SMF24 in growing firms: why the Chief Operations Function matters

SMF24 in growing firms: why the Chief Operations Function matters

The SMF24 Chief Operations Function is one of the less prominent Senior Manager designations — less widely discussed than the SMF2 CFO function or the SMF16 compliance oversight role, and less specifically defined in the FCA’s guidance than the MLRO function under SMF17. For many growing FCA-regulated firms, the SMF24 is treated as a residual designation — the catch-all that absorbs operational and technology responsibilities that do not fit neatly into the other named functions. This treatment underestimates the function’s importance and creates governance gaps that the FCA increasingly scrutinises as firms grow in scale and complexity.

What the SMF24 function covers

The SMF24 Chief Operations Function covers the overall responsibility for managing the internal operations of the firm — its technology infrastructure, its operational processes, its third-party arrangements for operational services, and its resilience against operational disruption. In practice, the function is typically held by the most senior individual who is accountable for these areas, whether their title is COO, Chief Operating Officer, Head of Operations, or simply the person in the firm who manages the operational side of the business alongside their other responsibilities.

Under the FCA’s operational resilience framework, the SMF24 holder has become the primary senior manager accountable for the firm’s operational resilience programme — the identification of important business services, the setting and testing of impact tolerances, and the governance of third-party dependencies. This has elevated the SMF24 from a relatively administrative designation to a substantively important regulatory accountability at firms where operational resilience is a live FCA supervisory concern.

The specific areas within the SMF24 scope include: management of the firm’s technology systems and IT infrastructure; management of outsourcing and third-party service arrangements; business continuity and disaster recovery; physical premises and workplace management; operational process design and efficiency; data management and data governance; and, in firms that operate at significant scale, the management of operational risk as a discipline distinct from financial risk and compliance risk.

Why growing firms underestimate the SMF24

At founding and early growth stages, most FCA-regulated firms do not have a dedicated COO. The operational management of the business is typically handled by the CEO and the CFO between them, with specific operational areas managed by department heads who do not themselves hold senior manager designations. In this context, the SMF24 is often allocated to the CEO or CFO as an additional designation alongside their primary function, or is left as an SMF18 Other Overall Responsibility designation without the specific operational function designation that the firm’s actual operational structure warrants.

The problem arises as the firm grows. The operational complexity of an FCA-regulated firm with twenty employees is materially different from one with two hundred. The technology infrastructure, the third-party arrangements, the operational processes, and the regulatory requirements around operational resilience all scale with firm size. At some point, the informal operational management that the CEO and CFO were providing is no longer adequate — either because the operational complexity exceeds what they can manage alongside their primary functions, or because the FCA’s expectations of the operational governance of a firm of that size have outpaced the firm’s governance infrastructure.

The inflection point at which the SMF24 should transition from a nominal additional designation to a primary function held by a dedicated individual varies by firm type. For payment institutions, which are inherently operationally intensive, the threshold is typically lower — the transaction volumes, the third-party payment infrastructure dependencies, and the regulatory requirements around payment system resilience all create an operational accountability burden that justifies a dedicated COO at a relatively early stage. For investment management firms with simpler operational models, the threshold may be higher.

The operational resilience evolution

The FCA’s PS21/3 operational resilience framework, fully in force since March 2025, has changed the nature of the SMF24 function significantly. The requirement to identify important business services, set impact tolerances, and test the firm’s ability to remain within those tolerances through severe disruption scenarios has created a structured governance programme that the SMF24 holder must own.

For a growing firm, the operational resilience programme is not a one-off exercise — it requires annual review, board approval of any changes to important business services or impact tolerances, and ongoing testing that becomes more demanding as the firm grows. The SMF24 holder must be able to lead this programme, present its outputs to the board, and demonstrate to the FCA that the firm’s important business services are adequately identified and that the firm has tested its ability to maintain them under severe disruption.

The third-party management dimension of the SMF24 function has also grown in importance. As firms scale, their reliance on third-party technology and operations providers grows — cloud infrastructure, payment processors, data vendors, outsourced compliance and regulatory reporting services. The SMF24 holder is the senior manager accountable for the governance of these arrangements: for ensuring that contracts include adequate provisions, that due diligence is conducted before engagement and on an ongoing basis, that exit strategies exist for critical providers, and that the firm’s important business service continuity is not compromised by third-party failures.

Appointment timing: when does a firm need a dedicated COO

There is no regulatory prescription for when an FCA-regulated firm must appoint a dedicated COO. But there are indicators that the existing arrangement has reached its limits.

The first indicator is FCA supervisory feedback that specifically mentions operational governance, operational resilience, or technology risk management. When a supervisory visit or a Section 166 review identifies weaknesses in the operational governance area, the implicit signal is that the current SMF24 arrangements are inadequate. A firm that receives this feedback and does not address it through a strengthened operational governance structure is likely to receive a more pointed communication in the next supervisory cycle.

The second indicator is the operational burden falling on the CFO. When the CFO is spending a significant proportion of their time on operational management — IT decisions, vendor relationships, operational incidents — the firm has outgrown the arrangement where the CFO holds the SMF24 as an additional designation. The CFO’s primary function requires their full attention; if operational governance is consuming meaningful CFO time, a dedicated COO is needed.

The third indicator is the firm’s important business service profile. When the firm’s important business services depend on complex technology infrastructure, multiple critical third parties, and proprietary systems that require specialist management, the operational resilience programme has become sufficiently complex to require dedicated senior leadership. A COO who understands the technology and operational landscape in depth — not just the regulatory framework — is needed to lead the important business service identification, impact tolerance setting, and testing programme effectively.

What to look for in an SMF24 holder

The effective SMF24 holder in a growing FCA-regulated firm combines several distinct capabilities that are not always found in a single individual. Operational management experience — actually having run operations, managed operational teams, and dealt with operational incidents at scale — is the foundation. Technology fluency — the ability to understand the firm’s technology infrastructure, assess technology risk, and make informed decisions about technology investment and vendor selection — is increasingly essential. Regulatory knowledge — specifically the operational resilience framework, outsourcing requirements, and the SMCR accountability structure — is necessary for the individual to understand the regulatory dimensions of their function. And board communication capability — the ability to present operational risk and resilience matters to a non-specialist board — is required for the function to work effectively within the governance structure.

The COO profile at FCA-regulated firms is genuinely different from the COO profile in non-regulated businesses. The regulatory accountability dimension, the specific operational resilience programme requirements, and the third-party governance obligations create a more structured and more demanding function than the COO role at a comparable-sized unregulated firm. Firms that appoint a commercially experienced COO without specific FCA-regulated firm experience often find a significant learning curve in the regulatory accountability dimensions of the role.

FD Capital places COOs and operational leaders in FCA-regulated investment firms, payment institutions and banks at various stages of growth. The SMF24 appointment is increasingly one of the most consequential hiring decisions a growing regulated firm makes, and the combination of operational, technology and regulatory capabilities required is specific enough that sector-focused search produces significantly better results than generalist recruitment.

Related Guides

• SMF24 — Chief Operations Function Guide
• Important Business Services: How to Identify Them
• FCA Impact Tolerances: Setting, Testing and Reviewing
• Allocating Prescribed Responsibilities by Firm Type
• SMCR: A Complete UK Guide