Hiring an SMF4 Chief Risk Officer: A Guide for UK Regulated Firms
SMF4 is the FCA designation that attaches personal regulatory accountability to the Chief Risk Officer of an FCA-regulated firm. It is a different role from a corporate CRO appointment — the candidate must be FCA-approved before they take up the role, the Statement of Responsibility is a regulatory document with weight, and the personal accountability under the regime affects who is genuinely available, what they should be paid, and what the firm needs to do to make the role attractive to the strongest candidates. SMF4 is also one of the most operationally consequential SMF appointments: the CRO is the senior individual responsible for the firm’s risk management framework, the second line of defence (where the firm operates a three-lines model), and the relationship between risk and the Board’s Risk Committee.
This guide is written for CEOs, chairs of Risk Committees, and Boards working through the appointment of a CRO into an FCA-regulated firm. It sets out what an SMF4 appointment actually involves: how the role differs from a corporate CRO, how it sits within the three lines of defence, what the Statement of Responsibility looks like, how the FCA approval process operates, how to think about the candidate pool, and what compensation and structure look like at the senior level. It draws on the work we run across asset management, wealth management, insurance, brokerage, fintech and consumer credit firms — and on the FCA’s published guidance on senior management functions for solo-regulated firms. For the broader SMF picture, see our SMF Roles guide; for the corporate (non-regulated) CRO appointment, see CRO recruitment.
A Note from Our Founder — Adrian Lawrence FCA
SMF4 is the SMF role where firms most consistently underestimate the difficulty of finding the right candidate. Boards that have not run a CRO search in a regulated context recently are often surprised by three things: how narrow the available candidate pool genuinely is, how much the candidate’s own scrutiny of the firm matters to whether they accept, and how heavily the FCA approval process examines competence and capability for risk roles. None of this is unmanageable. But CRO searches that begin with a corporate-style brief and treat the regulatory dimension as a compliance addendum tend to lose four to six weeks before they restart the work properly.
At Exec Capital we structure SMF4 mandates around three workstreams running together: candidate identification (with prior SMF4 holders first, then experienced regulated-firm risk leaders ready to step into the role, then specific corporate CRO candidates with the right background to clear FCA approval), regulatory pathway preparation (Form A submission, fit-and-proper readiness, regulatory references), and the governance dimension (Statement of Responsibility drafting, alignment with the responsibilities map, working relationship with the Risk Committee Chair where applicable, second-line independence). Each affects the others.
If you are running an SMF4 search now, planning succession in the next 12-18 months, or considering whether to formalise an existing senior risk leader into the SMF4 role, I am happy to walk through your situation directly. Every SMF mandate I take on is handled personally — there are no junior account managers involved in our searches.
Speak to Adrian about your SMF4 appointment →
Adrian Lawrence FCA | Founder, Exec Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383 | Placing senior executives across UK regulated firms since 2018
What SMF4 covers
SMF4 is the Chief Risk Officer function under the Senior Managers and Certification Regime. It applies to the senior individual responsible for the firm’s risk function — typically the CRO reporting to the CEO, or in some firm structures reporting directly to the Chair of the Risk Committee. Like other prescribed senior management functions, SMF4 must be held by an FCA-approved individual at all times where the function exists at the firm; any change in the SMF4 holder triggers a regulatory notification and approval process.
The substantive scope of SMF4 covers what a corporate CRO would recognise — the firm’s risk management framework, the risk appetite framework that defines what the firm will and will not do, the firm’s stress testing and scenario planning, the operation of the second line of defence, and the senior-level relationship with the Board on risk matters. The regulatory dimension is layered through every part of it: the SMF4 holder is personally accountable for the way the firm’s risk function operates, and the FCA can hold them personally accountable when something goes wrong in their area of responsibility.
One specific point is worth being explicit about. SMF4 applies where the firm has a Chief Risk Officer function, which most Enhanced firms have, and most Core firms above a certain scale have. Smaller Core firms and Limited Scope firms may not have a separate CRO function at all; in those cases, risk responsibility may be allocated to the SMF1 (CEO) or another senior management function rather than to a designated SMF4. If you are unsure whether your firm has SMF4 in scope, your compliance lead or external compliance adviser will know.
Three lines of defence: where the SMF4 sits
Almost every regulated firm of meaningful scale operates a “three lines of defence” model for risk management, and understanding which line the SMF4 sits in is the starting point for the search. The three-lines model is the framework most boards and regulators use to think about how risk is managed across the firm.
The first line is the business — the people and functions that take risk on behalf of the firm in pursuit of its commercial objectives. Trading desks, portfolio managers, lending teams, underwriters, sales functions all sit in the first line. They are the people closest to the risk and the people who manage it day-to-day in their decisions.
The second line is the independent risk function and the compliance function. They set the framework within which the first line operates, monitor first-line activity against that framework, and provide independent challenge to the business’s risk decisions. The CRO leads the second line risk function — and SMF4 typically sits firmly in the second line.
The third line is internal audit, which provides independent assurance to the Board and the Audit Committee that both the first and second lines are working effectively. Internal audit reports to the Audit Committee Chair (often through SMF5 Head of Internal Audit) and is structurally independent of both the business and the second-line risk function.
For SMF4 hiring, this matters in two ways. First, the candidate’s prior experience needs to be in the second line. Strong candidates may have moved between first and second line earlier in their careers — a CRO who once ran a trading desk often has real value in their understanding of where risk actually arises — but their most recent senior experience should be in the second line. A candidate moving directly from a senior first-line role into SMF4 will face a more substantive FCA assessment on whether they can operate with appropriate independence from the business.
Second, the firm’s specific implementation of the three-lines model affects what the SMF4 actually does. In firms where the second-line risk function holds significant operational risk responsibilities (some asset managers, some insurance firms), the SMF4 has a broader operational remit. In firms where the second line is more narrowly oversight-focused (most banks, most investment firms), the SMF4 role is more about framework, monitoring, and challenge.
What an SMF4 CRO does that a corporate CRO does not
The substantive role of any senior risk leader includes setting the risk framework, owning the risk appetite, monitoring the firm’s risk profile, and presenting risk matters to the Board. SMF4 layers regulatory accountability over all of that and adds several specific dimensions that a corporate CRO would not typically encounter.
Personal accountability to the regulator. The CRO’s Statement of Responsibility allocates specific prescribed responsibilities to the SMF4 holder — typically including responsibility for the operation of the risk management framework, the firm’s risk-appetite-setting process, the second line’s relationship with the first line, and the ongoing identification of emerging risks. When something goes wrong in any of these areas, the FCA’s first analytical question is whether the SMF4 took reasonable steps in the area they are responsible for.
The relationship with the Risk Committee Chair (where applicable). In Enhanced firms with a Risk Committee, the CRO works closely with the Risk Committee Chair (SMF10) — a relationship that is collaborative but structurally distinct. The CRO is the senior risk leader within the firm; the Risk Committee Chair is the senior independent voice testing risk matters at Board level. The two roles complement each other; they should not duplicate each other. In Core firms without a separate Risk Committee, the CRO’s main Board-level interface is typically the Audit Committee or, in smaller firms, the full Board.
The relationship with the FCA on risk matters. The CRO is often the firm’s principal point of contact with the FCA on risk-specific supervisory engagement — particularly during firm visits, thematic reviews, or any FCA-led work focused on prudential matters, operational resilience, or specific risk categories. SMF4 holders are increasingly expected to handle this engagement directly rather than through compliance or general management intermediaries.
Operational resilience accountability. The FCA’s Operational Resilience policy took effect in March 2022 and imposes substantial requirements on regulated firms — identifying important business services, setting impact tolerances, and demonstrating the firm can deliver within those tolerances during severe but plausible disruption. While day-to-day operational resilience is often led by SMF24 (Chief Operations Function) where one exists, the CRO has a substantial role in the framework: assessing operational risk concentrations, evaluating third-party operational risk, and providing the second-line challenge to the firm’s operational resilience self-assessment.
Consumer Duty and conduct risk. The FCA’s Consumer Duty introduced a principle requiring firms to deliver good outcomes for retail customers, evidenced by senior management oversight. Conduct risk has become a much more substantial part of the CRO’s remit since 2023 — particularly the integration of conduct risk into the broader risk framework, the second-line monitoring of customer outcomes, and the CRO’s role in challenging product design, pricing and customer communications where conduct risks are present.
Risk culture is on the SMF4’s plate. The FCA increasingly evaluates firms on the strength of their risk culture, not just on the technical adequacy of their risk frameworks. The CRO is typically expected to articulate how the firm’s risk culture works, where it is strong, where it is being strengthened, and how senior management are reinforcing it. Strong CRO candidates can do this from prior experience; first-time SMF4 candidates often need preparation on this dimension.
Building the SMF4 role specification
The role specification for an SMF4 search needs to do three things at once: communicate the substantive risk leadership role at this specific firm, communicate the regulatory dimension, and communicate the working environment the candidate will join. Specifications that handle the substantive role but skim the others systematically attract candidates who may withdraw at offer stage when they understand what the role actually entails.
The substantive dimension covers the standard CRO content tailored to the firm: the risk profile of the business (the dominant categories of risk — market, credit, operational, conduct, prudential), the maturity of the existing risk function (greenfield build, established function being refreshed, function inherited from a predecessor with specific reform priorities), the relationship with the executive team, and the specific strategic priorities where the CRO is expected to add value.
The regulatory dimension covers the SMF4 designation explicitly, the prescribed responsibilities allocated to the role, the firm’s classification under SMCR (Core / Enhanced / Limited Scope), the FCA supervisory category, and the regulatory priorities the firm is currently working on (Consumer Duty implementation status, operational resilience self-assessment cycle, any active FCA matters on risk topics, any matters in the firm’s recent regulatory history that bear on risk).
The governance dimension covers the existing Risk Committee (where applicable) and the Risk Committee Chair, the relationship with the SMF1 CEO and SMF24 COO, the second-line organisational structure (size and composition of the risk team, reporting lines, sub-functional structure), and the responsibilities map. SMF4 candidates evaluating an offer will read all of this carefully — the strength of the second-line team and the working relationships with the Risk Committee Chair and CEO are first-order considerations for whether they can perform the role effectively.
Strong SMF4 specifications include a draft Statement of Responsibility — even in skeleton form. Candidates with prior SMF experience will read it and may propose amendments, particularly around the boundary between the SMF4’s accountability and the SMF1’s overall accountability for risk outcomes. This conversation is healthy and signals to the candidate that the firm has done its governance work.
The FCA approval process for SMF4
Once the firm has selected its preferred candidate, the FCA approval process begins. The mechanics are similar to other SMF approvals — and we cover the detailed mechanics in the SMF1 CEO hiring guide — but several aspects of SMF4 approval are worth flagging specifically.
The submission is built around Form A, supported by the candidate’s Statement of Responsibility, the firm’s Management Responsibilities Map, regulatory references covering the candidate’s previous six years of regulated employment, and supporting evidence on competence and capability. The FCA’s published service standard for Form A turnaround is up to three months for SMF approval, with most clean SMF4 applications resolved within four to ten weeks.
For SMF4 specifically, the FCA’s assessment focuses on three things beyond the standard fit-and-proper criteria.
Independence from the business. The FCA examines whether the candidate has the independence required to operate effectively as a second-line CRO. Where the candidate is moving from a first-line role at the same firm, or from a senior first-line role at a related firm, the FCA may probe how the independence will be established and maintained. Candidates with a track record in second-line risk roles clear this dimension cleanly; candidates moving across the line need a more deliberate explanation.
Technical competence in risk. The bar on technical competence is higher for SMF4 than for many other SMFs. The FCA expects candidates to demonstrate substantive knowledge of the relevant risk disciplines — market risk, credit risk, operational risk, conduct risk, prudential frameworks, depending on the firm’s profile. Candidates with formal risk qualifications (PRMIA, IRM, GARP designations) and substantial second-line experience clear this bar; candidates with general management experience but limited specific risk depth face a more rigorous assessment.
Understanding of the firm’s specific risk profile. The FCA is particularly interested in whether the candidate understands the specific risks of the firm they will be joining. Candidates who can articulate, with examples, the dominant risks in the firm’s business model and how they would approach managing them — including any specific FCA matters in the firm’s history — clear this aspect of the assessment cleanly.
The fit-and-proper assessment for SMF4
The fit-and-proper assessment for SMF4 covers the same three statutory criteria as for any senior management function: honesty, integrity and reputation; competence and capability; and financial soundness. The application of these criteria to the CRO role has some specific dimensions.
Honesty, integrity and reputation is examined with particular attention to the candidate’s track record on independent challenge and on willingness to escalate. The FCA looks for any pattern in previous roles that suggests the candidate has been accommodating of business pressure rather than independent of it, or that they have been associated with risk failures where independent challenge was clearly absent. Anything in the candidate’s record that requires explanation should be disclosed proactively: the regulatory references will surface it regardless, and proactive disclosure is received far better than late discovery.
Competence and capability for SMF4 is assessed substantively. Prior SMF4 experience is the strongest evidence. Substantial second-line risk leadership experience in a regulated firm — head of risk, deputy CRO, or equivalent — is the next strongest. Candidates with prior senior risk experience at corporate firms (non-regulated FTSE companies, for example, or private companies with sophisticated risk functions) can clear competence and capability where the firm has put in place a credible induction and the candidate’s broader background equips them for the regulated dimension.
Financial soundness covers the candidate’s personal financial position. The bar is the same as for other SMF roles: anything significant must be disclosed, explainable, and not indicative of broader integrity concerns.
The fit-and-proper assessment is conducted both at appointment and on an ongoing basis. The firm itself has an obligation to satisfy itself annually that the SMF4 (and other Senior Managers) remain fit and proper, and to notify the FCA promptly of any matters that could affect the assessment. For CROs, this annual review is particularly important because risk roles can be exposed to specific incidents — a major loss event, a regulatory matter, a customer harm event — that may bear on fit-and-proper status if not handled appropriately.
The Statement of Responsibility for an SMF4 CRO
The Statement of Responsibility for the CRO sets out what the SMF4 holder is accountable for. For SMF4, the SoR will typically include:
- The operation of the firm’s risk management framework, including the framework’s design, deployment, and ongoing effectiveness
- The risk appetite framework — the formal articulation of what risk the firm will and will not take, and the metrics used to monitor it
- The second line of defence, including the structure, capability and independence of the risk function
- Stress testing and scenario analysis — the firm’s processes for testing its resilience to adverse but plausible scenarios
- The identification of emerging risks and the framework for bringing them to senior management and Board attention
- Operational risk and operational resilience, in coordination with SMF24 where applicable
- Conduct risk and Consumer Duty risk monitoring, in coordination with SMF16 (Compliance Oversight) where applicable
- The CRO’s relationship with the Board’s Risk Committee (where applicable) and the broader Board on risk matters
The exact allocation varies by firm and by classification. In Enhanced firms with a separate Risk Committee, certain prescribed responsibilities sit with the SMF10 Risk Committee Chair rather than the SMF4 — typically those relating to the Board’s oversight of risk matters specifically. The SoR for the CRO must be consistent with how the firm’s overall responsibilities map allocates these.
Three drafting points are worth flagging for SMF4 SoRs.
The boundary with SMF1 needs to be clear. The CEO has overall accountability for the firm’s risk profile under their broader SMF1 responsibilities. The CRO has accountability for the operation of the risk function. The boundary between “overall accountability for risk outcomes” and “accountability for the risk function” needs to be drafted carefully so neither the SoR nor the responsibilities map creates duplication or gaps.
The boundary with SMF24 needs to be clear where SMF24 exists. Where the firm has both an SMF4 CRO and an SMF24 COO, the boundary on operational risk and operational resilience needs to be explicit. Typical pattern: the SMF24 has accountability for operational performance and the firm’s resilience capability; the SMF4 has accountability for the risk framework that monitors and challenges that capability. Both roles sit on the responsibilities map and the boundary is in the language of the SoRs.
The boundary with SMF16 needs to be clear where SMF16 exists. Compliance Oversight (SMF16) and CRO (SMF4) often work together on conduct risk and regulatory risk. Some firms combine the two functions under a single individual (a “head of risk and compliance”), which the FCA permits but which requires careful SoR drafting to ensure both sets of responsibilities are clearly held. Where the two functions are separate, the boundary should be explicit.
Building the candidate pool for SMF4
The SMF4 candidate pool is structurally narrow, and several factors shape who is genuinely available.
Prior SMF4 approval is the strongest signal. Candidates currently holding or recently holding SMF4 in another regulated firm carry the highest credibility with the regulator and the lowest approval risk for the hiring firm. They have demonstrated they can clear the fit-and-proper assessment, they understand the substance of the role, and they bring direct regulatory engagement experience on risk matters. The challenge is that the population is small — the regulated CRO market in the UK is genuinely tight at the senior level — and the most credible candidates are typically not actively seeking moves.
Heads of risk and deputy CROs are the natural step-up pool. Candidates currently holding senior second-line risk roles below CRO level — head of risk, deputy CRO, head of credit risk, head of operational risk depending on firm type — are the most natural step-up pool for first-time SMF4 appointments. They have lived under the regime, have an existing FCA approval as a Certified Person where applicable, and understand the second line first-hand. Many SMF4 appointments come from this population.
Strong SMF24 holders can transition. Where the SMF4 role has a heavy operational risk dimension — common in fintech, asset management technology platforms, or firms emphasising operational resilience — candidates currently holding SMF24 can be credible SMF4 successors. The transition is more substantial because the SMF24 role is functionally narrower than CRO, but it is well-trodden in firms where the boundary between operational risk and the broader risk framework is fluid.
Senior risk leaders from larger or differently-classified firms. A senior risk leader from an Enhanced firm moving down to a Core firm CRO role, or a senior risk leader from a banking environment moving into asset management, can bring useful breadth provided the underlying risk discipline transfers. The FCA’s assessment will probe the transfer carefully — risk skills do not always translate directly across firm types — but the pool exists and is sometimes overlooked.
Corporate CROs without prior SMF approval. Strong corporate CROs — from FTSE 100 or 250 companies, or from large private companies with sophisticated risk functions — can clear the SMF4 fit-and-proper assessment with the right preparation. The most common pattern is structured FCA induction, sponsorship from existing SMF holders in the firm, and a deliberately staged Statement of Responsibility that allocates the most regulator-sensitive responsibilities (prudential matters where applicable, certain conduct risk dimensions) carefully during the first phase of the appointment. Corporate CROs from financial services-adjacent industries (insurance, financial technology, payments) typically transition more easily than those from completely unregulated sectors.
One specific note on candidate availability. The UK CRO market has been tight for several years following the post-2008 build-out of risk functions. Strong candidates often have multiple options at any given time, and searches that connect with candidates 18-24 months before they intend to move see substantively better outcomes than searches that begin only when the firm urgently needs to fill the role.
Compensation, indemnity and the personal accountability dimension
SMF4 compensation in UK regulated firms operates within constraints similar to other senior executive SMF roles. The constraints come from three sources: the regulatory rules on remuneration where applicable (particularly under the FCA’s Remuneration Code for relevant firm types), the disclosure requirements applicable to listed regulated firms, and the practical reality that personal accountability under the regime affects what the role is reasonably worth.
Base salary, bonus and long-term incentive structures still apply. CRO compensation in regulated firms typically reflects a base salary in the range of a senior C-suite position at the firm, with bonus opportunity and long-term incentives shaped by the Remuneration Code overlay where applicable. Deferral periods, malus and clawback provisions, and performance metric alignment with risk and conduct outcomes are all standard elements of CRO packages in Enhanced firms — and increasingly in Core firms above a certain scale.
One specific compensation consideration for CROs: performance metrics that are appropriate for the role. CRO bonuses are not typically linked to revenue or commercial performance — the role is structurally independent of the business and linking compensation to commercial outcomes would compromise that independence. Strong CRO compensation structures use metrics like risk framework effectiveness, regulatory engagement quality, audit findings, second-line independence assessments, and stakeholder feedback. Boards designing CRO packages without thinking through this dimension sometimes inadvertently create perverse incentives that the FCA will probe during firm reviews.
Insurance and indemnity arrangements are an important part of the SMF4 offer. The CRO’s personal accountability under the regime means the candidate is exposed to potential FCA action against them as an individual — including fines and prohibition from regulated employment — in addition to the standard director liabilities where the CRO is on the Board. Most regulated firms maintain D&O insurance and SMF-specific cover; the strength of this cover is a real consideration for SMF4 candidates and should be discussed during offer rather than after acceptance.
The reasonable steps test is the dimension that experienced candidates scrutinise most carefully. SMF4 candidates evaluate the firm’s risk and compliance environment, the strength of the existing second-line team, the responsibilities map, the working relationship with the Risk Committee Chair, and any matters in the firm’s recent regulatory history. They are evaluating whether the firm is one where they can take reasonable steps consistently and document their decisions appropriately. Firms that present well on this dimension attract better candidates.
Common SMF4 search pitfalls
Several patterns recur in SMF4 searches that go off-track. Each is avoidable with deliberate planning at the start.
Underestimating the candidate pool tightness. Boards that begin SMF4 searches assuming a robust pool of available candidates often discover the reality more slowly than they expect. The fix is to start the search earlier than the comfortable timeline suggests and to engage candidates 18-24 months before they intend to move where possible.
Drafting the Statement of Responsibility around the chosen candidate. SoRs that have been retrofitted to fit a chosen candidate tend to be weaker than SoRs built first. The retrofit version often has gaps that the FCA will probe during approval, and it creates a first-year governance problem: the boundary between the CRO and other senior managers is unclear. The fix is to draft the SoR as part of the role specification, before the candidate is selected.
Underspecifying the boundary with SMF1, SMF16 and SMF24. The CRO operates at the intersection of overall executive accountability (SMF1), compliance oversight (SMF16) and operational accountability (SMF24). Specifications and SoRs that do not address these boundaries explicitly create governance gaps and confusion in the first year of the appointment. The fix is to map the boundaries before the search and reflect them clearly in the SoR.
Underestimating the FCA timeline. Boards that have not factored eight to twelve weeks of FCA approval into their planning often end up with regulatory gaps, interim CRO arrangements, or compromises on the strongest candidate. The fix is to plan the search timeline backward from the desired start date with the FCA approval window built in.
Treating compensation as a corporate CRO equivalent. Compensation structures designed without reference to the Remuneration Code (where applicable), the personal accountability dimension, or the specific performance metrics appropriate to a second-line role can attract the wrong candidates and create regulatory friction. The fix is to design the compensation structure with input from both the firm’s compensation advisers and from a search firm with regulated CRO experience.
Not engaging the Risk Committee Chair (where applicable) in the search. The CRO works closely with the Risk Committee Chair, and the dynamic between them shapes the effectiveness of the firm’s risk governance. Searches that present the Risk Committee Chair with a fait accompli on the CRO appointment start the relationship on the wrong footing. The fix is to involve the Risk Committee Chair throughout the search, while preserving the principle that the CRO is an executive appointment rather than a Board appointment.
How Exec Capital approaches SMF4 mandates
Exec Capital runs SMF4 mandates as integrated executive-and-regulatory searches. The substantive risk leadership dimension — risk profile fit, second-line capability, leadership of the risk function, working relationships with the Risk Committee Chair and CEO — receives the same rigour we bring to any senior C-suite search. The regulatory dimension is built in from the brief, not added at the end. We work through the Statement of Responsibility outline with the firm, identify the candidate pool with prior SMF4 approval first and step-up candidates second, and structure the timeline around the realistic FCA approval window.
Our regulated-firm practice covers the full set of senior appointments under SMCR — SMF1 CEO, SMF3 Executive Director, SMF4 CRO, SMF24 Chief Operations Function, SMF9 Chair and SMF14 SID, alongside the senior C-suite, director-level and specialist roles that operate within regulated firms. Where the appointment falls within a sister firm’s specialism — finance and compliance functions including SMF2, SMF16 and SMF17 (FD Capital), or audit-qualified roles including SMF5 (Accountancy Capital) — we make the introduction directly and work alongside the relevant team. For wider non-executive appointments outside the SMF designation specifically, our specialist sister firm NED Capital covers the broader board landscape.
For boards beginning CRO succession or appointing an SMF4 for the first time, we offer a structured initial conversation that walks through the responsibilities map, the role specification and the realistic candidate pool before any formal mandate begins. For more on the broader SMF cluster, see our SMF Roles guide. For the corresponding executive role, our SMF1 CEO hiring guide sets out how CEO appointments fit alongside CRO succession. For the corporate (non-regulated) version of the CRO appointment, see CRO recruitment.
Hire an SMF4 Chief Risk Officer with Exec Capital
Speak with Adrian Lawrence FCA today. Direct conversation, regulatory dimension built in from day one, FCA timeline planned into the search.
020 3287 9501
Further Reading and Authoritative Sources
For the FCA’s authoritative guidance on the SMCR and the SMF4 designation, see the FCA’s SMCR overview and the solo-regulated firms guidance. The FCA’s Form A guidance sets out the application requirements for SMF appointments.
For the broader regulatory framework, see the FCA Operational Resilience policy and the FCA’s Consumer Duty, both of which create substantial accountability for SMF4 holders. The Bank of England Supervisory Statement on individual accountability covers the dual-regulated firm context where applicable.
For risk management frameworks and the three lines of defence model, the Institute of Internal Auditors publishes guidance that complements the regulatory requirements, particularly on the relationship between the second and third lines. The Institute of Risk Management publishes guidance on risk leadership, the CRO role, and risk culture that is widely used as a benchmark by senior risk professionals. The Institute of Directors publishes governance guidance that complements the regulatory framework on Risk Committee effectiveness and the CRO-Board relationship.
Chief Risk Officer and Risk Leadership Search
Exec Capital places Chief Risk Officers at FCA-regulated firms — permanent, interim and fractional — with SMF4 approval support and governance positioning on every search. Led personally by Adrian Lawrence FCA.
Every CRO search at an FCA-regulated firm is led personally by Adrian Lawrence FCA.