The Boundary Between SMF24 and Operational SMFs: Hiring the Right COO at a Regulated Firm
The SMF24 Chief Operations function is one of the more misunderstood Senior Management Functions. It sits at the intersection of operations, technology and outsourcing, and its boundaries with other SMFs — and with roles that are not SMFs at all — are frequently blurred. For a board hiring a Chief Operating Officer at a regulated firm, getting that boundary right is not academic: it determines who needs FCA pre-approval, how responsibilities are allocated, and whether the firm’s Statements of Responsibilities actually hold together.
This guide sets out what SMF24 covers, where it ends and other functions begin, and what boards should look for when appointing to the role. It is written for the people making the appointment, not for compliance teams administering the regime.
A Note from Our Founder — Adrian Lawrence FCA
The SMF24 boundary question comes up in almost every regulated COO search I run. Boards often assume the COO simply holds SMF24 and move on, but the reality is more nuanced: the function is about the internal operational infrastructure, and where that overlaps with technology, outsourcing or the responsibilities of other senior managers, the allocation has to be deliberate. Get it right and accountability is clean; get it wrong and you have gaps or overlaps the regulator will notice. I treat the responsibilities map as part of the hiring brief, not an afterthought.
Adrian Lawrence FCA | Founder, Exec Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 15037964
What SMF24 actually covers
The SMF24 Chief Operations function, as set out in the FCA’s SYSC sourcebook, is responsible for the internal operations and technology of a firm — the systems, processes and infrastructure that keep the business running. It was introduced to ensure a named senior manager owns operational resilience and the technology backbone, areas the regulator has increasingly prioritised. In practice, it covers IT systems, operational processes, outsourcing arrangements and the day-to-day operational running of the firm.
Crucially, SMF24 is not automatically the same as the job title “Chief Operating Officer.” A firm’s COO might hold SMF24, but might also hold other functions, or the SMF24 responsibilities might sit with a different individual entirely — a Chief Technology Officer or Chief Operations Director. The regulatory function and the job title are separate things, and conflating them is where boards go wrong.
Where SMF24 ends and other SMFs begin
The boundary questions arise at three main intersections. First, with the SMF4 Chief Risk function: operational risk sits partly in operations and partly in risk, and the allocation of operational-resilience responsibility between SMF24 and SMF4 must be explicit. Second, with technology leadership: where a firm has a CTO distinct from its COO, the split of system ownership and operational-resilience accountability needs defining. Third, with the SMF1 Chief Executive, who holds ultimate accountability but delegates operational ownership downward.
The regulator’s expectation, articulated through the SMCR framework, is that every significant responsibility is owned by a named individual with no gaps and no unmanaged overlaps. For operations, that means the board must decide deliberately how SMF24 relates to the risk, technology and executive functions around it — and then hire a person whose experience matches the specific boundary the firm has drawn.
What this means for the hiring brief
Because the SMF24 boundary varies between firms, the hiring brief for a regulated COO varies too. A firm that places operational resilience and technology squarely within SMF24 needs a leader with deep systems and infrastructure experience. A firm that splits technology into a separate CTO function needs a COO whose strength is process, outsourcing and operational governance. The wrong hire is not incompetent — they are mismatched to where the firm has actually drawn the function’s edges.
This is why the responsibilities map should precede the search, not follow it. Once the board has decided what SMF24 covers at this firm, the brief writes itself: the specific operational, technology and resilience experience the individual needs to own that defined scope credibly, both to the business and to the regulator assessing their approval.
Operational resilience and the modern COO
The regulator’s focus on operational resilience has raised the stakes for the SMF24 role. Firms are expected to identify their important business services, set impact tolerances, and demonstrate they can remain within those tolerances through disruption. The FCA’s operational resilience requirements place this squarely within the operations function’s remit. A modern regulated COO therefore needs resilience expertise — scenario testing, third-party risk, business continuity — alongside traditional operational leadership.
This has narrowed the credible candidate pool. The COO who can run efficient operations is common; the COO who can also own regulatory operational resilience to the standard the FCA now expects is rarer. That combination — operational leadership plus regulatory resilience credibility plus approvability — is the real specification for an SMF24 hire, and identifying it is a specialist search.
Getting the appointment right
A well-executed SMF24 appointment starts with the boundary decision, flows into a precise brief, and ends with a candidate whose experience matches the defined scope and who will clear FCA approval. The firms that struggle are those that hire a COO on a generic operational brief and then try to retrofit the SMF24 responsibilities afterward — discovering too late that the person’s experience does not match the regulatory scope they now hold. For the broader regulated senior team, our COO of a regulated firm and FCA-regulated recruitment practices set out how these appointments are run.
Outsourcing and third-party risk under SMF24
One of the most consequential parts of the SMF24 remit is outsourcing. Modern regulated firms — and technology-native ones especially — depend heavily on third-party providers for critical services, from cloud infrastructure to payment processing. The regulator expects a named senior manager to own the risk this creates, and at most firms that ownership sits within the operations function. The SMF24 holder must understand the firm’s material outsourcing arrangements, the concentration risk they carry, and the firm’s ability to continue operating if a key provider fails.
This has raised the bar for the role. A COO who can run internal operations but has never grappled with third-party and concentration risk at a regulated firm is only half-equipped for a modern SMF24 mandate. The boards that hire well look for operational leaders who treat outsourcing governance as core to the role, not a peripheral compliance task — because the regulator increasingly treats it as central to operational resilience.
How the SMF24 boundary changes as a firm grows
The allocation of SMF24 responsibilities is not fixed — it evolves with the firm. At a smaller regulated business, the COO may hold SMF24 alongside a broad operational remit, with technology and resilience folded into a single role. As the firm grows and its technology estate becomes more complex, it often makes sense to separate a dedicated technology leadership function, at which point the SMF24 boundary must be redrawn and the responsibilities reallocated between operations and technology.
Boards that anticipate this evolution hire with it in mind, appointing a COO whose remit can flex as the structure matures rather than one whose role becomes awkwardly straddled the moment a CTO is added. Getting the sequencing right — and being explicit about the boundary at each stage — keeps accountability clean as the firm scales, and avoids the gaps and overlaps the regulator is quick to notice when responsibilities shift without deliberate reallocation.
Further reading
The FCA SYSC sourcebook and the FCA operational resilience material are the primary references for the SMF24 function. For benchmarking the role, see our SMF salary guide.
Discuss a Senior FCA-Regulated Appointment
No obligation. Shortlist in 3–7 working days.
0203 834 9616 | recruitment@execcapital.co.uk
Regulated COO Search at Exec Capital
Retained search for the SMF24 Chief Operations function — approvable operational and resilience leaders matched precisely to how your firm has drawn the function’s boundaries. Led personally by Adrian Lawrence FCA.
| Practice Area Regulated Operations Leadership The SMF24 COO and executive appointments owning operations, technology and resilience at a regulated firm. | Practice Area Risk & Resilience The CRO and risk functions that share the operational-resilience boundary with SMF24. | Practice Area Board & Governance The Chair and NED appointments that oversee operational resilience at board level. | Practice Area Guides & Market The companion SMF salary and market guides for boards planning regulated operations hires. |
Every regulated operations mandate is led personally by Adrian Lawrence FCA — matched to how your firm has drawn the SMF24 boundary.
Browse regulated COO recruitment →·Tell us about your hire →
Related posts:
Hiring a Deputy CEO at an FCA-Regulated Firm
How to Choose a Compliance Recruitment Agency That Understands the FCA
How long does FCA SMF approval actually take? A realistic timeline for regulated firm boards
COO Recruitment at Fintechs: SMF24 Considerations in Scale-Up Environments
Executive Director Appointments at FCA-Regulated Firms: The SMF3 Brief
Wealth Management Senior Recruitment: Consumer Duty's Impact on the Board Brief
Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name with over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.