Guest Author: Michael Rasmussen, GRC Economist & Pundit, GRC 20/20 Research LLC
The UK Senior Manager’s Regime and Certification Regime (UK SMCR) is a paradigm shift in regulation and accountability. In one context, I have used the analogy that it is the “One Ring” in Tolkien’s Lord of the Rings. Instead of a ring, it is the:
One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.
UK SMCR is a significant challenge for financial services firms. This year, the Financial Conduct Authority (FCA) is applying the regulation to all firms governed by the FCA: over 58,000 organisations. It is the governing regulation of all regulation and risk, as it enforces senior manager/executive accountability for all aspects of risk and compliance. UK SMCR puts personal accountability on senior directors and executives if there is negligence or lack of due diligence in managing risk, conduct, compliance, and controls. These senior managers could go to jail or be personally fined (and their organisation cannot reimburse them). It is the UK SMCR regulation that sees that other risk and compliance is properly managed across the organisation. For example, Barclays’ CEO was recently fined £640,000 personally under UK SMR/CR.
This is a significant shift from responsibility to accountability. The difference may seem subtle, but it is real. Accountability means ownership. Being accountable includes being responsible for something, but it is more than that: it means that an individual, in this case a senior manager, is ultimately answerable for the actions of an organisation. They own the risk, and if the organisation is not diligent, they are personally liable. This is the paradigm shift in regulatory oversight for governance, risk management, and compliance (GRC).
Compliance with UK SMCR is a huge issue and is the next wave of GRC accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Australia’s BEAR regulation (Banking Executive Accountability Regulation) is modelled after SMCR. Similar regulations are developing in Hong Kong, Singapore, Japan, and Ireland, and, I recently heard, Spain. New York has requirements that are focused on the board of a financial services firm.
This impacts every area of GRC in financial services. The Risk Officer at an electronic trading platform firm stated this is the most significant thing keeping them up at night. The other day I had a phone call with a mid-sized financial services firm in the United Kingdom. They are seeing increased ownership of GRC processes by senior executives and directors, as these individuals are now personally accountable because of the Senior Manager’s Regime and Certification Regime. They are using risk management to help these business leaders understand their business and risk exposure, and in this context to track accountability. One major UK bank stated they have applied UK SMCR to third-party management, making business leaders (e.g., executives, directors) accountable and personally liable for risk and compliance in third parties.
The regulation is more than an HR issue; it is a governing umbrella of all risk and compliance activities. Foundationally, organisations have to map risk and compliance roles/responsibilities to senior executives and directors. It requires that organisations track responsibilities and accountabilities for risk and compliance to senior business leaders and track awareness and accountability of these individuals. This, in turn, drives a greater need for transparency and awareness of risk and compliance down into the business. Policy management is a critical concern to communicate conduct and related policies to senior leaders and track attestations and awareness of accountabilities. But it does not stop there. You have to be able to communicate risk, compliance, and control to these individuals. They cannot accept accountability if they have no way of measuring and being informed of risk and compliance. This makes UK SMCR (and similar legislation in other jurisdictions) the governing umbrella of all risk and compliance oversight and accountability.
UK SMCR should not be approached haphazardly as a manual process in documents, spreadsheets and emails. That approach is time-consuming. It also means you will not have the proper audit trail and system of record to show clear awareness and acknowledgment of risk and compliance by senior executives. Organisations need UK SMCR software to enable the mapping of risk and compliance responsibilities to senior executives, with a robust audit trail to provide a system of record of communication and awareness, supported by risk and compliance reporting to inform senior executives who are now accountable for the exposure they face in the organisation.
Senior Managers are not alone in feeling weary and apprehensive about the accountability they are now burdened with. Accountability requires great responsibility to ensure that risk, compliance, and controls are appropriately managed throughout the organisation. This reminds me of when Frodo himself was concerned with the burden of the One Ring that was laid upon him:
Frodo: I wish the ring had never come to me. I wish none of this had happened.
Gandalf: So do all who live to see such times, but that is not for them to decide. All you have to decide is what to do with the [ACCOUNTABILITY] that is given to you.
Accountability is there and it’s not going away. It is up to the Senior Manager to accept this accountability and move forward in ensuring that the organisation is properly governed, that risk is managed, and compliance is addressed.