Hiring an SMF24 Chief Operations Function: A Complete Guide

Hiring an SMF24 Chief Operations Function: A Complete Guide

SMF24 is the FCA designation that attaches personal regulatory accountability to the Chief Operations Function at an FCA-regulated firm — typically the Chief Operating Officer, but in some firm structures the most senior individual responsible for operations, technology, change and operational resilience even where that title is not formally COO. The role gained materially in importance after the FCA’s Operational Resilience policy took effect in March 2022, which moved operational resilience from a compliance-led discipline to an executive-accountability one and put SMF24 holders at the centre of a substantial set of regulatory expectations. The candidate pool for SMF24 is the tightest of any executive SMF role we work on, and the gap between what boards expect from a COO search and what the role actually requires under SMCR is particularly wide.

This guide is written for CEOs, chairs, and Boards working through the appointment of a COO into an FCA-regulated firm. It sets out what an SMF24 appointment actually involves: how the role differs from a corporate COO, how operational resilience reshaped the role, what the Statement of Responsibility looks like, how the FCA approval process operates, how to think about the candidate pool, and how the SMF24 sits alongside the CRO, the Head of Internal Audit and the rest of the senior management team. It draws on our work running SMF mandates across asset management, wealth management, insurance, brokerage, fintech and consumer credit firms — and on the FCA’s published guidance on operational resilience and on senior management functions for solo-regulated firms. For the broader SMF picture, see our SMF Roles guide; for the corporate (non-regulated) version of the COO appointment, see COO recruitment.

What SMF24 covers

SMF24 is the Chief Operations Function under the Senior Managers and Certification Regime. The function applies to the senior individual responsible for the firm’s operations — including, depending on firm structure, technology, change management, business continuity, third-party risk, operational resilience, and the operational delivery of the firm’s products and services. Like other prescribed senior management functions, SMF24 must be held by an FCA-approved individual where the function exists at the firm; any change in the SMF24 holder triggers a regulatory notification and approval process.

The substantive scope of SMF24 covers what a corporate COO would recognise — operational leadership of the firm, accountability for execution against the strategic plan, executive team membership at firms where the COO sits on the executive committee, and the relationship between operations and the rest of the senior management team. The regulatory dimension is layered through every part of it: the SMF24 holder is personally accountable for the way the firm’s operational capability functions and for the firm’s ability to deliver important business services within agreed impact tolerances during severe but plausible disruption.

One specific point worth being explicit about. SMF24 applies where the firm has a designated Chief Operations Function — which most Enhanced firms have, and most Core firms above a certain scale have. Smaller Core firms and Limited Scope firms may not have a separate COO function at all; in those cases, operational responsibility may sit with the SMF1 (CEO) or be split across other senior management functions. Where SMF24 exists at the firm, the FCA’s expectations are clear: the role is the operational accountability anchor for the firm, and the candidate appointed to it should be senior enough to discharge those expectations effectively.

It is also worth distinguishing SMF24 from the broader corporate COO role at non-regulated firms. The substantive operational responsibilities are similar, but the SMF24 holder has personal accountability to the regulator that a corporate COO does not face — accountability that affects who is genuinely available, what compensation looks like, and what the firm needs to do to make the role attractive to strong candidates.

How operational resilience reshaped SMF24

The single most important change to the SMF24 role in recent years was the FCA’s Operational Resilience policy, which took effect in March 2022 with a three-year transitional period running to March 2025. The policy reshaped SMF24 expectations and changed what the role actually requires from candidates.

The policy requires firms to identify their important business services — the services whose disruption would cause intolerable harm to consumers, market integrity or the firm itself. For each important business service, the firm must set impact tolerances defining the maximum acceptable level of disruption. The firm must then map and test its ability to deliver each important business service within its impact tolerances during severe but plausible disruption — and must demonstrate this through a self-assessment that the Board reviews annually.

The substantive work runs across the SMF24’s territory. Identifying important business services requires deep operational understanding of the firm’s value chain. Setting impact tolerances requires judgement that combines operational knowledge with regulatory expectation-setting. Mapping and testing requires investment in third-party risk, technology resilience, business continuity, and change management capability. The Board self-assessment is led by the SMF24 in most firms, with substantive input from the SMF4 CRO on the risk dimension and the SMF1 CEO on overall accountability.

The transition period from March 2022 to March 2025 was where most firms did the heavy lifting on the policy. Boards approaching SMF24 succession in 2026 need candidates who have lived through this — who understand what the policy actually requires in practice, what the FCA expects from the annual self-assessment, and what good operational resilience capability looks like at scale. Candidates whose most recent COO experience predates the policy or who have not been actively involved in operational resilience work since 2022 face a more substantive FCA assessment on competence and capability for the role.

The post-March 2025 period has shifted FCA focus from policy implementation to ongoing supervision. The FCA is now actively examining how firms are operating against their impact tolerances, how third-party risk is being managed in light of the policy’s expectations, and how operational resilience integrates with the firm’s broader risk framework. SMF24 holders are at the centre of this supervisory engagement.

What an SMF24 COO does that a corporate COO does not

The substantive role of any senior operational leader includes operational delivery, executive team contribution, and Board engagement on operational matters. SMF24 layers regulatory accountability over all of that and adds several specific dimensions a corporate COO would not typically encounter.

Personal accountability to the regulator. The SMF24 holder’s Statement of Responsibility allocates specific prescribed responsibilities to the role — typically including responsibility for operational resilience, third-party risk, technology resilience, change management, and the firm’s operational performance against agreed impact tolerances. When the FCA reviews how the firm has handled an operational matter, the SMF24 is the senior individual whose accountability they look at.

The relationship with the FCA on operational matters. SMF24 holders are typically the firm’s principal point of contact with the FCA on operational and resilience matters — particularly during firm visits, thematic reviews, or any FCA-led work focused on operational risk, third-party risk, or specific resilience categories. The supervisory engagement on operational resilience can be substantive, particularly for firms whose self-assessment has flagged areas of concern or where the FCA is exercising specific supervisory focus.

Third-party risk accountability. Most regulated firms have material dependencies on third parties — cloud providers, technology vendors, outsourcing partners, market infrastructure. The FCA’s expectations on third-party risk are substantial, and SMF24 holders are typically accountable for the firm’s third-party risk framework. This includes supplier due diligence, contract risk allocation, exit planning, concentration risk monitoring, and the integration of third-party risk into the firm’s overall operational resilience picture.

Technology resilience. The boundary between SMF24 and the firm’s technology leadership (whether a dedicated CIO or CTO sits on the executive team or technology rolls up to the SMF24 directly) varies by firm structure. Where technology is part of the SMF24’s remit, the role includes accountability for the firm’s technology resilience programme — change management discipline, IT incident response, cyber resilience, and the technology dimension of the firm’s important business services. Strong SMF24 candidates can articulate how they think about technology resilience even where they do not lead the technology function directly.

Consumer Duty operational dimension. The FCA’s Consumer Duty requires firms to deliver good outcomes for retail customers — and the operational dimension of that is substantial. Customer journey mapping, complaint handling effectiveness, communication clarity, fair value monitoring through operational data — all of these touch the SMF24’s territory. Boards hiring an SMF24 in consumer-facing regulated firms increasingly expect candidates with conduct-aware operational backgrounds.

The reasonable steps test on operational matters. When something goes wrong operationally — a customer harm event arising from operational failure, a major incident affecting an important business service, a supplier failure with regulatory implications — the FCA’s first analytical question includes whether the SMF24 took reasonable steps in the area they are accountable for. Strong SMF24 candidates examine the firm’s environment carefully on this dimension before accepting an offer.

Where SMF24 sits within the senior management team

Understanding how SMF24 fits alongside the other senior management functions is one of the most important parts of the role specification. Three relationships matter most.

The relationship with the SMF1 CEO. SMF24 reports to the CEO in most firm structures and is a core member of the executive team. The CEO retains overall accountability for the firm’s performance under their broader SMF1 responsibilities; SMF24 has accountability for the operational dimension specifically. The boundary between “overall accountability” and “operational accountability” needs to be drafted carefully so neither role’s Statement of Responsibility creates duplication or gaps.

The relationship with the SMF4 CRO. The CRO leads the second line risk function — including operational risk monitoring as part of the broader risk framework. The SMF24 sits in the first/executive line on operational matters. The two roles need to work together on operational resilience, third-party risk, technology resilience, and operational risk monitoring without compromising the second-line independence of the CRO function. Strong CRO–COO working relationships are characterised by frequent informal contact, joint development of operational risk priorities, and clear distinctions between executive accountability (SMF24) and second-line oversight (SMF4). The boundary needs to be explicit in both roles’ Statements of Responsibility.

The relationship with the SMF5 Head of Internal Audit. Internal audit reviews the operational function as part of normal third-line scope — examining whether the SMF24’s frameworks, controls and processes are operating effectively. SMF24 holders need to be comfortable with this review relationship and willing to engage constructively with audit findings even where they are uncomfortable. Candidates whose previous operational roles have shown them resistant to internal audit findings can find this surfaces during reference checks.

One specific point on firm structures. Some regulated firms operate with an SMF24 who also holds executive responsibility for technology — effectively a combined COO/CTO role. Other firms separate technology into a dedicated CIO/CTO role reporting to the SMF24 or to the CEO directly. The structure choice shapes the SMF24 role meaningfully, and the role specification should be explicit about which model the firm operates and what the candidate will be responsible for.

Building the SMF24 role specification

The role specification for an SMF24 search needs to do three things at once: communicate the substantive operational leadership role at this specific firm, communicate the regulatory dimension, and communicate the working environment the candidate will join. Specifications that handle the substantive role well but skim the others systematically attract candidates who may withdraw at offer stage when they understand what the role actually entails.

The substantive dimension covers the standard COO content tailored to the firm: the operational scope (what the SMF24 is accountable for and what sits elsewhere), the maturity of the existing function, the size and structure of the operations team, the relationship with the technology function, the use of outsourcing or third-party providers, and the specific strategic priorities where the SMF24 is expected to lead. Firms in transition (post-acquisition integration, technology platform replacement, scale-up phase, regulatory remediation) have specific SMF24 priorities that the specification should make explicit.

The regulatory dimension covers the SMF24 designation, the prescribed responsibilities allocated to the role, the firm’s classification under SMCR, the FCA supervisory category, the operational resilience self-assessment cycle and current state, and any active FCA matters touching operational topics. Specifications that flag the operational resilience dimension early — including the firm’s important business services, where impact tolerances are tightest, and where the firm is currently testing — attract candidates who are seriously interested in the regulated dimension.

The governance dimension covers the working relationship with the SMF1 CEO, the SMF4 CRO, the SMF5 Head of Internal Audit and any other senior management functions the SMF24 will work closely with. It also covers the firm’s executive committee structure (where the SMF24 sits on it, what the SMF24’s role on the committee involves) and the Board engagement pattern (how often the SMF24 attends Board meetings, what topics they typically lead on).

SMF24 candidates with prior experience will scrutinise the firm’s investment in operational resilience capability — the third-party risk function, the change management framework, the technology resilience programme, the incident management infrastructure. Specifications that demonstrate the firm has invested appropriately attract better candidates than specifications that present operations as cost-constrained or under-resourced.

The FCA approval process for SMF24

Once the firm has selected its preferred candidate, the FCA approval process begins. The mechanics are similar to other SMF approvals — and we cover the detailed mechanics in the SMF1 CEO hiring guide — but several aspects of SMF24 approval are worth flagging specifically.

The submission is built around Form A, supported by the candidate’s Statement of Responsibility, the firm’s Management Responsibilities Map, regulatory references covering the candidate’s previous six years of regulated employment, and supporting evidence on competence and capability. The FCA’s published service standard for Form A turnaround is up to three months for SMF approval, with most clean SMF24 applications resolved within four to ten weeks.

For SMF24 specifically, the FCA’s assessment focuses on three things beyond the standard fit-and-proper criteria.

Operational resilience experience. The FCA expects substantive evidence that the candidate understands operational resilience as a discipline — the policy framework, the practical implementation challenges, the integration with broader risk and governance, and the supervisory expectations. Candidates whose recent COO experience has actively involved operational resilience work clear this dimension cleanly. Candidates with operational backgrounds that predate the policy or who have not been actively engaged in resilience work need to demonstrate how they will close the gap.

Third-party risk understanding. The FCA increasingly probes candidate understanding of third-party risk — including the regulatory expectations on supplier governance, exit planning, concentration risk, and the integration of third-party risk with operational resilience. Candidates with experience of running third-party risk frameworks at meaningful scale clear this assessment cleanly.

Understanding of the firm’s specific operational profile. The FCA is interested in whether the candidate understands the operational realities of the firm they will be joining. Candidates who can articulate, with examples, the dominant operational risks in the firm’s business model and how they would approach managing them — including any specific FCA matters in the firm’s operational history — clear this aspect of the assessment cleanly.

The fit-and-proper assessment for SMF24

The fit-and-proper assessment for SMF24 covers the same three statutory criteria as for any senior management function: honesty, integrity and reputation; competence and capability; and financial soundness. The application of these criteria to the COO role has some specific dimensions.

Honesty, integrity and reputation is examined with attention to the candidate’s track record on operational matters that have gone wrong. Most senior COO candidates have been involved in incidents, programme failures, or operational matters that did not go to plan — the FCA does not penalise candidates for this in itself. What the FCA looks for is how the candidate handled those situations: whether they escalated appropriately, whether they took accountability or deflected, whether they engaged constructively with internal audit and second-line risk, and whether the references support the candidate’s account of what happened.

Competence and capability for SMF24 is assessed substantively. Prior SMF24 experience is the strongest evidence. Substantial COO experience at peer firms without prior FCA approval — for example, in similarly-classified firms with comparable operational complexity — is the next strongest. Candidates with prior senior operational leadership without head-of-function tenure (deputy COO, head of operations) can clear competence and capability where the firm’s environment supports the appointment and where the broader profile fits.

Financial soundness covers the candidate’s personal financial position. Same bar as for other SMF roles — anything significant must be disclosed, explainable, and not indicative of broader integrity concerns.

One specific dimension that comes up in SMF24 assessments more than other SMFs: the candidate’s track record on technology and change. Most SMF24 candidates have led significant technology programmes or operational transformations — and the FCA is interested in how those programmes were governed, what went well, what went wrong, and what the candidate learned. References from previous CIO/CTO peers, from previous CROs, and from previous Heads of Internal Audit are particularly useful for triangulating the candidate’s operational track record.

The Statement of Responsibility for an SMF24 COO

The Statement of Responsibility for the SMF24 sets out what the Chief Operations Function holder is accountable for. For SMF24, the SoR will typically include:

• The firm’s operational performance, including the operational delivery of products and services to customers
• Operational resilience, including the framework for identifying important business services, setting impact tolerances, mapping dependencies, and testing the firm’s ability to deliver within its impact tolerances during disruption
• Third-party risk and outsourcing governance, including supplier due diligence, contract risk allocation, exit planning, and concentration risk monitoring
• Technology resilience (where technology sits within the SMF24’s remit), including change management, IT incident response, and cyber resilience
• Business continuity and incident management, including the firm’s incident response capability and the integration with the broader operational resilience framework
• Operational risk identification and management, in coordination with the SMF4 CRO and the second-line risk function
• The capability of the operations team, including hiring, retention, training and the appropriate use of third-party support
• Engagement with the FCA on matters relating to operations, operational resilience, and third-party risk

The exact allocation varies by firm and by classification. In firms with a separate technology function led by a CIO or CTO who does not hold an SMF, technology accountability typically rolls up to the SMF24 even where the day-to-day technology leadership is delegated. In firms where technology is held by a different SMF (rare, but it occurs), the SoR for the SMF24 should make the boundary explicit.

Three drafting points are worth flagging for SMF24 SoRs.

Operational resilience must be explicit. Given the centrality of operational resilience to FCA expectations on SMF24, the SoR should reference operational resilience explicitly rather than treating it as implicit in broader operational accountability. This is a prescribed responsibility area where vague allocation creates regulatory risk.

The boundary with SMF4 needs to be clear. The CRO leads the second-line risk function on operational risk; the SMF24 has executive accountability for operational performance and the firm’s resilience capability. Both roles touch operational risk territory, and the SoRs need to draw the boundary cleanly. Typical pattern: SMF24 has accountability for operational performance and resilience capability; SMF4 has accountability for the second-line monitoring and challenge of that capability.

Third-party risk allocation needs care. Some firms allocate third-party risk to the SMF24 (operational view); some allocate it to the SMF4 (risk view); some split the framework across both with the SMF24 owning the operational dimension and the SMF4 owning the risk monitoring. The split needs to be deliberate and reflected consistently across both SoRs.

Building the candidate pool for SMF24

The SMF24 candidate pool is the tightest of any executive SMF role we work on, and several factors shape who is genuinely available.

Prior SMF24 approval is the strongest signal. Candidates currently holding or recently holding SMF24 in another regulated firm carry the highest credibility with the regulator and the lowest approval risk for the hiring firm. They have demonstrated they can clear the fit-and-proper assessment, they understand the substance of the role, and they bring direct regulatory engagement experience on operational matters. The challenge is that the population is small — meaningfully smaller than for SMF1 or SMF4 — and the most credible candidates are typically not actively seeking moves.

Heads of operations and deputy COOs are the natural step-up pool. Candidates currently holding senior operational roles below COO level — head of operations, deputy COO, COO of a subsidiary — are the most natural step-up pool for first-time SMF24 appointments. They have lived under SMCR (often as Certified Persons), have direct operational experience, and understand the regulated dimension. Many SMF24 appointments come from this population, and the step-up is well-trodden.

Technology and change leaders with COO breadth. Candidates whose backgrounds combine senior technology leadership with operational responsibility — CIOs who have moved into broader operational roles, change directors who have taken on operational accountability, programme leaders who have moved into permanent COO positions — can be credible SMF24 candidates particularly in firms where the operational resilience and technology dimensions are central. The FCA’s assessment will look closely at the substantive operational depth, but the pool is real and is sometimes overlooked.

Senior operational leaders from larger or differently-classified firms. A senior operational leader from an Enhanced firm moving down to a Core firm SMF24 role, or a senior operational leader from a banking environment moving into asset management, can bring useful breadth provided the underlying operational discipline transfers. The FCA’s assessment will probe the transfer carefully.

Corporate COOs without prior SMF approval. Strong corporate COOs — from FTSE 100 or 250 companies, or from large private companies with sophisticated operational functions — can clear the SMF24 fit-and-proper assessment with the right preparation. The most common pattern is structured FCA induction, sponsorship from existing SMF holders in the firm, and a deliberately staged Statement of Responsibility that is carefully scoped during the first phase of the appointment. Corporate COOs from financial services-adjacent industries (insurance, financial technology, payments) typically transition more easily than those from completely unregulated sectors.

One specific note on candidate availability. The UK SMF24 market has been particularly tight since the operational resilience policy took effect, because the substantive expectations of the role expanded faster than the candidate pool could grow. Strong candidates often have multiple options at any given time, and searches that connect with candidates 18-24 months before they intend to move see substantively better outcomes than searches that begin only when the firm urgently needs to fill the role.

Compensation, indemnity and the personal accountability dimension

SMF24 compensation in UK regulated firms operates within constraints similar to other senior executive SMF roles. Base salary, bonus and long-term incentive structures vary by firm classification, with the FCA’s Remuneration Code overlay applying to relevant firm types. SMF24 compensation typically reflects executive-team membership and is comparable with other senior C-suite positions at the same firm.

One specific compensation consideration for SMF24: the design of bonus metrics. Operational performance metrics that are appropriate for the role typically include operational resilience programme delivery, incident response performance, third-party risk framework effectiveness, change management discipline, and operational efficiency outcomes. Pure commercial metrics (revenue, profit) are less appropriate as the dominant component because they can create incentives that conflict with the operational resilience and risk management dimensions of the role. Strong SMF24 compensation structures balance commercial alignment with operational and resilience metrics.

Insurance and indemnity arrangements are an important part of the SMF24 offer. The COO’s personal accountability under the regime means the candidate is exposed to potential FCA action against them as an individual where the SMF24 functions have not been performed effectively. Operational matters that result in customer harm, market integrity issues or significant supervisory action can be the kind of events where personal accountability becomes substantive. Most regulated firms maintain D&O insurance and SMF-specific cover; the strength of this cover is a real consideration for SMF24 candidates and should be discussed during offer rather than after acceptance.

The reasonable steps test for SMF24 has a specific shape. The most common scenarios where it applies are operational matters that result in customer harm, significant operational incidents affecting important business services, third-party failures with regulatory implications, and breaches of operational resilience expectations. SMF24 candidates with prior experience evaluate the firm’s environment carefully on these dimensions before accepting an offer — particularly the maturity of the operational resilience programme, the strength of the third-party risk framework, and any matters in the firm’s recent operational history.

Common SMF24 search pitfalls

Several patterns recur in SMF24 searches that go off-track. Each is avoidable with deliberate planning at the start.

Briefing the role as a traditional COO search. Boards that approach SMF24 with a 2018-style COO brief — operational leadership, executive contribution, accountability for delivery — without the operational resilience dimension front and centre attract candidates who may be excellent operationally but who will struggle with the regulatory dimension. The fix is to brief the role accurately: operational leadership including the operational resilience and third-party risk responsibilities that are now central.

Underestimating candidate pool tightness. The UK SMF24 market is genuinely tight. Boards that begin searches assuming a robust pool of available candidates often discover the reality more slowly than they expect. The fix is to start the search earlier than the comfortable timeline suggests and to engage candidates 18-24 months before they intend to move where possible.

Drafting the Statement of Responsibility around the chosen candidate. SoRs that have been retrofitted to fit a chosen candidate tend to be weaker than SoRs built first. The retrofit version often has gaps that the FCA will probe during approval — particularly around operational resilience and third-party risk allocation — and creates first-year governance issues. The fix is to draft the SoR as part of the role specification, before the candidate is selected.

Underspecifying the boundary with SMF4 and SMF5. The SMF24 sits at the intersection of executive operational accountability (SMF24 itself), second-line risk monitoring (SMF4), and third-line independent assurance (SMF5). Specifications and SoRs that do not address these boundaries explicitly create governance gaps and confusion in the first year of the appointment. The fix is to map the boundaries before the search and reflect them clearly in the SoR.

Inadequate operational resilience capability. SMF24 candidates with prior experience scrutinise the firm’s investment in operational resilience capability — the third-party risk function, the change management framework, the technology resilience programme. Specifications that present operations as cost-constrained or that suggest the firm has not invested adequately often fail to attract the candidate seniority the role actually requires.

Treating compensation as a corporate COO equivalent. Compensation structures designed without reference to the Remuneration Code (where applicable), the personal accountability dimension, or the specific performance metrics appropriate to a regulated COO role can attract the wrong candidates and create regulatory friction. The fix is to design the compensation structure with input from both the firm’s compensation advisers and from a search firm with regulated COO experience.

Not engaging the SMF4 CRO in the search. The SMF24 will work most closely with the SMF4 CRO on operational risk and operational resilience. Searches that do not actively involve the CRO in candidate evaluation start the relationship on the wrong footing. The fix is to involve the CRO throughout the search, while preserving the principle that the SMF24 is an executive appointment reporting to the CEO rather than to the CRO.

How Exec Capital approaches SMF24 mandates

Exec Capital runs SMF24 mandates as integrated executive-and-regulatory searches with operational resilience central to the brief from day one. The substantive operational leadership dimension — operational profile fit, executive team contribution, working relationships with the CEO, CRO and Head of Internal Audit — receives the same rigour we bring to any senior C-suite search. The regulatory dimension is built in from the brief, not added at the end. We work through the Statement of Responsibility outline with the firm, identify the candidate pool with prior SMF24 approval first and step-up candidates second, and structure the timeline around the realistic FCA approval window.

Our regulated-firm practice covers the full set of senior appointments under SMCR — SMF1 CEO, SMF3 Executive Director, SMF4 CRO, SMF5 Head of Internal Audit, SMF24 Chief Operations Function, SMF9 Chair and SMF14 SID — alongside the senior C-suite, director-level and specialist roles that operate within regulated firms. Where the appointment falls within a sister firm’s specialism — finance and compliance functions including SMF2, SMF16 and SMF17 (FD Capital), or wider non-executive appointments outside the SMF designation specifically (NED Capital) — we make the introduction directly and work alongside the relevant team.

For boards beginning COO succession or appointing an SMF24 for the first time, we offer a structured initial conversation that walks through the responsibilities map, the role specification, the operational resilience environment, and the realistic candidate pool before any formal mandate begins. For more on the broader SMF cluster, see our SMF Roles guide. For the corresponding executive role, our SMF1 CEO hiring guide sets out how CEO appointments fit alongside COO succession; our SMF4 CRO hiring guide covers the CRO function the SMF24 works most closely with. For the corporate (non-regulated) version of the COO appointment, see COO recruitment.

Further Reading and Authoritative Sources

For the FCA’s authoritative guidance on the SMCR and the SMF24 designation, see the FCA’s SMCR overview and the solo-regulated firms guidance. The FCA’s Form A guidance sets out the application requirements for SMF appointments.

For operational resilience specifically — the central reshaping influence on the SMF24 role in recent years — see the FCA’s Operational Resilience policy and the underlying policy statement PS21/3. The Bank of England’s operational resilience supervisory statement applies for dual-regulated firms and provides additional context on the supervisory expectations.

For third-party risk and outsourcing, the FCA’s outsourcing guidance sets out the expectations on supplier governance, exit planning, and concentration risk monitoring. The FCA’s Consumer Duty creates substantial operational implications for SMF24 holders in consumer-facing regulated firms.

For the broader corporate governance context, the UK Corporate Governance Code published by the Financial Reporting Council and guidance from the Institute of Directors provide useful complementary reference points for the SMF24’s relationship with the Board and executive committee.