Senior Managers and Certification Regime: are you resilient?

  • Describe how to ensure there is accountability in advice companies for the resilience of operational services ready for SMCR.
  • List what to do to mitigate risks from outside the company.
  • Identify the cyber risk to the business and prepare for it.
Senior Managers and Certification Regime: are you resilient?

The December 2019 extension of the Senior Managers and Certification Regime (SMCR) is now looming. 

From that point, the regulation will apply to Financial Conduct Authority solo-regulated companies, pushing them to put a renewed focus on operational and cyber resilience.

There is an expectation from the regulators that operational resilience and cyber security will be taken seriously and that senior managers will be held accountable for them.

Article continues after advert

Its importance was underlined in the jointly published Prudential Regulation Authority, FCA and Bank of England Operational Resilience discussion paper which re-iterated the need for operational resilience to be on an equal footing with financial resilience.

A recently published Bank of England Financial Stability Report then made it clear that, under SMCR, the Chief Operations Senior Management Function (SMF 24) will be the individual responsible for the resilience of operations.

In light of this, firms now need to take a number of steps to make sure they are prepared.

Key questions

Make sure there is accountability for the resilience of your most critical services.

Regulators expect firms to understand the criticality of the services they provide in the context of the customers and markets they serve.

To take a simple example, the ability to sell a mortgage may not be considered as critical as a mortgage drawdown. The failure of the latter can hugely disrupt an individual’s life and possibly the wider market, while the former is likely to only impact the firm commercially.

You then need to understand the different components that make up a resilient service and recognise that having a single and senior point of accountability helps to answer the key questions in each of them.

The first question to ask is whether the technology is reliable. Is it patched and tested?

Then you need to consider if there are skill gaps in the teams who support the service and ask, what are the key people risks? That includes looking at your suppliers and checking whether they are acting to promote resilience.

It is also important to consider risks to the current service and any changes that could disrupt it.

Testing is essential in this process and managers need to check if they have tested the resilience of the service recently and that they know what to do if things go wrong.

Resilience is multi-faceted and dealing with each of these questions is likely to need specialist teams to help answer them.

However, without accountability at a senior level where someone looks across all the component parts, several minor problems may go unnoticed but which could then end up being catastrophic for the resilience of the service.

Advice companies also need to think carefully about who they make accountable.