Navigating the Senior Managers and Certification Regime is not for the faint-hearted. Grant Thornton is helping firms stay on track, says Paul Young, a director who has been leading on the Regime since its inception.
It should be stressed that the SM&CR is more than simple form filling. There are a number of facets, such as governance, structures and organisational issues, that must be addressed. Grant Thornton was heavily involved in Phase 1 of the Regime, which included banks, building societies and credit unions, providing organisations with advisory, assurance and resource augmentation to help address the significant and complex components of the Regime. Grant Thornton is currently in discussion with a number of organisations caught within Phase 2, which is due for implementation in 2019.
Set on the path now
Although at the moment this timeline appears generous, the major lesson learnt from Phase 1 of the Regime was that “you can never start too early”. The extensive structural, governance and business practices that need to be reviewed, aligned and clarified across the senior management and certified populations require significant time investment. This will ensure the organisation structure is fit for purpose and individuals are aware of the Regime’s requirements and impact. This becomes even more complex when organisations have international operations – the Regime has no geographic borders.
When we engage with organisations, we start by asking the simple questions, such as ‘what do you do, and who is responsible?’ These questions force organisations to provide a root-and-branch account of roles and responsibilities. This is what SM&CR is all about. At the end of the day, individuals will be held personally accountable and therefore need to know their precise responsibilities.
Where firms have international linkages to subsidiaries or group head offices, reporting lines and organisational structures can bring in foreign individuals within the Regime. Dual reporting lines, both internationally and locally, can be a cause of confusion with regard to ultimate responsibility.
Know the risks
This added complexity can be particularly contentious when it comes to strategy discussions and international programmes. These issues need to be addressed early in the Regime’s design to ensure that all captured individuals are cognisant of their responsibilities and outcomes if some egregious issue arises within their function. These outcomes can include remuneration clawback, unlimited fines and even jail terms.
We have engaged with human resources and compliance functions to embed conduct rules and fitness assessments, as well as ensuring an appropriate communications/training programme is rolled out across an organisation. The Regime requires the supporting infrastructure to include documentation retention capability for all captured individuals, e.g. qualifications, CVs, annual assessments, job descriptions and statements of responsibilities.
Policies and procedures that capture the requirements of the Regime need to be re-written and communicated across the organisation.
Nobody is out of bounds
SM&CR has an impact across the three lines of defence model in that it captures individuals from all of these lines. If an event takes place, a number of individuals may end up being associated, even tangentially. Therefore, an effective three lines of defence model would have embedded controls and safeguards to provide the SM&CR population with an infrastructure on which they can place reliance.
Some firms do have a chief controls officer (CCO) and delegated risks and controls teams within the various lines of defence to support their senior managers. Although this does provide an additional layer of control, these firms need to be clear about the roles and responsibilities of not only the CCO but also internal audit, operational risk and, where applicable, Sarbanes-Oxley frameworks. Duplicative testing is not necessarily a robust safeguard, and value-added testing by each function should be the aim. Ultimately, this should enable the senior managers to gain comfort that effective controls are in place within their function.
Our experience gained through the implementation of Phase 1 places Grant Thornton in a strong position to provide help and guidance in Phase 2, as firms attempt to address the various complexities of the Regime.