
Senior Managers and Certification Regime: are you resilient?

  • Describe how to ensure there is accountability in advice companies for the resilience of operational services ready for SMCR.
  • List what to do to mitigate risks from outside the company.
  • Identify the cyber risk to the business and prepare for it.
CPD: approx. 30 min

The December 2019 extension of the Senior Managers and Certification Regime (SMCR) is now looming. 

From that point, the regulation will apply to Financial Conduct Authority solo-regulated companies, pushing them to put a renewed focus on operational and cyber resilience.

There is an expectation from the regulators that operational resilience and cyber security will be taken seriously and that senior managers will be held accountable for them.

Its importance was underlined in the jointly published Prudential Regulation Authority, FCA and Bank of England Operational Resilience discussion paper, which reiterated the need for operational resilience to be on an equal footing with financial resilience.

A recently published Bank of England Financial Stability Report then made it clear that, under SMCR, the Chief Operations Senior Management Function (SMF 24) will be the individual responsible for the resilience of operations.

In light of this, firms now need to take a number of steps to make sure they are prepared.

Key questions

Make sure there is accountability for the resilience of your most critical services.

Regulators expect firms to understand the criticality of the services they provide in the context of the customers and markets they serve.

To take a simple example, the ability to sell a mortgage may not be considered as critical as a mortgage drawdown. The failure of the latter can hugely disrupt an individual’s life and possibly the wider market, while the former is likely to only impact the firm commercially.

You then need to understand the different components that make up a resilient service and recognise that having a single and senior point of accountability helps to answer the key questions in each of them.

The first question to ask is whether the technology is reliable. Is it patched and tested?

Then you need to consider whether there are skill gaps in the teams who support the service and ask what the key people risks are. That includes looking at your suppliers and checking whether they are acting to promote resilience.

It is also important to consider risks to the current service and any changes that could disrupt it.

Testing is essential in this process: managers need to check that the resilience of the service has been tested recently and that they know what to do if things go wrong.

Resilience is multi-faceted and dealing with each of these questions is likely to need specialist teams to help answer them.

However, without accountability at a senior level, where one person looks across all the component parts, several minor problems may go unnoticed that together could prove catastrophic for the resilience of the service.

Advice companies also need to think carefully about who they make accountable.


Please answer the six multiple choice questions below in order to bank your CPD. Multiple attempts are available until all questions are correctly answered.

  1. The jointly published PRA, FCA and Bank of England discussion paper emphasised the need for operational resilience to be on an equal footing with what?

  2. Is the following statement true or false? "Regulators expect firms to understand the criticality of the services they provide in the context of the customers and markets they serve."

  3. According to the author, it is rarely appropriate for accountability for resilience to sit entirely with which department?

  4. According to an FCA survey of 296 firms, how many said they include third parties in their resilience testing and planning?

  5. The FCA reports that in what period did poor change management cause around a fifth of reported operational incidents?

  6. What does the author describe CBEST as?
