(Full specification is here)
Executive Summary
THE PROBLEM
Traditional technology governance pushes architectural decisions UP to senior
leaders who lack detailed understanding, creating:
- Bottlenecks where executives approve decisions they cannot adequately
evaluate - Innovation blocked by senior uncertainty and risk aversion
- Accountability theatre where senior leaders “own” decisions but architects
carry consequences - Governance based on process compliance rather than judgment quality
This creates the worst of both worlds: slow decisions AND inadequate
oversight.
THE SOLUTION
MMCR extends proven insurance risk management patterns to architectural
decision-making:
UNDERWRITING AUTHORITY → ARCHITECTURAL AUTHORITY
Just as underwriters receive delegated authority based on demonstrated
competence, architects receive authority to make decisions within defined
scope and risk thresholds.
ACTUARIAL CERTIFICATION → ARCHITECTURAL CERTIFICATION
Just as actuaries are certified for competence before receiving authority,
architects are certified before delegation.
SMCR ACCOUNTABILITY → MMCR ACCOUNTABILITY
Senior leaders retain ultimate accountability but delegate decisions to
certified, competent individuals rather than trying to evaluate every choice.
RISK-BASED AUDIT → RISK-BASED OVERSIGHT
Internal Audit samples decisions to validate judgment quality, not check
process completion.
HOW IT WORKS
1. CERTIFICATION (Owned by Compliance, Operated by Internal Audit)
Individuals demonstrate competence in specific domains
(platform architecture, data architecture, etc.)
↓
2. DELEGATION (Issued by SMCR Holder)
Certified individuals receive explicit authority for decisions
within defined boundaries (domain, technology, financial threshold)
↓
3. DECISION-MAKING (By Certified Architect)
Decisions documented with principled rationale:
– What purpose does this serve?
– Why is this approach appropriate for our context?
– How does this adequately meet requirements?
↓
4. OVERSIGHT (Risk-Based Sampling by Internal Audit)
Audit samples decisions to validate judgment quality
Senior leadership receives assurance from expert judgment,
not process compliance
EXPERT JUDGMENT ROLLS UP, NOT CHECKLIST COMPLIANCE
Traditional Governance: MMCR Governance:
───────────────────── ─────────────────
Architect fills template → Certified architect makes decision
↓ ↓
Committee checks boxes → Audit validates judgment quality
↓ ↓
Senior leader hopes → Senior leader has confidence
↓ ↓
“We followed the process” → “Expert made sound decision”
KEY BENEFITS
FASTER DECISIONS
Competent people have authority to act without navigating approval layers
BETTER DECISIONS
People who understand the problem space make the choices
GENUINE ASSURANCE
Senior leadership receives confidence from expert judgment, not process
theatre
REMOVES BOTTLENECKS
Senior people no longer forced to approve technical decisions they cannot
evaluate
ENABLES INNOVATION
Appropriate innovation proceeds with risk tolerance explicit in delegation
boundaries
SCALES CAPABILITY
Organization makes more good decisions as certified individuals multiply
SPEAKS INSURANCE LANGUAGE
Leverages patterns already embedded in your culture (underwriting authority,
SMCR, risk-based oversight)
REGULATORY ALIGNMENT
MMCR aligns with principles-based supervision:
FCA: Demonstrates adequate management and control (Principle 3) for
architectural risk decisions
PRA: Provides clear accountability for operational resilience and prudential
technology decisions
SMCR: Extends senior accountability to the layer where architectural
decisions are actually made
Operational Resilience: Governs architectural decisions affecting important
business services
IMPLEMENTATION APPROACH
START SMALL: Pilot in single domain (e.g., platform architecture) with 2-3
certified individuals
PROVE VALUE: Demonstrate faster decisions with maintained/improved quality
EXPAND: Extend to additional domains and broader population
EMBED: Make MMCR standard operating model for architectural governance
WHY NOW?
Technology decisions create material business risk. Platform choices,
architectural patterns, and technology strategies affect:
- Operational resilience of critical services
- Customer outcomes and regulatory compliance
- Multi-million pound investments and vendor lock-in
- Organizational agility and competitive position
These decisions deserve the same governance rigor as underwriting decisions –
certified competence, delegated authority, and expert judgment.
MMCR provides that governance using patterns your organization already
understands and trusts.
THE BOTTOM LINE
Insurance companies are expert at managing risk through delegated authority,
certification, and accountability.
MMCR applies that expertise to architectural decisions.
Result: Better decisions, faster, with genuine (not theatrical)
accountability.