The deadline for solo-Financial Conduct Authority regulated companies to comply with the extension of the Senior Managers and Certification Regime is now less than a year away (December 2019) and they need to be stepping up their planning.
Near-final rules were published last summer, and accountability and governance arrangements are high on the regulator’s agenda. The scale of the task is significant: the regime requires companies to make fundamental changes to their management and governance structures.
Large amounts of new documentation will be required, and systems and processes will need to be updated.
The clear message for companies coming into the extended regime shortly, particularly large asset managers, is that they need to prepare well in advance and incorporate the lessons learned from previous implementations.
In particular, there are three common pitfalls: failing to develop a comprehensive view of accountabilities; failing to provide supportive management information; and failing to embed cultural change.
Comprehensive view essential
An accurate understanding of management responsibilities is central to implementing the SMCR.
Without this, it will be difficult to complete the production of key regulatory products such as statements of responsibilities, which set out each senior manager’s role and responsibilities; responsibilities maps, which document the management and governance arrangements of the company; or a reasonable steps framework, which outlines how senior managers demonstrate that they have taken ‘reasonable steps’ to prevent failures or regulatory breaches in their area.
Responsibilities must be identified, understood, documented, and then appropriately assigned and agreed with senior managers.
Companies should start at the top and categorise their people individually to identify the different populations required under the regime. These are the individuals who will hold senior management functions and those who will be approved as certified persons – individuals occupying specified risk-taking positions.
Then they need to consider how each individual seeks assurance for tasks that flow through their areas of responsibility, how they escalate issues, and where their responsibilities impact or touch another area.
To add further complexity, delegation of activities is common, particularly in large companies, resulting in overlaps and splits in responsibilities. Where a senior manager has delegated tasks to another senior manager, certified persons, normal staff or a governance body, that delegation of authority should be clearly defined in the statement of responsibilities (SoR).
Delegation must be balanced against the expectations of the regulator. In the case of the regime’s own prescribed responsibilities, which must also be allocated, the FCA is clear that these should be assigned to the most senior manager.
In building this comprehensive view of responsibilities, implementation programmes should collate a central source of useful, existing material such as current organisational charts, governance maps and committee terms of reference.
Engaging with senior managers early will also be crucial. Each needs to be aware of their responsibilities, and the change in the regulator’s expectations. This will embed individual accountability within the regime and will ensure success in the later stages of implementation.
Importance of information
Individuals will not, and should not, take up new SMCR responsibilities lightly, and this means potential senior managers will need enhanced management information. As many companies have antiquated approaches to producing management information, this can present a significant challenge.
Management information can often be out of date, up to a year old, or be purely reactive. Yet managers will need the right management information to effectively meet their responsibilities, and provide assurance that the regime has been implemented successfully and staff are complying with its requirements.
Senior managers will want a more real-time view of risks, as well as the effectiveness of controls in their department.
This will require management information that uses both lagging and leading indicators to help identify crystallised risks, and predict risks that are likely to crystallise in the future.
This will be a key control in mitigating the danger that senior managers are unaware of high-risk activities going on within their area of responsibility, or that they could, even unwillingly, be acting in an inappropriate manner.
Innovative technologies could also be used to develop more advanced or predictive management information to identify emerging trends or potential threats to good conduct. For example, it could be used to monitor and search staff communications for references to certain terms that may indicate rogue behaviour.
Achieving effective management information will require a structured and strategic approach, as well as recognition that just providing senior managers with management information at divisional or functional levels is not sufficient. A company-wide perspective is required and this will take time.
Culture is critical
Having an agreed set of senior managers with access to effective management information will set companies up for success, but will not ensure long-term compliance.
This will require focused changes to the culture, something that has received increasing focus from the regulator in recent years. The SMCR specifically assigns responsibility for promoting a culture of integrity, risk management and compliance to senior managers.
Senior managers therefore need to be able to understand and support a culture of accountability.
Policies and processes will only get companies part of the way there. These initiatives need to be aligned with the skills, motivations and values of individuals to ensure ongoing compliance and enable people to perform in line with expected standards.
This means SMCR programmes should work closely with human resources to develop the leadership skills of senior managers, and support them in their new responsibilities.
HR will also be able to support the implementation programme by providing the system and process changes required to deliver compliance across the company.
These could include communication and training programmes, performance management processes that evaluate the fitness and propriety of senior managers throughout the year, and modified incentive structures.
This should be backed up by robust employee record-keeping processes and technology, as well as procedures to manage the impact of breaches and suspected breaches.
Boards and senior management must also provide the time and resources to agree the company-wide values and culture, which take into account the requirements of SMCR, as well as defining how the company wants to do business and be perceived.
Compliance with SMCR is a big task. This will be harder for the solo-FCA regulated companies coming into the extended regime because they do not have the benefit of familiarity with an existing regime similar to the SMCR.
Preparing for the pitfalls and taking a pragmatic approach will be critical to ensure these companies avoid future problems.