SUP 10C.6B Systems and controls functions: Other
Seniority
The chief operations function (SMF24)
- (1)
The chief operations function is the function of having overall responsibility for managing all or substantially all the internal operations or technology of the firm or of a part of the firm.
- (2)
In deciding whether a person has overall responsibility for managing all or substantially all the matters described in (1) for the purposes of this rule, the following are left out of account if one or more other persons have overall responsibility for them:
- (a)
the matters to which the internal audit requirements for SMCR firms, the compliance requirements for SMCR firms or the risk control requirements for SMCR firms relate;
- (b)
the matters to which any of the required functions relate; or
- (c)
any part of the firm responsible for advising other parts of the firm.
- (a)
- (3)
(2) applies to a firm whether or not the requirements in (2)(a) or the functions in (2)(b) apply to it.
- (4)
The chief operations function does not include the function of acting in the capacity of a chief executive of a firm.
- (5)
A person (P) does not perform the chief operations function by managing the internal operations or technology of a part of a firm that carries out other functions (such as a part of the firm that carries on regulated activities with clients) as part of P’s function of managing that part of the firm.
- (6)
A firm’s SMCR legal function is not included in the firm’s internal operations or technology for the purpose of the definition of the chief operations function.
- (1)
In SUP 10C.6B.2R technology refers principally to the firm’s information and communications technology (ICT) systems and services.
- (2)
Those services include but may not be necessarily limited to the mechanisms and networks that support the operations of a firm, including data entry, data storage, data processing and reporting services, but also monitoring, business and decision support services.
The chief operations function may include but not necessarily be limited to areas such as:
- (1)
business continuity (including responsibility for compliance with SYSC 4.1.6R and SYSC 4.1.7R (Business continuity), if those rules apply to the firm);
- (2)
cybersecurity;
- (3)
information technology;
- (4)
internal operations;
- (5)
operational continuity, resilience and strategy;
- (6)
outsourcing, procurement and vendor management; and
- (7)
management of services shared with other group members.
As explained in SYSC 26.11.4G (Overall responsibility for internal operations), if:
- (1)
a firm does not have anyone who performs the chief operations function; but
- (2)
SYSC 26 (Senior managers and certification regime: Overall and local responsibility) applies to the firm;
the firm should allocate responsibility for the functions in SUP 10C.6B.4G among its SMF managers under SYSC 26.
If a firm is required to have a management responsibilities map, the map should include the functions in SUP 10C.6B.4G, whether or not the firm has someone who performs the chief operations function (see SYSC 25 Annex 1 (Examples of the business activities and functions of an SMCR firm)).
The table in SUP 10C.6B.8G gives examples of how the chief operations function applies.
Table: Examples of how the chief operations function applies
Example |
Comments |
(1) Firm A has the following three individuals. - Chief Operating Officer (COO); - Chief Information & Technology Officer (CITO); - Head of Human Resources (Head of HR). The Head of HR and the CITO report to the COO. |
The COO is the only person performing the chief operations function. |
(2) Firm A has the following two individuals: - Chief Operating Officer (COO); - Chief Information and Technology Officer (CITO). The COO and CITO are equally senior. Both have separate reporting lines to the Board and the CEO. Overall responsibility for information technology is shared between the COO and CITO. The COO has overall responsibility for all other internal operations. |
Both individuals perform the chief operations function. |
(3) Firm A has two business lines (broking and advice). It has the following individuals: - a Chief Operating Officer responsible for the internal operations of the broking business (other than technology) (B) - a Chief Information and Technology Officer for the broking business (C) - an individual who combines the roles of Chief Operating Officer and Chief Information and Technology Officer for the advice business (D). B, C and D are equally senior. They all have separate reporting lines to the Board and the CEO. |
B, C and D perform the chief operations function. |
(4) Firm A splits overall responsibility for its internal operations between various individuals. A separate individual is responsible for human resources, business continuity, procurement and outsourcing, buildings and the remaining parts of internal operations. Firm A also has a Chief Information & Technology Officer (CITO) with responsibility for all the firm’s technology. Each individual is equally senior. |
The CITO performs the chief operations function. None of the others perform the chief operations function. This is because none of them has responsibility for the firm’s internal operations as a whole or for all the internal operations of a part of the business. Firm A has divided the responsibility based on function rather than business line. However those others may be performing the other overall responsibility function. |
(5) Firm A has a Chief Operating Officer (B) responsible for its internal operations. However Firm A separates its internal advisory functions (such as economic and market analysis) and allocates them to C. |
B performs the chief operations function. C does not. The same answer would apply if C’s functions were split between several others. |
(6) Firm A has a Chief Operating Officer (B). B does not report to the firm’s governing body. B reports to several directors about different aspects of B’s job, who in turn report to the governing body. |
B does not perform the chief operations function. B does not have overall responsibility for internal operations as B does not have direct responsibility to the governing body. SYSC 26.7 (Meaning of local and overall responsibility: Reporting to the governing body) is relevant to the meaning of overall responsibility in this context. The directors to whom B reports do not perform the chief operations function either, for the reasons in Example (4). |
(7) Firm A has two business lines (broking and advice). B is chief executive of the broking division and C is chief executive of the advisory division. Each chief executive is responsible for the internal operations and IT of their division. Both B and C report to the Board. |
SUP 10C.6B.2R(5) means that neither B nor C performs the chief operations function. |
(8) Firm A has a Chief Operating Officer (B) responsible for its internal operations. B is not responsible for Firm A’s legal department, which is managed by the firm’s general counsel (C). |
B performs the chief operations function. C does not. |