We often advise senior managers on how to evidence that they are fulfilling their personal regulatory duties to avoid becoming the subject of regulatory enforcement action. Here are the five key steps you should take to best protect yourself.
After years of planning, the Senior Managers and Certification Regime (SM&CR) came into force for banks in March 2016 and has since been rolled-out to cover the wider financial services sector.
As the deadline for the final implementation of the certification regime and conduct rules for FCA solo-regulated firms looms on 31 March, the trigger for the SM&CR following the financial crisis – ensuring individual accountability – rings as true today as ever.
The FCA and PRA continue to launch large numbers of investigations into the conduct of senior managers, and recent FCA figures indicate that they have significantly more open investigations into individuals than into firms, a trend that is set to continue this year as the fallout from the pandemic continues.
Here are five key steps to protect yourself.
Step 1 – Initial assessment
We recommend carrying out a documented initial assessment of the risk management framework in place for your area of the business within the first two to three months of taking up your role. The purpose of this exercise is to satisfy yourself that robust processes are in place to identify and assess each of the material risks to which your area of the business is exposed.
This is likely to involve arranging meetings with the people in the business who have the best knowledge of how your area was managed before your appointment (ideally including your predecessor) and how it will be managed going forward. It should also involve meetings with Compliance, Risk and Internal Audit.
Step 2 – Ongoing reassessment
During your tenure, we advise you adopt a mindset of continuous assessment. In particular, we recommend carrying out documented annual reassessments of the risk management framework for your business area, even if nothing is going wrong.
These reassessments may include:
- Checking that the organisational structure is operating effectively.
- Checking that risks are being identified effectively within the framework.
- Reviewing the competence and capability of your direct reports.
- Assessing whether the management information you are getting and producing is appropriately detailed.
Step 3 – Reasonable Steps Assurance Framework
In order to evidence the ‘reasonable steps’ taken to discharge their regulatory duties, senior managers are increasingly producing written Reasonable Steps Assurance Frameworks. Such a framework can detail the ways in which you identify, manage and escalate risks in relation to your area of responsibility. It can also set out the types of records that may evidence the reasonable steps you take.
Regulatory investigations often commence many years after the event in question and your memory of the steps you took at the time will likely have faded. Having a document like this in place can provide a very useful aide-memoire in those circumstances.
Step 4 – Identify “red flags”
A red flag can take many forms. It may arise, for example, from a matter escalated by direct reports or others in the business, a whistleblowing report, a critical internal audit report, a skilled person report or a concern raised by the regulators (either firm specific or sector wide). It is important that any potential red flag is identified, assessed and actioned appropriately. A red flag may trigger the need to take immediate action – see Step 5 below.
Step 5 – Take prompt action when issues arise
If a problem arises in the area of the business for which you are responsible:
- Ensure pro-active steps are taken to investigate and understand it. Where an issue raises significant concerns, act quickly and decisively.
- Ensure that any concerns are appropriately escalated (including to the relevant risk committees, the board, and/or the regulator).
- Highlight concerns to internal or external auditors and, if necessary, request that they examine the operation of the relevant controls or business functions.
- Immediately, and on an ongoing basis, assess steps to remediate or address the problem.
- Consider whether the issue has wider implications in respect of the suitability of the risk management framework.
- Keep a written record (with sufficient detail) of your actions, the outcome and the reasoning behind your decisions.
The UK regulatory enforcement focus on senior managers remains extremely high, and it is therefore critical that senior managers can evidence to regulators that they are complying with their individual obligations. Following these five steps should assist senior managers in proving that they took reasonable steps to discharge their regulatory duties, in particular if the worst happens and they become the subject of a personal regulatory investigation.