SMCR Responsibilities – Documenting Risks and Controls

In light of the turbulence caused by the Covid-19 pandemic, SMCR may have been pushed down the priority list for most firms for now. The disruption has however given rise to a number of practical and compliance challenges which have a direct and imminent impact on SMCR.

The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) in recognising this, issued a joint statement reminding firms of their obligations in these challenging times. A separate statement was also issued by the FCA setting out their expectations for solo-regulated firms.

At the core of these statements is recognition by the regulators that the current operational challenges could result in significant changes to Senior Managers’ responsibilities. In the event of any such changes, firms have an ongoing obligation to revise and resubmit Statements of Responsibilities. Additionally, there is a requirement that firms continue to ensure that Senior Managers are fully briefed on their areas of responsibility and:

Identify instances where the current situation might lead to emerging risks in a Senior Manager’s area of business
Evaluate the effectiveness of any controls used to manage identified or emerging risks.

Whilst there is no prescriptive approach to documenting risks and controls linked to a Senior Manager in SMCR, reliance on spreadsheets and disparate manual and electronic folders may have a detrimental impact on a firm’s ability to demonstrate compliance should any issues or breaches arise in future.

How do you articulate and document your firm’s overall risk management and control framework?

The following is a non-exhaustive set of practical considerations around the documentation of risks and controls for Senior Managers and any stakeholders responsible for managing compliance with the regime, especially in these challenging and turbulent times:

Do SMFs have sufficient visibility over key risks and controls in their areas of responsibility?
How are risks and controls currently documented – in Excel spreadsheets or PowerPoint files?
Is there a comprehensive library of controls in place to mitigate all SMCR related risks and business areas?
Are risks and controls appropriately linked back to corresponding SMF responsibilities?
How are regulatory and individual conduct breaches tracked?
How do you identify, monitor and remedy gaps caused by regulatory changes?

These are unprecedented and challenging times; the key message from the Regulators to firms is that they continue to develop and implement mitigating actions and operate an effective control environment to support current processes which may have been reliable historically but may not prove effective in the current climate.

Our goal at Ruleguard is to work with SMCR project leads and compliance teams to eliminate the inefficiencies associated with the manual maintenance of large risk and control frameworks. Simple matrices for small firms can arguably be maintained by hand, but for larger firms a manual approach presents a lose-lose scenario: completeness without practical utility, or vice versa. At Ruleguard we work with some of the largest global firms to support both objectives: a complete risk and control framework that is practical, usable and delivers daily governance benefits.