Below Francis Kean, Executive Director, and Alasdair Wood, Director, at Finex, Willis Towers Watson, discuss what the latest SMCR changes mean for businesses, and how there needs to be a universal improvement in business culture.
The Senior Managers and Certification regime (SMCR) came into effect for the UK’s banking industry on 7th March 2016 and will be extended during 2018 to some 47,000 companies in the financial services sector. It was designed to hold senior managers accountable for conduct failings in their designated areas of responsibility and was the FCA’s response to the 2013 Parliamentary Commission on Banking Standards report, ‘Changing Banking for Good’.
In a recent speech Jonathan Davidson, Financial Conduct Authority (FCA) director of supervision for retail and authorisations addressed culture and conduct in financial services by reference to this new regime. The themes of culture and conduct and personal accountability resonate well beyond financial services. The nature of their interrelationship and in particular the question as to whether regulatory focus on one necessarily leads to better outcomes on the other should be of general interest.
One of the challenges behind using personal accountability as a means of delivering better corporate culture is its capacity to engender fear among board members. The courts have long recognised this and judges have always taken care not to make their own, retrospective judgements on the business decisions taken by directors. What matters is that directors act in good faith, within their authority, and that they exercise due skill and care. By contrast, under the SMCR, the FCA may seek to hold managers “personally accountable”, in the event of a bad outcome. In other words, the new weapons available to regulators, such as the duty of responsibility on individual managers to discharge their personal management functions and the duty to inform regulators appropriately of everything of which they would reasonably expect notice are likely to take regulatory enforcement actions into territory left deliberately uncharted by the courts.
There is a danger that the collective wisdom and experience of a group of people chosen, one hopes, for their diversity and independence, will be sacrificed or at least bent to the will of the individual board member who risks personal liability if the decision under consideration turns out badly. Is it not also likely that board decisions will be more conservative and risk-averse, or that good executives and non-executives alike will be more cautious about taking up a board position?
Leaders in denial
To overcome this, boards need a way to start to actively manage conduct and culture. While organisations invest heavily in policies and procedures, very few understand what is driving conduct and broader risk culture. It is only by understanding the attitudes, beliefs and motivations of employees that companies can understand what drives behaviour, and how organisational policy may affect their attitudes to risk.
We believe there are four actionable pillars to help boards create the right risk culture and most importantly, ensure that employees’ actions support it.
Tone from the top.
This has been a focus for regulators and the behaviours leaders exhibit determine the way employees perceive their own responsibilities for managing risk.
Psychometric leadership risk assessments acknowledge a leader’s strengths, but also the impact they have when overplayed. Considering leadership group risk profiles can help get leadership mix right. Diversity is about more than having a broad mix of backgrounds – it also includes diversity of thought, personality, ways of working, and experience. Reviewing leadership through this lens helps prevent ‘group think’ and reluctance to challenge, ensuring that risks are more quickly identified.
Understanding employee opinion.
To drive change you need to understand how organisational policies are understood by employees, and what might drive them to employ risky behaviours regardless of well-intentioned HR processes and risk management frameworks.
An anonymous employee survey can help surface the hidden aspects of culture that dictate behaviour. The survey also helps answers a key question: do your people policies reinforce your risk strategy, or contradict it?
Despite a focus on incentives among regulators, organisations continue to reward employees based primarily on outputs and less on how they achieve them. When looking at incentives alongside business strategy and the risk framework, organisations must ask themselves: what are the unintended consequences of our incentive programmes? Are incentives:
Aligned with strategy and risk management frameworks?
Promoting a focus on short term success rather than sustainable growth?
Governance and controls
Many organisations have prioritised investment in control systems – but do employees follow them? Too often we see Risk, businesses and HR working in isolation. Instead they should work to understand how employee experience impacts how they interact with controls.
- How clear are individual responsibilities?
- Is workload causing employees to take the path of least resistance?
- Do the compliance and risk functions have the right capabilities?
What can be done?
We suggest four pillars which underpin effective risk culture. By focusing on one or more, we believe company boards can start to get a handle on culture and start to improve it over time without become too internally focused and risk averse. In the context of the SMCR – but also more broadly in all sectors, risk culture is something that can no longer be left on the list of things that are too big to manage.