Strong governance and a robust risk culture are critical for meeting evolving regulatory expectations. In the UK, the introduction of the Senior Managers and Certification Regime (SM&CR) created a formal framework for accountability. As the Financial Conduct Authority (FCA) continues to focus on this area, it has the clear goal of encouraging firms to embed accountability and cultural change at every level.
What is Risk Culture and Why Does it Matter?
Risk culture can be defined as the collective values, behaviours and decision-making norms within an organisation that influence how risk is identified, managed and escalated. It is the practical expression of the firm’s attitude towards risk-taking. A weak or inconsistent risk culture can undermine even the most sophisticated policy frameworks and cause controls to fail under pressure. Cultural failings within a firm can often be the root cause of misconduct and poor customer service outcomes. For these reasons, regulators consider the culture of a firm to be a crucial leading indicator of its operational and financial resilience, as well as of potential breaches of the firm’s Consumer Duty.
SM&CR as a Catalyst for Change
The SM&CR was introduced by the FCA in partnership with the Prudential Regulation Authority (PRA) and HM Treasury, with the goal of increasing accountability within financial services. It requires the clear allocation of specific responsibilities to senior individuals, who must be pre-approved by the regulator and are subject to ongoing fitness and propriety assessments. This creates direct, documented ownership of key risks at the most senior level. There are enhanced requirements for detailed documentation, such as Statements of Responsibilities and Management Responsibilities Maps, providing a clear audit trail of accountability. The Certification Regime and the Conduct Rules outline standards of behaviour for the entire organisation, ensuring that firms embed a culture of personal responsibility for all staff and not only senior leadership. The FCA expects that cultural change within organisations will be demonstrably led from the top down.
How Does SM&CR Implementation Affect Governance?
The SM&CR has a direct impact on the day-to-day governance processes for firms. Key activities, such as the detailed mapping of responsibilities and the requirement for Senior Managers to document the “reasonable steps” they have taken to fulfil their duties, help to demonstrate active oversight. To be effective, firms must build clear feedback loops by explicitly linking risk reporting, internal audit findings, compliance assurance results and board oversight to the Senior Managers responsible under SM&CR roles. Regular training on conduct rules and policy awareness, reinforcing the governance framework, should be undertaken by all staff.
Key Strategies for Firms to Strengthen Risk Culture
In addition to the formal requirements of the SM&CR, there are several key strategies that firms can adopt to strengthen their risk culture proactively:
- Embed risk reporting: Integrate risk reporting directly into operational and strategic decision-making frameworks
- Communicate and incentivise: Clearly communicate the firm’s values and risk profile from the top down, ensuring that remuneration and incentive structures reward positive risk behaviours
- Encourage open discussion: Create a psychologically safe environment where staff of all levels feel empowered to challenge decisions and escalate potential risks without fear of punishment
- Monitor and measure: Actively monitor and measure risk culture through tools such as staff engagement surveys and analysis of conduct breaches
- Link culture to governance: Connect the outputs of cultural monitoring to the governance framework, identifying weaknesses to be addressed with clear action plans owned by a specific Senior Manager
Embedding a healthy culture of risk and strong governance is not a one-off task but a fundamental and structural commitment. The principles underpinning the SM&CR of personal accountability, clear governance mapping and conduct-based supervision offer valuable insights for firms seeking to build lasting resilience. By embracing these principles, firms can meet regulatory expectations, strengthen relationships with regulators and improve their long-term stability.






