Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Certified Risk and Compliance
Management Professional (CRCMP)
Prep Course – Part A

International Association of Risk and Compliance
Professionals (IARCP)

Introduction
 The International Association of Risk and Compliance
Professionals (IARCP) develops and maintains a
compendium of risk and compliance topics
 Subject matter experts review and update this body of
knowledge
 The IARCP offers the following risk and compliance
management certification programs:
 Certified Risk and Compliance Management
Professional (CRCMP)
 Certified Information Systems Risk and Compliance
Professional (CISRCP)

© International Association of Risk and Compliance Professionals (IARCP)
2

Introduction
 Certified Risk and Compliance Management
Professional (CRCMP)
 www.risk-compliance-
association.com/Distance_Learning_and_Certification.htm
 Certified Information Systems Risk and Compliance
Professional (CISRCP)
association.com/CISRCP_Distance_Learning_and_Certification.htm

3

Introduction
 The exam is online. To find more:
association.com/Questions_About_The_Certification_An
d_The_Exams_1.pdf
association.com/CRCP_Certification_Steps_1.pdf

4

Introduction
 Instead of just training, you can have more
 1. Training
 2. Certification - If you pass the exam, you will be
entitled to use the designation: Certified Risk and
Compliance Management Professional (CRCMP)
 3. Updates - Become (at no extra cost) a member of the
IARCP to stay current with new developments in risk
and compliance management

 You will continue to learn, month after month

5

Agenda
 PART A: COMPLIANCE WITH LAWS AND
REGULATIONS, AND RISK MANAGEMENT
 Introduction
 Regulatory Compliance and Risk Management -
Definitions, roles and responsibilities
 The role of the board of directors, the supervisors, the
internal and external auditors
 The new international landscape and the interaction
among laws, regulations, and professional standards

6

Agenda
 Benefits of an enterprise wide compliance program
 Compliance culture: Why it is important, and how to
communicate the regulatory obligations
 Policies, Workplace Ethics, Risk and Compliance
 Policies, procedures and the ethical code of conduct
 Privacy and information security
 Handling confidential information
 Conflicts of interest
 Use of organizational property

7

Agenda
 Fair dealings with customers, vendors and competitors
 Reporting ethical concerns
 Governance, Risk and Compliance
 The need for Internal Controls
 Understand how to identify, mitigate and control risks
effectively
 Approaches to risk assessment
 Qualitative, quantitative… stress testing
 Integrating risk management into corporate governance
and compliance

8

Agenda
 PART B: SARBANES OXLEY
 The Sarbanes Oxley Act
 Key Sections
 SEC, EDGAR, PCAOB, SAG
 PCAOB Auditing Standards: What we need to know
 Management's Testing
 Management's Documentation
 Sections 302, 404, 906: The three certifications
 Sections 302, 404, 906: Examples and case studies

9

Agenda
 Management's Responsibilities
 Committees and Teams

 Control Deficiency
 Deficiency in Design
 Deficiency in Operation
 Significant Deficiency
 Material Weakness

10

Agenda
 Companies Affected
 International companies
 Foreign Private Issuers (FPIs)
 Employees Affected

11

Agenda
 PART C: BASEL II
 Improving risk and asset management to avoid financial
disasters
 "Sufficient assets" to offset risks
 The technical challenges for both banks and supervisors
 How much capital is necessary to serve as a sufficient
buffer?
 The three-pillar regulatory structure
 Purposes of Basel II

12

Agenda
 Pillar 1: Minimum capital requirements
 Credit Risk – 3 approaches
 The standardized approach to credit risk
 The two internal ratings-based (IRB) approaches to credit
risk
 Pillar 2: Supervisory review
 Key principles
 Pillar 3: Market discipline
 Disclosure requirements

13

Agenda
 Operational Risk
 What is operational risk
 Legal risk
 Information Technology operational risk

 Operational Risk Approaches
 Basic Indicator Approach (BIA)
 Standardized Approach (SA)
 Advanced Measurement Approaches (AMA)

14

Agenda
 Basel II and other regulations

 Common elements and differences of compliance
projects
 New standards
 Disclosure issues
 Multinational companies and compliance challenges

15

Agenda
 PART D: THE FRAMEWORKS
 Internal Controls - COSO
 The Control Environment
 Risk Assessment
 Control Activities
 Information and Communication
 Monitoring
 Effectiveness and Efficiency of Operations
 Reliability of Financial Reporting
 Compliance with applicable laws and regulations

16

Agenda
 IT Controls
 Deterrent, Preventive, Detective, Corrective, Recovery,
Compensating, Monitoring and Disclosure Controls
 Layers of overlapping controls
 COSO Enterprise Risk Management (ERM) Framework
 Is COSO ERM needed for compliance?
 Internal Environment
 Objective Setting
 Event Identification

17

Agenda
 Risk Assessment
 Risk Response
 Control Activities
 Information and Communication
 Monitoring

 The two cubes
 Objectives: Strategic, Operations, Reporting, Compliance

18

Agenda
 COBIT - the framework that focuses on IT
 Is COBIT needed for compliance?
 COSO or COBIT?
 Management Guidelines
 The high-level control objectives
 What to do with the specific control objectives

 Maturity Models
 Critical Success Factors (CSFs)

19

Agenda
 PART E: DESIGNING AND IMPLEMENTING A RISK
AND COMPLIANCE PROGRAM
 Designing an Internal Compliance System
 Compliance programs that withstand scrutiny
 Documentation
 Testing
 Ongoing compliance reviews and risk assessments for
continuing compliance with laws and regulations
 Compliance Monitoring
 The company and other stakeholders

20

Agenda
 International and national regulatory requirements
 Regulatory compliance in Europe
 Regulatory compliance in the USA
 The GCC countries
 The Caribbean
 The Pacific Rim
 Common elements and differences of compliance
projects

21

Certified Risk and Compliance
Management Professional (CRCMP)
Prep Course

International Association of Risk and Compliance
Professionals (IARCP)

PART A:
COMPLIANCE WITH LAWS AND
REGULATIONS
AND RISK MANAGEMENT

International Association of Risk and
Compliance Professionals (IARCP)

Internal controls, Governance, Risk,
Compliance - Corporate governance
 CORPORATE GOVERNANCE
 Processes, systems and controls put in place to direct and
control an organisation in order to…
 … increase performance and achieve shareholder value
 As such, it has to do with the performance of
management and the board of directors…
 … the sufficiency and reliability of corporate
reporting…
 … risk management and internal controls

24

 Governments often make decisions about governance …
 … it is NOT a “best practice”

 The legal and regulatory environment is of paramount
importance

25

 A corporation is a a separate legal entity…
 … and has legal *rights* and *obligations*

 A corporation has the ability to hold assets separately
from the assets of its stakeholders

 Some legal structures have the ability to limit the
liability of stakeholders

26

 The interests of the stakeholders…
 … the owners…
 … the board of directors…
 … executive management…
 … managers…
 … data owners…
 … process owners…
 … employees…
 … suppliers…
 … regulators, supervisors…
 … clients and communities

27

 Governance - Some common principles

 Acting for the Best Interests of the Shareholders

 Ethical Behavior

 Professional Behavior

 Culture of Risk and Compliance

28

 Governance - Some common principles

 Transparency and Disclosures

 Tested and Documented Processes

 Tested and Documented Internal Controls

29

OECD Principles of Corporate
Governance - 2004
 The original member countries of the OECD are Austria,
Belgium, Canada, Denmark, France, Germany, Greece,
Iceland, Ireland, Italy, Luxembourg, the Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland, Turkey,
the United Kingdom and the United States

 Also members:
 Japan, Finland, Australia, New Zealand, Mexico, the
Czech Republic, Hungary, Poland, Korea, the Slovak
Republic (14th December 2000)

30

Governance - 2004
 The OECD Principles of Corporate Governance were
endorsed by OECD Ministers in 1999…
 … when the OECD extended the boundary of
accountability to include stakeholders such as
employees…
 … and have since become an international benchmark for
policy makers, investors, corporations and other
stakeholders ***worldwide***

31

Governance - 2004
 They have provided specific guidance for legislative and
regulatory initiatives in both OECD and non OECD
countries

 The Rights of Shareholders and Key Ownership
Functions

 The corporate governance framework should **protect
and facilitate the exercise of shareholders’ rights**

32

Governance - 2004
 A. Basic shareholder rights should include the right to:

 Obtain relevant and material information on the
corporation on a timely and regular basis

 Share in the profits of the corporation

 Shareholders should have the opportunity to ask
questions to the board, including…
 … questions relating to the annual external audit

33

Compliance - Risk
 RISK:
 The possibility of a loss, catastrophe, or other
undesirable outcome
 A potential negative impact to an asset
 We may accept, mitigate or avoid a risk
 Risk is described both qualitatively and quantitatively

 Risk is proportional to both the expected losses (impact)
which may be caused by an event and to…
 … the probability of this event

34

Compliance - Risk
 In technical contexts, the word has several more
specialized uses and meanings
 Three of these are particularly important since they are
widely used across disciplines:
 1. risk = an unwanted ***event*** which may or may not
occur
 2. risk = the ***cause*** of an unwanted event which may
or may not occur
 3. risk = the ***probability*** of an unwanted event
which may or may not occur

35

Compliance - Risk
 Risk… is it good or bad?

 All opportunities come with some degree of risk

 Risks and opportunities go hand in hand

 An efficient balance between realizing opportunities for
gains and minimizing vulnerabilities and losses

36

Compliance – Risk Management
 RISK MANAGEMENT
 Making informed business decisions

 We mitigate risks only when…
 … they are above our risk appetite…

 Risks must reach a level that is acceptable to the
organization

37

 Risk management is an integral **part** of good
management…
 … and an essential **part** of good corporate governance

 Priorities…
 … a cost benefit analysis - the costs of protective
measures for the benefit of achieving the mission of the
organisation

38

 The types of risks depend on…
 … the location…
 … the industry…
 … the business objectives of the organization

39

Compliance - Risk Management
 Risks can result from factors both external and internal to
the organisation

 The Risk Management process in an organization is
influenced by:
 1. The organization’s mission, vision and objectives
 2. Products and services
 3. The physical, environmental and regulatory conditions

40

 Asset: A resource, product, process, or element that an
organization has determined must be protected

 Threat: Any potential event that causes a detrimental
impact on the organization
 Vulnerability: The lack / weakness of a safeguard counter
to a threat

 Safeguard: A control employed to reduce the risk
associated with a specific threat

41

 Risk management

 A. Identification…
 … of the risks associated with each process…
 An organisation’s exposure to uncertainty
 Requires knowledge of the organisation…
 … the market…
 … the industry…
 … the legal, social, political and cultural environment in
which it exists

42

 B. Assessment…
 … qualitative and quantitative…
 … evaluating risks and risk impacts…
 … and recommending measures to reduce risks

 A major element - the assessment of the value of the
information resources

 Cost benefit analysis

43

 C. Management…

 … (measurement, mitigation, development of
countermeasures)…

 … internal controls…

 … implementation of the measures to reduce risks
recommended in the risk assessment process

44

Problems…
 Over Optimism

 Misrepresentation - false, incorrect, improper, or
incomplete statement of material facts

 Alarmism - production of needless warnings

 Prejudice

45

Where do you work?
 In a military environment or in a bank…
 … we have the same principles in risk management!

 Let’s have a look at some Information Warfare slides…
 … all the principles apply in a corporate environment as
well

46

47

48

49

50

51

Australia/New Zealand Standard 4360
 Since 1992
 Three major elements:

 1. The risk management workflow

 2. Monitoring and review

 3. Communication and consult

52

Australia/New Zealand Standard 4360

53

Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30

54

Technology Systems

55

Technology Systems

56

Vulnerabilities…
 Vulnerability:
 A flaw or weakness in system security procedures,
design, implementation, or internal controls that…
 … could be exercised (accidentally triggered or
intentionally exploited)…
 … and result in a security breach or a violation of the
system’s security policy

57

Threats and Vulnerabilities

58

Risk Mitigation Methodology
Flowchart

59

Flowchart

60

Flowchart

61

Example: Government of Canada,
Communications Security Establishment

62

Outsourcing and Risk Management
“Management remains responsible”
 Sarbanes-Oxley Act, Section 404:
 “Management remains responsible” for service providers
 This responsibility cannot be delegated to the service
provider
 Basel ii, Outsourcing in Financial Services:
 “Management remains responsible”
 The Committee of European Banking Supervisors
(CEBS) – “Guidelines on Outsourcing”
 “Management remains responsible”

63

Outsourcing
and Risk Management
 USA - The Board of Governors of the Federal Reserve
System - “Outsourcing of Information and Transaction
Processing”
 “Ensure that controls over outsourced information and
transaction processing activities…
 … are equivalent to those that would be implemented…
 … if the activity were conducted internally”

64

Good Corporate Governance and Risk
Management is very important
 A good Risk Management Program is important for:
 1. The company’s credit rating
 Credit rating agencies believe that a good Risk
Management Program is very important for the credit
rating of firms

 2. The company’s reputation

 3. The company’s cost of capital

65

 4. Audit firm resignations and refusals

 5. The company’s share price

 6. The likelihood that external auditor’s opinion on
financial statements is wrong

66

 After the risk management failures in 2007-2008…
 … good risk management is a source of ***value
creation***

 Risk management MUST be linked to the overall
objective of value maximization
 We must communicate what we do to all stakeholder
groups
 This dimension is often unknown to employees

67

 In the past, the capital markets *were* only interested in
the share price …
 … and did not pay much attention to corporate
governance and risk management

 Today good corporate governance practice is now
strongly tied to investment decisions and corporate value

68

Compliance - Compliance
 Acting in accordance with laws and regulations

 Laws are enacted by legislative bodies…
 … while regulations are created by government agencies

 One of the major risks: No compliance!
 Compliance with external laws…
 … and internal policies and procedures
 Standards and best practices do NOT have the force of
law

69

Enterprise wide risk and compliance
program
 One solution for one problem
 Best Practices
 More cost effective
 Auditors understand how we manage risks
 The board understands
 Easier testing and documentation

70

Enterprise wide risk and compliance
program
 According to Susan Schmidt Bies (member of the Board
of Governors of the Federal Reserve System):
 “An enterprise-wide approach can integrate the risk
assessment of functions that have traditionally been
managed in silos
 A culture of compliance should establish- from the top of
the organization - the proper ethical tone that will govern
the conduct of business”

71

Policies, Procedures, Baselines,
Guidelines, Ethics

73

Policies
 Policies are considered the highest level of
documentation

 Standards, Guidelines and Procedures are derived from
policies

 Acknowledgment of importance of resources

74

Policies
 High lever principles

 Without well structured policies an organisation will be
unstructured…
 … unfocussed…
 … and probably operationally and financially ineffective

75

Policy - Example:
“We respect privacy”

76

Privacy and Information Security
 From Privacy vs. Information Security…
 … to Information Security to comply with Privacy rules

 A legal obligation…
 … a risk of no compliance

 High level policies…
 …in line with functional policies (procedures)

77

Procedures and Standards
 These contain the actual detail of the policy
 Describe how the policies should be implemented

 Procedures: Detail the steps required to implement the
policy
 Sometimes called “practices”

 Standards: Specify use of technology in a uniform way
and should be made compulsory

78

Baselines and Guidelines
 Baselines: Baselines are similar to standards,
standards can be developed after the baseline is
established

 Sensitivity level, current / normal situation

 Guidelines: Similar to standards but not compulsory,
more flexible

79

“Regulatory” Policies
 The company is required to implement policies to
comply with legal or regulatory requirements

 Usually very detailed and specific to the industry of
the organization

 A well written policy can provide protection from
liability

80

Ethics
 Code of Ethics - Soft law
 Not legal… or not ethical?
 An organization's beliefs and culture
 Procedures to be used in specific situations such as
conflicts of interest or the acceptance of gifts

 The effectiveness of the code of ethics depends on…
 … the extent to which it has the support of the
management…
 … with sanctions and rewards

81

Ethics
 Code of Ethics - Example
 “Respect: We treat others as we would like to be treated
ourselves. Ruthlessness, callousness and arrogance don't
belong here”
 “Integrity: We work with customers and prospects
openly, honestly and sincerely. When we say we will do
something, we will do it”
 “Communication: We believe that information is meant
to move and that information moves people”
 (From Enron’s Code of Ethics)

82

A great firm now: Merck, a global research-
driven pharmaceutical company
 “Accountability: Each of us is responsible for adhering to
the values and standards set forth in this Code…
 … and for raising questions if we are uncertain as to
whether or not the standards are being met

 Violations of the Code may result in a variety of
corrective actions and…
 … in some cases, may result in disciplinary action up to
and including termination of employment”

83

A great firm now: Merck, a global research-
driven pharmaceutical company
 www.merck.com/about/conduct.html
 The code includes:
 Relationships with Our Customers
 Relationships with Fellow Employees
 Relationships with Shareholders
 Relationships with Suppliers
 Relationships with Our Communities and Society
 Compliance with Laws, Rules and Regulations
 Raising Concerns

84

Conflicts of Interest and Ethics
 A natural or legal person...
 ... has a *private* interest that could influence the
objective exercise of his or her official duties

 “An interest” - a financial interest, or a special advantage
that comes into conflict with a duty
 For him or his family and friends

85

Conflicts of Interest and Ethics
 Examples
 A. Self Review

 B. The CEO of a private consulting company works for
the government...
 ... and uses his official position to secure a contract for
the private firm

 C. Using confidential information

86

87

Risk and Compliance
Key Roles

Risk and Compliance
Key Roles - Senior management
 Senior management
 They must understand the risks…
 … provide the resources needed …
 … and “ensure” that the firm can accomplish its
objectives
 Reasonable assurance

89

Risk and Compliance
Key Roles - Risk Officer
 The Role of the Risk Officer
 There is no definition... and where there is one, it is far
from uniform
 But there is something that you need to know: The role
of the risk officer becomes more important year after year

 All companies try to understand risks and spend much
money to manage risks
 Risk officers play an important role in implementing
enterprise risk management

90

Risk and Compliance
Key Roles - Risk Officer
 Risk officers have one additional obligation: To
explain…
 … risks and countermeasures…
 … to owners…
 … auditors…
 … senior management…
 … and the board of directors

91

Risk and Compliance
Key Roles – Chief Risk Officer
 The Role of the Chief Risk Officer
 The Chief Risk Officer's job is to ensure that the
organization is in full compliance with applicable laws
and regulations
 He must coordinate the company's risk management
efforts…
 … explain risks and controls to senior management and
the board…
 … and make recommendations

92

Risk and Compliance
 The Chief Risk Officer is rapidly becoming one of the 3-5
most important members of the management team

 We read some important paragraphs from a report from
the Economist Intelligence Unit Sponsored by: ACE,
Cisco Systems, Deutsche Bank and IBM

 “For a corporate post with only a decade of history, the
chief risk officer (CRO) attracts a lot of attention”

93

Risk and Compliance
 “CROs have consolidated their position in the financial
sector, where they began…
 … and are increasingly to be found in other industries”
 “As companies seek to respond to increased regulatory
pressures and a growing array of business risks…
 … the CRO is emerging as one of the most important
positions in the management team”

94

Risk and Compliance
 “Regulatory compliance is the top priority for risk
management”
 “Regulatory risk ranks as one of the top two threats to
global business”
 Regulatory compliance is the CRO’s primary
responsibility”

 [Business continuity is also a top priority]

95

Case Study: Credit Suisse

96

Case Study: Credit Suisse

97

Risk and Compliance
Key Roles – Chief Compliance Officer
 The Role of the Chief Compliance Officer
 According to Commissioner Cynthia A. Glassman, U.S.
Securities and Exchange Commission…
 “While the CEO cannot delegate his or her ultimate
responsibility…
 … a company should have an officer with ownership of
corporate compliance and ethics issues… …
 … and of what Title III of Sarbanes-Oxley broadly refers
to as ***Corporate Responsibility***”…

98

Risk and Compliance
 “While every company must assess its particular needs
based on the size and nature of its business…
 … there are several characteristics that I would want the
corporate responsibility officer to have…
 … if I were relying on this person:”
 “He or she should have sufficient seniority and authority
to take the actions necessary under the circumstances”
 “Ask yourself if this person would be able to address the
worst-case scenario”

99

Risk and Compliance
 “The position should have the full support of the CEO
and senior management, both in theory and in practice

 The corporate responsibility officer should *have access*
and provide regular reports to senior management”

 “He or she can play an important role in helping a
company meet the ***information gathering and
reporting requirements***

100

Risk and Compliance
 “The corporate responsibility officer should have the
ability to report directly to the board (for example, to the
audit committee chairman)…
 … on matters of significant import to the company or
matters involving misconduct by senior management”

 In addition, the responsible officer should have
sufficient time and adequate resources to implement the
company's ***corporate responsibility program*** in an
effective manner

101

102

103

Risk and Compliance
Key Roles - Owners
 Data owners
 Understand, Give permissions

 Process and system owners
 Need to “ensure” (reasonable assurance) that the risks are
identified and managed …
 … and appropriate controls are deployed

104

Key Roles
The role of the internal auditors
 According to the Institute of Internal Auditors (IIA)…

 …Internal Auditing is an independent, objective
assurance and consulting activity…
 … designed to add value and…
 … improve an organization's operations

 It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach…
 … to evaluate and improve the effectiveness of risk
management, control, and governance processes

105

Key Roles
 The internal audit activity evaluates risk exposures
relating to the organization's governance, operations and
information systems, in relation to:
 Effectiveness and efficiency of operations
 Reliability and integrity of financial and operational
information
 Safeguarding of assets
 Compliance with laws, regulations, and contracts

106

Key Roles
 While management is responsible for internal controls…

 … the internal audit activity provides ***assurance*** to
management and the audit committee that …

 …internal controls are effective and…

 … working as intended

107

Continuous Auditing
 “Continuous Auditing”
 An evolving regulatory environment…
 … increased globalization of businesses…
 … market pressure to improve operations…
 … and rapidly changing business conditions…
 … are creating the need for more timely and ongoing
assurance that controls are working effectively and risk is
being mitigated

 Continuous auditing changes the audit paradigm *from
periodic reviews* of a sample of transactions to
**ongoing** audit testing of 100 percent of transactions

108

Key Roles
The role of the external auditors
 They provide independent assurance to the society
 The role of the external auditor is similar to the role of
the supervisors and regulators
 *The regulators* safeguard stability and investor
interests
 *The external auditors* work for the private interests of
the shareholders of a company
 External auditors and supervisors cooperate

109

Key Roles
The role of the external auditors
 Professional Standards - independence, objectivity and
integrity

 Conflicts of Interest

 Non-audit services

110

Key Roles
The role of the Board of Directors
A. Directors must learn and keep up to date
 The industry’s best practices in risk management
B. Directors must ensure that the *management and key
employees* and process owners also learn and keep up to
date
 Is staff qualified, with the necessary experience and
technical capabilities?
 Who knows the policies, the procedures and the tasks?
 There is enough information – is there also enough
communication?

111

Key Roles
C. Directors must understand and approve

 1. The risk management framework

 2. Senior management’s guidance and direction
regarding the principles underlying the framework

112

Key Roles
 3. Policies developed by senior management - to identify,
assess, monitor, controlling and mitigate risks
 Policies for the treatment of non-compliance. No
tolerance, no temptations

 4. Key processes to manage risks

 5. Clear lines of management responsibility,
accountability and reporting for risks

113

Key Roles
 6. Separation of duties and responsibilities – conflict of
interest issues

 7. The risk appetite and tolerance for risks

 8. The risk transferred outside the organization

114

Key Roles
 9. High Impact / Low Frequency events and the strategy
to identify and manage these risks

 10. Early warning indicators

 11. Measurement methodologies - Quantification of
exposure to risks, not only qualitative approaches

115

Key Roles
 12. Self assessments
 Is it an enterprise wide process?
 Can it be used for accountability?
 Who learns the issues?
 Can it be used in risk identification as well as
mitigation?

 13. Assumptions

116

Key Roles
 14. The risks associated with outsourcing activities

 Is there oversight of third-party activities?

 Is there a clear allocation of responsibilities and clear
expectations between external service providers and the
organization?

117

Key Roles
 Is there an assessment of the materiality of outsourcing
arrangements?

 Does the organization exercise initial due diligence?

 Is the organization monitoring and testing third-party
activities on a regular basis?

118

Key Roles
 15. Contingency plans

 Business Impact Analysis, Disaster Recovery and
Business Continuity Plans

 Has the organization identified critical business
processes, including dependence on external vendors or
third parties?

119

Key Roles
 Are the alternate facilities / hot sites an adequate distance
away from the primary operations?

 Is there a periodic review of these plans?

 Is there training and testing?

 Are there clear descriptions of roles and responsibilities?

120

Key Roles
D. Directors must establish
 A management structure…
 … capable of implementing the firm's risk management
framework

121

Key Roles
E. Directors must ensure that
 The risk is managed after external and internal *changes*
or new products, activities and systems

 The risk management system is well documented

 They do their best to establish a strong internal control
culture in which control activities are an integral part of
the activities of a bank

122

Key Roles
 The risk management framework is implemented
consistently across the whole bank

 They learn about material losses

 There is adequate and meaningful reporting

123

Key Roles
 Understand and meet the auditors, internal function and
staff responsible for monitoring compliance
 There is adequate internal audit coverage to verify
effective implementation of policies and procedures
 There is a clear audit plan and scope with respect to
operational risk management
 The internal audit function does not have operational
risk management responsibilities

124

Director’s responsibilities include
Duty of care
 To exercise the care that an ordinarily prudent person in
a like position would use under similar circumstances

 What does a prudent director do?
 1. Learns - all material information reasonably available
before making a business decision
 There is “good faith” only in case of an informed
business decision
 2. Considers alternatives

125

Duty of care
 3. Attends meetings of the board and of the committees

 4. Asks questions

 5. Tries to prevent and detect illegal conduct

 6. Exercises oversight

126

Duty of loyalty

 Acts in good faith - in a manner he / she reasonably
believes to be in the best interests of the corporation

127

 Proves that he acts in good faith - is alert to any interest
he or she may have that might be considered to conflict
with the best interests of the corporation

 Discloses fully and carefully financial or personal
interests to which the corporation is a party

 For example, contracts where he / she had a financial or
other personal interest

128

Duty of loyalty

 Keeps confidential all matters involving the corporation
that have not been disclosed to the general public…
 … Directors are not authorized spokespersons for the
corporation

129

To continue with Part B of the course:
 Become a Certified Risk and Compliance
Management Professional (CRCMP) you can visit:

association.com/Distance_Learning_and_Certification.htm

130

Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Similar to Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A (20)

More from Compliance LLC

More from Compliance LLC (20)

Recently uploaded

Recently uploaded (20)

Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A