1. Certified Risk and Compliance
Management Professional (CRCMP)
Prep Course – Part A
International Association of Risk and Compliance
Professionals (IARCP)
2. Introduction
The International Association of Risk and Compliance
Professionals (IARCP) develops and maintains a
compendium of risk and compliance topics
Subject matter experts review and update this body of
knowledge
The IARCP offers the following risk and compliance
management certification programs:
Certified Risk and Compliance Management
Professional (CRCMP)
Certified Information Systems Risk and Compliance
Professional (CISRCP)
© International Association of Risk and Compliance Professionals (IARCP)
2
3. Introduction
Certified Risk and Compliance Management
Professional (CRCMP)
www.risk-compliance-association.com/Distance_Learning_and_Certification.htm
Certified Information Systems Risk and Compliance
Professional (CISRCP)
www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm
4. Introduction
The exam is online. To find more:
www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf
www.risk-compliance-association.com/CRCP_Certification_Steps_1.pdf
5. Introduction
Instead of just training, you can have more
1. Training
2. Certification - If you pass the exam, you will be
entitled to use the designation: Certified Risk and
Compliance Management Professional (CRCMP)
3. Updates - Become (at no extra cost) a member of the
IARCP to stay current with new developments in risk
and compliance management
You will continue to learn, month after month
6. Agenda
PART A: COMPLIANCE WITH LAWS AND
REGULATIONS, AND RISK MANAGEMENT
Introduction
Regulatory Compliance and Risk Management -
Definitions, roles and responsibilities
The role of the board of directors, the supervisors, the
internal and external auditors
The new international landscape and the interaction
among laws, regulations, and professional standards
7. Agenda
Benefits of an enterprise wide compliance program
Compliance culture: Why it is important, and how to
communicate the regulatory obligations
Policies, Workplace Ethics, Risk and Compliance
Policies, procedures and the ethical code of conduct
Privacy and information security
Handling confidential information
Conflicts of interest
Use of organizational property
8. Agenda
Fair dealings with customers, vendors and competitors
Reporting ethical concerns
Governance, Risk and Compliance
The need for Internal Controls
Understand how to identify, mitigate and control risks
effectively
Approaches to risk assessment
Qualitative, quantitative… stress testing
Integrating risk management into corporate governance
and compliance
9. Agenda
PART B: SARBANES OXLEY
The Sarbanes Oxley Act
Key Sections
SEC, EDGAR, PCAOB, SAG
PCAOB Auditing Standards: What we need to know
Management's Testing
Management's Documentation
Sections 302, 404, 906: The three certifications
Sections 302, 404, 906: Examples and case studies
10. Agenda
Management's Responsibilities
Committees and Teams
Control Deficiency
Deficiency in Design
Deficiency in Operation
Significant Deficiency
Material Weakness
11. Agenda
Companies Affected
International companies
Foreign Private Issuers (FPIs)
Employees Affected
12. Agenda
PART C: BASEL II
Improving risk and asset management to avoid financial
disasters
"Sufficient assets" to offset risks
The technical challenges for both banks and supervisors
How much capital is necessary to serve as a sufficient
buffer?
The three-pillar regulatory structure
Purposes of Basel II
13. Agenda
Pillar 1: Minimum capital requirements
Credit Risk – 3 approaches
The standardized approach to credit risk
The two internal ratings-based (IRB) approaches to credit
risk
Pillar 2: Supervisory review
Key principles
Pillar 3: Market discipline
Disclosure requirements
14. Agenda
Operational Risk
What is operational risk
Legal risk
Information Technology operational risk
Operational Risk Approaches
Basic Indicator Approach (BIA)
Standardized Approach (SA)
Advanced Measurement Approaches (AMA)
15. Agenda
Basel II and other regulations
Common elements and differences of compliance
projects
New standards
Disclosure issues
Multinational companies and compliance challenges
16. Agenda
PART D: THE FRAMEWORKS
Internal Controls - COSO
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
17. Agenda
IT Controls
Deterrent, Preventive, Detective, Corrective, Recovery,
Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls
COSO Enterprise Risk Management (ERM) Framework
Is COSO ERM needed for compliance?
Internal Environment
Objective Setting
Event Identification
18. Agenda
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The two cubes
Objectives: Strategic, Operations, Reporting, Compliance
19. Agenda
COBIT - the framework that focuses on IT
Is COBIT needed for compliance?
COSO or COBIT?
Management Guidelines
The high-level control objectives
What to do with the specific control objectives
Maturity Models
Critical Success Factors (CSFs)
20. Agenda
PART E: DESIGNING AND IMPLEMENTING A RISK
AND COMPLIANCE PROGRAM
Designing an Internal Compliance System
Compliance programs that withstand scrutiny
Documentation
Testing
Ongoing compliance reviews and risk assessments for
continuing compliance with laws and regulations
Compliance Monitoring
The company and other stakeholders
21. Agenda
International and national regulatory requirements
Regulatory compliance in Europe
Regulatory compliance in the USA
The GCC countries
The Caribbean
The Pacific Rim
Common elements and differences of compliance
projects
22. Certified Risk and Compliance
Management Professional (CRCMP)
Prep Course
International Association of Risk and Compliance
Professionals (IARCP)
23. PART A:
COMPLIANCE WITH LAWS AND
REGULATIONS
AND RISK MANAGEMENT
International Association of Risk and
Compliance Professionals (IARCP)
24. Internal controls, Governance, Risk,
Compliance - Corporate governance
CORPORATE GOVERNANCE
Processes, systems and controls put in place to direct and
control an organisation in order to…
… increase performance and achieve shareholder value
As such, it has to do with the performance of
management and the board of directors…
… the sufficiency and reliability of corporate
reporting…
… risk management and internal controls
25. Internal controls, Governance, Risk,
Compliance - Corporate governance
Governments often make decisions about governance …
… it is NOT a “best practice”
The legal and regulatory environment is of paramount
importance
26. Internal controls, Governance, Risk,
Compliance - Corporate governance
A corporation is a separate legal entity…
… and has legal *rights* and *obligations*
A corporation has the ability to hold assets separately
from the assets of its stakeholders
Some legal structures have the ability to limit the
liability of stakeholders
27. Internal controls, Governance, Risk,
Compliance - Corporate governance
The interests of the stakeholders…
… the owners…
… the board of directors…
… executive management…
… managers…
… data owners…
… process owners…
… employees…
… suppliers…
… regulators, supervisors…
… clients and communities
28. Internal controls, Governance, Risk,
Compliance - Corporate governance
Governance - Some common principles
Acting for the Best Interests of the Shareholders
Ethical Behavior
Professional Behavior
Culture of Risk and Compliance
29. Internal controls, Governance, Risk,
Compliance - Corporate governance
Governance - Some common principles
Transparency and Disclosures
Tested and Documented Processes
Tested and Documented Internal Controls
30. OECD Principles of Corporate
Governance - 2004
The original member countries of the OECD are Austria,
Belgium, Canada, Denmark, France, Germany, Greece,
Iceland, Ireland, Italy, Luxembourg, the Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland, Turkey,
the United Kingdom and the United States
Also members:
Japan, Finland, Australia, New Zealand, Mexico, the
Czech Republic, Hungary, Poland, Korea, the Slovak
Republic (14th December 2000)
31. OECD Principles of Corporate
Governance - 2004
The OECD Principles of Corporate Governance were
endorsed by OECD Ministers in 1999…
… when the OECD extended the boundary of
accountability to include stakeholders such as
employees…
… and have since become an international benchmark for
policy makers, investors, corporations and other
stakeholders ***worldwide***
32. OECD Principles of Corporate
Governance - 2004
They have provided specific guidance for legislative and
regulatory initiatives in both OECD and non-OECD
countries
The Rights of Shareholders and Key Ownership
Functions
The corporate governance framework should **protect
and facilitate the exercise of shareholders’ rights**
33. OECD Principles of Corporate
Governance - 2004
A. Basic shareholder rights should include the right to:
Obtain relevant and material information on the
corporation on a timely and regular basis
Share in the profits of the corporation
Shareholders should have the opportunity to ask
questions to the board, including…
… questions relating to the annual external audit
34. Internal controls, Governance, Risk,
Compliance - Risk
RISK:
The possibility of a loss, catastrophe, or other
undesirable outcome
A potential negative impact to an asset
We may accept, mitigate or avoid a risk
Risk is described both qualitatively and quantitatively
Risk is proportional to both the expected losses (impact)
which may be caused by an event and to…
… the probability of this event
35. Internal controls, Governance, Risk,
Compliance - Risk
In technical contexts, the word has several more
specialized uses and meanings
Three of these are particularly important since they are
widely used across disciplines:
1. risk = an unwanted ***event*** which may or may not
occur
2. risk = the ***cause*** of an unwanted event which may
or may not occur
3. risk = the ***probability*** of an unwanted event
which may or may not occur
36. Internal controls, Governance, Risk,
Compliance - Risk
Risk… is it good or bad?
All opportunities come with some degree of risk
Risks and opportunities go hand in hand
An efficient balance between realizing opportunities for
gains and minimizing vulnerabilities and losses
37. Internal controls, Governance, Risk,
Compliance – Risk Management
RISK MANAGEMENT
Making informed business decisions
We mitigate risks only when…
… they are above our risk appetite…
Risks must reach a level that is acceptable to the
organization
38. Internal controls, Governance, Risk,
Compliance – Risk Management
Risk management is an integral **part** of good
management…
… and an essential **part** of good corporate governance
Priorities…
… a cost benefit analysis - the costs of protective
measures for the benefit of achieving the mission of the
organisation
39. Internal controls, Governance, Risk,
Compliance – Risk Management
The types of risks depend on…
… the location…
… the industry…
… the business objectives of the organization
40. Internal controls, Governance, Risk,
Compliance - Risk Management
Risks can result from factors both external and internal to
the organisation
The Risk Management process in an organization is
influenced by:
1. The organization’s mission, vision and objectives
2. Products and services
3. The physical, environmental and regulatory conditions
41. Internal controls, Governance, Risk,
Compliance - Risk Management
Asset: A resource, product, process, or element that an
organization has determined must be protected
Threat: Any potential event that causes a detrimental
impact on the organization
Vulnerability: The lack or weakness of a safeguard that
counters a threat
Safeguard: A control employed to reduce the risk
associated with a specific threat
42. Internal controls, Governance, Risk,
Compliance - Risk Management
Risk management
A. Identification…
… of the risks associated with each process…
An organisation’s exposure to uncertainty
Requires knowledge of the organisation…
… the market…
… the industry…
… the legal, social, political and cultural environment in
which it exists
43. Internal controls, Governance, Risk,
Compliance - Risk Management
B. Assessment…
… qualitative and quantitative…
… evaluating risks and risk impacts…
… and recommending measures to reduce risks
A major element - the assessment of the value of the
information resources
Cost benefit analysis
44. Internal controls, Governance, Risk,
Compliance - Risk Management
C. Management…
… (measurement, mitigation, development of
countermeasures)…
… internal controls…
… implementation of the measures to reduce risks
recommended in the risk assessment process
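Worked example of the three steps above (added here; it is not part of the IARCP course material). The register identifies each risk as an asset / threat / vulnerability entry, assesses it quantitatively (expected loss = probability × impact, the proportionality stated on the Risk slide) and qualitatively (a band relative to the risk appetite), and then manages it: accept when within appetite, otherwise mitigate with the safeguard whose cost-benefit analysis comes out best, or avoid the activity when no safeguard saves more than it costs. All assets, threats, safeguards, monetary figures and the appetite value are constructed sample inputs; the `reduction` fraction, the two-times-appetite band boundary and the treatment rules are assumptions of this example, not formulas from the course.

```python
"""Risk register walk-through: identification, assessment, management.

Added example, not part of the IARCP course material. Every asset, threat,
vulnerability, safeguard, monetary figure and the risk appetite below is a
constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    asset: str            # resource the organization has decided to protect
    threat: str           # potential event with a detrimental impact
    vulnerability: str    # lack or weakness of a safeguard against the threat
    probability: float    # likelihood of the event per year, 0.0 to 1.0
    impact: float         # expected loss if the event occurs, in currency units


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    reduction: float      # assumed fraction of the expected loss the control removes


@dataclass
class Decision:
    risk: Risk
    expected_loss: float
    rating: str
    treatment: str                        # accept, mitigate or avoid
    safeguard: Optional[Safeguard] = None
    net_benefit: float = 0.0              # loss avoided minus safeguard cost
    residual: float = 0.0                 # expected loss that remains after treatment


def expected_loss(risk: Risk) -> float:
    """Quantitative view: risk is proportional to the impact and to the probability."""
    return risk.probability * risk.impact


def qualitative_rating(loss: float, appetite: float) -> str:
    """Qualitative view of the same risk, banded relative to the risk appetite
    (the two-times-appetite boundary is an assumption of this example)."""
    if loss > 2 * appetite:
        return "high"
    if loss > appetite:
        return "medium"
    return "low"


def treat_risk(risk: Risk, appetite: float, options: List[Safeguard]) -> Decision:
    """Accept a risk that is within appetite. Above appetite, mitigate with the
    safeguard whose cost-benefit analysis comes out best; if no safeguard saves
    more than it costs, avoid the activity that carries the risk."""
    loss = expected_loss(risk)
    rating = qualitative_rating(loss, appetite)
    if loss <= appetite:
        return Decision(risk, loss, rating, "accept", residual=loss)
    best: Optional[Safeguard] = None
    best_benefit = 0.0
    for sg in options:
        benefit = loss * sg.reduction - sg.annual_cost
        if benefit > best_benefit:        # only controls that save more than they cost
            best, best_benefit = sg, benefit
    if best is None:
        return Decision(risk, loss, rating, "avoid", residual=0.0)
    residual = loss * (1.0 - best.reduction)
    return Decision(risk, loss, rating, "mitigate", best, best_benefit, residual)


def assess_register(risks: List[Risk], options: Dict[str, List[Safeguard]],
                    appetite: float) -> List[Decision]:
    """Run the register: one decision per identified risk."""
    return [treat_risk(r, appetite, options.get(r.asset, [])) for r in risks]


APPETITE = 10_000.0   # constructed: largest expected annual loss accepted per risk

SAMPLE_RISKS = [      # constructed register entries
    Risk("customer database", "data breach", "unpatched web server", 0.20, 250_000.0),
    Risk("payroll process", "duplicate payment", "no second approver", 0.50, 8_000.0),
    Risk("office laptops", "theft", "no disk encryption", 0.50, 30_000.0),
    Risk("legacy FTP server", "credential theft", "cleartext protocol", 0.60, 20_000.0),
]
SAMPLE_OPTIONS = {    # constructed candidate safeguards per asset
    "customer database": [Safeguard("patch management", 15_000.0, 0.70),
                          Safeguard("web application firewall", 40_000.0, 0.50)],
    "office laptops": [Safeguard("full-disk encryption", 2_000.0, 0.95)],
    "legacy FTP server": [Safeguard("network isolation", 15_000.0, 0.50)],
}

if __name__ == "__main__":
    for d in assess_register(SAMPLE_RISKS, SAMPLE_OPTIONS, APPETITE):
        line = f"{d.risk.asset}: loss {d.expected_loss:,.0f} ({d.rating}) -> {d.treatment}"
        if d.safeguard:
            line += f" via {d.safeguard.name}, net benefit {d.net_benefit:,.0f}"
        if d.residual > APPETITE:
            line += " [residual still above appetite: escalate]"
        print(line)
```

Run it directly to print one decision per risk. The customer database case is the one worth noticing: the chosen safeguard pays for itself, yet the residual expected loss stays above appetite, which is exactly the situation an assessment should escalate rather than close.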
45. Problems…
Over Optimism
Misrepresentation - false, incorrect, improper, or
incomplete statement of material facts
Alarmism - production of needless warnings
Prejudice
46. Where do you work?
In a military environment or in a bank…
… we have the same principles in risk management!
Let’s have a look at some Information Warfare slides…
… all the principles apply in a corporate environment as
well
52. Australia/New Zealand Standard 4360
Since 1992
Three major elements:
1. The risk management workflow
2. Monitoring and review
3. Communication and consultation
54. Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
57. Vulnerabilities…
Vulnerability:
A flaw or weakness in system security procedures,
design, implementation, or internal controls that…
… could be exercised (accidentally triggered or
intentionally exploited)…
… and result in a security breach or a violation of the
system’s security policy
62. Example: Government of Canada,
Communications Security Establishment
63. Outsourcing and Risk Management
“Management remains responsible”
Sarbanes-Oxley Act, Section 404:
“Management remains responsible” for service providers
This responsibility cannot be delegated to the service
provider
Basel II, Outsourcing in Financial Services:
“Management remains responsible”
The Committee of European Banking Supervisors
(CEBS) – “Guidelines on Outsourcing”
“Management remains responsible”
64. Outsourcing
and Risk Management
USA - The Board of Governors of the Federal Reserve
System - “Outsourcing of Information and Transaction
Processing”
“Ensure that controls over outsourced information and
transaction processing activities…
… are equivalent to those that would be implemented…
… if the activity were conducted internally”
65. Good Corporate Governance and Risk
Management is very important
A good Risk Management Program is important for:
1. The company’s credit rating
Credit rating agencies believe that a good Risk
Management Program is very important for the credit
rating of firms
2. The company’s reputation
3. The company’s cost of capital
66. Good Corporate Governance and Risk
Management is very important
4. Audit firm resignations and refusals
5. The company’s share price
6. The likelihood that the external auditor’s opinion on
the financial statements is wrong
67. Good Corporate Governance and Risk
Management is very important
After the risk management failures in 2007-2008…
… good risk management is a source of ***value
creation***
Risk management MUST be linked to the overall
objective of value maximization
We must communicate what we do to all stakeholder
groups
This dimension is often unknown to employees
68. Good Corporate Governance and Risk
Management is very important
In the past, the capital markets *were* only interested in
the share price …
… and did not pay much attention to corporate
governance and risk management
Today, good corporate governance practice is strongly
tied to investment decisions and corporate value
69. Internal controls, Governance, Risk,
Compliance - Compliance
Acting in accordance with laws and regulations
Laws are enacted by legislative bodies…
… while regulations are created by government agencies
One of the major risks: No compliance!
Compliance with external laws…
… and internal policies and procedures
Standards and best practices do NOT have the force of
law
70. Enterprise wide risk and compliance
program
One solution for one problem
Best Practices
More cost effective
Auditors understand how we manage risks
The board understands
Easier testing and documentation
71. Enterprise wide risk and compliance
program
According to Susan Schmidt Bies (member of the Board
of Governors of the Federal Reserve System):
“An enterprise-wide approach can integrate the risk
assessment of functions that have traditionally been
managed in silos
A culture of compliance should establish - from the top of
the organization - the proper ethical tone that will govern
the conduct of business”
74. Policies
Policies are considered the highest level of
documentation
Standards, Guidelines and Procedures are derived from
policies
Acknowledgment of importance of resources
75. Policies
High level principles
Without well structured policies an organisation will be
unstructured…
… unfocussed…
… and probably operationally and financially ineffective
76. Policy - Example:
“We respect privacy”
77. Privacy and Information Security
From Privacy vs. Information Security…
… to Information Security to comply with Privacy rules
A legal obligation…
… a risk of no compliance
High level policies…
…in line with functional policies (procedures)
78. Procedures and Standards
These contain the actual detail of the policy
Describe how the policies should be implemented
Procedures: Detail the steps required to implement the
policy
Sometimes called “practices”
Standards: Specify use of technology in a uniform way
and should be made compulsory
79. Baselines and Guidelines
Baselines: Similar to standards; standards can be
developed after the baseline is established
Sensitivity level, current / normal situation
Guidelines: Similar to standards but not compulsory,
more flexible
80. “Regulatory” Policies
The company is required to implement policies to
comply with legal or regulatory requirements
Usually very detailed and specific to the industry of
the organization
A well written policy can provide protection from
liability
81. Ethics
Code of Ethics - Soft law
Not legal… or not ethical?
An organization's beliefs and culture
Procedures to be used in specific situations such as
conflicts of interest or the acceptance of gifts
The effectiveness of the code of ethics depends on…
… the extent to which it has the support of the
management…
… with sanctions and rewards
82. Ethics
Code of Ethics - Example
“Respect: We treat others as we would like to be treated
ourselves. Ruthlessness, callousness and arrogance don't
belong here”
“Integrity: We work with customers and prospects
openly, honestly and sincerely. When we say we will do
something, we will do it”
“Communication: We believe that information is meant
to move and that information moves people”
(From Enron’s Code of Ethics)
83. A great firm now: Merck, a global research-
driven pharmaceutical company
“Accountability: Each of us is responsible for adhering to
the values and standards set forth in this Code…
… and for raising questions if we are uncertain as to
whether or not the standards are being met
Violations of the Code may result in a variety of
corrective actions and…
… in some cases, may result in disciplinary action up to
and including termination of employment”
84. A great firm now: Merck, a global research-
driven pharmaceutical company
www.merck.com/about/conduct.html
The code includes:
Relationships with Our Customers
Relationships with Fellow Employees
Relationships with Shareholders
Relationships with Suppliers
Relationships with Our Communities and Society
Compliance with Laws, Rules and Regulations
Raising Concerns
85. Conflicts of Interest and Ethics
A natural or legal person...
... has a *private* interest that could influence the
objective exercise of his or her official duties
“An interest” - a financial interest, or a special advantage
that comes into conflict with a duty
For him or his family and friends
86. Conflicts of Interest and Ethics
Examples
A. Self Review
B. The CEO of a private consulting company works for
the government...
... and uses his official position to secure a contract for
the private firm
C. Using confidential information
89. Risk and Compliance
Key Roles - Senior management
Senior management
They must understand the risks…
… provide the resources needed …
… and “ensure” that the firm can accomplish its
objectives
Reasonable assurance
90. Risk and Compliance
Key Roles - Risk Officer
The Role of the Risk Officer
There is no definition... and where there is one, it is far
from uniform
But there is something that you need to know: The role
of the risk officer becomes more important year after year
All companies try to understand risks and spend much
money to manage risks
Risk officers play an important role in implementing
enterprise risk management
91. Risk and Compliance
Key Roles - Risk Officer
Risk officers have one additional obligation: To
explain…
… risks and countermeasures…
… to owners…
… auditors…
… senior management…
… and the board of directors
92. Risk and Compliance
Key Roles – Chief Risk Officer
The Role of the Chief Risk Officer
The Chief Risk Officer's job is to ensure that the
organization is in full compliance with applicable laws
and regulations
He must coordinate the company's risk management
efforts…
… explain risks and controls to senior management and
the board…
… and make recommendations
93. Risk and Compliance
Key Roles – Chief Risk Officer
The Chief Risk Officer is rapidly becoming one of the 3-5
most important members of the management team
Some important paragraphs from a report by the
Economist Intelligence Unit, sponsored by ACE,
Cisco Systems, Deutsche Bank and IBM:
“For a corporate post with only a decade of history, the
chief risk officer (CRO) attracts a lot of attention”
94. Risk and Compliance
Key Roles – Chief Risk Officer
“CROs have consolidated their position in the financial
sector, where they began…
… and are increasingly to be found in other industries”
“As companies seek to respond to increased regulatory
pressures and a growing array of business risks…
… the CRO is emerging as one of the most important
positions in the management team”
95. Risk and Compliance
Key Roles – Chief Risk Officer
“Regulatory compliance is the top priority for risk
management”
“Regulatory risk ranks as one of the top two threats to
global business”
“Regulatory compliance is the CRO’s primary
responsibility”
[Business continuity is also a top priority]
96. Case Study: Credit Suisse
98. Risk and Compliance
Key Roles – Chief Compliance Officer
The Role of the Chief Compliance Officer
According to Commissioner Cynthia A. Glassman, U.S.
Securities and Exchange Commission…
“While the CEO cannot delegate his or her ultimate
responsibility…
… a company should have an officer with ownership of
corporate compliance and ethics issues…
… and of what Title III of Sarbanes-Oxley broadly refers
to as ***Corporate Responsibility***”…
99. Risk and Compliance
Key Roles – Chief Compliance Officer
“While every company must assess its particular needs
based on the size and nature of its business…
… there are several characteristics that I would want the
corporate responsibility officer to have…
… if I were relying on this person:”
“He or she should have sufficient seniority and authority
to take the actions necessary under the circumstances”
“Ask yourself if this person would be able to address the
worst-case scenario”
100. Risk and Compliance
Key Roles – Chief Compliance Officer
“The position should have the full support of the CEO
and senior management, both in theory and in practice
The corporate responsibility officer should *have access*
and provide regular reports to senior management”
“He or she can play an important role in helping a
company meet the ***information gathering and
reporting requirements***
101. Risk and Compliance
Key Roles – Chief Compliance Officer
“The corporate responsibility officer should have the
ability to report directly to the board (for example, to the
audit committee chairman)…
… on matters of significant import to the company or
matters involving misconduct by senior management”
In addition, the responsible officer should have
sufficient time and adequate resources to implement the
company's ***corporate responsibility program*** in an
effective manner
104. Risk and Compliance
Key Roles - Owners
Data owners
Understand, Give permissions
Process and system owners
Need to “ensure” (reasonable assurance) that the risks are
identified and managed …
… and appropriate controls are deployed
105. Key Roles
The role of the internal auditors
According to the Institute of Internal Auditors (IIA)…
…Internal Auditing is an independent, objective
assurance and consulting activity…
… designed to add value and…
… improve an organization's operations
It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach…
… to evaluate and improve the effectiveness of risk
management, control, and governance processes
106. Key Roles
The role of the internal auditors
The internal audit activity evaluates risk exposures
relating to the organization's governance, operations and
information systems, in relation to:
Effectiveness and efficiency of operations
Reliability and integrity of financial and operational
information
Safeguarding of assets
Compliance with laws, regulations, and contracts
107. Key Roles
The role of the internal auditors
While management is responsible for internal controls…
… the internal audit activity provides ***assurance*** to
management and the audit committee that …
…internal controls are effective and…
… working as intended
108. The role of the internal auditors
“Continuous Auditing”
An evolving regulatory environment…
… increased globalization of businesses…
… market pressure to improve operations…
… and rapidly changing business conditions…
… are creating the need for more timely and ongoing
assurance that controls are working effectively and risk is
being mitigated
Continuous auditing changes the audit paradigm *from
periodic reviews* of a sample of transactions to
**ongoing** audit testing of 100 percent of transactions
109. Key Roles
The role of the external auditors
They provide independent assurance to society
The role of the external auditor is similar to the role of
the supervisors and regulators
*The regulators* safeguard stability and investor
interests
*The external auditors* work for the private interests of
the shareholders of a company
External auditors and supervisors cooperate
110. Key Roles
The role of the external auditors
Professional Standards - independence, objectivity and
integrity
Conflicts of Interest
Non-audit services
111. Key Roles
The role of the Board of Directors
A. Directors must learn and keep up to date with
the industry’s best practices in risk management
B. Directors must ensure that the *management and key
employees* and process owners also learn and keep up to
date
Is staff qualified, with the necessary experience and
technical capabilities?
Who knows the policies, the procedures and the tasks?
There is enough information – is there also enough
communication?
112. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
1. The risk management framework
2. Senior management’s guidance and direction
regarding the principles underlying the framework
113. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
3. Policies developed by senior management - to identify,
assess, monitor, control and mitigate risks
Policies for the treatment of non-compliance. No
tolerance, no temptations
4. Key processes to manage risks
5. Clear lines of management responsibility,
accountability and reporting for risks
114. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
6. Separation of duties and responsibilities – conflict of
interest issues
7. The risk appetite and tolerance for risks
8. The risk transferred outside the organization
115. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
9. High Impact / Low Frequency events and the strategy
to identify and manage these risks
10. Early warning indicators
11. Measurement methodologies - Quantification of
exposure to risks, not only qualitative approaches
116. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
12. Self-assessments
Is it an enterprise wide process?
Can it be used for accountability?
Who learns the issues?
Can it be used in risk identification as well as
mitigation?
13. Assumptions
117. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
14. The risks associated with outsourcing activities
Is there oversight of third-party activities?
Is there a clear allocation of responsibilities and clear
expectations between external service providers and the
organization?
118. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
Is there an assessment of the materiality of outsourcing
arrangements?
Does the organization exercise initial due diligence?
Is the organization monitoring and testing third-party
activities on a regular basis?
119. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
15. Contingency plans
Business Impact Analysis, Disaster Recovery and
Business Continuity Plans
Has the organization identified critical business
processes, including dependence on external vendors or
third parties?
120. Key Roles
The role of the Board of Directors
C. Directors must understand and approve
Are the alternate facilities / hot sites an adequate distance
away from the primary operations?
Is there a periodic review of these plans?
Is there training and testing?
Are there clear descriptions of roles and responsibilities?
121. Key Roles
The role of the Board of Directors
D. Directors must establish
A management structure…
… capable of implementing the firm's risk management
framework
122. Key Roles
The role of the Board of Directors
E. Directors must ensure that
The risk is still managed after external and internal
*changes* or new products, activities and systems
The risk management system is well documented
They do their best to establish a strong internal control
culture in which control activities are an integral part of
the activities of the bank
123. Key Roles
The role of the Board of Directors
E. Directors must ensure that
The risk management framework is implemented
consistently across the whole bank
They learn about material losses
There is adequate and meaningful reporting
124. Key Roles
The role of the Board of Directors
E. Directors must ensure that
They understand and meet the auditors, the internal
audit function and the staff responsible for monitoring
compliance
There is adequate internal audit coverage to verify
effective implementation of policies and procedures
There is a clear audit plan and scope with respect to
operational risk management
The internal audit function does not have operational
risk management responsibilities (it must stay
independent of what it audits)
125. Director’s responsibilities include
Duty of care
To exercise the care that an ordinarily prudent person in
a like position would use under similar circumstances
What does a prudent director do?
1. Learns - all material information reasonably available
before making a business decision
There is “good faith” only in the case of an informed
business decision
2. Considers alternatives
126. Director’s responsibilities include
Duty of care
3. Attends meetings of the board and of the committees
4. Asks questions
5. Tries to prevent and detect illegal conduct
6. Exercises oversight
127. Director’s responsibilities include
Duty of loyalty
What does a prudent director do?
Acts in good faith - in a manner he / she reasonably
believes to be in the best interests of the corporation
128. Director’s responsibilities include
Duty of loyalty
Proves that he / she acts in good faith - is alert to any
interest he or she may have that might be considered to
conflict with the best interests of the corporation
Discloses fully and carefully any financial or personal
interests in matters to which the corporation is a party
For example, contracts in which he / she has a financial
or other personal interest
129. Director’s responsibilities include
Duty of loyalty
What does a prudent director do?
Keeps confidential all matters involving the corporation
that have not been disclosed to the general public…
… Directors are not authorized spokespersons for the
corporation
130. To continue with Part B of the course and become a
Certified Risk and Compliance Management Professional
(CRCMP), visit:
www.risk-compliance-
association.com/Distance_Learning_and_Certification.htm