Literature and philosophy is laden with theories and principles that rely on seven pillars. In this blog, I won’t attempt to reconsider the seven pillars of wisdom, life or anything that highbrow, (believe me, it wouldn’t be that insightful a piece!). Instead I will focus on something far more down to earth, but no less important for those given the responsibility of preparing an organisation for the implementation and management of SM&CR and its associated records.
There is a raft of really useful information available out there on the key aspects of managing the regime, such as tips for writing statements of responsibility, click here for a great example; but in this piece I am drawing on my experience of working with multiple client and on many SM&CR implementations and what I have learned about the underlying factors, or pillars, that are required for organisations to be confident they have SM&CR under control for the long term;
SM&CR records, everything from the Management Responsibilities Map (MRM) to regulatory references for external recruits, must be visible. Sounds simple, but often firms store different elements of SM&CR records on different systems, e.g. MRM on a governance system, references within HR, notes on Reasonable Steps or Delegated Actions on email or OneNote etc. As a result, having visibility of what’s really going on, particularly in larger organisations, can be a real challenge.
It’s not unusual for firms to store some records, e.g. performance appraisal, on paper or within word documents. Beyond the issues of this crucial evidence not being visible, having some SM&CR records stored in these formats creates delays and, at worst, risks losing data.
You might also be interested to read this previous blog where I discuss the challenges of managing SM&CR records.
3. Drives Action
Whilst most SM&CR records are only changed on an ad hoc basis, e.g. committee structures, that’s not the case within the Certification element of the regime. The whole purpose of Certification is an annual attestation as to the ongoing suitability of people to continue within role, and this requires activity, oversight, MI and record keeping. Good record keeping requires action, ideally automatically through workflows driven by a system. Without workflow things will slip or, worse still, not get done at all.
4. Completion Standards
SM&CR records also need to be completed to the required standard, and you can’t force completion standards automatically through non-automated processes. However, with system solutions it is quite simple to ensure validation is in built within the system. Validation will ensure, for example, that questions don’t get missed on Fit & Proper returns or Conduct Rules attestations. Without validation, SM&CR records are at risk, e.g. ‘Yes’ answers on Fit & Proper returns requiring an explanation of the situation and what steps have been taken to remedy the situation.
Following on from completion standards, many actions in SM&CR require not only action from the individual, they also require authorisations from the immediate line manager. Additionally, with many actions secondary authorisations are required by the senior line manager or central teams. Using Fit & Proper returns as the example again, in our experience most firms require secondary sign-offs. This could be from Compliance or Risk, in addition to the individual and line manager authorisations before being deemed as completed. Finally, there needs to be a process for managing exceptions which will work easier for you when built into an automated workflow.
6. Management Information
Central to any record keeping is the need for good MI and, good MI needs to provide both summary dashboards and ‘drill down’ to individual action level, e.g. evidence of external references, in real time. As outlined earlier, if records are kept in different systems, this becomes a major challenge.
The final pillar for SM&CR record management will be history. The regulation requires firms to be able to evidence the full picture on any given date from the date of the rules were implemented. ‘Point in time’ reporting has already caused significant challenges for some banks as existing in-house systems have failed to keep up with all the changes, e.g. senior managers handing over responsibilities as their role changed, new senior managers being assigned and accepting responsibilities, records of delegated actions, conduct rules attestations etc.
The ‘mood music’ from the regulator is about SM&CR as a driver for cultural change in financial services. However, without a strong record keeping foundation firms will not only have no gauge of how cultural change is progressing, they will be unable to demonstrate control of the underlying activities that culture change depends. Hence the seven pillars!
Download the Free Worksmart Information Sheet:
5 Great Strategies for Successfully Implementing SM&CR in your Organisation