The One Regulation to Rule Them All: UK SMR/CR & Cascading Regulations

Written by The GRC Pundit

Published on2018-10-09Updated on2018-10-12Discussion1 Comment on The One Regulation to Rule Them All: UK SMR/CR & Cascading Regulations

For those of you on this list that know me on a personal level, I am a huge Tolkien fan. In fact, I am just a Master’s thesis away from my M.A. in Church History and the thesis is on the influence of Medieval theology, particularly Aquinas, on J.R.R. Tolkien and his works (my particular focus in Church History in general is medieval British Church history which fascinates me).

One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.

I just got off the phone with a deep discussion on the UK SMR/CR as well as the other copy regulations coming out of Australia, Singapore, Hong Kong, Japan, Ireland, and more. I explained that the UK SMR/CR is the One Regulation to rule all other risk, compliance, and control regs. The whole point is to put personal accountability and responsibility to senior executives and directors for risk and compliance. It is the regulation that enforces all the others and binds them.

The UK Senior Manager’s Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclay’s CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations as well as risks are properly managed in the organization.

Compliance to UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects.

This impacts every area of GRC in financial services. One firm I talked to told me this is what is keeping them up at night from a governance, risk management, and compliance (GRC) perspective. The other day I had a phone call with a mid-sized financial services firm in the United Kingdom. They are seeing a lot of interest and ownership of GRC processes by senior executives and directors as they are now personally accountable because of UK SMR/CR. They are using risk management to help these business leaders understand their business and risk exposure, and in this context track accountability. One major UK bank told me they have applied UK SMR/CR to third party management, making business leaders (e.g., executives, directors) accountable and personally liable for risk and compliance failures in third parties. In a recent interaction I had, the Head of Risk Frameworks at a UK financial services company stated:

“SMR is the UK’s equivalent of Sarbanes Oxley and will be interesting to see what happens in Australia. But maybe it’s still early days and people think they can get by with what they have. When a high-profile executive lands behind bars or a sizeable number of fines are dished out, then I guess we’ll see the market pick up.”

This regulation is more than an HR issue, it is a governing umbrella of all risk and compliance. Foundationally, organizations have to map risk and compliance roles/responsibilities to senior executives and directors. It requires that organizations track responsibilities and accountabilities for risk and compliance to senior business leaders and track awareness and accountability of these individuals. This in turn drives greater need for transparency and awareness of risk and compliance down into the business. Policy management is a critical concern to communicate policies to senior leaders and track attestations and awareness of accountabilities. But it does not stop there. You have to be able to communicate risk, compliance, and control to these individuals. They cannot accept accountability if they have no way of measuring and being informed of risk and compliance. This makes UK SMR/CR (and other similar legislation in other jurisdictions) the governing umbrella of all risk and compliance obligations and requirements. Organizations need to map and report on risk and compliance across regulations to these roles.

Managing this process in documents, spreadsheets and emails and manual processes will be time consuming and at the end of the day not have the proper audit trail and system of record to show clear awareness and acknowledgement of risk and compliance by senior executives. Organizations need technology to enable the mapping of risk and compliance responsibilities to senior executives, with a robust audit trail to provide a system of record of communication and awareness, supported by risk and compliance reporting to inform senior executives who are now accountable to the exposure they face in the organization.

This article was originally a guest blog by GRC 20/2o @ Governor Software . . .