Our latest From the Archives blog post looks back at developments around accountability regulation in the financial services sector. This piece, first published in The Risk Universe magazine in April 2015, provides a step-by-step guide to building a comprehensive accountabilities matrix within your firm.
On July 30, 2014, the UK’s Financial Conduct Authority (FCA) and the Bank of England’s Prudential regulatory Authority (PRA) jointly issued a consultative paper, CP1413/CP1414, entitled Strengthening accountability in banking: a new regulatory framework for individuals. The paper was developed as a consequence of concerns that the behaviour, conduct and ethics within banks before, during and since the global financial crisis led to the erosion of trust by the public in banking. One consequence of the paper is a refocus on individual accountability and the need for an accountabilities matrix. Here, we provide guidance on how to establish such a matrix within the firm.
HOLDING INDIVIDUALS TO ACCOUNT
In the introduction to CP1413/CP1414, the two regulators suggest that the statutory and regulatory framework in place at the time of the global financial crisis and at present does not focus on clear and unambiguous individual accountability, believing that holding individuals to count is the most appropriate medium of regulation to counter such behaviour and conduct. The paper thus proposes changes to the existing framework, focussing on a new “Senior Managers Regime” (SMR), a “Certification Regime” and a new set of “Conduct Rules”.
The paper intends to encourage individuals within firms to take responsibility for their actions and to make it easier for the firm itself, as well as the regulators, to hold individuals to account for the consequences of their actions. To achieve this, the paper introduces several “new” concepts, many of which are adaptations of previous regulatory concepts or industry practice. They include the concept of a “Senior Management Function” or SMF (previously known as a Significant Influence Function under the Approved Persons Regime), which includes the functions of the board of directors, board committees, executive committees, roles responsible for important business, control or conduct-focussed functions and any function where the responsible individual(s) makes risk-related decisions or participates in such decisions. The regulators will have the authority to designate any function they deem appropriate as a SMF, with 18 types of SMF identified in the paper, covering some 27 key functions and including 20 prescribed responsibilities.
STATEMENT OF RESPONSIBILITIES
Any person who will hold a SMF will have to be pre-approved by the regulator(s) before they can take office in that function. When applying for such approval, the firm has to provide a “Statement of Responsibilities” reflecting what the individual will be responsible for managing. If any individual fills more than one function deemed SMF, separate applications for each SMF have to be lodged, reflecting the intention that accountability is function-related, not individual. The paper also introduces the concept of a “significant harm function”, a function subordinate to a SMF but which may still, if not appropriately executed, generate significant harm to the firm. Each firm is required to identify all such functions and to implement an internal certification process for individuals in such roles, undertaking at least annually an assessment of the fitness and proprietary of all employees in such functions. The paper also proposes that there be a “presumption of responsibility” with SMF, whereby in the event of some contravention of accountability or responsibility, the Senior Manager will be presumed responsible for the contravention, with potential criminal liability, unless that Senior Manager can prove they took “reasonable steps” to prevent the contravention from occurring.
CP1411/CP1414 also introduces the concept of a “Responsibilities Map”, a firm’s overall framework for how accountability and the responsibilities of individuals are allocated, along with governance and management arrangements over the framework. The paper requires that the firm must prepare, maintain and keep updated its Responsibilities Map, as a single document, showing how responsibilities are allocated and ensuring no gaps in accountability, with an annual attestation by the board of directors to the regulators that there are no gaps in the firm’s Responsibility Map.
It is worth pausing for a moment to reflect upon the difference between “accountability” and “responsibility”. Essentially, accountability is inherent in a role or function which an individual fulfills, for example, as a parent, you are accountable for the actions of your minor children. Accountability is thus assumed when one accepts a specific role, function or position and is accompanied by the authority to act in the most appropriate manner necessary to fulfill that accountability.
Responsibility, on the other hand, is usually assumed by an individual, either voluntarily or upon acceptance when conferred by another, often irrespective of that individual’s function. Returning to the parental example, it is the natural consequence of becoming a parent that makes one accountable for the children, you do not voluntarily accept responsibility, unless in an adoption, foster or step-child situation. Because responsibility is accepted, responsibility can also be rejected or re-allocated to someone else, whereas accountability can only be removed when the individual no longer performs the function from that point in time forward – accountability for actions while in the role remain. Based on these key differences, we advocate that what CP1413/CP1414 really refers to is an “accountabilities map” or, given that such a representation is multidimensional, an “accountabilities matrix”.
Before exploring how a firm can go about creating an accountabilities matrix, it is also useful to consider another associated element of a senior manager’s accountability and responsibility, namely the concept of delegations of authority and limitations on delegated authority. It used to be common practice in most banks and today is still common practice in most corporate organisations, for delegations of authority to be very clearly defined, often included into the job description for a specific function. A typical delegation of authority is clear and states exactly what the function has the authority to do, implying what its accountabilities are, for example, “the senior loans officer has the authority to review and approve loan applications for unsecured loans from customers”. This authority does not include other types of product, nor does it include approving staff loans. Most delegations of authority are accompanied by limits on the delegated authority, usually both with regard to sub-delegation (can or cannot) and to value, duration and specific characteristics, so the above example would more likely read “the senior loans officer has the authority to review and approve loan applications at predefined interest rates for unsecured loans of less than 12 month duration from customers up to a maxim amount of USD 10,000”.
As accountability is inherent in a given role or function, the delegation of authority to that function incorporates both that accountability as well as confers the authority to act in a manner necessary to meet one’s accountability. Note however, that where authority is sub-delegated to another function, ultimate accountability remains with the delegator and can never be transferred.
UNDERSTANDING OWNERSHIP STRUCTURE OF THE FIRM
So how does a firm go about creating an accountabilities matrix, accompanied by appropriate delegations of authority and limitations on delegated authority? Firstly, it is important to understand the ownership structure of the firm, the type of legal entity and the rights and powers of both owners and management, as this affects your starting point. In most structures where the firm is an independent legal entity distinct from its owners, the ultimate management function will be some form of board, either of directors or of some supervisory nature, with which certain legal authorities lie, conferred upon establishment of the legal entity. This forms the highest level of accountability, answerable usually to the state from a legal perspective, for example, under the UK Companies Act, and to the owners, if acting as their appointed management. It is from this function (the board), that accountability and authority is then delegated downwards to the next level of management, then sub-delegated and sub-sub-delegated onwards.
- CREATE AN ACTIVITIES INVENTORY
Starting with the highest level of management within the firm, create a cascading inventory of every core activity undertaken by the firm. Note that this is not the same as an inventory of processes, which would be at a far lower level of detail and which would typically include product, channel, client type and location variations of the same process. Focus on those core activities that require decision-making with the potential to affect the firm’s achievement of its objectives, which may result in non-compliance with internal rules or external regulations, or which could affect the reputation of the firm, in other words, “significantly influencing” activities or “significantly harmful” activities. If the firm already has a process type or business activity taxonomy hierarchy, that hierarchy is useful to classify the activities inventory. In creating the activities inventory, take note of any existing defined delegations of authority, as well as limitations on delegated authority. Review business entity terms of reference or mandates, managerial and supervisory job descriptions and relevant corporate policy for any reference to accountability or authority. Review any available process inventory to see whether there may exist decision-making (or taking) processes, control processes or reporting processes which could provide an indication of accountability or authority. Check for all function to function reporting lines and note what reporting lines arise from which activity.
2. EVOLVE ACTIVITY INTO ACCOUNTABLITIES
Once you have developed a clear and complete activities map, identify what authority is required to perform the activity, which function or role should possess that authority to perform the activity and what accountabilities accompany the performance of the activity. This should generate a three dimensional matrix of activity x function x accountability, with authorities expressed as a sub-structure of the accountability dimension. While doing so, ensure that you do not embed matrix reporting lines into the accountabilities matrix – accountability can only flow from one function to one or more functions. The moment a function or role reports on the same accountabilities to multiple other functions or roles, you have created a loophole for the incumbent of that function to avoid accountability or, as CP1413/CP1414 calls it, providing sufficient reason to avoid the presumption of responsibility. It is perfectly acceptable for there to be different starting points for the cascade of accountability across the organisation; some accountability will flow from the board to the chief executive or executive committee down to heads of business and onwards, while others may flow from the board to board committees to heads of key functions (audit and risk being key examples) and onwards. Note too that accountability resides in the function, the role, the position and not in the individual currently in that function. All too often firms build organisation structures/silos around the individual, leading to a wide variety of potential operational and business risk issues, rather than building a structure good for the business and staffing it accordingly. Conversely, responsibility tends to reside with the individual and not with the function.
3. ESTABLISH LIMITS AND RESTRICTIONS
Within your accountabilities matrix, it should become apparent at which level within the organisation the sub-delegation of accountability and authority should cease; delegating further implies a level of authority inappropriate to the function or role. These “frontiers” of accountability should be identified and flagged and on a periodic basis, the firm should revisit the frontiers under changing business and economic conditions to ensure they remain appropriate. However, beyond these absolute limits to delegation, other limits and restrictions may be necessary at functions further up the organisational hierarchy. The most common of these are financial limits, usually relating to incurring credit exposures, trading exposures and liquidity exposures for the firm, as well as limits on expenditure. These usually are denominated in monetary terms and are accompanied by a clear escalation process for items exceeding the limit to be referred back to the delegator of authority for attention. Other forms of restriction may relate to who can make public statements of different types, who can sign different things for the firm, who may conduct recruitment interviews, who may investigate items of different sensitivity, etc. Remember that, as a parallel activity, you should be establishing a register of items to be reviewed periodically, with such limits and restrictions included into that schedule.
4. EMBODY THE ACCOUNTABILITIES MATRIX INTO JOB DESCRIPTIONS
Irrespective of what the firm calls them, every individual employed or otherwise retained by the firm should be provided with a job description which details their accountabilities, delegated authority, limits and restrictions on authority, reporting lines and primary activities which the individual is expected to perform, given the function they are appointed into. Job descriptions should be clear and concise, be unambiguous and be signed-off by the incumbent upon appointment. The incumbent should attest on an annual basis as to their adherence to their job descriptions.
5. LIVE YOUR ACCOUNTABILITIES MATRIX
Communicate accountabilities to the firm, ensure individuals understand and accept the accountabilities applicable to their function, then on an ongoing basis, monitor adherence to the accountabilities matrix, including the use of escalation and referral back up the delegation chain. Where necessary, enhance or improve the accountabilities matrix and periodically, review the appropriateness as the nature of business changes. This should provide the firm the basis to comply with all the probable requirements of CP1413/CP1414 in full.
For the latest information on the requirements of the Senior Managers Regime, click here.