Is SMR & CR, the UK Financial Services biggest challenge for 2018?
Guest Author: Michael Rasmussen
GRC Economist & Pundit
The UK Senior Manager's Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclay's CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations as well as risks are properly managed in the organization.
Compliance to UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects.
This impacts every area of GRC in financial services. One firm I talked to told me this is what is keeping them up at night from a governance, risk management, and compliance (GRC) perspective. The other day I had a phone call with a mid-sized financial services firm in the United Kingdom. They are seeing a lot of interest and ownership of GRC processes by senior executives and directors as they are now personally accountable because of UK SMR/CR. They are using risk management to help these business leaders understand their business and risk exposure, and in this context track accountability. One major UK bank told me they have applied UK SMR/CR to third party management, making business leaders (e.g., executives, directors) accountable and personally liable for risk and compliance failures in third parties. In a recent interaction I had, the Head of Risk Frameworks at a UK financial services company stated:
“SMR is the UK's equivalent of Sarbanes Oxley and will be interesting to see what happens in Australia. But maybe it's still early days and people think they can get by with what they have. When a high-profile executive lands behind bars or a sizeable number of fines are dished out, then I guess we'll see the market pick up.”
This regulation is more than an HR issue, it is a governing umbrella of all risk and compliance. Foundationally, organizations have to map risk and compliance roles/responsibilities to senior executives and directors. It requires that organizations track responsibilities and accountabilities for risk and compliance to senior business leaders and track awareness and accountability of these individuals. This in turn drives greater need for transparency and awareness of risk and compliance down into the business. Policy management is a critical concern to communicate policies to senior leaders and track attestations and awareness of accountabilities. But it does not stop there. You have to be able to communicate risk, compliance, and control to these individuals. They cannot accept accountability if they have no way of measuring and being informed of risk and compliance. This makes UK SMR/CR (and other similar legislation in other jurisdictions) the governing umbrella of all risk and compliance obligations and requirements. Organizations need to map and report on risk and compliance across regulations to these roles.
Managing this process in documents, spreadsheets and emails and manual processes will be time consuming and at the end of the day not have the proper audit trail and system of record to show clear awareness and acknowledgement of risk and compliance by senior executives. Organizations need technology to enable the mapping of risk and compliance responsibilities to senior executives, with a robust audit trail to provide a system of record of communication and awareness, supported by risk and compliance reporting to inform senior executives who are now accountable to the exposure they face in the organization.
Governor Software provides the SM&CR regulations as a set of maps that can be used by clients to understand the various obligations and then to link their policies and controls to those items to evidence the completeness of their “Reasonable Steps Framework”. As the FCA updates the SM&CR regulations, Governor will provide our clients with updates to their maps and the system will automatically notify the relevant staff (policy owners, control owners, etc.) of the changes.
Would you like to learn more about SM&CR - Why not join Governor Software and Trailight at the Infoline event on September 18th.
Governor Software will be exhibiting at the upcoming infoline conference prior to running a workshop in conjunction with Infoline and Trailight on September 19th on "Becoming SM&CR Compliant". To learn more about the conference agenda you can visit the conference website here.
As a Sponsor - Governor Software are able to offer those who wish to register a 30% discount to take advantage of this discount please email email@example.com.
Find our more about Governor Software in the attached GRC 20/20 Review
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC). With 24+ years of experience, Michael helps organizations improve GRC processes and choose technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in 2002 while at Forrester.