A Strategic Regulatory Management Limited briefing note on SMCR

Ian Stevenson, Managing Consultant at Strategic Regulatory Management Limited, gives his perspective on the UK Senior Managers and Certification Regime (SMCR), which comes into play in December.

“Greed is good” Gordon Gekko is remembered to have said in the 1987 film Wall Street.
And Michael Lewis, in his illuminating book, The Big Short, reveals US securities salesmen knowingly selling securities (leading up to the 2007 / 2008 financial crash) whose price they were sure was far too high to customers they disparaged as “the idiots in Dusseldorf”.

Obviously, no responsible business man or woman wants to be perceived in a similar manner to these fictional and real people.
And so we should be pleased when we recall that the UK Senior Managers and Certification Regime (“SMCR”) – which comes into play for almost all of the financial services industry in December – is a framework to help regulated financial services firms to demonstrate that they have good corporate governance and risk management practices: this should help firms, and their customers, to better understand how well they are managed.

And this is critical, because if a firm doesn’t keep its business partners or its suppliers or its employees or its customers happy, then they will possibly go elsewhere – and far quicker than any regulator can even think of acting.

Put simply, the SMCR is about preventing harm: firms must show that they’ve actively considered how conduct within their organisations has been and can continue to be improved to prevent harm.

The SMCR requires that firms are able to demonstrate that they’ve got acceptable practices with regard to their:
  • Culture
  • Corporate governance
  • Risk management
  • Management accountability
  • Honesty
  • Transparency

None of these should be alien to well-run firms – whether they operate in the restaurant, sporting, travel, or financial services sectors. In fact, they should be considered as ‘basic hygiene’ factors.

Which means that the SMCR is not a ‘one-off’ process to be done and then be forgotten about, but rather an ongoing way of firms thinking about and being able to ‘show and tell’ the way they make sure that:
a) the firm is actively planning on being around, at least for the medium term – which is good for their owners, employees, and customers; and
b) they genuinely recognise that putting their customers’ interests at the heart of their business model is nothing other than good business sense.

Because a firm that plans on surviving and thriving is much more likely to take more sensible management decisions that positively impact everyone that they come into contact with.

But what do firms actually have to do to get towards a state of SMCR nirvana?
The answer must be nuanced because, like so many questions – such as ‘how far is it to Tipperary’ – the answer depends critically on where they’re starting from.
And it is difficult to be prescriptive – as each firm must work out how to create an environment of openness where individuals feel empowered to do the right thing and to escalate conduct risks where they observe them.

What is critical is that the senior management team ‘walk the talk’ and are seen to actively demonstrate the desired behaviours themselves – in a practical way and on a day-to-day basis. And that poor behaviour from perceived ‘star’ players – whether they are money-making traders or Premier League footballers – is shown not to be tolerated and to be actively punished.

But returning to what needs to be done now – the answer is that often not a huge amount of effort is necessary: as much depends upon the storytelling – in that boards need to be able to easily articulate why they believe that they’re in a good place. But obviously, the story must be truthful.

The first – and most important – thing is for firms to look at their whole business model: from the board down to the most junior employee and from sales to people to finance to financial crime to distribution to business partners (especially for firms with expanded models where some (or much) of the business activities are performed by other firms) – and consider how well they can explain the basis on which they – personally and collectively – gain sufficient comfort that everything is working as it is expected to.
This is often from a combination of management information, written reports, risk or compliance assessments, verbal briefings, and walking around the office talking to people. All of these practices are common in large and small firms.
As an example, let us consider the firm’s most important asset – their people. How might a board determine if they need to do much for SMCR?
If the firm already has a complete suite of policies and procedures that sufficiently cover how they recruit, motivate, manage, reward, monitor, and promote their people – and have enough data to make sure that they’ve got the right people, doing the right roles, and having all the skills that they need – then all the firm needs to do when it’s writing up its SMCR plan – which is really just a big covering note to what they actually do – is to say, when explaining how it manages its people, something like ‘please see the firm’s HR policies as found in the manual / on the intranet.’
As simple as that.

However, if the board think that it needs, for example, to provide greater clarity around how they motivate their people to put customers’ needs first, then the HR team (or whoever the board asks) will need to draft that policy and then get it agreed by the senior management team and the board.

And it is imperative that the firm considers all of the other relevant areas of its activities.
To help it do so, many firms now use an SMCR risk-mapping exercise to help them to identify both the various sources of their risks (such as in marketing, or finance, or financial crime); and what needs to be done; and who is going to do it; and with what resources; and by when; and who will check that it’s been completed to the standards set by the board; and what management information will be produced to enable the senior management team and the board to keep an eye on things.

But what is absolutely critical is that the policies and processes and risk management actions must be tailored to the unique circumstances of each firm.

To take an obvious example, it would be pointless for a new consumer credit firm to have anything like the risk assessment or policies or procedures of a high street bank.
There is no ‘one size fits all’ approach – whatever some consultancies might suggest. Instead, firms should aim for a ‘fit-for-purpose’ approach that satisfies the requirements of both its regulators and its board.
Firms must be able to show the communication lines that enable information to travel up from the shop floor, ultimately to the board, as necessary for consideration – and management decisions and policies to flow in the opposite direction – with all accountable individuals identified so that, in the case of any regulatory incident, the FCA know to whom they should direct their questions, in the first instance.
And this will not normally be the firm’s compliance personnel: it will usually be the relevant business line executive(s) – such as the Sales Director or the Head of Trading.

And the best way to succeed in SMCR planning and implementation is to keep it as simple as possible. The FCA (and the PRA, if involved) will not thank you one iota for making your business look more complicated than it is.
But they will expect you to have thought through all the relevant factors that might impact upon your business model – and these should, today, include non-financial factors such as gender diversity in your senior management team(s) and workforce – as an example.

Senior regulators have commented regarding the SMCR that “Culture is like DNA. It shapes judgements, ethics and behaviours” and that successful implementation would ultimately mean that regulators eventually “find ourselves out of a job because doing the right thing has become part of the DNA” of regulated firms.
But that ideal status is probably some way ahead in the future.

The task of firms today preparing for the SMCR is to show that they are taking culture and conduct and individual accountability seriously, as one would expect given the current lack of trust in the financial services sector and regulated firms’ critical need to show that they have heard what their customers want: much greater senior management accountability.


November 18, 2019

Written by Ian Stevenson

Managing Consultant Strategic Regulatory Management Limited