Why are Reasonable Steps important?
The introduction of reasonable steps under the Senior Managers & Certification Regime (SMCR) was driven by the regulators’ desire to focus accountability on a narrow set of senior individuals.
The regulator believes that holding executives to account for their actions leads to better outcomes for customers and the overall performance of the financial system. The Code of Conduct Rules is the mechanism through which the regulators plan to take enforcement action against those accountable individuals.
Obviously, the regulators view ‘reasonable steps’ to be a very broad topic which incorporates most of the actions taken by a Senior Manager in managing their area of the firm as well as collectively as part of the Senior Management Function.
We think that firms can greatly improve the help and direction provided to Senior Managers by outlining a clear set of questions around the standards to help them understand this concept and follow it in a consistent manner.
Providing this guidance mitigates the risks arising from individuals defining their own standards and limits the resulting divergence between the approaches taken and evidence retained by each Senior Manager. Ultimately, a lack of centrally provided direction on what is reasonable will unintentionally expose certain individuals or the firm itself to regulatory scrutiny in the event of a significant issue occurring.
The current COVID-19 pandemic provides an excellent example of why Senior Managers need to be able to evidence that they have taken reasonable steps in a robust and consistent manner.
Under normal circumstances, firms will usually take adequate time and care to ensure that any changes, upgrades, or improvements to processes, governance, or controls are appropriately considered and tested to ensure the best outcome for the firm and its customers. In a major incident (e.g., IT DoS attack, ransomware attack) or other regulatory crisis, the same amount of time may not be available, and rapid decision-making, often based on minimal information, becomes critical. For example, what guidance and equipment did managers provide to their staff with regard to effective home working? How did they ensure or test that the normal risk management controls continued to operate effectively? How were products and services adapted to address the needs of customers? Have they maintained the timeliness and integrity of regulatory reporting? Do all laptops connect to the main system easily?
Once the crisis has passed, it is very likely that the regulators will look back at the decisions made and actions taken to determine whether they were ‘reasonable’. Additional scrutiny may be applied if financial markets, the firm or its customers have been negatively impacted, or if government expectations with regard to emergency loans, small business lending or insurance claim payouts have not been sufficiently met.
We are happy to discuss your needs on 0800 689 0190 – even the call costs you nothing!