regulations, the resources needed to support the processes and documentation required can be substantial for smaller businesses. These firms will need to quickly assess their governance and compliance management facilities and determine how these would need to adapt to address SMCR’s requirements.
For firms experiencing the SMCR for the first time, the first step is to identify which parts of the regulation are applicable. To do so, they will need to establish which tier they belong to: Limited Scope, Core or Enhanced. Depending on their tier, they will need to scour the FCA’s 80-page handbook to determine what they do and don’t need to do. And that is just for solo-regulated firms – insurers have a separate guide altogether.
Coupled with the broader complexities of an increasing number of regulatory compliance frameworks, along with increasingly dynamic and evolving approaches to governance, these challenges mean that financial organisations will be under pressure. They will be pressed to build extra administration into every working day and to ensure that all the records they keep are accurate and up to date.
One traditional approach to recording regulatory compliance activity is the humble spreadsheet. Spreadsheets are the foundation for a vast array of core business processes and can unlock valuable intelligence and insights. While they are widely used for a reason, organisations should think carefully before building their approach for SMCR compliance around them.
Spreadsheets, like any other document-based process, rely, at least in part, on manual data entry by individual users. This may be appropriate and unproblematic for some tasks; however, it may cause problems for tasks encompassing particularly large volumes of dynamic data, such as SMCR compliance, which will need to account for staff churn within the organisation. Where information regularly needs updating or amending, spreadsheets can become cumbersome and error-prone.
Remember that the SMCR does not just apply to senior managers and certified persons – it will require all personnel in the applicable organisation to undergo some training. This training then needs to be recorded and evidenced, and this is before we even get onto all of the technical and process boxes that need to be ticked by senior managers. Are spreadsheets really the most appropriate format for capturing this information – and keeping it updated on an ongoing basis?
When different stakeholders need to access and, crucially, update the same centralized data source, spreadsheet data can be inconsistent, with errors made in the entry. This can cause problems in terms of consistency and efficiency. They can slow organisations down rather than speeding them up. Neither businesses nor the regulators themselves want regulatory compliance processes to become a substantial brake on business innovation and growth.
As recently reported in the Financial Times, an accurate understanding of management responsibilities is a key starting point for SMCR compliance, and senior managers will also need enhanced management information. In other words, comprehensive visibility of consistent information is the vital foundation of SMCR compliance – and this should direct organisations building up to the SMCR towards more specialist technology solutions than manual spreadsheets and emails.
Most technology suppliers working in the SMCR compliance field take one of two broad approaches. They either focus on reconciling – that is, guiding their customers through the various requirements of the compliance framework in question – or they focus on HR – that is, profiling the employees within the organisation. The latter approach clearly focuses more closely on the training and education side of the SMCR, enabling organisations to gain a top-level view of all staff and how far their compliance training has progressed. Such an approach needs to account for continually adding new employee profiles as new individuals join the business.
Organisations can strike the perfect balance between being guided through the technical processes they need to undertake and keeping track of the training and development all of their staff need to undergo. Compliance software that approaches financial organisations as legal entities with their own internal personnel hierarchies can help them achieve this.
The most useful approach will be to choose software that focuses on building a centralized register of all the roles and responsibilities within the organisation, the employees that hold them, and how those roles map onto functions defined within the regime. In turn, this would facilitate the technical processes necessary to achieve and maintain compliance, and ensure that the appropriate training and education stipulated by the framework is applied to roles rather than individuals. As employees move into different positions, or leave, or join the organisation, the software solution is still in place to guide the organisation through compliance.
This is far quicker, more accurate and less cumbersome than using a series of spreadsheets, emails, and communication channels to manage these particularly personal aspects of SMCR compliance. Spreadsheets are still a vital business tool – just not when it comes to SMCR.
SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.