MIDDLE MANAGEMENT CERTIFICATION REGIME (MMCR)
Governance Framework for Architectural Decision Authority
OVERVIEW
The Middle Management Certification Regime (MMCR) extends principles-based accountability from senior leadership (SMCR) to the architectural and technical decision-making layer where material risk decisions are actually made.
MMCR ensures that architectural decisions are made by certified, competent individuals with appropriate delegated authority, while maintaining robust oversight and accountability – mirroring the proven risk management patterns already embedded in insurance underwriting, actuarial certification, and regulatory accountability frameworks.
PURPOSE
MMCR addresses a critical governance gap in technology transformation:
Traditional governance pushes decisions UP to senior people without detailed understanding, resulting in:
– Bottlenecks where executives become approval gates for decisions they cannot adequately evaluate
– Accountability theatre where senior leaders “own” decisions but architects carry consequences
– Risk aversion and innovation blockage due to senior uncertainty
– Rubber-stamping based on process compliance rather than judgment quality
MMCR pushes authority DOWN to certified, competent decision-makers while pushing assurance UP through expert judgment rather than checklist compliance.
CORE PRINCIPLES
MMCR operates on the same principles as established risk management frameworks within insurance:
1. DELEGATED AUTHORITY
Competent individuals receive explicit delegation to make decisions within defined scope and risk thresholds, analogous to underwriting authority.
2. CERTIFICATION OF COMPETENCE
Authority is granted based on demonstrated competence, not job title or seniority, analogous to actuarial or underwriting certification.
3. RISK-PROPORTIONATE OVERSIGHT
Oversight intensity scales with decision risk and value-at-risk, analogous to risk-based audit sampling.
4. PERSONAL ACCOUNTABILITY
Certified individuals are personally accountable for decisions within their delegated authority, analogous to SMCR accountability.
5. EXPERT JUDGMENT OVER PROCESS COMPLIANCE
Decisions are evaluated on quality of judgment and rationale, not merely completion of process artifacts.
FRAMEWORK STRUCTURE
MMCR operates through four interconnected components:
COMPONENT 1: CERTIFICATION
Certification establishes that an individual possesses adequate competence to make architectural decisions within a specific domain.
CERTIFICATION AUTHORITY
– Owned by: Compliance function
– Operated by: Internal Audit
– Subject matter input from: Head of Architecture (or equivalent)
CERTIFICATION APPROACH
The certification process must itself be appropriate, adequate, and fit-for-purpose for the organizational context. The issuing authority determines specific certification mechanisms, which may include:
– Portfolio evidence of past decisions and outcomes
– Domain knowledge assessment
– Technical capability evaluation
– Decision case study review
– Peer review and validation
– Professional certifications (TOGAF, BCS, etc.) as supporting evidence
– Shadowing and mentorship period
CERTIFICATION DIMENSIONS
Certification may be granted across multiple dimensions:
– Domain scope (e.g., platform architecture, data architecture, integration architecture, security architecture)
– Technology scope (e.g., cloud platforms, legacy modernization, specific product ecosystems)
– Risk/value threshold (e.g., decisions up to £1M, £5M, £10M)
– Organizational scope (e.g., single business unit, enterprise-wide, market infrastructure)
CERTIFICATION VALIDITY
– Certifications are time-bounded and require periodic renewal
– Renewal frequency determined by issuing authority based on risk
– Renewal process validates continued competence and domain currency
CERTIFICATION PRINCIPLES
The certification process itself must be:
– Appropriate: Fit organizational context and risk profile
– Adequate: Sufficiently rigorous to provide genuine assurance
– Fit-for-purpose: Serve the explicit purpose of ensuring competent decision-making
COMPONENT 2: DELEGATION
Delegation grants certified individuals explicit authority to make architectural decisions within defined boundaries.
DELEGATION AUTHORITY
Delegation letters are issued by the SMCR holder responsible for technology/architecture (typically Head of Architecture, CTO, CIO, or equivalent Senior Manager Function).
DELEGATION LETTER CONTENTS
Each delegation letter must specify:
– Delegating authority (SMCR holder name and function)
– Delegate name and certification reference
– Domain scope of authority
– Technology scope of authority
– Financial threshold (value-at-risk ceiling)
– Organizational scope
– Exclusions (decisions requiring escalation regardless of value)
– Validity period (typically aligned with certification validity)
– Reporting and documentation requirements
– Escalation criteria
DELEGATION PREREQUISITES
Delegation can only be granted when:
– Individual holds valid certification for relevant domain/scope
– Compliance has confirmed certification validity
– Internal Audit has provided assurance on certification process
DELEGATION PRINCIPLES
Delegation scope must be:
– Appropriate: Aligned with individual’s demonstrated competence
– Adequate: Sufficient authority to make necessary decisions without creating bottlenecks
– Fit-for-purpose: Matched to organizational needs and risk tolerance
COMPONENT 3: DECISION DOCUMENTATION
Decisions made under delegated authority must be documented to enable oversight, audit, and accountability.
DOCUMENTATION REQUIREMENTS
For decisions within delegated authority, documentation must include:
– Decision summary and context
– Estimated value-at-risk or financial impact
– Purpose definition: explicit statement of what purpose this decision serves
– Appropriateness assessment: why this approach is contextually fit
– Adequacy assessment: how this solution meets requirements sufficiently
– Alternatives considered and rationale for selection
– Risk assessment and mitigation
– Regulatory/compliance implications
– Decision-maker name and delegation reference
– Date and approval
DOCUMENTATION PRINCIPLES
Documentation must demonstrate principled judgment, not merely process completion. The rationale should enable independent review of decision quality.
DOCUMENTATION PROPORTIONALITY
Documentation depth should be proportionate to:
– Value-at-risk (higher risk = more detailed rationale)
– Novelty (unprecedented approaches require stronger justification)
– Reversibility (irreversible decisions require deeper analysis)
ESCALATION TRIGGERS
Certain decisions must be escalated to the delegating SMCR holder regardless of value:
– Decisions exceeding delegated financial threshold
– Decisions outside delegated domain/technology scope
– Decisions with material regulatory/compliance implications
– Decisions affecting operational resilience of critical services
– Decisions where purpose is ambiguous or contested among stakeholders
– Decisions involving novel risk profiles without precedent
COMPONENT 4: OVERSIGHT AND ASSURANCE
Oversight ensures that delegated authority is exercised appropriately and that certified individuals maintain competence.
OVERSIGHT MODEL
MMCR employs risk-based oversight analogous to audit sampling in underwriting review:
– Not every decision is reviewed (would create bottleneck)
– Sampling is risk-weighted (higher value/risk = higher sample rate)
– Review assesses judgment quality, not process compliance
INTERNAL AUDIT ROLE
Internal Audit provides independent assurance through:
1. CERTIFICATION PROCESS ASSURANCE
– Validates certification process is appropriate and adequate
– Reviews certification decisions for consistency
– Confirms individuals meet stated certification criteria
2. DECISION SAMPLING AND REVIEW
– Samples architectural decisions across delegated decision-makers
– Assesses quality of judgment and rationale
– Identifies patterns of poor judgment or process deviation
– Sample rate and selection criteria determined by risk profile
3. DELEGATION BOUNDARY COMPLIANCE
– Verifies decisions are within delegated authority
– Confirms escalation triggers are honoured
– Reviews documentation completeness and quality
4. PERIODIC COMPETENCE VALIDATION
– Reviews decision track record as input to certification renewal
– Identifies individuals requiring additional development
– Recommends delegation scope adjustments based on performance
COMPLIANCE FUNCTION ROLE
Compliance owns the MMCR regime and ensures:
– Certification standards remain current and appropriate
– Delegation framework aligns with SMCR and regulatory expectations
– Regime effectiveness through periodic review
– Regulatory reporting requirements are met
– Continuous improvement based on audit findings
SMCR HOLDER OVERSIGHT
The delegating SMCR holder (Head of Architecture/CTO/CIO) retains ultimate accountability and exercises oversight through:
– Periodic review of decision patterns and outcomes
– Exception reporting (escalations, audit findings)
– Certification and delegation decision approval
– Culture setting for principled judgment
– Intervention when judgment quality concerns arise
ASSURANCE ROLL-UP
Senior leadership receives confidence through expert judgment rolling up, not checklist compliance:
BOTTOM LAYER: Certified architect exercises judgment → documents principled rationale
↓
MIDDLE LAYER: Internal Audit samples decisions → validates judgment quality
↓
TOP LAYER: SMCR holder receives assurance → confidence in decision quality
INTEGRATION WITH TRANSFORMATION ARCHITECTURE PRINCIPLES
MMCR operationalizes the four Transformation Architecture Principles:
PRINCIPLE 1: PRIMACY OF PRINCIPLES
MMCR ensures architectural judgment (exercised through principles) takes precedence over process compliance. Certification validates judgment capability; documentation demonstrates principled reasoning; oversight assesses judgment quality.
PRINCIPLE 2: APPROPRIATENESS
Delegation scope must be appropriate for individual competence and organizational context. Decision documentation must demonstrate appropriateness assessment. Oversight evaluates contextual fitness.
PRINCIPLE 3: ADEQUACY
Certification must be adequate to provide assurance. Delegation authority must be adequate for necessary decisions. Documentation must be adequate to enable oversight. Oversight sampling must be adequate for risk profile.
PRINCIPLE 4: PURPOSE DEFINITION
Decisions must articulate explicit purpose. Certification serves the purpose of ensuring competence. Delegation serves the purpose of enabling efficient decision-making. Documentation serves the purpose of accountability and learning. Oversight serves the purpose of assurance and improvement.
CULTURAL AND ORGANIZATIONAL BENEFITS
MMCR delivers multiple organizational benefits beyond governance:
REMOVES BOTTLENECKS
Senior people are no longer forced to approve decisions they cannot adequately evaluate. Competent decision-makers have authority to act.
ALIGNS ACCOUNTABILITY WITH COMPETENCE
People who understand the problem space are accountable for decisions, rather than accountability resting with senior people who lack context.
ENABLES INNOVATION
Appropriate innovation can proceed without navigating layers of uncertain senior approval. Risk tolerance is explicit in delegation boundaries.
DEVELOPS CAPABILITY
Certification and oversight create clear competence expectations and development pathways for architectural roles.
PROVIDES GENUINE ASSURANCE
Senior leadership and audit receive confidence from expert judgment quality, not process theatre.
SCALES ARCHITECTURAL DECISION-MAKING
The organization can make more good decisions faster as certified individuals multiply, rather than concentrating decisions at the top.
SPEAKS INSURANCE LANGUAGE
Leverages patterns already embedded in insurance culture (underwriting authority, SMCR, risk-based oversight), making adoption natural rather than foreign.
IMPLEMENTATION CONSIDERATIONS
ORGANIZATIONAL READINESS
MMCR requires:
– Executive sponsorship (particularly from SMCR holder)
– Compliance/Audit partnership and capability
– Architectural maturity sufficient to articulate domains and decisions
– Cultural readiness for delegation and accountability
PHASED IMPLEMENTATION
Organizations typically implement MMCR progressively:
PHASE 1: PILOT DOMAIN
– Select single domain (e.g., platform architecture)
– Certify 2-3 individuals
– Test delegation and oversight mechanisms
– Refine based on learning
PHASE 2: EXPANSION
– Extend to additional domains
– Certify broader population
– Establish oversight rhythms
– Build case studies and precedents
PHASE 3: EMBEDDING
– MMCR becomes standard operating model
– Continuous improvement based on audit findings
– Integration with performance management and development
COMMON CHALLENGES
COMPETENCE ANXIETY
“What if we can’t certify enough people?”
– Start with high bar, expand as capability develops
– Certification creates development target
– External hiring can supplement internal development
OWNERSHIP AMBIGUITY
“Who builds and runs MMCR?”
– Compliance owns regime design
– Internal Audit operates certification and oversight
– Architecture provides subject matter expertise
– SMCR holder provides sponsorship and delegation
REGULATORY UNCERTAINTY
“Will FCA/PRA accept this?”
– MMCR extends proven SMCR principles
– Demonstrates appropriate governance for material risk decisions
– Provides audit trail and accountability
– Position as enhancement to existing governance
PROCESS CONCERNS
“Isn’t this just more bureaucracy?”
– MMCR replaces existing governance bottlenecks
– Net effect is faster decisions with better oversight
– Documentation already required for audit; MMCR improves quality
REGULATORY ALIGNMENT
MMCR aligns with principles-based regulatory expectations:
FCA PRINCIPLES ALIGNMENT
– Principle 3 (Management and control): MMCR provides clear accountability for architectural risk decisions
– Principle 6 (Customers’ interests): Appropriate and adequate architectural decisions protect customer outcomes
– Principle 11 (Relations with regulators): MMCR demonstrates robust governance for material decisions
PRA PRUDENTIAL ALIGNMENT
– Adequate systems and controls for technology risk
– Clear accountability for operational resilience decisions
– Demonstrable competence for mission-critical platform decisions
SMCR EXTENSION
MMCR extends SMCR accountability principles to the decision-making layer where architectural choices are actually made, addressing the gap between senior accountability and operational reality.
OPERATIONAL RESILIENCE
For organizations subject to operational resilience requirements, MMCR provides a governance framework for architectural decisions affecting important business services.
CONCLUSION
The Middle Management Certification Regime provides governance for architectural decision-making that mirrors proven risk management patterns already embedded in insurance operations.
By certifying competence, delegating authority appropriately, requiring principled documentation, and providing risk-based oversight, MMCR enables expert judgment to roll up rather than relying on checklist compliance and hope.
The result is faster, better architectural decisions with genuine rather than theatrical accountability – addressing the critical gap in traditional technology governance frameworks.