GOVERNANCE, PROCESS AND CONTROL MAPPING
The UK’s new Senior Managers and Certification Regime has the potential to become a global blueprint for accountability. Smart banks are using it as a catalyst to change their culture and processes and make their relationships with regulators more transparent. The SMCR is an opportunity to improve the clarity, process and documentation of governance frameworks and to simplify them to create more efficient and effective controls.
In preparing for the SMCR, each firm is required to determine who the Senior Management Function holders are and to document the governance structure, including Control Functions. The end product of the design exercise will be the Responsibilities Map.
The Responsibilities Map must be kept up-to-date as personnel change and the firm’s operations and structure evolve. Firms should have a process to review and sign off any changes and appropriate record keeping to retain copies of which version of the Map was in force at any point in time.
STATEMENTS OF RESPONSIBILITY
Once the Responsibilities Map has been created, individual Statements of Responsibility for each Senior Manager are required, making reference to the PRA list of ‘Prescribed Responsibilities’ and the FCA list of ‘Key Functions’.
When the detailed Statements of Responsibility are complete, individual attestations must be collected for all SMF holders.
Any subsequent changes will need to be version controlled and documented and stored in an auditable way to ensure that an appropriate evidence trail is created.
WHAT IS REQUIRED ON AN ON-GOING BASIS?
The SMCR covers all key senior members of a firm and the Responsibilities Map and Statements of Responsibility should cover all governance structures, operational entities, processes and controls in the firm albeit at a high level.
The Senior Manager Conduct Rules require that a Senior Manager must take “reasonable steps” to:
- Control the business effectively
- Comply with regulatory expectation
- Delegate authority to competent people
- Disclose bad conduct or reckless behaviour to the Regulators (‘Whistleblowing Clause’)
For a Senior Manager to be able to confidently attest that their area of responsibility is controlled effectively and complies with the relevant requirements and standards of the regulatory system, they need to be able to demonstrate that they understand the processes and controls within the areas they are responsible for.
The regime requires robust and well-evidenced governance frameworks, including clear articulation of legal entity-level committee structures and their respective roles and responsibilities. Enhanced management information and escalation routes will be necessary to achieve an effective and integrated organisational structure.
ALIGNMENT OF OBJECTIVES AND RISK APPETITE
For individual Senior Managers to discharge their ‘duty of responsibility’ under the Senior Managers Regime, their individual objectives and risk appetite should be aligned to those of the Bank overall, as determined by the Board and the Executive.
GLOBAL VERSUS LOCAL GOVERNANCE
The SMCR views management responsibility and accountability in terms of legal entity governance, but most global banking businesses are managed in global business lines that cut across legal entity structures. Large global banks will have to demonstrate how they manage risks at a local legal entity level rather than just at a global level.
PROCESS EXECUTED BY THIRD PARTIES
The growing trend of process outsourcing, use of industry utilities, etc. means that a range of processes for which a Senior Manager is ultimately responsible will be executed by third-party firms of which the Senior Manager is a customer rather than an executive manager. The Senior Manager will need to demonstrate that the processes executed by the third party are understood and that the interfaces and controls between bank and third party are effective.
ANNUAL APPROVAL OF CERTIFIED MANAGERS
Senior Manager Conduct Rule 3 requires that “any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively”.
Firms will require a robust governance structure around this and will have to evidence the certification decisions made. It is likely that individuals who have previously been told to improve their standards in an assessment review might now be removed from their jobs or reported to the FCA for breach of conduct rules, either within a year or, if the issues were serious enough, immediately.
PROCEDURES AND CONTROLS
The SMCR will require robust oversight and assurance processes through the three lines of defence model. Clearly identifying the risks to regulatory and strategic outcomes and being able to track these through the organisation will not only improve compliance and governance, but most importantly, enable better performance.
Reporting, processes and controls should be clearly aligned to the firm’s governance and risk structures.
PROCESS AND CONTROL MAPPING
Processes and controls must be understood, mapped to governance structures and demonstrably adequate in terms of the governance, risk appetite and risk management frameworks of the firm. Are there documented controls for all processes and are they regularly tested?
Cross-entity, cross-jurisdictional, third-party and manual processes and controls require specific focus. Manual processes and controls should be mapped out, and mechanisms should be in place to test and demonstrate their effectiveness.
Procedural change should be version-controlled and introduced in a controlled manner.
The requirement is to demonstrate that the operation is “controlled effectively”.
RISK ASSESSMENT AND CONTROLS EFFECTIVENESS ASSESSMENT
The monitoring and management of risk and the regular use of risk and control assessments are essential, and results must be documented and followed up.
CAPTURE, MAPPING AND REPORTING OF OPERATIONAL LOSSES
It is necessary to assign or map operational losses/incidents to an individual Senior Manager.
CAPTURE OF CONDUCT RULE BREACHES
The capture, mapping and reporting of Conduct Rule breaches is also required, as is assignment to a responsible Senior Manager.
EVIDENCE THAT SMFS HAVE DISCHARGED THEIR ‘DUTY OF RESPONSIBILITY’
The SMR creates a ‘duty of responsibility’ on Senior Managers to take reasonable steps to prevent breaches of regulatory requirements by their firms from occurring.
A key requirement is therefore for Senior Managers to be able to provide a complete set of information that demonstrates that they have effectively discharged their duty of responsibility when making decisions and in managing and controlling the operations they are responsible for.
The use of attestations has become a regular part of the UK regulatory landscape. Personnel covered by the Senior Managers Regime, the Certification Regime and the Conduct Rules all need a mechanism to confirm and evidence that they understand their regulatory obligations and have carried them out effectively.
PERFORMANCE AND RISK OF KEY ‘SMR RELATED’ PROCESSES
HR processes such as pre-employment due diligence, on-boarding, transfer of responsibilities and exiting processes must be clear and create a documented audit-trail. Risks around these processes must be clearly understood and managed.