Hiring a Chief Risk Officer (SMF4) at an FCA-Regulated Firm
Appointing a Chief Risk Officer at an FCA-regulated firm is one of the most consequential hiring decisions a board will make. Under the Senior Managers and Certification Regime, the CRO typically holds the SMF4 designation — Chief Risk function — making the individual personally accountable to the regulator for the integrity of the firm’s risk management framework. That accountability changes the nature of the brief, the candidate profile, and the search process.
At Exec Capital, we work with regulated firms across banking, insurance, asset management, wealth management and consumer credit to identify and place Chief Risk Officers capable of meeting both operational requirements and regulatory expectations. This guide sets out what boards and NEDs need to understand before opening a CRO search.
What SMF4 Means for the Hire
SMF4 — the Chief Risk function — is one of the prescribed senior management functions under SMCR. The individual holding it must be approved by the FCA before taking up the role. That approval process requires a Form A submission, a regulatory reference, and in some cases a regulatory interview, particularly at larger or more complex firms.
The practical implication for a search is timing. A CRO appointment at an FCA-regulated firm typically takes longer than an equivalent role in an unregulated business — not because the talent pool is smaller, but because the pre-appointment process adds four to twelve weeks depending on the firm’s regulatory category and the FCA’s current processing times. Boards that treat the CRO search as urgent but begin it late frequently find themselves in breach of their operational continuity requirements.
The Statement of Responsibilities that accompanies an SMF4 appointment must also be carefully drafted. It defines what the individual is personally accountable for, and any ambiguity at the outset can create problems during a supervisory review or enforcement action. Exec Capital works with firms and their legal advisers to ensure the SoR reflects the genuine scope of the role before the search begins.
The FCA’s Expectations of the Risk Function
The FCA expects the risk function at a regulated firm to be more than a reporting mechanism. It should be a genuine check on the firm’s risk appetite — capable of identifying emerging risks before they materialise, escalating concerns to the board without delay, and holding its position under commercial pressure. The regulator pays close attention to whether the risk function is genuinely independent of the revenue-generating parts of the business or whether it has been structurally or culturally subordinated to them.
In supervisory assessments, the FCA looks for evidence that the CRO has direct and unfettered access to the board and the Risk Committee, that risk appetite statements are properly operationalised rather than aspirational, and that the risk function’s conclusions are reflected in business decisions. Firms where the risk framework is technically complete but practically ignored are vulnerable to significant regulatory intervention regardless of the quality of their documentation.
The FCA has also signalled increasing focus on non-financial risk — operational resilience, conduct risk, data risk, and model risk — alongside the traditional focus on financial risks. CROs who have a broad risk framework capability, rather than one that is primarily credit or market risk focused, are better positioned to meet the regulator’s current expectations.
The CRO Profile at a Regulated Firm
The candidate market for CRO roles at FCA-regulated firms is relatively deep but highly segmented. A CRO with a strong credit risk background at a retail bank is not necessarily the right fit for a market risk function at a hedge fund or an operational risk leadership role at an insurer. Firms that describe the profile too broadly will attract a wide field and identify the right person slowly.
The most effective CRO appointments share a common structure: the candidate has operated at or near the board level of a firm in a comparable regulatory category, has managed a regulatory relationship directly — not just observed one — and can demonstrate that their risk framework has been tested either through a period of market stress, a supervisory visit, or a material incident. Firms should be sceptical of CRO candidates whose risk function has never faced a genuine challenge.
Beyond technical credibility, the regulated firm CRO must be able to hold ground with the CEO and the board on risk appetite decisions. The FCA expects the risk function to be genuinely independent. Candidates who have historically accommodated commercial pressure rather than escalating it are a regulatory liability regardless of their technical competence. Boards should probe this specifically during the interview process — asking candidates to describe situations where they have escalated concerns that were unwelcome and to explain what happened next.
Three-Lines-of-Defence and the CRO’s Place in the Structure
Most FCA-regulated firms operate a three-lines-of-defence model, with the CRO leading the second line. The precise scope of that second line varies significantly between firms — some CROs oversee risk only, others carry compliance within their remit, and others have responsibility for internal audit notwithstanding the independence requirements that apply to SMF5. Boards need to be precise about what sits within the SMF4 scope and what does not before the search begins, because the profile changes accordingly.
Where the CRO carries compliance within their remit, the candidate pool narrows to individuals with credible experience across both disciplines. The FCA has been explicit that compliance and risk are distinct functions with distinct purposes, and it scrutinises whether a combined function has sufficient capacity and seniority to fulfil both roles effectively. Firms that combine risk and compliance under a single senior manager should ensure the individual’s background and the team’s structure can withstand that scrutiny.
Where the CRO is expected to maintain a relationship with the FCA’s supervisory team, the candidate’s regulatory communication skills become material. The FCA places significant weight on the quality of dialogue it receives from senior management functions, and a CRO who struggles to articulate the firm’s risk position clearly and calmly under supervisory scrutiny will create problems that no risk framework can compensate for.
The Board Risk Committee Relationship
The CRO’s relationship with the Board Risk Committee chair is as important as their relationship with the CEO. In well-governed regulated firms, the Risk Committee provides genuine oversight of the risk function — challenging the CRO’s conclusions, requesting additional analysis, and escalating concerns to the full board when necessary. The CRO needs to be able to operate effectively within that governance structure, presenting complex risk positions in terms that a board-level audience can engage with meaningfully.
Before opening a CRO search, boards should assess the current Risk Committee’s composition and effectiveness. A Risk Committee that lacks the expertise to provide genuine oversight of the risk function is a governance gap that the CRO appointment cannot remedy on its own. In some cases, the right sequencing is to strengthen the Risk Committee’s non-executive membership before or alongside the CRO appointment.
The CRO should also have a clear escalation protocol for situations where their concerns are not being adequately addressed by the executive team. The FCA expects this protocol to exist and to be used. Candidates who cannot articulate how they would escalate a serious risk concern to the board, bypassing the CEO if necessary, are not meeting the standard the regulatory framework requires.
Common Pitfalls in CRO Searches at Regulated Firms
The most common mistake boards make in CRO searches is defining the role primarily in operational terms — focusing on the candidate’s technical risk management capability and their ability to manage the risk function’s day-to-day activities — while underweighting the regulatory dimension. A technically excellent CRO who has not navigated a direct regulatory relationship will struggle in the SMF4 role in ways that may not become apparent until a supervisory visit or an enforcement enquiry tests them.
A second common mistake is moving too slowly through the process. The CRO candidate market is active, and strong candidates at this level are typically running multiple processes simultaneously. Boards that take three weeks to convene a first interview and another three weeks to reach a decision frequently lose their preferred candidates. At this seniority, a well-managed search should run from brief to preferred candidate within six to eight weeks.
A third mistake is underinvesting in reference conversations. The CRO’s track record under pressure — particularly in their relationship with their previous board and regulator — is the most predictive indicator of how they will perform in the role. Formal written references from previous employers are inadequate for this purpose. Detailed conversations with previous supervisors, board members, and regulatory contacts provide the quality of insight the appointment requires.
CRO Succession and Interim Coverage
Boards that are approaching a planned CRO departure — whether through retirement, a known leadership transition, or a firm restructuring — should begin succession planning at least twelve to eighteen months in advance. The regulatory approval timeline for an SMF4 appointment means that a late start carries significant operational risk, particularly if the departing CRO holds other regulated functions that require coverage.
Where a CRO departure is unplanned, interim coverage becomes the immediate priority. The FCA expects firms to maintain adequate oversight of the risk function at all times, and a vacancy in the SMF4 role without a clear plan for coverage will attract regulatory attention. Exec Capital can provide access to experienced interim CROs who can assume the SMF4 designation while a permanent appointment is progressed.
Compensation and Market Positioning
Chief Risk Officer compensation at FCA-regulated firms reflects both the seniority of the role and the regulatory accountability it carries. At smaller authorised firms, base salaries typically range from £120,000 to £180,000. At mid-tier banks, insurers and asset managers, the range extends from £180,000 to £300,000, with variable compensation structured to comply with the Remuneration Code where applicable. At systemically important institutions, total compensation packages are materially higher.
Firms operating under the FCA’s remuneration rules — particularly those subject to the MIFIDPRU Remuneration Code or the PRA’s Remuneration Part — need to ensure that the CRO’s variable compensation structure reflects the applicable deferral and malus requirements. Getting this wrong at the offer stage creates both a retention problem and a regulatory one. The CRO, as a material risk taker and a senior management function, will almost certainly fall within the remuneration code’s most stringent provisions.
The Search Process for an SMF4 Appointment
Exec Capital approaches CRO searches at FCA-regulated firms on a retained basis. We do not run contingency assignments for SMF-designated roles. The regulatory stakes are too high and the candidate relationships too sensitive for a non-exclusive process to serve the firm well.
Our typical timeline from brief to shortlist is three to five weeks. We present a shortlist of four to six candidates with full profiles, regulatory reference context, and a clear view of each candidate’s appetite for the regulatory engagement the role requires. We support the interview process and advise on Form A preparation once a preferred candidate is identified. Where the search is time-sensitive due to a planned or unplanned departure, we can accelerate the process and provide interim coverage recommendations in parallel.
About the Author
Adrian Lawrence FCA is the founder and managing director of Exec Capital, an ICAEW-Registered Practice. Adrian holds an ICAEW practising certificate in his own name and is a Fellow of the ICAEW. His profile can be verified at find.icaew.com. Exec Capital (Companies House: 15037964) specialises in executive search and C-suite appointments for growth-focused, investor-backed businesses across the UK.
Discuss Your CRO Search
Exec Capital places Chief Risk Officers and SMF-designated executives at FCA-regulated firms across the UK. Call us on 0203 834 9616 or tell us about your hire.
Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name. With over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.