SMF4 Explained: The Chief Risk Officer Function in FCA-Regulated Firms

SMF4 Recruitment: Find a Chief Risk Officer Who Has Done This Before

SMF4 is the Senior Management Function under the FCA’s Senior Managers and Certification Regime (SM&CR) that designates the senior individual responsible for overseeing risk in a regulated firm. In firms with a designated CRO, SMF4 is the regulatory approval that sits alongside the corporate title. The holder is named on the FCA Register, has a written Statement of Responsibilities, and carries personal liability for the firm’s risk management framework and the effectiveness of its risk controls.

This guide covers what SMF4 actually means in practice — the scope of responsibility, how the role interacts with the Three Lines of Defence model, the personal liability position under the Duty of Responsibility, and how the role differs significantly across firm types and SM&CR tiers. It also covers what FD Capital looks for when placing SMF4-approved candidates, current compensation benchmarks, and the specific reasons SMF4 searches frequently take longer than firms expect.

What’s missing from most online explanations of SMF4 is the practical recruitment dimension — the qualified candidate pool is genuinely small, the sector-specific knowledge requirements are unforgiving, and Operational Resilience plus DORA have substantially expanded the role since 2022. That’s the gap this guide fills.

What SMF4 Means and When the Function Is Required

SMF4 is the Chief Risk Function under the FCA’s Senior Manager regime. The full list of SMFs is set out in the FCA Handbook (SUP 10C), with SMF4 carrying responsibility for the firm’s overall risk management framework — including how risks are identified, measured, monitored and controlled across the business.

SMF4 is not required for every regulated firm. In Limited Scope and many Core-tier firms, risk responsibility may be allocated to another SMF (typically the SMF1 CEO or, in smaller firms, integrated into a single executive role). SMF4 becomes mandatory in Enhanced-tier solo-regulated firms, and is universally present in dual-regulated banks and insurers. The function also applies in firms that have voluntarily adopted a CRO structure for governance reasons even where not strictly required.

| Firm tier | SMF4 requirement | Typical practice |
|---|---|---|
| Limited Scope | Not required | Risk responsibility usually sits with the SMF3 / sole director |
| Core (without CRO) | Not required | Risk responsibility often allocated to SMF1 (CEO) or split between SMF2 and SMF16 |
| Core (with designated CRO) | Voluntary but advisable | Where a CRO role exists, SMF4 approval is standard practice |
| Enhanced | Mandatory | Full SMF4 approval and Statement of Responsibilities required |
| Dual-regulated | Mandatory (joint FCA/PRA) | Approval requires both FCA and PRA sign-off |

The trend across the FCA-regulated population since 2022 has been increased adoption of the SMF4 role even where not strictly mandated — driven by Operational Resilience requirements (PS21/3), Consumer Duty, increased FCA enforcement focus, and the recognition that risk leadership at senior level is meaningfully different from risk activity allocated as a secondary responsibility within finance or compliance.

SMF4 vs Corporate CRO Title — When They Diverge

Most firms that have an SMF4 use the corporate title “Chief Risk Officer” for the same individual. But the two designations are not the same — and where they diverge, the regulatory accountability follows the SMF4, not the corporate title.

  • Corporate CRO with no SMF4 approval: A senior risk leader operating outside SM&CR designation. Common in private companies and non-regulated activities of regulated groups.
  • Corporate CRO who is also SMF4: The standard pattern in regulated firms. The corporate role and the regulatory function sit together.
  • SMF4 with corporate title other than CRO: Less common but occurs in firms structuring risk responsibility under a “Head of Risk” or similar designation while still allocating SMF4 to that individual.
  • Risk responsibility without dedicated SMF4: Occurs in smaller firms where risk is integrated into the SMF1 CEO function or split across other SMFs. The Statement of Responsibilities for those SMFs must explicitly cover risk in this case.

For recruitment purposes, the distinction matters because the candidate pool, compensation benchmark and FCA approval process differ between an SMF4 role and a non-regulated CRO role. Firms recruiting an SMF4 should be explicit about the regulatory dimension in the job specification — candidates from non-regulated CRO backgrounds rarely transition smoothly into SMF4 roles without sector experience, and the firm needs to be honest about this from the start.

The Three Lines of Defence and Where SMF4 Sits

The Three Lines of Defence model is the standard governance framework for risk management in financial services. SMF4’s positioning within this model defines the function’s authority and the relationships with other senior managers.

First Line: The Business

The first line is the operational business — the front-office, investment, trading or service-delivery functions that take and own day-to-day risks as part of their commercial activity. First-line risk ownership rests with business heads, not the SMF4. The SMF4’s role here is to set the risk framework within which the first line operates, define the risk appetite, and oversee how the first line manages its risks within that framework.

Second Line: Risk and Compliance Functions

The second line is the dedicated risk and compliance function — the SMF4’s primary territory. The risk function provides independent challenge to the first line, monitors compliance with the risk framework, develops methodologies and metrics, and reports on enterprise risk to the board. The SMF16 (Compliance Oversight) typically heads the compliance second line, while the SMF4 heads the risk second line. In smaller firms these can be combined under a single Chief Risk and Compliance Officer (a structure FD Capital recruits for via our CRCO recruitment capability).

Third Line: Internal Audit

The third line is internal audit — providing independent assurance to the board over the effectiveness of both first and second lines. Internal audit reports independently of the SMF4 (typically to the Audit Committee chair). For Enhanced firms, the Head of Internal Audit is itself an SMF (SMF5).

For a comprehensive view of how this framework operates in practice, see our Three Lines of Defence Guide.

Personal Liability for Risk Failures

SMF4 carries the same Duty of Responsibility under section 66B of FSMA as any other SMF — meaning the FCA can take personal enforcement action against the SMF4 where a contravention of a relevant requirement occurs in their area of responsibility and they did not take reasonable steps to prevent it.

The areas of personal liability exposure that come up most frequently for SMF4 holders are:

  • Risk framework failures: Inadequate risk identification, measurement or monitoring leading to material risk events. The FCA examines whether the framework was fit for purpose and whether the SMF4 took reasonable steps to maintain it.
  • Risk appetite breaches: Where the firm operates outside its stated risk appetite without proper escalation or remediation, the SMF4 is in scope for enforcement examination.
  • Operational resilience failures: Since PS21/3 came into force, operational disruption — IT outages, third-party failures, cyber incidents — that exceeds the firm’s impact tolerances places direct personal liability pressure on the SMF4 (and on the SMF24 Chief Operations Function where one exists).
  • Risk reporting to the board: Inadequate, misleading, or untimely risk reporting to the board can be a personal Conduct Rules breach.
  • Failure to escalate: Becoming aware of a material risk concern and failing to escalate appropriately is a recurring enforcement theme. The “reasonable steps” defence requires demonstrable escalation activity.
  • ICAAP/ICARA process failures: Where the SMF4 contributes to the firm’s capital adequacy assessment process and that process is found to be inadequate, the SMF4 carries shared liability with the SMF2.

Experienced SMF4 candidates — particularly those who have previously held the function — are typically well-informed about the firms they will and won’t take on. Firms with weak board engagement on risk, governance issues that have not been resolved, or histories of risk function under-resourcing find it materially harder to recruit experienced SMF4s than firms with strong governance reputations.

Operational Resilience and DORA — How the SMF4 Role Has Expanded Since 2022

Two regulatory programmes have substantially expanded SMF4 scope since 2022:

Operational Resilience (PS21/3)

The FCA’s Operational Resilience policy statement (PS21/3) came into effect in March 2022, requiring in-scope firms to identify their important business services, set impact tolerances for each, map dependencies, test scenarios, and maintain operational resilience within tolerance. By 31 March 2025, firms must remain within their impact tolerances under severe-but-plausible scenarios.

SMF4 typically owns or co-owns operational resilience under SM&CR — particularly the second-line oversight of the framework, the testing programme and the reporting to the board. In firms with an SMF24 Chief Operations Function, responsibility is split between the operational ownership (SMF24) and the second-line risk oversight (SMF4). The interaction between these two roles is one of the more nuanced governance design questions in modern UK regulated firms.

For more on the operational resilience framework, see our Operational Resilience Guide.

DORA (Digital Operational Resilience Act)

DORA applies to UK financial entities with EU operations from January 2025. While it is EU regulation, in-scope UK firms have implemented DORA-aligned frameworks alongside their PS21/3 programmes. DORA’s ICT risk requirements, third-party governance obligations, and incident reporting framework all sit within SMF4 oversight in firms operating both regimes.

For DORA detail, see our DORA Guide.

The result: SMF4 scope is meaningfully larger in 2026 than in 2022

Candidates who have held SMF4 since before these programmes were implemented have had to adapt substantially. Candidates approaching SMF4 for the first time in 2026 need to demonstrate familiarity with operational resilience, ICT risk, third-party risk and the integrated approach to enterprise risk that combines traditional financial risk with operational and technology risk. The candidate profile is genuinely different from the SMF4 candidate profile of five years ago.

Day-to-Day Responsibilities of an SMF4

The day-to-day responsibilities of an SMF4 vary by firm type, but a typical Enhanced-tier solo-regulated firm SMF4 will cover:

  • Enterprise Risk Management: Maintaining the firm-wide risk framework, risk taxonomy, and risk register. Establishing and updating risk appetite statements and tolerances.
  • Risk reporting and escalation: Monthly risk reporting to the executive committee, quarterly risk reporting to the board (typically via a Risk Committee), and ad-hoc escalation of material risk events.
  • ICAAP/ICARA contribution: Risk identification and quantification input to the firm’s capital adequacy process, including stress testing.
  • Operational risk oversight: Operational loss data, near-miss reporting, control monitoring, operational resilience programme oversight.
  • Conduct risk and Consumer Duty: Where Consumer Duty applies, SMF4 typically shares ownership with SMF16 of the firm’s conduct risk framework.
  • Third-party and outsourcing risk: Vendor risk management, critical third-party identification, intra-group dependencies, outsourcing arrangements under SYSC 8.
  • Risk culture: Setting and reinforcing risk culture across the firm — increasingly recognised by the FCA as a leading indicator of risk management quality.
  • Risk function leadership: Recruiting and managing the risk team, including any Certification Regime employees in risk roles.
  • Regulatory and external engagement: Participating in FCA supervisory dialogue on risk topics, presenting to external auditors, engaging with skilled persons during s166 reviews.

The proportion of time spent on enterprise risk versus specific areas (operational resilience, conduct risk, financial risk) varies by firm. In a smaller Core-tier firm with a single Chief Risk and Compliance Officer covering both SMF4 and SMF16, the role is broader but the ownership burden per area is lighter. In an Enhanced-tier firm with separate SMF4 and SMF16 holders, the SMF4 specialises into risk specifically.

Sector-Specific SMF4 Variations

SMF4 candidates are not interchangeable across sectors. The dominant risk types differ substantially between firm types, and a candidate’s experience profile needs to match.

SMF4 in investment firms (MIFIDPRU)

Investment firms under MIFIDPRU face a specific risk taxonomy — K-factor risks (K-AUM, K-CMH, K-ASA, K-COH, K-DTF, K-NPR, K-CMG, K-TCD, K-CON), market risk in trading books, operational risk under K-factor RtC and RtM, and the integrated ICARA process that captures all material risks. Strong SMF4 candidates here understand the K-factor methodology, have led ICARA processes, and have experience of FCA supervisory dialogue under MIFIDPRU.

SMF4 in AIFM and fund management firms

Fund managers face investment risk on the funds they manage (which is largely a fund-level concern, not a firm-level one), operational risk in the firm structure, and depositary, valuation, NAV and conflicts of interest as core risk areas. SMF4 candidates with AIFMD experience understand the specific risk framework AIFMD requires and the interaction between firm-level and fund-level risk management.

SMF4 in payments and e-money firms

Payments firms face a different risk landscape — settlement risk, operational risk dominated by transaction processing, fraud risk, AML risk integration, and regulatory risk specific to PSR and EMR rules. The safeguarding regime is fundamentally different from CASS, and SMF4 candidates need to understand it specifically.

SMF4 in firms with significant CASS or client money exposure

Firms holding client assets face concentrated CASS-related risk, where operational failures translate quickly into regulatory breaches. CASS-experienced SMF4 candidates command a premium because the technical knowledge needed for effective oversight cannot be acquired in the timeframe most hiring firms need.

SMF4 in firms under FCA supervisory pressure

Firms with active skilled person reviews, ongoing remediation programmes or recent enforcement action need SMF4 candidates who can operate under pressure. The recruitment dynamic here is different — firms typically pay a premium for experience operating under regulatory scrutiny, and the candidate due diligence cuts both ways (the candidate evaluates the firm’s situation as carefully as the firm evaluates the candidate). For more on s166 reviews specifically, see our Section 166 Guide.

SMF4 Compensation Benchmarks (UK 2026)

SMF4 compensation tracks similarly to SMF2 — a regulated-firm premium of 20-30% over equivalent non-regulated CRO roles, reflecting personal liability, smaller candidate pool and greater regulatory complexity:

| Firm size / type | Base salary range | Total package range |
|---|---|---|
| Smaller Core firm with combined CRO/CCO role | £110k-£160k | £130k-£200k |
| Mid-size Core firm (£10m-£30m revenue) | £150k-£220k | £180k-£300k |
| Larger Core / smaller Enhanced firm | £200k-£300k | £250k-£450k |
| Enhanced tier (£100m+ revenue, full-spec CRO) | £280k-£450k+ | £400k-£800k+ (with material LTIP) |
| PE-backed Enhanced firm | £280k-£400k | £500k-£1.5m+ (with sweet equity) |

The premium for operational resilience and DORA-experienced SMF4 candidates has grown materially since 2023. Firms with active OR/DORA programmes — particularly those that need to deliver ongoing testing, scenario analysis and supervisory engagement — pay materially more for SMF4 candidates who have already led these programmes elsewhere. The supply-demand position in this segment of the market is structurally tight.

Fractional and interim SMF4 engagements have grown rapidly since 2023, particularly in Core-tier firms that need senior risk leadership but cannot justify a full-time CRO. Day rates for established SMF4-experienced candidates run £1,200-£1,800. The fractional model is particularly suited to firms post-authorisation or in transition between CRO appointments.

Hiring an SMF4 — What FD Capital Looks For

Placing an SMF4 candidate is a specialist search. The pool narrows quickly through the following filters:

Prior SMF4 (or PRA equivalent) approval

Candidates with prior SMF4 approval — or pre-2019 CF28 approval, or PRA-side equivalents — have a faster FCA approval path. Candidates approaching SMF4 for the first time can still be approved, but require a stronger case.

Sector and risk-type match

An SMF4 with deep market risk and trading book experience is rarely a strong candidate for an asset management firm. An SMF4 from a payments background may not be appropriate for a wealth manager. The match needs to be specific to firm type and dominant risk profile.

Operational resilience and ICT risk fluency

Since PS21/3 and DORA, OR/ICT risk experience is no longer optional for most SMF4 roles. Candidates who only have traditional financial risk backgrounds increasingly struggle to pass scrutiny.

Three Lines of Defence experience

Strong SMF4 candidates have operated genuinely independently of the first line — managed the tension between risk function and business, navigated board-level disagreements, and demonstrated independence in reporting. Candidates whose prior risk experience has been embedded in business teams rather than as second-line independent challenge often struggle in SMF4 roles.

Cultural fit with regulated risk culture

An experienced SMF4 expects board engagement on risk, expects to be involved in significant strategic decisions, and expects to be able to escalate concerns without consequence. Firms where these conditions are not met find SMF4 retention difficult regardless of remuneration.

Reference depth

Reference checking for SMF4 placements typically extends to prior board members, prior auditors, prior FCA supervisory contacts (where appropriate), and sometimes to peer SMFs from the candidate’s previous firms. The Regulatory References regime under SM&CR creates the mandatory reference exchange between regulated firms but commercial reference work goes beyond this.

The OR/DORA Premium — A Structural Market Shift

The premium for SMF4 candidates with hands-on PS21/3 and DORA programme experience has roughly doubled since 2022. Firms that need active operational resilience leadership cannot wait for candidates to learn on the job, and the candidate pool that has actually delivered impact-tolerance testing, ICT incident reporting frameworks and third-party governance under DORA is genuinely small. Firms recruiting SMF4 with OR/DORA expectations should benchmark at the upper end of the salary range and plan the timeline accordingly.

SMF4 and the Wider Risk Governance Framework

SMF4 sits at the centre of a broader governance ecosystem. Understanding the boundaries with adjacent SMFs is essential:

  • SMF2 (Chief Finance Function): Owns financial risk specifically — capital, liquidity, financial reporting risk. SMF4 owns the broader risk framework within which financial risk sits.
  • SMF16 (Compliance Oversight): Owns regulatory compliance risk and the compliance function. In smaller firms these are combined under a Chief Risk and Compliance Officer; in Enhanced firms they are typically split. The SMF4/SMF16 boundary is a frequent governance design discussion.
  • SMF17 (MLRO): Owns AML risk specifically. AML risk fits within the broader risk framework owned by SMF4, but AML reporting and escalation go to the MLRO.
  • SMF24 (Chief Operations Function): In Enhanced firms, holds first-line operational ownership (day-to-day operational management). SMF4 owns operational risk oversight (second line). The interaction between the two is critical and needs explicit governance.
  • SMF5 (Head of Internal Audit) / SMF11 (Audit Committee Chair): Internal audit (third line) is independent of SMF4. The Audit Committee chair (SMF11) is independent of executive management.

For the broader regulatory framework, see our complete SMCR guide.

Common SMF4 Recruitment Pitfalls

The most common reasons SMF4 searches stall:

Underestimating timeline. SMF4 mandates typically take 16-26 weeks end-to-end including notice and FCA approval. Rushed timelines lead to compromised candidate quality.

Generic risk job specs. Job specifications that read like generic risk leadership role descriptions struggle to attract regulated-firm SMF4 candidates. The specification needs to be specific about firm type, dominant risk profile, OR/DORA scope, and the regulatory dimension.

Pricing at non-regulated CRO rates. The regulated-firm premium is real and qualified candidates know their market value.

SMF4/SMF16 boundary unclear. Firms that have not clearly delineated risk and compliance responsibility find that SMF4 candidates ask probing questions during interview — and walk away from roles where the answers are unclear.

Insufficient board engagement on risk. Firms that treat risk as a defensive function rather than a strategic one struggle to attract experienced SMF4s.

Regulatory history not addressed honestly. Skilled person reviews, enforcement findings, ongoing remediation programmes — these need to be discussed openly with candidates from first interview. Discovered later in process, they cause searches to collapse.

A Note from Our Founder — Adrian Lawrence FCA

SMF4 is the role I’ve seen change the most over the last five years. Operational resilience, DORA, Consumer Duty, the increased focus on third-party risk — all of these have expanded the SMF4 mandate substantially. The candidates I was placing in 2020 covered enterprise risk, financial risk and a relatively contained operational risk piece. The candidates I’m placing in 2026 are running integrated enterprise frameworks that include ICT risk, third-party risk, conduct risk and operational resilience as core elements alongside the traditional financial and operational risk areas.

What this means in practice for hiring boards is that SMF4 is no longer a defensive appointment — it’s a strategic one. The candidates who do this role well shape the firm’s risk culture, contribute to strategic decisions about market entry and product launch, and provide independent challenge at board level on matters where the executive team has commercial pressure to push forward. They cost more, take longer to recruit, and are more selective about the firms they will join. The firms that recruit them successfully are the ones that have done the governance work — clear Statement of Responsibilities, board-level Risk Committee, proper second-line independence, and a culture where escalation is welcomed rather than punished.

The conversation I have with founders and CEOs starting an SMF4 search is usually about scope and seniority. They sometimes start by asking for a “Head of Risk” at a salary level that reflects their commercial discomfort with senior risk hires. The candidates they actually need — if they want someone who can lead operational resilience programmes, navigate FCA dialogue, and provide genuine board-level challenge — are at SMF4 calibre and price accordingly. Once that conversation is had honestly, the search becomes deliverable.

At FD Capital we work on SMF4 mandates regularly across investment firms, AIFM firms, payments firms and FCA-authorisation candidates. If you’re considering an SMF4 appointment — permanent, interim or fractional — I’m happy to have a direct conversation about your specific situation.


Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383

Hire an SMF4 Chief Risk Officer

SMF4 placements require deep specialist knowledge of risk frameworks across investment firms, AIFM firms, payments and e-money firms, and the operational resilience and DORA programmes that have expanded the role since 2022. FD Capital places SMF4 candidates on permanent, interim and fractional engagements across the FCA-regulated population.


Further Reading and Authoritative Sources

For the FCA’s authoritative guidance on Senior Management Functions, see FCA Handbook SUP 10C. The FCA’s Operational Resilience policy statement (PS21/3) sets out the operational resilience framework that SMF4s now own. For DORA, the European supervisory authorities’ DORA pages provide the authoritative reference.

For the prudential frameworks, see the MIFIDPRU Sourcebook for investment firms and the SYSC Sourcebook for general systems and controls requirements applying to all firms.
