CEO Monthly / Issue 7 2019
By Henry Umney, CEO, ClusterSeven

Senior Manager & Certification Regime – The ‘Catch All’ Regulation

Regulators continue to work smarter, focusing on outcomes rather than taking a prescriptive approach to the compliance they demand of organisations. While the financial crisis has had a lasting impact, and regulators are wary of a repeat scenario, they are also mindful of the changing global economic environment and the larger-than-ever role that technology plays today in financial services. Recognition of its significance is driving the need for better operational robustness, as regulators – sensibly – assume that unforeseen disruptions will happen in the future.

In the UK, the response to this centres on the current Operational Resilience (OpRes) initiative of the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). OpRes demands that Boards become responsible for the resilience of their business, which, in turn, should ensure that the financial system is resilient as a whole. While OpRes is still technically at the discussion stage, regulators are already showing their intent. Recently, the FCA and the PRA jointly fined the retail bank Raphael Bank £1.89 million for failings in its outsourcing model, which they believe directly impact the operational resilience of the organisation.

OpRes, like any new regulatory development, adds more leverage to the Senior Manager & Certification Regime (SMCR). SMCR helps to enforce individual accountability for the C-suite and senior executives, and to drive a cultural shift in financial institutions towards a more proactive and positive attitude to governance. From December 2019, the FCA is extending the SMCR to 47,000 solo-regulated financial institutions. The scope of the SMCR is also expanding to include non-financial conduct.
Ultimately, the goal is to extend the regulation to all the regulated organisations that fall under the FCA’s jurisdiction. This includes approximately 59,000 financial services firms in the UK and 152,000 approved persons. In addition, the FCA is also the prudential supervisor for approximately 48,000 of these firms.

SMCR is the ‘catch all’ UK regulation

The C-suite must take note of the wide scope of this regime, because something that may not be fully appreciated by all concerned is that most, if not all, regulations ultimately lead back to the SMCR. A breach of one set of regulations could imply a breach of the SMCR, potentially putting the CEO’s and senior executives’ necks on the line.

The challenge for many institutions, their CEOs and senior executives is that there is a wide variety of new and ever-evolving regulations and accounting standards, such as SS3/18, IFRS 9, MiFID II and OpRes, all of which fall within the remit of the SMCR. The compliance difficulty is exacerbated because the tone and scope of these regulations are constantly changing, as regulators look at the systems and processes underpinning the business, alongside any regulatory or accounting reports.

Take the example of the OpRes programme. The regulators define OpRes as “the ability of firms, Financial Market Infrastructures (FMIs) and the sector as a whole to prevent, respond to, recover and learn from operational disruptions”. Financial institutions need to have procedures in place to manage the procedures and technology that underpin their critical business processes. While organisations typically have these in place, they now also need to be able to provide reporting and full auditability to auditors and regulators. Furthermore, they need to be able to identify and resolve any gaps that may put them in breach of OpRes (and so of the SMCR).
Shadow IT impacts SMCR compliance

The focus of regulatory bodies under OpRes is squarely on the business services and impact tolerances of financial institutions. Technology is recognised as playing a critical role in enabling operations and reducing risk. At the same time, there is also awareness of the widespread deployment of inflexible and, in some instances, ageing IT systems, alongside the complexity of accommodating changes to systems and processes. This reliance on technology can threaten the resilience of financial institutions and, indeed, SMCR compliance for the C-suite.

Shadow IT, which is in widespread use, is frequently not given much consideration by the C-suite. Shadow IT covers the technology infrastructure implemented and managed by business users (e.g. spreadsheet-based processes, databases, development environments, management information systems and much else besides) that falls outside the enterprise IT estate. While it offers power and flexibility for end-users, it adds another layer of complexity to SMCR and other regulatory compliance initiatives. Owing to easy access to IT infrastructure (often through cloud computing), business users are able to independently design and develop their own processes and applications, without the aid, knowledge or control of the corporate IT team. A common example of Shadow IT adoption is modelling, as it facilitates rapid product development, dynamic portfolio management or business management and rapid decision