By Ruairi Nash, Director, Head of Relationship Management & Solution Engineering (EMEA), StarCompliance
The Senior Managers and Certification Regime (SMCR) has been in place for more than six years now, but that doesn’t mean financial firms and compliance teams aren’t still experiencing challenges with the change. Initially, the main focus was on getting to the deadline, but attention has now turned to effectively embedding SMCR into an organization. Has the company done enough to implement the SMCR regulations? Has it done anything to improve the conduct of employees involving regulated activities? Does it have the right framework in place to effectively manage conduct within a team?
And with entire teams now working from home—as a result of the pandemic—implementing and maintaining an effective SMCR framework has become an increasing challenge. It takes more than ticking a box, but this is often the approach when a firm starts going through the process of embedding a new regulation into operations. If you were to look at where most firms started with the SMCR process, the approaches put into place were more like “initial interpretations” of what the regime would eventually permanently institute. In the end, it’s really about getting to a framework that fits culturally within a particular firm.
Obviously, firms have official rules and guidance to go by. However, all associated practices must work for the firm itself. If you were to view the current state from a certification standpoint, for example, how do you measure whether employees are competent and capable? You need the right metrics to fully grasp where the risk sits within the organization. In turn, this requires a means for bringing together all the data to compile evidence on whether team members are fit and proper and competent, not simply certified. Certification is not nearly enough, especially when responsibility for wrongdoing rests on the shoulders of senior managers, even if they themselves have no involvement in cases of misconduct.
With the addition of the Financial Conduct Authority (FCA) directory requirements, larger firms face huge hurdles in both cost and time getting SMCR woven properly into firm operations. Seven days may not sound like an unreasonable deadline at first, but multiple changes to the circumstances around individual roles within a company can make that turnaround time feel rather tight. If you don’t yet have an automated solution in place, manual processes will require additional resources to support the necessary oversight to meet submission deadlines. During times of high turnover, a task such as this can become increasingly burdensome and is prone to human error.
Is culture the answer to SMCR compliance?
The solution to sustaining proper SMCR oversight may come down to one factor: organizational culture. Culture impacts almost everything within an organization. It lives in the firm’s DNA and can be seen as the golden thread that runs throughout everything. So it stands to reason the same would hold true for establishing, embedding, and maintaining an SMCR framework. The culture of your firm inextricably impacts conduct.
Just consider culture in relation to retention efforts. Culture fit has long been considered the most important aspect of retaining top talent, and the main drivers of culture — at least for regulated firms — are leadership, people policies, purpose, and governance. Should any one of these factors be lacking, consider that a cultural change is necessary. For many firms, SMCR has served as the staging ground to make cultural changes possible. One recent survey found that 94% of senior managers felt that SMCR brought about positive changes to behaviors after integrating the new regulations into internal practices.
Beyond that, the talent market is getting tighter and tighter by the day. Whether active or passive, job seekers enjoy the luxury of being much more discerning in their choice of employment. The culture of your firm will be one of the factors for whether talent applies for an open role. SMCR has impacted culture, and it pays to review the effect it’s had on the people within your organization aside from their conduct.
After all, the FCA introduced the regulation to improve the overall culture of the financial industry. If you haven’t taken that change as an opportunity to reexamine your culture, the time to do so is now. A culture of compliance can be difficult to come by, and you’ll need to put in the effort to ensure that your firm effortlessly checks all the regulatory boxes without eroding any of the positive aspects of your original workplace environment.
Maintaining SMCR frameworks going forward
Even with a solid culture in place, establishing, embedding, and maintaining SMCR frameworks can still be a challenge and a high bar for many regulated firms. Fortunately, answers are available, and many of the solutions can be easily implemented into operations. The following areas are often the best places to start:
- Find the means to readily surface information.
With the responsibility of a firm’s activities shifting largely onto senior managers, a golden thread of the right information can offer the clarity needed across a network of employees, often in disparate locations. SMCR technology yields this thread. First and foremost, it can serve as a centralized repository of SMCR-related information. Consolidating all the necessary details on roles, certifications, conduct, and more within a sole platform provides greater visibility and allows stakeholders to immediately monitor whether a risk might emerge in a particular area of the company.
Readily available information, however, isn’t the only advantage of investing in the right technology. Automation capabilities have also become a critical component of compliance. Leaving more repetitive processes to software solutions not only frees up employees’ time for higher-value work, but also eliminates the potential of human error. Naturally, this provides greater protection from a regulatory standpoint. Your company is operating off reliable data, enabling senior leaders to hold team members accountable and minimize compliance risks. Should there be a need, regulatory documents are at the ready in a matter of moments.
- Delegate communication responsibilities to a trusted member of the team.
Often, SMCR compliance requires day-to-day responsibilities that are far-reaching and broad, which can be challenging for a single person to handle effectively. In these cases, it may be necessary to delegate this task to a senior member of the team, who can keep all co-workers informed and feed information to the accountable senior manager. While this can be a great solution, it’s also important to simultaneously have a protocol in place to document expectations of this process. Ultimately, it’s the senior manager who will be held accountable should something go wrong, so that person must provide the same information to all parties and provide clarity to ensure reasonable steps can be taken to mitigate risks. By creating a clear process for senior managers to follow, they also get back time they can use to focus on higher-level tasks knowing nothing is being lost in the communication stream.
- Prepare for when things go sideways.
Although risk and controls are effectively managed in a well-functioning and structured firm, it feels inevitable that things can and will go wrong. The key is to plan ahead by mapping out potential scenarios and then consider the necessary sequence of events to remedy these issues. The exercise will likely bring up questions in need of answers. Is there a reporting mechanism in place to alert stakeholders? How much of a warning will senior managers need to mitigate an issue or take action to rectify the situation? What reasonable steps should someone take in the event of scenario A, B, or C? How should the event be documented?
Compliance officers will want to review the situation to determine whether the actions taken within the first line of defense can stand up to the scrutiny of the second or third line of defense. If a training requirement need comes out of the situation then, again, the information can be linked to it. Besides, senior leaders will want accurate documentation to offer evidence of all activities surrounding the event, rather than speaking to the issue from memory.
In my earlier career, I worked in risk and control assessment. During any risk-based or thematic review, evidence was a necessity — for bad and good alike. Those same details also allowed leadership teams to work real-life scenarios into their development framework, helping to ensure that members of the team possessed a good level of competence when risk is at its highest.
- Look toward improvements.
No matter the organization, there will always be room for continuous iterative improvements. It all comes down to the review and analysis surrounding an operation. For instance, you could look at the metrics drive, and the data available might provide insights on whether a team has better behaviors and/or better performance. Then, you can start questioning what is and isn’t working: Are behaviors and performance intrinsically linked or bifurcated? Perhaps the framework requires further development, or maybe the competence of certain team members requires serious attention.
Any improvements you can make to the framework, talent, skills, and culture can be of benefit to the business. It also can be advantageous to clients. Delivering good outcomes is driven by the competence of the team, and that competence directly (or indirectly) relates to the health of organizational culture. It shouldn’t be about simply ticking a box but improving and maintaining the culture at large.
As with many aspects of any business, data will be key to overcoming any struggles your firm is currently experiencing. Data feeds key performance indicators, highlighting the true risk within a business or within a network. This then allows you to focus your resources, either on a particular theme that’s coming out of the information or just on individuals who require further support and attention. Benefits can always be found in having the steps in place to swiftly correct issues and recalibrate risk models to the current environment.
Data is also essential to delivering good outcomes. It’s not just enough to remain compliant; you must strive to provide a degree of assurance for those your firm serves. Sustainable compliance comes down to striking a balance between efficiency and effectiveness. Companywide, people must be enablers of the business as well as provide evidence that everything is still running appropriately. By prioritizing this culture transformation, you can be both competent and compliant, not just one or the other.