Senior Managers and Certification Regime - WHITEPAPER - Solidatus
Solidatus WHITEPAPER

Solidatus for Senior Managers and Certification Regime: Empowering ownership, accountability and governance

OUTLINE

It is reasonable to assume that senior management should take responsibility for decisions taken in their areas of accountability. However, there have been several high-profile corporate failures where executives have avoided blame by claiming ignorance of their responsibilities through a lack of understanding of the application of regulations to roles they have undertaken.

As has been seen with the rapid creation of Data Privacy regulations across the world, there is now a plethora of new senior management accountability regulations springing up globally to promote proper conduct and individual responsibility. The best-known examples are Regulation Best Interest (Reg BI), released by the U.S. Securities and Exchange Commission (SEC), the Australian Banking Executive Accountability Regime (BEAR), the Hong Kong Manager-in-Charge (MIC) and the Monetary Authority of Singapore’s (MAS) proposed guidelines on Individual Accountability and Conduct.

As a response to the banking crisis and the many scandals linked to the setting of LIBOR (London Inter-bank Offered Rate), the UK’s Financial Conduct Authority (FCA) was one of the first organisations to promote personal responsibility by Senior Management.

Based upon the information published by the FCA, The Chartered Insurance Institute and The Bank of England, the purpose of this paper is to review the content of the recently published Senior Managers and Certification Regime (SMCR) and examine how organisations like the FCA have proposed it should be implemented. In addition, it aims to demonstrate how some boardroom executives have adopted innovation and introduced new tooling to empower greater ownership, promote better understanding and ultimately drive efficiencies, as well as cost savings.
SENIOR MANAGERS AND CERTIFICATION REGIME

The 2008 banking crisis highlighted significant conduct failings across the banking sector. In response to this, the UK Parliament set up the Parliamentary Commission for Banking Standards (PCBS) to assess how standards might be improved. Following on from this assessment, the PCBS published their recommendations of a new accountability framework focused on senior management and better standards of conduct at all levels in financial services firms, the aim being that Management takes more responsibility for employees being fit and proper.

Based on these recommendations, Parliament passed legislation leading to the Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA) applying the SMCR to the Banking Sector in 2016; this replaces the Approved Persons Regime (as set out in the Financial Services and Markets Act 2000).

In brief, the SMCR created two sets of roles:

1. ‘Senior managers’ – this new function requires annual approval from the FCA and for firms to ensure senior managers are fit to do their jobs.
2. ‘Significant harm functions’ – these do not require FCA approval but obligate firms to confirm that people performing these roles are suitable for them at least annually.

The principal tenet of the regulation is to reduce harm to consumers and strengthen market integrity by encouraging a culture where staff at all levels take personal responsibility for their actions, as well as making sure firms and all their staff clearly understand and can demonstrate where their responsibilities lie.

DATA ACCOUNTABILITY IN FINANCIAL SERVICES ORGANISATIONS

© 2020 – Threadneedle Software Limited solidatus.com Solidatus is a registered trademark of Threadneedle Software Limited info@solidatus.com
The FCA further extended SMCR in December 2019, as personal accountability of senior staff came under increased scrutiny from the regulator and the remit was extended to incorporate Wealth and Asset Managers. The SMCR for Benchmark Administrators (that perform no other regulated activities) will apply from 7 December 2020.

The FCA has openly stated that the implementation of the rules should not be treated as a tick box exercise and that they expect firms to consider how they apply these requirements and meet the following aims:

• encourage staff to take personal responsibility for their actions,
• improve conduct at all levels,
• make sure firms and staff clearly understand and can show who does what.

As part of SMCR, the most senior managers in a firm continue to require regulatory approval to undertake their roles, known as Senior Management Functions (SMFs). All SMFs must comply with the ‘fit and proper’ test for approved senior managers, as set out in section 61 of the Financial Services and Markets Act 2000 (FSMA), on an ongoing basis, annually.

SMCR requires firms to record their key governance arrangements in a Management Responsibilities Map (MRM) and for SMFs to complete individual Statements of Responsibilities (SoRs). These documents must allocate ‘prescribed responsibilities’ (PR) across senior management, setting out their duties. They must be maintained by the organisation’s Governance and Regulatory function.

Additionally, ‘Certification’ covers specific functions that are not SMFs, but can have a significant impact on customers, the firm and market integrity. This means the firm must check and confirm that the person is also fit and proper to do the job, and issue them with a certificate at least once a year.

SMFs have a statutory ‘duty of responsibility’ under the new regime to ensure that they take reasonable steps to prevent regulatory breaches in the area of the firm for which they are responsible.
Failure to demonstrate that reasonable steps have been taken may result in the individual SMF being subject to enforcement actions by the regulator, which could include public censure, an unlimited financial penalty and up to seven years’ imprisonment. This, in turn, could also result in a company being fined, damage to the organisation’s reputation, and depleted shareholder value.

THE SCALE OF THE PROBLEM

It is estimated that over 47,000 organisations will now fall under SMCR and have limited time until December 2020 to be compliant. Many new wealth and asset managers will find themselves coming under the SMCR regulations for the first time and many others will now need to transition from ‘Limited’ to ‘Core’ or from ‘Core’ to ‘Enhanced’ status.

For the majority of firms, large amounts of important business data are created, maintained and presented in tools that are not fit for purpose. A lack of suitable tooling increases the use of Excel, Access databases, Visio diagrams and PowerPoint decks. All of these add to data duplication and proliferation, limit collaboration, and lack control and auditability. This complexity inadvertently masks data gaps and errors. As a result, there is a high level of mistrust in the accuracy and reliability of the content, which is also perceived as out of date.

Typically, we see organisations with multiple siloed inventories that are independently maintained, with no inter-connectivity or standardisation for audit and control. The restricted understanding of the business dependencies and inability to identify the golden sources of data prevent proactive and efficient maintenance of data. This, in turn, limits how senior managers can discharge their responsibility to oversee delegated service and application owners.
Enhanced organisations have now been given a greater responsibility to their senior managers to create an Individual Accountability Framework (IAF) for each SMF and, for the first time, to create a Management Responsibilities Map (MRM).

The maps we have seen so far are mainly static diagrams and are generally not linked to the underlying data. The data for which they are created exists in static spreadsheets updated only once or twice a year. These offer a snapshot of the organisation at the time they are published. Whilst complying with regulation and governance process at that point in time, the static spreadsheets provide limited operational value to companies and regulation, which are dynamic and ever-changing.
THE CHALLENGE

In our experience, the most common approach for an organisation is to maintain their roles, responsibilities, processes and policies in a combination of Databases, Excel, PowerPoint and PDFs. The following list of issues reflects many of the challenges and inefficiencies that are reported by our clients.

• Poor processes: Organisations rely on a convoluted and inefficient process to provide evidence of having discharged critical regulatory duties.
• Inadequate tooling: A lack of suitable tooling increases the use of spreadsheets and unstructured documents.
• Human error: Typically, hundreds of documents are manually created and managed, which leads to an increased risk of human error.
• Insufficient standards: Documents and processes differ widely between senior management functions, making consolidated reporting onerous.
• Reporting overhead: Current reporting processes take a great deal of management time to complete, maintain and approve monthly.
• Lack of transparency: It is very difficult to spot errors or gaps due to the disparate nature of the documentation.
• Duplication: Data is often duplicated in different copies and versions, which quickly become ‘out of sync’.
• Controls: Control improvements are limited due to lack of resources and limited time.
• Inaccurate representation: Breaches can occur often due to change within the organisation or the implementation of new regulations.

Organisations have recognised that these issues increase the risk of human error, are inefficient and mask gaps in data completeness and accuracy. Many of our clients have expressed a strong desire to use the new SMCR Enhanced regulations as a catalyst for change and a new approach to tooling.

THE OPPORTUNITY

If an organisation could effectively manage and understand how application and ‘non-application data’ is being used in the enterprise, there is the opportunity to build even greater benefits for the business – beyond SMCR.
Chief Operating Officer – will have access to a complete picture of how data is sourced, staged, manipulated and used in key business reports.

Chief Risk Officer – can show a complete trace from business product, through the three lines of defence to show adequacy and effectiveness of control.

Chief Data Officer – can have a strategic tool which will replace the reliance on offline spreadsheets to store information assets used to run the business.

Head of Business Resilience – can map all critical assets including properties, data centres, technology and suppliers for important services and perform interactive scenario analysis to determine end-to-end services based on one or multiple assets being impacted by a disruption event.

Head of Regulatory Reporting – controlled segments of the data model can be shared with Regulators to evidence control and oversight.
SOLIDATUS FOR SMCR

The introduction of Solidatus, with only small process changes, can immediately improve regulatory reporting, quality, and control. The solution is to digitise the data held in the spreadsheets, PowerPoints, PDF, Visio diagrams and other forms of reporting documentation, and consolidate them into Solidatus models, thereby identifying gaps and eliminating duplication and redundancy. These are easily maintained and shared, while providing full version control and audit capabilities.

Other more complicated applications can continue to be the ‘golden’ source of information and be linked automatically to Solidatus. Connecting siloed data sources and applications in real-time ensures the participation of the relevant stakeholders.

Solidatus delivers not only a platform where inputs can be uploaded and maintained but also a map of meaningful relationships enabling dynamic visual alerts, search capabilities and visibility. It can remove the reliance on outdated MS Office Suite applications for all business-important, non-application data.

KEY BENEFITS: ORGANISATIONS

▶ Remove the reliance on unsuitable MS Suite applications (for all business-important data).
▶ Accelerate discovery by sharing parts of the models with identified system experts.
▶ Capture the acceptance and understanding of responsibilities of the Senior Management Functions.
▶ Define access and manage role-based permissions through Single Sign-On.
▶ Provide the capability to digitise complex policies, mapping to multiple organisational processes.
▶ Rapidly build, maintain and clearly articulate the impact of systems, processes and policy to all staff and promote personal responsibility for their actions.

KEY BENEFITS: SENIOR MANAGEMENT

▶ Quickly assess compliance against requirements and standards.
▶ Ensure delegation is controlled effectively.
▶ Share quarantined read-only views to engage regulators.
▶ Demonstrate oversight and control over how data is managed and reported.
▶ Maintain standards and save time.

KEY BENEFITS: BUSINESS MANAGEMENT

▶ Efficiently maintain a full audit of changes.
▶ Assign tasks for input, review and approval.
▶ Accept or reject proposed changes.
▶ Easily access ‘point in time’ models using in-built versioning.
▶ Quickly identify gaps or errors.
▶ Create custom views for targeted audiences.
▶ Create core or custom visual rules to identify ‘scenarios’.
▶ Easily maintain links to evidence documents.
▶ Easily model future changes and use the ‘delta’ to implement it.
ENABLING 'DIGITAL AGILITY'

Solidatus enables the effective management of data, people and processes, highlighting gaps, providing transparency and a more intuitive route to implement change. Solidatus delivers this in a clear way, for the first time offering a DevOps approach to business change and providing lasting value.

Solidatus facilitates conceptual modelling, data lineage and business process engineering. The Solidatus model is a visual representation of any form of connected entities, be that low-level attribute data lineage, high-level systems data lineage, process or any other business connectivity. Whether documenting data flows or disaggregating complex workflows, Solidatus allows users to engineer clear and elegant models.

The result is to deliver regulatory compliance and business value at the same time – using the obligatory investment to create an advantage, building a sustainable approach where each new challenge or opportunity is easier and less costly to achieve.

SOLIDATUS IN ACTION

The FCA, while not formally subject to SMCR, believe that firms and regulators alike should uphold the highest professional values and have applied and published the fundamental principles of the SMCR to their senior staff for the scrutiny of the public and their key stakeholders (Parliament and the Treasury Select Committee).

This image is taken from the document which is publicly available from the FCA: https://www.fca.org.uk/publication/corporate/applying-smr-to-fca.pdf
SOLIDATUS MODEL

Entirely independently of, and unconnected to, the FCA, we used this document to create a Solidatus Model to show the following:

1. Senior Management Functions (eg, role, name and purpose).
2. Board and Board Committees (eg, ExCo, Regs Policy, PRA, Payments Systems and Financial Policy).
3. Responsibilities (eg, responsibility for FCA’s performance of SMCR obligations).
4. Statements of Responsibilities (eg, prescribed responsibilities).

Every aspect of the 104-page PDF document, including the images and links, could be easily incorporated into and maintained in the model. Furthermore, it can be connected to other internal systems, processes and policies to trace the impact across all departments or highlight data privacy or other obligations.

• Personal data access, policy and control (eg, GDPR, CCPA).
• Regulatory reporting including MiFID II, BCBS 239, CCAR.
• Data Standards and Capabilities (eg, EDMC DCAM, ISO 20022).
• Transformation projects (eg, Summit, Calypso, Murex).
• Cloud migration and access (eg, GCP, AWS, Azure).
KEY BENEFITS: BUSINESS MANAGEMENT

▶ Provides the capability to digitise complex policies and to map multiple other organisation processes, as well as external regulations.
▶ Immediate outcome reports and traceability.
▶ Ability to map the impact of new regulations into the organisation processes.
▶ Existing content is not being 'overwritten' and auditability and transparency are maintained.
▶ The interface is very user friendly, flexible and can be easily searched.
▶ It requires very limited resources to maintain the solution.
▶ It has a capability to integrate with other applications within organisations and provide reporting.
▶ All metadata can be 'codified' and managed through our query language.
▶ Data Quality, glossary terms and external 'system' metadata can be automatically published, linked and overlaid on the models to create dynamic business dashboards.

ABOUT SOLIDATUS

Award-winning Solidatus, the leader in metadata management, enables the world’s largest data-rich and regulated organisations to effectively manage their data, people and processes, reducing complexity and risk through transparency, automation and collaboration.

We provide organisations with a solution that allows them to fundamentally redesign their organisational data culture and capabilities by enabling the creation of a holistic organisation-wide digital map that details all the relationships that interact and impact their data, accelerating modernisation and transformation.

The Solidatus methodology for digitally transforming organisations to be data-centric and lineage-enabled is changing the way organisations manage their data. It is quickly being adopted by organisations across the globe, including top-tier global financial, pharmaceutical, utility and infrastructure firms, and has been implemented by leading consulting and technology firms.

To learn more visit www.solidatus.com or contact info@solidatus.com.