Ownership and Accountability: Embedding traceability at scale


Written by


Paul Wood

In today’s regulatory environment, the use of sign-offs and attestations has evolved from being a compliance formality into a catalyst for genuine accountability. The FCA has long used attestations as a supervisory tool to hold individuals to account. When done well, they go far beyond a regulatory formality. They prompt individuals to engage; to confirm, with intent, the accuracy of what they oversee. A personal attestation from a senior manager or certified individual is more than a signature; it’s a statement of accountability that contributes to culture, strengthens control, and embeds ownership throughout the organisation.

 

Accountability formalised through attestations

Under the Senior Managers & Certification Regime (SM&CR), attestations make accountability personal and visible. Senior individuals are required to formally affirm, in writing, that they have taken responsibility for a specific risk, control, or remedial action.

This process does more than meet regulatory compliance - it clarifies ownership, prompts timely action, and builds a stronger line of defence that works in practice, not just on paper.


Why the FCA emphasises attestations

The FCA’s guidance makes clear that attestations are intended to prompt and compel firms and individuals to act - whether that means verifying the implementation of a control, confirming progress of remediation, or acknowledging specific prescribed responsibilities.

However, many firms still rely on manual processes such as email threads, spreadsheets, or static PDF sign-offs. These approaches create gaps, limit visibility, and make it difficult to evidence consistent control effectiveness during inspections. They also fail to scale, exposing firms to operational inefficiencies.


Turning attestations into a control

Digitising the attestation process does more than reduce administrative effort - it fundamentally enhances accountability and governance across the business in three ways:

  • Legitimacy: Clear, traceable statements from named individuals make ownership transparent and auditable.

  • Resilience: Controls can be assessed, tested, and validated continuously, rather than only in response to regulatory pressure.

  • Relevance: Attestations spark meaningful discussions about whether controls remain fit for purpose as risks evolve.

At Grath, these principles - clarity, accountability, and ownership - are central to the design of our GRC platform. Whether managing a control, updating a risk register, or administering policies, named responsibility is embedded by default. The premise of Grath GRC is simple: a control framework is only as strong as its weakest link, and diffused or invisible accountability can cause it to fail under pressure.

 

Attestations extend beyond senior managers

SM&CR is not confined to the boardroom. The Certification Regime and Conduct Rules ensure accountability runs throughout the organisation, reinforcing the idea that everyone across the firm is a risk manager.

Yet, in many firms, accountability becomes diluted. Policies are acknowledged but not fully understood, and controls are “owned” by individuals who may not realise the scope of their responsibility. 

Grath removes that uncertainty. Our platform makes ownership explicit, requires formal sign-off, and tracks attestations in real time. This transparency creates a culture where accountability is visible, expectations are clear, and actions are followed through.


Future-proof your accountability with Grath

True accountability cannot be achieved through paper-based processes. It requires systems that make responsibility traceable, auditable, and alive within day-to-day operations.

Grath’s attestation capability enables firms to embed accountability seamlessly within their governance framework. It links incidents, breaches, risk event management, policy attestations, and operational oversight in one integrated environment.

The result is a culture of ownership where accountability is not imposed from above but lived across the organisation.

 

If your firm is ready to strengthen its SM&CR compliance and build a culture of visible accountability, book a demo or contact the Grath team to see how we can help.

Book your demo today.


From risk management to reconciliations, manage your entire compliance ecosystem with unified visibility and intelligent automation.


© Copyright 2025 Grath. All rights reserved. Grath® is a trademark of Grath.
