Supporting SMCR with Technology- Ten Observations
Many financial services organizations are struggling to interpret and implement the Senior Managers and Certification Regime (SMCR). Technology can play a critical role in both administering the regime and monitoring compliance. As a leading software solution vendor, Corporater offers the following observations on how technology is being selected and utilized for the SMCR:
1. Understand how vendors interpret the rules in their software – and the implications
From our conversations with Companies, some software and internally developed solutions have already interpreted the rules in a way that will create considerable administrative difficulties over time. For example, mapping responsibilities to each Senior Manager rather than default mapping of responsibilities to functions. This interpretation issue has unfortunately then been ‘hard-wired’ into some company’s SMCR solutions.
In fact, from many conversations, we observe that few Companies recognize the subtleties of this interpretation or even ask about how the responsibilities interpretation/mapping is set up, let alone what the administrative consequences will be.
Many companies are considering using a patchwork of existing solutions, spreadsheets, custom code, and manual effort. This is not a sustainable solution. In the future, it is highly likely that regulators will also consider current technology best practices in their compliance assessments. Clumsy workarounds or internally developed systems that do not meet best practices in technology will need to be scrapped and replaced – with any associated investments lost. Some companies are even taking the rather naïve ‘we’ll wait until it breaks’ approach, which most senior managers and regulators would be very nervous to hear.
This regime is not just about mapping responsibilities, it is about the active management of responsibilities to clearly display reasonable steps. This can occur by tracking associated initiatives, programs, actions, alerts, commentary, risks, and mitigations over time. We observe that many of the solutions companies are considering completely fail to provide this must-have capability.
For the senior manager requirements, we expect that 80% of the solution to be out of the box with only 20% needing tailoring or configuring to the company’s unique needs. However, for certification, that ratio completely switches. Companies must develop or choose solutions for certification requirements that can be adapted to their existing requirements, and that can be rapidly configured as things change, such as changes to the organizational structure or future regime adjustments.
A purpose-built SMCR system will need to have the ability to be rapidly adapted and changed over time. We observe that companies are not factoring in this future change requirement enough. Visionary companies may even choose to select solutions that can extend beyond SMCR into other regulatory requirements.
Most discussions about SMCR technology are driven by human resources or compliance departments, with very little input from the IT function. Without knowledge of wider system capabilities, preferred IT architecture and future IT strategy, poor selection decisions may be made. Our observation is that IT needs to be a more active part of the SMCR system discussion up front.
Many software vendors expect the organization to adapt and adjust their organizational structures, controls, and processes to fit around the software’s structure. Most software vendors have a pre-defined data model that restricts and fixes how the software can be deployed and used. This is not a pragmatic and workable solution. The software must be able to fit the organizational hierarchy and data model, not the other way around.
Dynamic, live organograms, with clear demarcation of roles and responsibilities, are one of the most powerful, yet least requested areas of SMCR functionality. Any solution that cannot produce a comprehensive SMCR organogram that clearly visualizes the regime, should not be considered, as this visual format will be a critical part of communicating the status of the regime and educating leadership on the regime’s application and impact. In our view, very few companies have considered this must-have functionality.
There is a consistent theme that the SMCR solution should act as a glue between multiple systems across HR, compliance, legal and other departments, to pull in data and bring systems together. Most package software vendors in this space cannot link systems together or automatically aggregate from various sources of information.
Many software vendors have started in one aspect of the regime (such as a technology solution for human resources) and make great claims they can extend their solutions to cover the rest of the requirements. From our experience, we know that solutions need to be built from the beginning with SMCR requirements in mind. Extending a solution, built for another purpose will create numerous problems and issues. For example, learning management systems or systems built for continuous professional development (CPD) is not fundamentally designed for responsibility and business performance tracking and management. Extending and retrofitting into SMCR requirements will not work.
Many SMCR system procurement processes are disjointed and lack preparation. Few of the stakeholders really understand the SMCR requirements and the significance of needing a comprehensive solution are not understood. With few of the stakeholders involved in the selection process accountable in the regime, there is a noticeable disconnect with the realities of what regulators require, and what an SMCR software solution will really need to provide.
Without heeding such observations, we predict many companies will select the wrong SMCR solutions and will need to re-select in the future, as they gain knowledge of what is really needed to reduce administrative burden, show reasonable steps and to actively comply with this regime.