Is SMR & CR the UK Financial Services' biggest challenge for 2018?
GRC Economist & Pundit
Compliance with UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift toward personal accountability and responsibility for senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar legislation or regulation developing in varying aspects.
This impacts every area of GRC in financial services. One firm I talked to told me this is what is keeping them up at night from a governance, risk management, and compliance (GRC) perspective. The other day I had a phone call with a mid-sized financial services firm in the United Kingdom. They are seeing a lot of interest and ownership of GRC processes by senior executives and directors as they are now personally accountable because of UK SMR/CR. They are using risk management to help these business leaders understand their business and risk exposure, and in this context track accountability. One major UK bank told me they have applied UK SMR/CR to third party management, making business leaders (e.g., executives, directors) accountable and personally liable for risk and compliance failures in third parties. In a recent interaction I had, the Head of Risk Frameworks at a UK financial services company stated:
“SMR is the UK's equivalent of Sarbanes-Oxley and it will be interesting to see what happens in Australia. But maybe it's still early days and people think they can get by with what they have. When a high-profile executive lands behind bars or a sizeable number of fines are dished out, then I guess we'll see the market pick up.”
This regulation is more than an HR issue; it is a governing umbrella of all risk and compliance. Foundationally, organizations have to map risk and compliance roles and responsibilities to senior executives and directors. They must track responsibilities and accountabilities for risk and compliance to senior business leaders, and track the awareness and accountability of these individuals. This in turn drives a greater need for transparency and awareness of risk and compliance down into the business. Policy management is a critical concern: policies must be communicated to senior leaders, and attestations and awareness of accountabilities must be tracked. But it does not stop there. You have to be able to communicate risk, compliance, and control to these individuals. They cannot accept accountability if they have no way of measuring and being informed of risk and compliance. This makes UK SMR/CR (and similar legislation in other jurisdictions) the governing umbrella of all risk and compliance obligations and requirements. Organizations need to map and report on risk and compliance across regulations to these roles.
Managing this process with documents, spreadsheets, emails, and manual processes will be time-consuming and, at the end of the day, will not provide the proper audit trail and system of record to show clear awareness and acknowledgement of risk and compliance by senior executives. Organizations need technology to enable the mapping of risk and compliance responsibilities to senior executives, with a robust audit trail to provide a system of record of communication and awareness, supported by risk and compliance reporting to inform senior executives, who are now accountable for the exposure they face in the organization.
Governor Software provides the SM&CR regulations as a set of maps that can be used by clients to understand the various obligations and then to link their policies and controls to those items to evidence the completeness of their “Reasonable Steps Framework”. As the FCA updates the SM&CR regulations, Governor will provide our clients with updates to their maps and the system will automatically notify the relevant staff (policy owners, control owners, etc.) of the changes.
Governor Software will be exhibiting at the upcoming Infoline conference prior to running a workshop in conjunction with Infoline and Trailight on September 19th on "Becoming SM&CR Compliant".