Keep up to date with the trending topics
from our industry experts

5 key technology considerations for managers to meet SM&CR standards

Written by Bryn Morgan

Friday, 8 March, 2024

Webinar: This is your Microsoft Copilot speaking, we’re ready for financial services take off

On demand

Learn how this powerful AI tool can help you create, analyse and communicate better with your data.

Microsoft Copilot Webinar

The Senior Managers and Certification Regime (SM&CR) is in place to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence within financial service organisations.

Depending on the size of your business, responsibility for certain key areas of risk can be outsourced however in all these instances, accountability still stays with your firm and in line with SM&CR, with senior members of staff personally.

When looking at information technology and cyber security, Senior Management Responsibilities sit in the following 2 areas:

  1. Overall accountability – As ultimate accountability remains with the senior management of the business, be clear when selecting a partner that they can manage your regulatory responsibilities, as well as manage appropriate levels of risk for the outsourced service. Ensure you have a clear view of what you are asking to be managed and be clear that the provider has a mature process to discuss levels of risk with you and your company continually throughout their contract, as technology systems or services change.
  2. Prescribed responsibilities – As senior managers you may be assigned responsibilities relating to your IT and cyber security related to your outsourcing arrangements. It is therefore important to take these seriously and ensure they are managed to the correct level and at the right cadence of repetitive requirements.

Here we highlight the 5 key considerations for management:

1. Risk management

Risk assessment – Firms must regularly conduct a thorough risk assessment of their IT and cyber providers. These assessments not only need to be done at the outset of taking on a new provider but also during the contracted term.

Documentation – Clear documentation of risk assessments, risk mitigation strategies and the rationale for outsourcing is essential. This documentation will serve as evidence of due diligence in the case of regulatory scrutiny.

2. Contractual considerations

Clear contracts – Ensure any contract you are entering into clearly specifies roles and responsibilities without ambiguity. Ensure the contract allows you to comply with relevant regulations, security standards and requirements such as data protection which should be clearly outlined.
Right of access – Both your clients, investors and ultimately the regulator will need to have audit rights over your provider. Be clear from the outset about what could be required and where your provider can assist you with these requirements for your business.

3. Business continuity and contingency planning

Business continuity – You are accountable for ensuring your business has the relevant plans in place in case of a disaster scenario. You are accountable for making sure your IT provider has their parts of your service covered in this respect, so be clear they understand their responsibilities and have the technology disaster recovery plans in place for either a disaster in your business or importantly theirs.

Contingency planning – Develop contingency plans for the potential termination or transition of your IT and security services. You should understand the steps for moving to a new provider or to bring the service in-house. This should also be clear within your contractual exit framework.

4. Training and awareness

Be sure to understand what training individuals need in your organisation, whether it be general or for specific roles holding accountability. By doing this your staff can be clear of the regulatory requirements and stay abreast of best practices.

5. Stay informed on regulatory changes

Regulation changes all the time so it is important to keep abreast of what is changing within the marketplace. Regularly update procedures and ensure a clear communication plan within your business to cascade these changes into your organisation. Encourage others to keep ahead of changes specifically within their specialism.

Financial services firms and partners working together

In summary, SM&CR has huge implications when it comes to Information technology and cyber security. In an ever-changing technology and regulatory landscape, it is essential for both financial service companies and those who work within them that both responsibilities and accountability are understood in detail. It is important to form and manage clear processes to navigate the complexity of outsourcing.

Would you like to understand more about the considerations required for SM&CR when looking at IT?

Our services

Our 4 pillars for a complete choice of managed IT services - all tailored to the needs of financial services firms in London and the UK.

Finance Forward 365 - Microsoft 365 cloud services supported by experts

Finance Forward 365

Microsoft modern workplace & cloud technology for digital transformation.

Compliant Teams -  Microsoft Teams phone system with call recording and archiving

Compliant Teams

Increased productivity & collaboration with call recording whilst reducing costs.
Cyber security solutions for financial services

Cyber Security

Keep your data secured against rapidly changing threats within Financial Services.

Responsive IT managed services for financial services

Power BI

Business Intelligence transformation and support tailored for Financial Services.


Join the community for financial services businesses

  • Stay updated with industry trends and peers
  • Get invites to webinars and exclusive events
  • Gain access to useful tools and templates