What Is the SMF10 Senior Management Function?
Senior Management Function 10 — the Chair of the Risk Committee — is the FCA-designated accountability for the most senior board-level oversight role in a UK regulated firm’s risk governance framework. The Chair of the Risk Committee is a Non-Executive Director who holds personal regulatory accountability, under the Senior Managers and Certification Regime (SMCR), for the independence and effectiveness of the firm’s risk committee — the board-level body responsible for overseeing the firm’s risk appetite, risk management framework, and the management team’s risk-taking activities.
This guide explains the SMF10 role in depth — the regulatory framework that governs it, how the Chair of the Risk Committee operates in practice, what FCA pre-approval involves, what the candidate profile looks like, and how to run a search. It draws on the work Exec Capital does on regulated firm senior appointments across asset management, wealth management, insurance, banking, fintech, and consumer credit sectors.
The SMF10 hire is one of the most consequential governance appointments a regulated firm makes — not because the role is executive (it is not) but because the Chair of the Risk Committee provides the independent oversight that prevents the management team’s risk appetite from exceeding what the board and the FCA consider appropriate. A weak, passive, or underskilled SMF10 is a governance failure with regulatory consequences; a strong one provides genuine challenge, genuine independence, and genuine protection for the firm and its customers.
A Note from Our Founder — Adrian Lawrence FCA
The SMF10 appointment requires more regulatory awareness in the search process than almost any other appointment Exec Capital runs. The FCA will assess the candidate’s fitness and propriety — their reputation, their competence and capability, and their financial soundness — and the firm needs to be confident in all three before submitting the application. A candidate who looks right on paper but has undisclosed regulatory history, a poorly prepared application narrative, or a relationship with the CRO that raises independence questions will create problems that are significantly harder to resolve post-submission than pre-search.
The Chair-CRO relationship is the governance relationship I pay closest attention to in SMF10 searches. The Chair of the Risk Committee should be the CRO’s principal board interlocutor — the person who understands the risk function’s work most deeply, who challenges the risk appetite framework with the most rigour, and who ensures that the CRO has the board support and independence needed to do their job effectively. A Chair who simply ratifies management recommendations without constructive challenge is not providing the independent oversight the SMCR requires.
Adrian Lawrence FCA | Founder, Exec Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 15037964 | Placing senior executives at UK FCA-regulated firms since 2018
The SMCR Framework and SMF10’s Place Within It
The Senior Managers and Certification Regime (SMCR) was introduced to UK financial services in 2016 for banking firms and extended to all FCA-authorised firms in 2019. Its core principle is individual accountability: named individuals at regulated firms carry personal accountability for defined areas of the firm’s governance, and the FCA can take action against those individuals directly where they fail to meet the expected standard.
SMF10 is one of the prescribed Non-Executive Director functions under the SMCR. It sits alongside SMF9 (Chair of the Board), SMF11 (Chair of the Audit Committee), SMF12 (Chair of the Remuneration Committee), and SMF14 (Senior Independent Director) on the NED side of the SMCR framework. Together, these functions ensure that the board’s oversight of the executive team — across risk, audit, remuneration, and overall governance — is individually accountable rather than collectively anonymous.
The prescribed responsibility attached to SMF10 is oversight of the firm’s risk management policies and procedures. This is the formal regulatory accountability that the Chair of the Risk Committee carries: ensuring that the firm has adequate risk management policies, that the risk committee’s oversight of those policies is effective and independent, and that material risk information reaches the board in a form that enables sound governance decisions. The Statement of Responsibility for an SMF10 appointment must reflect this prescribed responsibility accurately and should be drafted with legal counsel’s input before it is presented to the candidate for signature.
It is important to note that SMF10 is not required at all regulated firms. The FCA’s requirements for risk committee governance vary by firm size and type: larger firms and those in specific sectors (banking, insurance, major investment firms) are typically required to have a formal risk committee with a designated chair; smaller solo-regulated firms may not have this requirement. Firms should confirm with their legal and compliance advisers whether SMF10 is a required function before initiating the search. For the broader SMCR framework and how SMF functions are allocated, the SMF Roles: A Complete Guide provides the foundational reference.
The Chair of the Risk Committee’s Governance Role
Understanding what the Chair of the Risk Committee actually does — in practice, not just in regulatory definition — is essential context for the search brief and for the candidate conversation.
Risk committee leadership and governance. The SMF10 chairs the risk committee, which typically meets quarterly or more frequently depending on the firm’s risk profile. The Chair sets the risk committee’s agenda, manages the committee’s interactions with management (primarily the CRO and CFO), ensures that the committee’s terms of reference are followed, and produces the risk committee report for the main board. Effective chairing requires both subject matter depth — the ability to assess the quality of risk management information presented — and governance discipline — the ability to structure productive committee deliberations and produce clear, accountable outputs.
Risk appetite oversight. The risk appetite framework — the firm’s formal statement of the level and types of risk it is willing to accept in pursuit of its commercial objectives — is the risk committee’s most important governance document. The Chair oversees the development and periodic review of the risk appetite framework, ensures that it reflects the board’s genuine risk tolerance rather than simply ratifying management’s preferences, and monitors the firm’s actual risk profile against the appetite on a continuous basis. Where the firm is operating outside its risk appetite — deliberately or inadvertently — the Chair is responsible for ensuring the board is aware and that appropriate management action is taken.
CRO relationship and independence support. The Chief Risk Officer’s effectiveness depends significantly on the quality of their relationship with the Chair of the Risk Committee. The Chair is the CRO’s primary board champion — the person who ensures that the CRO has the board access, the information they need, and the independence to provide honest risk assessments without management pressure to soften them. Where the CRO’s independence is compromised — by reporting line conflicts, by management pressure, or by inadequate resourcing — the Chair is the governance failsafe. The Chair should have a regular private meeting with the CRO, without management present, to discuss the risk function’s operation and any concerns the CRO does not feel able to raise in full committee.
Regulatory liaison. The SMF10 holder may be called to engage directly with the FCA — in supervisory meetings, in response to information requests, or in enforcement contexts. The Chair of the Risk Committee should be prepared for this engagement and should understand the FCA’s current supervisory priorities and how they apply to the firm’s risk profile. In severe cases, the FCA has engaged directly with individual SMF holders about failures in their prescribed responsibility areas; the SMF10 holder should be in no doubt about the personal accountability this engagement reflects.
Horizon scanning and emerging risks. The risk committee is responsible for oversight of known risks. But the Chair also has a responsibility to ensure that the committee’s agenda includes emerging and horizon risks — climate risk, geopolitical supply chain risk, cyber threat evolution, AI and model risk — that are not yet fully embedded in the firm’s risk management framework but could become material. This forward-looking dimension of the role requires intellectual curiosity and a willingness to bring external risk intelligence into the committee’s deliberations.
The Chair-CRO Dynamic
The relationship between the Chair of the Risk Committee and the Chief Risk Officer is one of the most important governance relationships in a regulated firm, and one of the most delicate. Getting it right is a precondition for effective risk governance; getting it wrong produces either rubber-stamp oversight (where the Chair defers too much to management) or adversarial dysfunction (where the Chair-CRO relationship becomes a governance bottleneck).
The ideal Chair-CRO relationship is characterised by three qualities: respect for the CRO’s technical expertise; independence from the management viewpoint the CRO inevitably carries; and trust that enables candid communication when the CRO has concerns they need to raise at board level. The Chair who has the CRO’s respect will receive better information; the Chair who maintains genuine independence will provide better oversight; and the Chair who has the CRO’s trust will hear the things that matter most.
In practice, this relationship requires deliberate investment. The Chair should ensure that they have substantive one-on-one time with the CRO between committee meetings — not just the formal committee interaction — and should be actively accessible when the CRO needs board-level input on a significant risk decision. A Chair who is only present at formal meetings is not providing the continuous oversight that the SMF10 accountability implies.
For context on the CRO’s perspective on this relationship, the CRO recruitment practice and the SMF4 CRO Hiring Guide provide the counterpart perspective on how the CRO sees the board risk governance relationship.
FCA Pre-Approval: The SMF10 Application Process
The SMF10 appointment requires FCA pre-approval before the candidate can take on the function. The firm submits a Form A application to the FCA, and the FCA assesses the candidate’s fitness and propriety against the three statutory criteria: reputation, competence and capability, and financial soundness.
The fit and proper assessment. The FCA’s assessment of an SMF10 candidate’s fitness and propriety focuses on: their regulatory history across the six years prior to the application (including any regulatory investigations, enforcement actions, or adverse supervisory findings at previous firms); their competence for the specific SMF10 accountability (the risk committee chair function requires genuine risk management knowledge, not just general NED experience); and their financial position (any undischarged insolvency, significant unpaid debts, or financial conduct concerns are material to the assessment).
Application timeline. The FCA targets a determination on SMF applications within three months for straightforward cases. Complex applications — where there is significant regulatory history to review, where the candidate’s experience creates genuine competence questions, or where the firm’s overall regulatory relationship is under close supervisory attention — can take significantly longer. Firms should plan for a 12–16 week window from submission to approval for a clean application, and should not allow the candidate to take on any SMF10 responsibilities before approval is granted.
The Statement of Responsibility. The SMF10 Statement of Responsibility must accurately reflect the prescribed responsibility for risk committee oversight and must be consistent with the firm’s Management Responsibilities Map. The firm’s legal counsel and compliance team should draft and review the SoR before it is presented to the candidate — not only to ensure regulatory accuracy but to ensure the candidate fully understands the personal accountability they are accepting. Candidates with prior SMF experience will review the SoR carefully and will flag loose or overlapping language; candidates without prior SMF experience sometimes accept SoRs without adequate scrutiny, which creates problems when the accountability is invoked. For the full SoR framework, the SMF Roles guide covers the SoR and Management Responsibilities Map process in detail.
Regulatory references. Under the SMCR, firms are required to obtain regulatory references covering six years of employment history for SMF applicants. These references are structured — the reference format is prescribed — and must be obtained from each relevant previous employer. They will surface any material regulatory history that the candidate’s own disclosures may have missed. The regulatory reference process takes time and should be initiated early in the appointment process rather than left until after an offer has been accepted.
The SMF10 Candidate Profile
The Chair of the Risk Committee candidate pool at a UK regulated firm is narrower than many firms expect, particularly at the smaller end of the market where the intersection of regulatory credibility, genuine risk management expertise, and NED governance experience is uncommon.
Risk management expertise is the foundation. The Chair of the Risk Committee who does not have genuine risk management knowledge — either from a career in risk management, credit risk, market risk, or operational risk, or from deep NED experience of risk committee governance at comparable firms — will be unable to provide meaningful challenge to the risk management information presented by the CRO and the management team. The FCA’s competence assessment will probe this dimension, and the candidate’s ability to engage substantively with the firm’s specific risk profile is a key quality indicator.
Prior SMF experience is a significant advantage. Candidates who have previously held an SMF function — including SMF10 at another firm, or any of the other NED SMF functions — have demonstrated their ability to navigate the regulatory framework, manage their personal accountability, and operate within the SMCR’s governance requirements. They typically require shorter onboarding, present fewer surprises in the FCA application process, and bring the credibility with the FCA that comes from an established regulatory track record.
Independence from management is non-negotiable. The SMF10 holder must be genuinely independent of the executive management team. FCA guidance on independence — which reflects the UK Corporate Governance Code’s independence criteria — requires that the NED has no material relationship with the firm beyond their non-executive role, has not been an employee of the firm within the past five years, and is free from any commercial or personal relationship that could reasonably be seen to affect their independence of judgment. The independence assessment should be documented and reviewed by the firm’s legal counsel before the appointment is offered.
Sector-specific regulatory literacy. The risk governance requirements at a bank, an asset manager, an insurance company, and a consumer credit firm are materially different — in the risk categories overseen (credit risk, market risk, operational risk, liquidity risk), in the regulatory framework that applies (PRA as well as FCA for banking and insurance), and in the supervisory attention that different sectors receive. A Chair of the Risk Committee with experience confined to a very different regulated sector may not have the specific regulatory literacy the role requires. Where cross-sector candidates are being considered, the assessment should specifically probe their understanding of the firm’s sector-specific risk framework.
Where SMF10 Talent Comes From
SMF10 candidates come from three primary backgrounds, each with different characteristics.
Career risk professionals who have transitioned to NED roles. Former CROs, Heads of Risk, and Group Risk Directors who have moved from executive to non-executive careers are the most directly qualified SMF10 candidates. They bring genuine risk management depth, regulatory credibility, and often existing relationships with the FCA. Their risk is that they may struggle to transition from executive management mode to the governance oversight and challenge mode that an effective NED requires.
Senior NEDs with risk committee experience at comparable firms. Established NEDs who have chaired or served on risk committees at comparable regulated firms bring the governance experience and the NED skillset that the role requires, alongside the risk credibility that comes from direct risk committee oversight. These candidates are often the most immediately effective but may be in high demand and carrying multiple NED mandates that need careful scheduling consideration.
Retired or senior finance and actuarial professionals. Former CFOs, Chief Actuaries, and senior finance executives with regulated firm backgrounds sometimes transition successfully into SMF10 roles, bringing quantitative and financial risk literacy alongside P&L-connected commercial judgment. These candidates may need development on governance process and pure risk management methodology but can provide strong oversight of financial and credit risk dimensions.
Running the SMF10 Search
An SMF10 search requires regulatory due diligence to be embedded in the process — not as a post-offer compliance step but as a pre-offer quality check. The firm should ask candidates directly about their regulatory history, request disclosure of any prior regulatory investigations or enforcement actions, and review the candidate’s publicly available regulatory record (the FCA Register and, where applicable, the PRA Register) before shortlisting.
The assessment should include a substantive risk governance discussion — specifically, a conversation about the candidate’s approach to risk appetite framework design, their experience of managing the Chair-CRO dynamic, and their view of the firm’s most significant current risk challenges. This is not an examination; it is a test of whether the candidate’s risk management knowledge and governance approach are appropriate for the specific firm and its current risk profile.
Board chair and senior independent director involvement in the assessment is essential. The SMF10 holder works within a board governance structure — under the board chair, alongside the senior independent director, and in close interaction with the audit committee chair. The appointment should have the board chair’s genuine endorsement, not just formal approval.
The regulatory pre-approval timeline — 12–16 weeks from submission — means that the total time from search opening to the SMF10 holder being able to exercise their function is typically 20–28 weeks for a clean process. Firms should plan for this timeline from the outset and should not create governance gaps by allowing a departing SMF10 holder to leave before a successor is in place.
SMF10 Compensation and Time Commitment
Non-Executive Director compensation for SMF10 holders reflects the regulatory accountability, the time commitment, and the market for qualified risk committee chair candidates.
NED fees. At mid-size FCA-regulated firms (authorised firms below FTSE 250 scale), SMF10 NED fees typically run from £40,000 to £80,000 per annum depending on firm size, the complexity of the risk profile, and the frequency of committee meetings. FTSE 250 and major financial services firms pay significantly more — £80,000 to £150,000 — reflecting the scale of the accountability and the competitive market for qualified candidates at that level.
Time commitment. The SMF10 role typically requires 20–30 days per year — risk committee meetings (typically quarterly, with additional ad-hoc meetings in response to material risk events), preparation time, one-to-one meetings with the CRO, board meetings, and regulatory engagement. Firms whose risk profiles are complex or whose risk committees meet more frequently should calibrate the time commitment and fee accordingly.
Additional committee membership. Many SMF10 holders also serve on the main board and one or more additional board committees, which increases both the time commitment and the total NED fee. The total package should be negotiated with the full committee portfolio in mind.
Common Hiring Mistakes
1. Appointing a NED with governance experience but insufficient risk management depth. A capable NED who lacks genuine risk management knowledge will not be able to provide meaningful challenge to the CRO’s reports and the risk management framework. The FCA’s competence assessment may flag this, but even if the application passes, the governance quality of the SMF10 oversight will be inadequate.
2. Failing to conduct regulatory history due diligence pre-offer. Discovering material regulatory history after an offer has been made — and after the candidate has been publicly associated with the firm — is significantly more damaging than surfacing it pre-search. Regulatory due diligence should be a pre-offer requirement, not a post-offer compliance step.
3. Not preparing the Statement of Responsibility with adequate legal input. An SoR that is vague, that overlaps with other SMF functions, or that understates the prescribed responsibility will create regulatory exposure. The SoR should be drafted by the firm’s legal counsel, reviewed by the compliance function, and presented to the candidate in final form before the offer is made.
4. Ignoring the independence assessment. Independence from management is a regulatory requirement, not a preference. The independence assessment should be formally documented, reviewed by legal counsel, and confirmed against the FCA’s independence criteria before the appointment is offered. An SMF10 who is later found to lack independence creates a governance failure with potential enforcement consequences.
5. Underestimating the application timeline. Planning for a six-week FCA approval turnaround when the realistic estimate for a clean application is 12–16 weeks creates governance gaps and candidate frustration. Build the realistic timeline into the search plan from day one.
How Exec Capital Approaches SMF10 Appointments
Exec Capital’s regulated-firm practice covers the full range of SMF NED appointments — SMF9 (Chair), SMF10 (Chair of Risk Committee), SMF11 (Chair of Audit Committee), SMF12 (Chair of Remuneration Committee), SMF14 (Senior Independent Director) — alongside the executive SMF functions. Our SMF10 search process embeds regulatory due diligence from the outset, ensuring that candidates presented to the firm are pre-qualified on regulatory history, independence, and sector-specific risk management competence before they appear on the shortlist.
We work with the firm’s legal and compliance teams on the Statement of Responsibility and Management Responsibilities Map before candidates are engaged — because the SoR defines the role, and a well-drafted SoR attracts better candidates and produces fewer surprises in the FCA application. For firms making their first SMF10 appointment, or refreshing the function following a departure, we provide a full brief development process that addresses the regulatory, governance, and commercial dimensions of the role before any outreach begins.
Related SMF NED appointments that frequently accompany or follow the SMF10 hire include the SMF11 Chair of Audit Committee and the SMF9 Chair. For the full SMCR context, the SMF Roles: A Complete Guide is the foundational reference. For firms considering the full board governance structure alongside the SMF10 appointment, the Board Construction Guide provides the broader framework.
The SMF10 and Climate and Emerging Risk Governance
The risk committee’s agenda has expanded significantly in recent years to encompass non-traditional risk categories that were not part of the standard risk management framework ten years ago. The Chair of the Risk Committee needs to be equipped to provide meaningful oversight of these emerging risk areas as well as the traditional financial and operational risk categories.
Climate and transition risk. The FCA’s TCFD requirements, the Bank of England’s Climate Biennial Exploratory Scenario, and the growing regulatory expectation that regulated firms manage climate risk as a material financial risk have placed climate firmly on the risk committee’s agenda. The SMF10 holder does not need to be a climate scientist, but they do need to understand how physical climate risks (asset stranding, supply chain disruption, operational impact) and transition risks (policy changes, energy cost volatility, stranded asset exposure) translate into financial risk for the firm, and to ensure that the risk management framework captures these exposures credibly. For context on the sustainability governance framework that intersects with the risk committee’s climate risk oversight, the Chief Sustainability Officer guide is relevant.
AI and model risk. The increasing use of AI in financial services decision-making — credit scoring, fraud detection, customer triage, automated advice — creates model risk that the risk committee is expected to oversee. The FCA’s evolving framework for AI governance in financial services places the oversight of AI risk squarely within the risk committee’s accountability. The Chair of the Risk Committee should ensure the risk committee has adequate technical input — either from the CRO’s team or from a specialist technical NED — to provide meaningful oversight of AI model risk rather than rubber-stamping management’s assurances.
Operational and third-party risk under DORA. For firms with EU operations, the Digital Operational Resilience Act (DORA) has significantly expanded the regulatory requirements for ICT risk management and third-party oversight. The risk committee’s oversight of the firm’s ICT risk management framework, its critical third-party dependencies, and its operational resilience testing programme are all within the SMF10 accountability scope. A Chair of the Risk Committee without digital and operational resilience knowledge may need to ensure the committee has adequate specialist input to meet DORA oversight requirements credibly.
Further Reading and Authoritative Sources
The FCA’s Senior Managers and Certification Regime overview and the FCA’s guidance for solo-regulated firms are the primary regulatory references for the SMF10 function. The FCA’s prescribed responsibilities guidance sets out the formal accountability structure within which the SMF10 prescribed responsibility sits.
For risk committee governance best practice, the Institute of Directors and the FRC UK Corporate Governance Code provide the broader governance framework within which FCA-regulated firm risk committee governance operates. The Professional Risk Managers’ International Association (PRMIA) provides professional standards for risk management practitioners relevant to assessing SMF10 candidate qualifications.
On NED appointment processes and governance standards, the FRC’s Guidance on Board Effectiveness provides the framework for how boards should assess the performance of individual directors — including risk committee chairs — and the ICAEW Corporate Governance resources include specific guidance on audit and risk committee governance at regulated firms.