Efficiency & Agility in Accountability Compliance – SMCR, BEAR, SEAR, MIC, GIAC
Accountability is More Than Responsibility
There is a difference between accountability and responsibility. An individual or organization can outsource or delegate responsibilities, but one cannot do so with accountability. To address the breadth of compliance and ethics failures, as well as risk management, in financial services there have been a growing array of accountability regulations sweeping the world.
It all started with the United Kingdom’s Senior Managers & Certification Regime (UK SMCR). This put accountability on senior management functions (SMFs) for failures in risk, compliance, control, and ethics. If there is willful wrongdoing, these SMFs can go to jail. If there is negligence or lack of due diligence in compliance, risk, control, or ethics, these SMFs can be personally fined from their personal bank accounts. This framework has sped around the world in Australia’s Banking Executive Accountability Regulation (BEAR), Ireland’s Senior Executive Accountability Regulation (SEAR), Hong Kong’s Managers in Charge Regulation (MIC), and now the stringent requirements in Singapore’s Monetary Authority’s Guidelines on Individual Accountability and Conduct (GIAC). These regulations have a global impact; I have talked to several financial services firms headquartered in the USA that are struggling to comply with accountability regulations because they have operations in these countries.
I am a J.R.R. Tolkien fan, so I have characterized accountability regulations as the one ring in Tolkien’s Lord of the Rings. It is the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them. Accountability regulations are the uber regulation that puts the sharp teeth of personal accountability to enforce other regulations and ethical practices. I will be presenting on this in the webinar Escaping the SMCR Quagmire.
There are various stages of compliance. In the context of UK SMCR (noting there are other regimes I have mentioned), solo-regulated firms are just coming into the spotlight. Larger firms have been dealing with this for the past few years, but at various stages. Even these large firms have a looming requirement coming up (postponed by the FCA from December 2020 to March 2021) to communicate conduct rules (which are policies) to all employees (except ancillary staff like receptionists and caterers). This requires communicating one or more policies to every employee and documenting that communication (e.g., attestation). Already these firms have had to document SMFs, certify staff, get approval from regulators, and regularly communicate conduct rules to SMFs and certification staff. Now it extends to all employees (except ancillary staff).
Making Accountability Compliance Efficient, Effective, and Agile
What is becoming apparent is that the ongoing management of accountability regulations, the reporting to regulators, the certification of SMFs, the communication of conduct rules on a regular basis with documentation of communication and attestation, the definition and maintenance of accountability and responsibility maps . . . this is not going away. As financial services firms grapple with ongoing and continuous compliance they are now looking for ways to automate the process.
The approach many firms have taken to accountability regulations is very typical of other regulations, such as when Sarbanes-Oxley first hit us in 2002. For the first year or two, firms use manual processes involving lots of documents, spreadsheets, and emails. Then, as they build their process, address compliance, and realize that this obligation for oversight and reporting is not going away but continuing, they start to look for technology to automate the process and make it more efficient, effective, and agile. The regulators also crack down, as the audit trails (system of record) are weak and not defensible in manual processes that rely on documents, spreadsheets, and emails. On top of this, business is changing minute-by-minute and second-by-second. Processes change, management changes, employees change, risk changes, regulations change. This all means that accountability compliance has to be agile in a dynamic, distributed, and disrupted business environment. Manual processes with documents, spreadsheets, and emails are cumbersome, slow the organization down, and certainly are not agile.
Technology for accountability compliance falls into three areas:
- Solutions focused on aspects of the regulations. Organizations here look for solutions to manage and automate aspects of the regulation, but not the entire regulation. This most often is a policy management solution to communicate conduct rules and track attestations to those rules to provide a documented system of record of these communications. Think about it, if you are a firm with thousands of employees, then manually communicating, tracking, monitoring, and reporting on the communication of conduct rules becomes very time consuming quickly.
- Solutions for full accountability compliance. These are solutions built for the regulations (e.g., UK SMCR, BEAR, SEAR, MIC, GIAC). The solutions are designed to manage the process of defining senior management/accountable functions, building responsibility/accountability maps, certifying functions and staff, reporting and interacting with the regulators for approvals of staff, and communicating conduct rules/policies to all employees.
- Solutions BECAUSE of accountability compliance. This is the interesting one that has come up a lot this past year. These are not solutions to manage the specific requirements of compliance in the accountability regulation. These are solutions BECAUSE of the regulation. Think about it: if you are an SMF who is personally accountable for an area of ethics, compliance, risk, or control – such as vendor risk, GDPR, or operational resiliency – then you will want to make sure your organization is properly managing this area, and you will want visibility into it. After all, it is your personal bank account on the line (or possible prison time).
The good news is that technology delivers across these functions. Technology relieves the burden of ongoing compliance monitoring and reporting. It makes accountability compliance efficient by reducing the human and financial resources required, more effective through a strong system of record and audit trail with fewer things slipping through the cracks, and agile in keeping compliance current in a dynamic business environment where risks, processes, regulations, and particularly employees such as SMFs are changing constantly. Again, I will be presenting on this in the webinar Escaping the SMCR Quagmire (the details of which also apply to BEAR, SEAR, MIC, and GIAC).
How is your organization approaching accountability compliance?
I had not seen the concept of “Solutions BECAUSE of Accountability Compliance” articulated like that before. I like the clarity it brings. This idea is part of what is driving complexity for GRC technology vendors. No solution can hope to provide your first two levels as well as all of the ‘because of’ solutions. It means that integration is becoming increasingly critical. GRC solutions need to be more open and connected. They need to amalgamate information to bring it to the executive and board level; but cannot hope to do all these functions themselves. To date, this has been difficult because of the sheer variety of systems we need to integrate together. But the technology of integration is developing rapidly and is now available to make connecting all these systems possible at a reasonable cost for the first time.