Michael Rasmussen and the Mitratech GRC team are joining forces for a rather timely webinar. Our topic? How GRC managers can guard against the major SMCR compliance threat they might very well miss.
The Senior Manager and Certification Regime (known in the GRC space as SMR/CR or SMCR) requires financial organizations in the UK to map the responsibilities of senior business leaders and track their awareness and accountability. But as they rush to become compliant, these organizations may neglect to mitigate their biggest threat: their own employees.
During our webinar, which features not only Michael and me but also my expert colleague Jon Dedman, Senior GRC Consultant at Mitratech, we’ll explore these very issues.
Why are we talking about SMCR now?
In 2016, UK regulators – namely the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) – had a problem: financial corruption was ongoing and intensifying, yet with the exception of major scandals such as the LIBOR rigging, it continued to go mostly undetected. And when it was detected, the perpetrators frequently got away with just a slap on the wrist — perhaps a fine of a few million pounds, or possibly a few lower-level implementers being fired for malfeasance.
Meanwhile, the general culture of corruption went unchecked, with the leadership responsible for it staying in place. The FCA realized this culture-of-corruption problem needed to be confronted and checked – hence SMCR. At its inception, the overarching aim of SMCR was to deter misconduct by improving individual accountability and awareness of conduct issues across firms. Specifically, it focused on three core goals:
- Focus accountability for misdeeds on a narrow number of individuals at or near the top of the hierarchies of large financial institutions.
- Encourage these senior individuals to take greater responsibility for their direct actions, as well as for indirect behavior that contributes to a laissez-faire culture.
- Make it easier for regulators, auditors, and bank employees to hold specific individuals to account for malfeasance.
The intent of SMCR is clear as day in the very language of the regulation:
“The aim of the Senior Manager and Certification Regime is to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence. As part of this, the SMCR aims to:
- encourage a culture of staff at all levels taking personal responsibility for their actions
- make sure firms and staff clearly understand and can demonstrate where responsibility lies.”
See the forest, not just the sparks
So SMCR is seen by many as the most significant piece of regulation in governance terms for a very long time, backed by consequential penalties for violators. All told, SMCR could impact more than 60,000 financial organizations by the time it’s fully in place.
Michael Rasmussen is widely regarded as the “Father of GRC,” and explains that SMCR…
“…puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclays’ CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations, as well as risks, are properly managed in the organization.”
Yet for GRC managers, the real challenge is not the minutiae of what the SMCR mandates, or even the penalties it imposes. Focusing on these is akin to carrying a bucket of water to put out sparks while the forest remains as dry and flammable as tinder. Our focus cannot be narrowly set on enforcing simple compliance or limiting the damage after the fact.
SMCR and other regulations – and grassroots activism and public protests – are signs of a broader, deeper current. One that has already proven fatal for the unwary. SMCR is UK regulation, but there’s a global outcry for greater corporate responsibility and personal accountability. Much as the EU’s GDPR re-set the worldwide discussion of privacy regulation, the SMCR is being emulated around the world. Ireland, Australia, Singapore, Hong Kong, and Japan all have similar regulations under development.
In other words? There are enormous societal pressures at work that will not diminish. To meet these wholly new expectations, the true hurdle for GRC professionals will be in figuring out how to profoundly change employee behaviors and effectively enforce an ethical culture within an organization. To be frank? Yesterday’s strategies and tools are unequal to that task.
Previous processes have to be left behind
If you’re a governance professional at one of those 60,000 financial institutions, you likely have a lot of unanswered questions about SMCR. Starting with, how can you best implement the strategies and best practices needed to ensure successful ongoing compliance?
The hard truth? If you’re relying on the tools and approaches that have served you well up until now, you’re actually adding risk – not mitigating it.
Because of SMCR’s breadth, taking a manual approach, or hoping to come into compliance with existing GRC tools, is not likely to be an effective strategy. Trying to manage SMCR manually with emails, spreadsheets, and other documents will not only lead to unnecessary (and ruinously expensive) complexity, but will also vastly complicate putting in place the proper audit trail and system of record required and expected by FCA regulators.
SMCR calls for nothing less than best-of-breed technology solutions and use of the most current best practices in order to reduce the risk of breach or non-compliance, improve operational efficiency, and set yourself up for SMCR success.
A sea-change in acknowledging – and mitigating – risk
Achieving this demands revising one’s understanding of how shortfalls in managerial or workforce ethics occur. Such shortfalls aren’t a matter of plucking out the proverbial bad apples. They can stem from a business mentality that fails to educate and engage executives, managers, and employees on a continual basis, and thus fails to gain their commitment to an ethics-driven culture.
Success in this can only be built by driving a sea-change throughout every echelon of an organization – top-down and bottom-up. Ascending to the next level of SMCR maturity means thinking beyond just meeting its stated requirements. It’s about providing effective, modernized mechanisms to help senior managers and employees navigate personal accountability and mitigate that risk.
If you’re interested in learning more about these best practice strategies and what types of technology you can utilize to easily manage many of the complexities of SMCR, please join us and Michael Rasmussen during our live webinar. It promises to be a fascinating discussion, as the implications of SMCR are just beginning to take shape.