SMF24 Recruitment: Find a Chief Operations Function Approved Person
SMF24 is the Senior Management Function under the FCA’s Senior Managers and Certification Regime that designates the senior individual responsible for the operational backbone of an Enhanced-tier regulated firm — the technology, operations, and the systems that underpin the firm’s ability to deliver its services reliably. Introduced in April 2019 and substantially expanded in scope by the Operational Resilience policy statement (PS21/3) and DORA, SMF24 has become one of the most strategically significant SMF roles in modern UK regulated firms.
This guide covers what SMF24 actually means in practice — the scope of the operations responsibility, how it interacts with SMF4 (CRO) and SMF18 holders covering specific operational areas, the personal liability position, and what FD Capital looks for when placing SMF24-approved candidates. It also covers compensation benchmarks, the substantial shift in candidate profile required since PS21/3 came into force, and why SMF24 is currently one of the tightest specialist markets in regulated firm recruitment.
What’s missing from most explanations of SMF24 is the practical recruitment perspective and the recognition that the role has changed materially since 2022. The candidate profile that worked for the role in 2019-2021 is not the candidate profile that works in 2026. That’s the gap this guide fills.
What SMF24 Means and When It’s Required
SMF24 is the Chief Operations Function under SM&CR. The holder is responsible for the firm’s operations, technology, and the operational infrastructure that delivers regulated services to clients. Per SUP 10C, SMF24 covers “the function of having responsibility for the firm’s internal operations and technology including the firm’s information technology, cyber security, internal operations, business continuity and outsourcing”.
SMF24 is required only for Enhanced-tier solo-regulated firms. It does not apply to Core-tier or Limited Scope firms. In smaller firms, operational responsibility is typically allocated within other SMF roles — most commonly the SMF1 (CEO) or distributed among other SMFs. Banks and insurers under joint FCA/PRA regulation have parallel operational SMFs but with different naming conventions.
| Firm tier | SMF24 requirement |
|---|---|
| Limited Scope | Not applicable |
| Core | Not required (operational responsibility within SMF1 or other SMFs) |
| Enhanced | Required — formal SMF24 approval mandatory |
| Dual-regulated banks/insurers | Different SMF designations (PRA SMFs) |
The Enhanced-tier threshold is typically reached at: £35bn in client assets under management (CASS-significant firms), £50bn turnover for credit firms, IFPRU 730k investment firms above material size, and certain other specific tests. The full Enhanced-firm criteria are set out in SUP 10C.4. Firms approaching the Enhanced threshold should plan for SMF24 recruitment well in advance — both because of the FCA approval timeline and because the qualified candidate pool is small.
The PS21/3 Transformation — How SMF24 Changed in 2022
SMF24 launched in April 2019 as part of the Enhanced-tier extension of SM&CR. In the original framework, SMF24 covered IT, internal operations, business continuity and outsourcing — an important scope, but a defensible one at the level of a typical SMF24 candidate.
The Operational Resilience policy statement (PS21/3) came into force in March 2022 and substantially expanded what SMF24 actually does. The framework requires firms to:
- Identify their important business services — the services whose failure would cause intolerable harm to consumers or pose risk to market integrity
- Set impact tolerances — the maximum tolerable level of disruption to each important business service
- Map dependencies — identifying the people, processes, technology, facilities and information that each important business service depends on
- Test scenarios — running severe-but-plausible disruption scenarios to test that the firm remains within tolerance
- Remain within tolerance — by 31 March 2025, firms must demonstrate they can stay within tolerance under severe-but-plausible scenarios
The SMF24 typically owns the operational delivery of this framework — particularly the mapping, testing, and remediation programme. The SMF4 (CRO) typically holds second-line oversight of operational resilience as part of the broader risk framework, but operational ownership rests with SMF24 in firms that have one.
Then DORA — the Digital Operational Resilience Act — came into effect for UK firms with EU operations from January 2025, adding a parallel framework with specific ICT risk management requirements, third-party governance obligations and incident reporting. SMF24 holders in firms with EU operations have effectively been running two operational resilience programmes simultaneously since early 2024 (preparing for DORA in parallel with continuing PS21/3 implementation).
The result: SMF24 in 2026 is fundamentally different from SMF24 in 2020. The role requires:
- Deep operational resilience programme leadership experience
- ICT risk management expertise
- Third-party and outsourcing risk governance
- Incident management and crisis response capability
- Significant programme management capability — these are multi-year programmes with substantial budgets
- Board-level communication ability — operational resilience is a board-level conversation, not a technical one
For the operational resilience framework specifically, see our Operational Resilience Guide. For DORA, see our DORA Guide. For third-party risk management specifically, see our Third-Party Risk Management Guide.
Day-to-Day Responsibilities of an SMF24
The day-to-day responsibilities of an SMF24 in a typical Enhanced-tier solo-regulated firm cover:
- Operational resilience programme leadership: Owning the firm’s PS21/3 compliance programme — important business services identification, impact tolerance setting, mapping, testing programme, scenario design, remediation, and reporting to the board
- Technology strategy and delivery: Setting and delivering the firm’s IT strategy, managing the technology function, owning the technology budget, vendor selection for material IT investments
- ICT risk and cyber security: Owning ICT risk management framework, cyber security programme, incident response, security operations
- DORA implementation (where applicable): ICT risk management framework under DORA, ICT incident classification and reporting, threat-led penetration testing, ICT third-party risk management
- Business continuity and crisis management: BCP framework, crisis management protocols, scenario rehearsals, recovery time objectives
- Outsourcing and third-party governance: Vendor risk management framework, critical third-party identification, intra-group dependency management, outsourcing arrangements under SYSC 8
- Operations management: Internal operations function, transaction processing, settlement, reconciliation, operations team leadership
- Change management: Major change programmes, system migrations, M&A integration where operational/technology aspects are dominant
- Operational risk reporting: Operational loss data, near-miss reporting, control monitoring, contributing to the broader risk framework managed by SMF4
- Vendor relationships: Strategic vendor relationships, particularly with critical third-party providers
- Regulatory engagement: FCA dialogue on operational matters, particularly during operational resilience supervisory interactions
The proportion of time spent on each area varies by firm. In a financial services firm with material technology infrastructure (asset manager with proprietary trading platform, payments firm with proprietary payment processing), technology and ICT risk dominate. In firms with predominantly outsourced operations, vendor governance and outsourcing oversight dominate. Operational resilience programme work absorbs significant time across all firms during the current implementation phase.
Personal Liability for Operational Failures
SMF24 carries the standard SMF Duty of Responsibility under section 66B of FSMA — meaning personal FCA enforcement is possible where operational failures occur in the SMF24’s area and reasonable steps were not taken to prevent them.
The most significant personal liability exposures for SMF24 holders:
- Operational resilience tolerance breaches: Where the firm exceeds an impact tolerance during a real disruption, the SMF24 is in scope for enforcement examination. The “reasonable steps” defence requires demonstrable programme delivery, testing, and remediation activity prior to the event.
- ICT incidents: Material ICT incidents — outages, cyber breaches, third-party failures — that cause customer harm or regulatory breach can trigger personal liability examination.
- Third-party / outsourcing failures: Where a critical third-party provider fails and the firm has not adequately managed the dependency, SMF24 personal liability is direct.
- Cyber security failures: Material cyber incidents — particularly those involving customer data — carry personal liability exposure.
- Failure to escalate: Becoming aware of significant operational concerns and failing to escalate appropriately is a recurring enforcement theme.
- Inadequate operational risk reporting: Where reporting to the board is inadequate or misleading, conduct rules breach exposure applies.
The 31 March 2025 deadline for full operational resilience compliance under PS21/3 — by which firms must remain within impact tolerances under severe-but-plausible scenarios — has materially elevated the personal liability profile of SMF24 holders. Firms that miss this deadline face heightened FCA scrutiny, and SMF24 holders carry personal liability for the firm’s compliance position.
SMF24 Compensation Benchmarks (UK 2026)
SMF24 compensation has risen substantially since 2022, reflecting the tight supply of genuinely qualified candidates with operational resilience programme experience:
| Firm size / type | Base salary range | Total package range |
|---|---|---|
| Smaller Enhanced firm (transitioning to Enhanced) | £180k-£260k | £220k-£380k |
| Mid-Enhanced firm | £250k-£350k | £320k-£550k |
| Larger Enhanced firm | £300k-£500k+ | £450k-£900k+ (with material LTIP) |
| PE-backed Enhanced firm | £280k-£400k | £500k-£1.5m+ (with sweet equity) |
| Asset manager with proprietary trading technology | £350k-£600k+ | £500k-£1.2m+ |
The premium for SMF24 candidates with hands-on operational resilience programme delivery experience is significant — typically £30k-£60k on base salary. Candidates with both PS21/3 and DORA programme delivery experience are at a substantial premium. The pool of candidates who have actually delivered impact-tolerance testing under severe-but-plausible scenarios, navigated FCA dialogue during the implementation phase, and integrated DORA requirements alongside it is genuinely small — likely under 100 named individuals nationally with the full credentials.
Fractional and interim SMF24 engagements have grown for firms transitioning into Enhanced status or running specific operational resilience programmes. Day rates run £1,400-£2,000 for established candidates with full credentials. The fractional model is particularly suited to firms post-Enhanced-transition that need senior operational leadership while building the permanent function.
Hiring an SMF24 — What FD Capital Looks For
Prior SMF24 (or pre-2019 equivalent) approval
Candidates with prior SMF24 approval have the fastest FCA approval path. The function is relatively new (introduced 2019) so the population of prior SMF24 holders is smaller than for established SMFs like SMF2 or SMF16. This is one reason candidate supply is tight.
Operational resilience programme delivery experience
For roles in firms with active PS21/3 compliance programmes — which is essentially all Enhanced firms — operational resilience programme delivery experience is the threshold criterion. Candidates without it can take 12-18 months to come up to speed; firms with active deadlines cannot accommodate this.
Technology and ICT risk depth
Strong SMF24 candidates have technology backgrounds substantial enough to engage credibly with the firm’s technology strategy, vendor relationships, and ICT risk framework. CIO-track candidates with regulatory experience are typical; pure operations candidates without technology depth often struggle.
Programme management capability
SMF24 typically runs multi-year programmes with substantial budgets. Programme management capability — including the ability to communicate progress to the board, manage senior stakeholder relationships, and deliver complex change programmes — is essential.
Sector match
Cross-sector SMF24 transitions are difficult — the operational profile of an asset manager differs substantially from that of a payments firm, and sector-specific operational and regulatory knowledge is rarely transferable in the timeframe most hiring firms expect.
Regulatory engagement experience
FCA dialogue on operational resilience, ICT and third-party matters has intensified since 2022. SMF24 candidates need to demonstrate they can lead this engagement credibly.
The 31 March 2025 deadline for full PS21/3 compliance has substantially elevated demand for experienced SMF24 candidates. Firms that have not yet completed their operational resilience programme face heightened FCA scrutiny and need senior operational leadership immediately. Firms that have completed the initial programme need ongoing testing, scenario rehearsal and incident response capability. Both segments of the market are competing for a small candidate pool, and compensation benchmarks reflect this tension. Hiring boards should plan 20-30 week recruitment timelines and benchmark at the upper end of the salary ranges.
SMF24 and the Wider SMF Framework
SMF24 sits at the centre of operational governance and works closely with adjacent SMFs:
- SMF2 (Chief Finance Function): SMF24 owns operational technology including financial systems infrastructure; SMF2 owns financial reporting that runs on those systems. The intersection includes regulatory reporting infrastructure, financial control systems, and major finance technology investments.
- SMF4 (Chief Risk Function): SMF4 holds second-line oversight of operational resilience and ICT risk; SMF24 holds first-line operational ownership. The boundary between operational delivery (SMF24) and risk oversight (SMF4) is critical and needs explicit governance.
- SMF16 (Compliance Oversight): Compliance with operational regulatory requirements (e.g., FCA outsourcing rules under SYSC 8) is overseen by SMF16; operational implementation rests with SMF24.
- SMF17 (MLRO): Transaction monitoring technology and SAR investigation operational delivery may sit within SMF24 accountability; AML framework rests with SMF17.
- SMF18 (Other Overall Responsibility): Specific operational areas (specific business unit operations, particular outsourced functions) may be allocated to SMF18 holders rather than absorbed into SMF24 scope. Statement of Responsibilities discipline is critical here.
For the broader regulatory framework, see our complete SMCR guide.
Common SMF24 Recruitment Pitfalls
Underestimating timeline. SMF24 mandates take 20-30 weeks end-to-end. The qualified candidate pool is genuinely small.
Generic operations job specs. Specifications that don’t address operational resilience, ICT risk and DORA explicitly attract a mix of regulated and non-regulated operational candidates and waste time filtering.
Pricing below market for OR-experienced candidates. The premium for operational resilience programme delivery experience is real and structural.
Unclear boundary with SMF4. Where the SMF24/SMF4 boundary on operational resilience and ICT risk is unclear, candidates ask probing questions during interview and walk away from roles where the answers are unclear.
Insufficient board engagement on operational matters. Firms where operations is treated as a back-office function rather than a strategic concern struggle to attract experienced SMF24s.
Cross-sector recruitment. Trying to recruit cross-sector — wealth manager to payments firm, asset manager to consumer credit firm — typically fails for SMF24 roles because the operational profiles differ substantially.
A Note from Our Founder — Adrian Lawrence FCA
SMF24 is the role that has changed the most over the last four years — and the role I see most often misjudged in recruitment briefs. Boards that designed their SMF24 framework in 2019-2020 are sometimes surprised when they come to recruit a replacement and discover that the candidate market expects a fundamentally different profile in 2026. Operational resilience, DORA, ICT risk, third-party governance, the integration of cyber and operational risk — all of these have transformed the role since the original SMF24 framework launched.
The conversation I have with hiring boards is usually about scope and seniority. They sometimes start with a job specification that reads like a head of operations or head of IT role and is benchmarked at corresponding salary levels. The candidates they actually need — to lead the firm’s operational resilience programme through to compliance, navigate FCA dialogue on ICT and operational matters, and provide board-level operational leadership — are at SMF24 calibre and price accordingly. Once that conversation is had honestly, the search becomes deliverable.
The other dimension that comes up frequently is the SMF4/SMF24 boundary. Firms that have not clearly defined where second-line risk oversight (SMF4) ends and first-line operational ownership (SMF24) begins find that experienced candidates ask probing questions during interview and either walk away or ask for governance changes as a condition of joining. The boundary needs to be clear before the search begins, and the Statement of Responsibilities for SMF24 needs to be specific enough that the candidate can see exactly what they are accepting.
At FD Capital we work on SMF24 mandates regularly across asset managers, payments firms, wealth managers and other Enhanced-tier solo-regulated firms. The market is genuinely tight — we typically work with longer timelines and at the upper end of salary benchmarks for SMF24 placements. If you are recruiting an SMF24 — for permanent appointment, interim cover during a programme phase, or fractional support post-Enhanced transition — I’m happy to have a direct conversation about your specific situation.
Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383
Hire an SMF24 Chief Operations Function
SMF24 placements require deep specialist expertise in operational resilience, ICT risk and third-party governance — increasingly the threshold criteria for the role since PS21/3 and DORA. FD Capital places SMF24 candidates on permanent, interim and fractional engagements across the Enhanced-tier solo-regulated population.
Further Reading and Authoritative Sources
For the FCA’s authoritative guidance on Senior Management Functions, see FCA Handbook SUP 10C. For the operational resilience policy, see the FCA Operational Resilience policy statement (PS21/3). For DORA, the European supervisory authorities’ DORA pages provide authoritative reference.
For the systems and controls framework that applies to SMF24-relevant areas, see the SYSC Sourcebook, particularly SYSC 8 on outsourcing.