Your SlideShare is downloading. ×
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

7,015

Published on

Certified Risk and Compliance Management Professional (CRCMP) Prep Course – Part A …

Certified Risk and Compliance Management Professional (CRCMP) Prep Course – Part A


First Certified Course
Certified Risk and Compliance Management Professional (CRMCP)

This course has been designed to provide with the knowledge and skills needed to understand and support regulatory compliance and enterprise wide risk management, and to promote best practices and international standards that align with business and regulatory requirements.

The course provides with the skills needed to pass the Certified Risk and Compliance Management Professional (CRCMP) exam.

This course is intended for professionals that want to understand risk and compliance and to work as risk and compliance officers. They will prove that they are qualified, when they pass the Certified Risk and Compliance Management Professional (CRCMP) exam.

This course is intended for employers demanding qualified risk and compliance professionals. The course is recommended for senior executives involved in risk and compliance.

1 Comment
4 Likes
Statistics
Notes
  • Is there a presentation like this for the IS certification?
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
7,015
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
293
Comments
1
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Certified Risk and ComplianceManagement Professional (CRCMP) Prep Course – Part AInternational Association of Risk and Compliance Professionals (IARCP)
  • 2. Introduction The International Association of Risk and Compliance Professionals (IARCP) develops and maintains a compendium of risk and compliance topics Subject matter experts review and update this body of knowledge The IARCP offers the following risk and compliance management certification programs: Certified Risk and Compliance Management Professional (CRCMP) Certified Information Systems Risk and Compliance Professional (CISRCP) © International Association of Risk and Compliance Professionals (IARCP) 2
  • 3. Introduction Certified Risk and Compliance Management Professional (CRCMP) www.risk-compliance- association.com/Distance_Learning_and_Certification.htm Certified Information Systems Risk and Compliance Professional (CISRCP) www.risk-compliance- association.com/CISRCP_Distance_Learning_and_Certification.htm © International Association of Risk and Compliance Professionals (IARCP) 3
  • 4. Introduction The exam is online. To find more: www.risk-compliance- association.com/Questions_About_The_Certification_An d_The_Exams_1.pdf www.risk-compliance- association.com/CRCP_Certification_Steps_1.pdf © International Association of Risk and Compliance Professionals (IARCP) 4
  • 5. Introduction Instead of just training, you can have more 1. Training 2. Certification - If you pass the exam, you will be entitled to use the designation: Certified Risk and Compliance Management Professional (CRCMP) 3. Updates - Become (at no extra cost) a member of the IARCP to stay current with new developments in risk and compliance management You will continue to learn, month after month © International Association of Risk and Compliance Professionals (IARCP) 5
  • 6. Agenda PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT Introduction Regulatory Compliance and Risk Management - Definitions, roles and responsibilities The role of the board of directors, the supervisors, the internal and external auditors The new international landscape and the interaction among laws, regulations, and professional standards © International Association of Risk and Compliance Professionals (IARCP) 6
  • 7. Agenda Benefits of an enterprise wide compliance program Compliance culture: Why it is important, and how to communicate the regulatory obligations Policies, Workplace Ethics, Risk and Compliance Policies, procedures and the ethical code of conduct Privacy and information security Handling confidential information Conflicts of interest Use of organizational property © International Association of Risk and Compliance Professionals (IARCP) 7
  • 8. Agenda Fair dealings with customers, vendors and competitors Reporting ethical concerns Governance, Risk and Compliance The need for Internal Controls Understand how to identify, mitigate and control risks effectively Approaches to risk assessment Qualitative, quantitative… stress testing Integrating risk management into corporate governance and compliance © International Association of Risk and Compliance Professionals (IARCP) 8
  • 9. Agenda PART B: SARBANES OXLEY The Sarbanes Oxley Act Key Sections SEC, EDGAR, PCAOB, SAG PCAOB Auditing Standards: What we need to know Managements Testing Managements Documentation Sections 302, 404, 906: The three certifications Sections 302, 404, 906: Examples and case studies © International Association of Risk and Compliance Professionals (IARCP) 9
  • 10. Agenda Managements Responsibilities Committees and Teams Control Deficiency Deficiency in Design Deficiency in Operation Significant Deficiency Material Weakness © International Association of Risk and Compliance Professionals (IARCP) 10
  • 11. Agenda Companies Affected International companies Foreign Private Issuers (FPIs) Employees Affected © International Association of Risk and Compliance Professionals (IARCP) 11
  • 12. Agenda PART C: BASEL II Improving risk and asset management to avoid financial disasters "Sufficient assets" to offset risks The technical challenges for both banks and supervisors How much capital is necessary to serve as a sufficient buffer? The three-pillar regulatory structure Purposes of Basel II © International Association of Risk and Compliance Professionals (IARCP) 12
  • 13. Agenda Pillar 1: Minimum capital requirements Credit Risk – 3 approaches The standardized approach to credit risk The two internal ratings-based (IRB) approaches to credit risk Pillar 2: Supervisory review Key principles Pillar 3: Market discipline Disclosure requirements © International Association of Risk and Compliance Professionals (IARCP) 13
  • 14. Agenda Operational Risk What is operational risk Legal risk Information Technology operational risk Operational Risk Approaches Basic Indicator Approach (BIA) Standardized Approach (SA) Advanced Measurement Approaches (AMA) © International Association of Risk and Compliance Professionals (IARCP) 14
  • 15. Agenda Basel II and other regulations Common elements and differences of compliance projects New standards Disclosure issues Multinational companies and compliance challenges © International Association of Risk and Compliance Professionals (IARCP) 15
  • 16. Agenda PART D: THE FRAMEWORKS Internal Controls - COSO The Control Environment Risk Assessment Control Activities Information and Communication Monitoring Effectiveness and Efficiency of Operations Reliability of Financial Reporting Compliance with applicable laws and regulations © International Association of Risk and Compliance Professionals (IARCP) 16
  • 17. Agenda IT Controls Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls Layers of overlapping controls COSO Enterprise Risk Management (ERM) Framework Is COSO ERM needed for compliance? Internal Environment Objective Setting Event Identification © International Association of Risk and Compliance Professionals (IARCP) 17
  • 18. Agenda Risk Assessment Risk Response Control Activities Information and Communication Monitoring The two cubes Objectives: Strategic, Operations, Reporting, Compliance © International Association of Risk and Compliance Professionals (IARCP) 18
  • 19. Agenda COBIT - the framework that focuses on IT Is COBIT needed for compliance? COSO or COBIT? Management Guidelines The high-level control objectives What to do with the specific control objectives Maturity Models Critical Success Factors (CSFs) © International Association of Risk and Compliance Professionals (IARCP) 19
  • 20. Agenda PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM Designing an Internal Compliance System Compliance programs that withstand scrutiny Documentation Testing Ongoing compliance reviews and risk assessments for continuing compliance with laws and regulations Compliance Monitoring The company and other stakeholders © International Association of Risk and Compliance Professionals (IARCP) 20
  • 21. Agenda International and national regulatory requirements Regulatory compliance in Europe Regulatory compliance in the USA The GCC countries The Caribbean The Pacific Rim Common elements and differences of compliance projects © International Association of Risk and Compliance Professionals (IARCP) 21
  • 22. Certified Risk and ComplianceManagement Professional (CRCMP) Prep CourseInternational Association of Risk and Compliance Professionals (IARCP)
  • 23. PART A:COMPLIANCE WITH LAWS AND REGULATIONS AND RISK MANAGEMENTInternational Association of Risk and Compliance Professionals (IARCP)
  • 24. Internal controls, Governance, Risk,Compliance - Corporate governance CORPORATE GOVERNANCE Processes, systems and controls put in place to direct and control an organisation in order to… … increase performance and achieve shareholder value As such, it has to do with the performance of management and the board of directors… … the sufficiency and reliability of corporate reporting… … risk management and internal controls © International Association of Risk and Compliance Professionals (IARCP) 24
  • 25. Internal controls, Governance, Risk,Compliance - Corporate governance Governments often make decisions about governance … … it is NOT a “best practice” The legal and regulatory environment is of paramount importance © International Association of Risk and Compliance Professionals (IARCP) 25
  • 26. Internal controls, Governance, Risk,Compliance - Corporate governance A corporation is a a separate legal entity… … and has legal *rights* and *obligations* A corporation has the ability to hold assets separately from the assets of its stakeholders Some legal structures have the ability to limit the liability of stakeholders © International Association of Risk and Compliance Professionals (IARCP) 26
  • 27. Internal controls, Governance, Risk,Compliance - Corporate governance The interests of the stakeholders… … the owners… … the board of directors… … executive management… … managers… … data owners… … process owners… … employees… … suppliers… … regulators, supervisors… … clients and communities © International Association of Risk and Compliance Professionals (IARCP) 27
  • 28. Internal controls, Governance, Risk,Compliance - Corporate governance Governance - Some common principles Acting for the Best Interests of the Shareholders Ethical Behavior Professional Behavior Culture of Risk and Compliance © International Association of Risk and Compliance Professionals (IARCP) 28
  • 29. Internal controls, Governance, Risk,Compliance - Corporate governance Governance - Some common principles Transparency and Disclosures Tested and Documented Processes Tested and Documented Internal Controls © International Association of Risk and Compliance Professionals (IARCP) 29
  • 30. OECD Principles of CorporateGovernance - 2004 The original member countries of the OECD are Austria, Belgium, Canada, Denmark, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States Also members: Japan, Finland, Australia, New Zealand, Mexico, the Czech Republic, Hungary, Poland, Korea, the Slovak Republic (14th December 2000) © International Association of Risk and Compliance Professionals (IARCP) 30
  • 31. OECD Principles of CorporateGovernance - 2004 The OECD Principles of Corporate Governance were endorsed by OECD Ministers in 1999… … when the OECD extended the boundary of accountability to include stakeholders such as employees… … and have since become an international benchmark for policy makers, investors, corporations and other stakeholders ***worldwide*** © International Association of Risk and Compliance Professionals (IARCP) 31
  • 32. OECD Principles of CorporateGovernance - 2004 They have provided specific guidance for legislative and regulatory initiatives in both OECD and non OECD countries The Rights of Shareholders and Key Ownership Functions The corporate governance framework should **protect and facilitate the exercise of shareholders’ rights** © International Association of Risk and Compliance Professionals (IARCP) 32
  • 33. OECD Principles of CorporateGovernance - 2004 A. Basic shareholder rights should include the right to: Obtain relevant and material information on the corporation on a timely and regular basis Share in the profits of the corporation Shareholders should have the opportunity to ask questions to the board, including… … questions relating to the annual external audit © International Association of Risk and Compliance Professionals (IARCP) 33
  • 34. Internal controls, Governance, Risk,Compliance - Risk RISK: The possibility of a loss, catastrophe, or other undesirable outcome A potential negative impact to an asset We may accept, mitigate or avoid a risk Risk is described both qualitatively and quantitatively Risk is proportional to both the expected losses (impact) which may be caused by an event and to… … the probability of this event © International Association of Risk and Compliance Professionals (IARCP) 34
  • 35. Internal controls, Governance, Risk,Compliance - Risk In technical contexts, the word has several more specialized uses and meanings Three of these are particularly important since they are widely used across disciplines: 1. risk = an unwanted ***event*** which may or may not occur 2. risk = the ***cause*** of an unwanted event which may or may not occur 3. risk = the ***probability*** of an unwanted event which may or may not occur © International Association of Risk and Compliance Professionals (IARCP) 35
  • 36. Internal controls, Governance, Risk,Compliance - Risk Risk… is it good or bad? All opportunities come with some degree of risk Risks and opportunities go hand in hand An efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses © International Association of Risk and Compliance Professionals (IARCP) 36
  • 37. Internal controls, Governance, Risk,Compliance – Risk Management RISK MANAGEMENT Making informed business decisions We mitigate risks only when… … they are above our risk appetite… Risks must reach a level that is acceptable to the organization © International Association of Risk and Compliance Professionals (IARCP) 37
  • 38. Internal controls, Governance, Risk,Compliance – Risk Management Risk management is an integral **part** of good management… … and an essential **part** of good corporate governance Priorities… … a cost benefit analysis - the costs of protective measures for the benefit of achieving the mission of the organisation © International Association of Risk and Compliance Professionals (IARCP) 38
  • 39. Internal controls, Governance, Risk,Compliance – Risk Management The types of risks depend on… … the location… … the industry… … the business objectives of the organization © International Association of Risk and Compliance Professionals (IARCP) 39
  • 40. Internal controls, Governance, Risk,Compliance - Risk Management Risks can result from factors both external and internal to the organisation The Risk Management process in an organization is influenced by: 1. The organization’s mission, vision and objectives 2. Products and services 3. The physical, environmental and regulatory conditions © International Association of Risk and Compliance Professionals (IARCP) 40
  • 41. Internal controls, Governance, Risk,Compliance - Risk Management Asset: A resource, product, process, or element that an organization has determined must be protected Threat: Any potential event that causes a detrimental impact on the organization Vulnerability: The lack / weakness of a safeguard counter to a threat Safeguard: A control employed to reduce the risk associated with a specific threat © International Association of Risk and Compliance Professionals (IARCP) 41
  • 42. Internal controls, Governance, Risk,Compliance - Risk Management Risk management A. Identification… … of the risks associated with each process… An organisation’s exposure to uncertainty Requires knowledge of the organisation… … the market… … the industry… … the legal, social, political and cultural environment in which it exists © International Association of Risk and Compliance Professionals (IARCP) 42
  • 43. Internal controls, Governance, Risk,Compliance - Risk Management B. Assessment… … qualitative and quantitative… … evaluating risks and risk impacts… … and recommending measures to reduce risks A major element - the assessment of the value of the information resources Cost benefit analysis © International Association of Risk and Compliance Professionals (IARCP) 43
  • 44. Internal controls, Governance, Risk,Compliance - Risk Management C. Management… … (measurement, mitigation, development of countermeasures)… … internal controls… … implementation of the measures to reduce risks recommended in the risk assessment process © International Association of Risk and Compliance Professionals (IARCP) 44
  • 45. Problems… Over Optimism Misrepresentation - false, incorrect, improper, or incomplete statement of material facts Alarmism - production of needless warnings Prejudice © International Association of Risk and Compliance Professionals (IARCP) 45
  • 46. Where do you work? In a military environment or in a bank… … we have the same principles in risk management! Let’s have a look at some Information Warfare slides… … all the principles apply in a corporate environment as well © International Association of Risk and Compliance Professionals (IARCP) 46
  • 47. © International Association of Risk and Compliance Professionals (IARCP) 47
  • 48. © International Association of Risk and Compliance Professionals (IARCP) 48
  • 49. © International Association of Risk and Compliance Professionals (IARCP) 49
  • 50. © International Association of Risk and Compliance Professionals (IARCP) 50
  • 51. © International Association of Risk and Compliance Professionals (IARCP) 51
  • 52. Australia/New Zealand Standard 4360 Since 1992 Three major elements: 1. The risk management workflow 2. Monitoring and review 3. Communication and consult © International Association of Risk and Compliance Professionals (IARCP) 52
  • 53. Australia/New Zealand Standard 4360 © International Association of Risk and Compliance Professionals (IARCP) 53
  • 54. Risk Management Guide for InformationTechnology SystemsNIST Special Publication 800-30 © International Association of Risk and Compliance Professionals (IARCP) 54
  • 55. Risk Management Guide for InformationTechnology SystemsNIST Special Publication 800-30 © International Association of Risk and Compliance Professionals (IARCP) 55
  • 56. Risk Management Guide for InformationTechnology SystemsNIST Special Publication 800-30 © International Association of Risk and Compliance Professionals (IARCP) 56
  • 57. Vulnerabilities… Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that… … could be exercised (accidentally triggered or intentionally exploited)… … and result in a security breach or a violation of the system’s security policy © International Association of Risk and Compliance Professionals (IARCP) 57
  • 58. Threats and Vulnerabilities © International Association of Risk and Compliance Professionals (IARCP) 58
  • 59. Risk Mitigation MethodologyFlowchart © International Association of Risk and Compliance Professionals (IARCP) 59
  • 60. Risk Mitigation MethodologyFlowchart © International Association of Risk and Compliance Professionals (IARCP) 60
  • 61. Risk Mitigation MethodologyFlowchart © International Association of Risk and Compliance Professionals (IARCP) 61
  • 62. Example: Government of Canada,Communications Security Establishment © International Association of Risk and Compliance Professionals (IARCP) 62
  • 63. Outsourcing and Risk Management“Management remains responsible” Sarbanes-Oxley Act, Section 404: “Management remains responsible” for service providers This responsibility cannot be delegated to the service provider Basel ii, Outsourcing in Financial Services: “Management remains responsible” The Committee of European Banking Supervisors (CEBS) – “Guidelines on Outsourcing” “Management remains responsible” © International Association of Risk and Compliance Professionals (IARCP) 63
  • 64. Outsourcingand Risk Management USA - The Board of Governors of the Federal Reserve System - “Outsourcing of Information and Transaction Processing” “Ensure that controls over outsourced information and transaction processing activities… … are equivalent to those that would be implemented… … if the activity were conducted internally” © International Association of Risk and Compliance Professionals (IARCP) 64
  • 65. Good Corporate Governance and RiskManagement is very important A good Risk Management Program is important for: 1. The company’s credit rating Credit rating agencies believe that a good Risk Management Program is very important for the credit rating of firms 2. The company’s reputation 3. The company’s cost of capital © International Association of Risk and Compliance Professionals (IARCP) 65
  • 66. Good Corporate Governance and RiskManagement is very important 4. Audit firm resignations and refusals 5. The company’s share price 6. The likelihood that external auditor’s opinion on financial statements is wrong © International Association of Risk and Compliance Professionals (IARCP) 66
  • 67. Good Corporate Governance and RiskManagement is very important After the risk management failures in 2007-2008… … good risk management is a source of ***value creation*** Risk management MUST be linked to the overall objective of value maximization We must communicate what we do to all stakeholder groups This dimension is often unknown to employees © International Association of Risk and Compliance Professionals (IARCP) 67
  • 68. Good Corporate Governance and RiskManagement is very important In the past, the capital markets *were* only interested in the share price … … and did not pay much attention to corporate governance and risk management Today good corporate governance practice is now strongly tied to investment decisions and corporate value © International Association of Risk and Compliance Professionals (IARCP) 68
  • 69. Internal controls, Governance, Risk,Compliance - Compliance Acting in accordance with laws and regulations Laws are enacted by legislative bodies… … while regulations are created by government agencies One of the major risks: No compliance! Compliance with external laws… … and internal policies and procedures Standards and best practices do NOT have the force of law © International Association of Risk and Compliance Professionals (IARCP) 69
  • 70. Enterprise wide risk and complianceprogram One solution for one problem Best Practices More cost effective Auditors understand how we manage risks The board understands Easier testing and documentation © International Association of Risk and Compliance Professionals (IARCP) 70
  • 71. Enterprise wide risk and complianceprogram According to Susan Schmidt Bies (member of the Board of Governors of the Federal Reserve System): “An enterprise-wide approach can integrate the risk assessment of functions that have traditionally been managed in silos A culture of compliance should establish- from the top of the organization - the proper ethical tone that will govern the conduct of business” © International Association of Risk and Compliance Professionals (IARCP) 71
  • 72. Policies, Procedures, Baselines, Guidelines, Ethics
  • 73. © International Association of Risk and Compliance Professionals (IARCP) 73
  • 74. Policies Policies are considered the highest level of documentation Standards, Guidelines and Procedures are derived from policies Acknowledgment of importance of resources © International Association of Risk and Compliance Professionals (IARCP) 74
  • 75. Policies High lever principles Without well structured policies an organisation will be unstructured… … unfocussed… … and probably operationally and financially ineffective © International Association of Risk and Compliance Professionals (IARCP) 75
  • 76. Policy - Example:“We respect privacy” © International Association of Risk and Compliance Professionals (IARCP) 76
  • 77. Privacy and Information Security From Privacy vs. Information Security… … to Information Security to comply with Privacy rules A legal obligation… … a risk of no compliance High level policies… …in line with functional policies (procedures) © International Association of Risk and Compliance Professionals (IARCP) 77
  • 78. Procedures and Standards These contain the actual detail of the policy Describe how the policies should be implemented Procedures: Detail the steps required to implement the policy Sometimes called “practices” Standards: Specify use of technology in a uniform way and should be made compulsory © International Association of Risk and Compliance Professionals (IARCP) 78
  • 79. Baselines and Guidelines Baselines: Baselines are similar to standards, standards can be developed after the baseline is established Sensitivity level, current / normal situation Guidelines: Similar to standards but not compulsory, more flexible © International Association of Risk and Compliance Professionals (IARCP) 79
  • 80. “Regulatory” Policies The company is required to implement policies to comply with legal or regulatory requirements Usually very detailed and specific to the industry of the organization A well written policy can provide protection from liability © International Association of Risk and Compliance Professionals (IARCP) 80
  • 81. Ethics Code of Ethics - Soft law Not legal… or not ethical? An organizations beliefs and culture Procedures to be used in specific situations such as conflicts of interest or the acceptance of gifts The effectiveness of the code of ethics depends on… … the extent to which it has the support of the management… … with sanctions and rewards © International Association of Risk and Compliance Professionals (IARCP) 81
  • 82. Ethics Code of Ethics - Example “Respect: We treat others as we would like to be treated ourselves. Ruthlessness, callousness and arrogance dont belong here” “Integrity: We work with customers and prospects openly, honestly and sincerely. When we say we will do something, we will do it” “Communication: We believe that information is meant to move and that information moves people” (From Enron’s Code of Ethics) © International Association of Risk and Compliance Professionals (IARCP) 82
  • 83. A great firm now: Merck, a global research-driven pharmaceutical company “Accountability: Each of us is responsible for adhering to the values and standards set forth in this Code… … and for raising questions if we are uncertain as to whether or not the standards are being met Violations of the Code may result in a variety of corrective actions and… … in some cases, may result in disciplinary action up to and including termination of employment” © International Association of Risk and Compliance Professionals (IARCP) 83
  • 84. A great firm now: Merck, a global research-driven pharmaceutical company www.merck.com/about/conduct.html The code includes: Relationships with Our Customers Relationships with Fellow Employees Relationships with Shareholders Relationships with Suppliers Relationships with Our Communities and Society Compliance with Laws, Rules and Regulations Raising Concerns © International Association of Risk and Compliance Professionals (IARCP) 84
  • 85. Conflicts of Interest and Ethics A natural or legal person... ... has a *private* interest that could influence the objective exercise of his or her official duties “An interest” - a financial interest, or a special advantage that comes into conflict with a duty For him or his family and friends © International Association of Risk and Compliance Professionals (IARCP) 85
  • 86. Conflicts of Interest and Ethics Examples A. Self Review B. The CEO of a private consulting company works for the government... ... and uses his official position to secure a contract for the private firm C. Using confidential information © International Association of Risk and Compliance Professionals (IARCP) 86
  • 87. © International Association of Risk and Compliance Professionals (IARCP) 87
  • 88. Risk and Compliance Key Roles
  • 89. Risk and ComplianceKey Roles - Senior management Senior management They must understand the risks… … provide the resources needed … … and “ensure” that the firm can accomplish its objectives Reasonable assurance © International Association of Risk and Compliance Professionals (IARCP) 89
  • 90. Risk and ComplianceKey Roles - Risk Officer The Role of the Risk Officer There is no definition... and where there is one, it is far from uniform But there is something that you need to know: The role of the risk officer becomes more important year after year All companies try to understand risks and spend much money to manage risks Risk officers play an important role in implementing enterprise risk management © International Association of Risk and Compliance Professionals (IARCP) 90
  • 91. Risk and ComplianceKey Roles - Risk Officer Risk officers have one additional obligation: To explain… … risks and countermeasures… … to owners… … auditors… … senior management… … and the board of directors © International Association of Risk and Compliance Professionals (IARCP) 91
  • 92. Risk and ComplianceKey Roles – Chief Risk Officer The Role of the Chief Risk Officer The Chief Risk Officers job is to ensure that the organization is in full compliance with applicable laws and regulations He must coordinate the companys risk management efforts… … explain risks and controls to senior management and the board… … and make recommendations © International Association of Risk and Compliance Professionals (IARCP) 92
  • 93. Risk and ComplianceKey Roles – Chief Risk Officer The Chief Risk Officer is rapidly becoming one of the 3-5 most important members of the management team We read some important paragraphs from a report from the Economist Intelligence Unit Sponsored by: ACE, Cisco Systems, Deutsche Bank and IBM “For a corporate post with only a decade of history, the chief risk officer (CRO) attracts a lot of attention” © International Association of Risk and Compliance Professionals (IARCP) 93
  • 94. Risk and ComplianceKey Roles – Chief Risk Officer “CROs have consolidated their position in the financial sector, where they began… … and are increasingly to be found in other industries” “As companies seek to respond to increased regulatory pressures and a growing array of business risks… … the CRO is emerging as one of the most important positions in the management team” © International Association of Risk and Compliance Professionals (IARCP) 94
  • 95. Risk and ComplianceKey Roles – Chief Risk Officer “Regulatory compliance is the top priority for risk management” “Regulatory risk ranks as one of the top two threats to global business” Regulatory compliance is the CRO’s primary responsibility” [Business continuity is also a top priority] © International Association of Risk and Compliance Professionals (IARCP) 95
  • 96. Case Study: Credit Suisse © International Association of Risk and Compliance Professionals (IARCP) 96
  • 97. Case Study: Credit Suisse © International Association of Risk and Compliance Professionals (IARCP) 97
  • 98. Risk and ComplianceKey Roles – Chief Compliance Officer The Role of the Chief Compliance Officer According to Commissioner Cynthia A. Glassman, U.S. Securities and Exchange Commission… “While the CEO cannot delegate his or her ultimate responsibility… … a company should have an officer with ownership of corporate compliance and ethics issues… … … and of what Title III of Sarbanes-Oxley broadly refers to as ***Corporate Responsibility***”… © International Association of Risk and Compliance Professionals (IARCP) 98
  • 99. Risk and ComplianceKey Roles – Chief Compliance Officer “While every company must assess its particular needs based on the size and nature of its business… … there are several characteristics that I would want the corporate responsibility officer to have… … if I were relying on this person:” “He or she should have sufficient seniority and authority to take the actions necessary under the circumstances” “Ask yourself if this person would be able to address the worst-case scenario” © International Association of Risk and Compliance Professionals (IARCP) 99
  • 100. Risk and ComplianceKey Roles – Chief Compliance Officer “The position should have the full support of the CEO and senior management, both in theory and in practice The corporate responsibility officer should *have access* and provide regular reports to senior management” “He or she can play an important role in helping a company meet the ***information gathering and reporting requirements*** © International Association of Risk and Compliance Professionals (IARCP) 100
  • 101. Risk and ComplianceKey Roles – Chief Compliance Officer “The corporate responsibility officer should have the ability to report directly to the board (for example, to the audit committee chairman)… … on matters of significant import to the company or matters involving misconduct by senior management” In addition, the responsible officer should have sufficient time and adequate resources to implement the companys ***corporate responsibility program*** in an effective manner © International Association of Risk and Compliance Professionals (IARCP) 101
  • 102. © International Association of Risk and Compliance Professionals (IARCP) 102
  • 103. © International Association of Risk and Compliance Professionals (IARCP) 103
  • 104. Risk and ComplianceKey Roles - Owners Data owners Understand, Give permissions Process and system owners Need to “ensure” (reasonable assurance) that the risks are identified and managed … … and appropriate controls are deployed © International Association of Risk and Compliance Professionals (IARCP) 104
  • 105. Key RolesThe role of the internal auditors According to the Institute of Internal Auditors (IIA)… …Internal Auditing is an independent, objective assurance and consulting activity… … designed to add value and… … improve an organizations operations It helps an organization accomplish its objectives by bringing a systematic, disciplined approach… … to evaluate and improve the effectiveness of risk management, control, and governance processes © International Association of Risk and Compliance Professionals (IARCP) 105
  • 106. Key RolesThe role of the internal auditors The internal audit activity evaluates risk exposures relating to the organizations governance, operations and information systems, in relation to: Effectiveness and efficiency of operations Reliability and integrity of financial and operational information Safeguarding of assets Compliance with laws, regulations, and contracts © International Association of Risk and Compliance Professionals (IARCP) 106
  • 107. Key RolesThe role of the internal auditors While management is responsible for internal controls… … the internal audit activity provides ***assurance*** to management and the audit committee that … …internal controls are effective and… … working as intended © International Association of Risk and Compliance Professionals (IARCP) 107
  • 108. The role of the internal auditorsContinuous Auditing “Continuous Auditing” An evolving regulatory environment… … increased globalization of businesses… … market pressure to improve operations… … and rapidly changing business conditions… … are creating the need for more timely and ongoing assurance that controls are working effectively and risk is being mitigated Continuous auditing changes the audit paradigm *from periodic reviews* of a sample of transactions to **ongoing** audit testing of 100 percent of transactions © International Association of Risk and Compliance Professionals (IARCP) 108
  • 109. Key RolesThe role of the external auditors They provide independent assurance to the society The role of the external auditor is similar to the role of the supervisors and regulators *The regulators* safeguard stability and investor interests *The external auditors* work for the private interests of the shareholders of a company External auditors and supervisors cooperate © International Association of Risk and Compliance Professionals (IARCP) 109
  • 110. Key RolesThe role of the external auditors Professional Standards - independence, objectivity and integrity Conflicts of Interest Non-audit services © International Association of Risk and Compliance Professionals (IARCP) 110
  • 111. Key RolesThe role of the Board of DirectorsA. Directors must learn and keep up to date The industry’s best practices in risk managementB. Directors must ensure that the *management and key employees* and process owners also learn and keep up to date Is staff qualified, with the necessary experience and technical capabilities? Who knows the policies, the procedures and the tasks? There is enough information – is there also enough communication? © International Association of Risk and Compliance Professionals (IARCP) 111
  • 112. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 1. The risk management framework 2. Senior management’s guidance and direction regarding the principles underlying the framework © International Association of Risk and Compliance Professionals (IARCP) 112
  • 113. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 3. Policies developed by senior management - to identify, assess, monitor, controlling and mitigate risks Policies for the treatment of non-compliance. No tolerance, no temptations 4. Key processes to manage risks 5. Clear lines of management responsibility, accountability and reporting for risks © International Association of Risk and Compliance Professionals (IARCP) 113
  • 114. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 6. Separation of duties and responsibilities – conflict of interest issues 7. The risk appetite and tolerance for risks 8. The risk transferred outside the organization © International Association of Risk and Compliance Professionals (IARCP) 114
  • 115. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 9. High Impact / Low Frequency events and the strategy to identify and manage these risks 10. Early warning indicators 11. Measurement methodologies - Quantification of exposure to risks, not only qualitative approaches © International Association of Risk and Compliance Professionals (IARCP) 115
  • 116. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 12. Self assessments Is it an enterprise wide process? Can it be used for accountability? Who learns the issues? Can it be used in risk identification as well as mitigation? 13. Assumptions © International Association of Risk and Compliance Professionals (IARCP) 116
  • 117. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 14. The risks associated with outsourcing activities Is there oversight of third-party activities? Is there a clear allocation of responsibilities and clear expectations between external service providers and the organization? © International Association of Risk and Compliance Professionals (IARCP) 117
  • 118. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve Is there an assessment of the materiality of outsourcing arrangements? Does the organization exercise initial due diligence? Is the organization monitoring and testing third-party activities on a regular basis? © International Association of Risk and Compliance Professionals (IARCP) 118
  • 119. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 15. Contingency plans Business Impact Analysis, Disaster Recovery and Business Continuity Plans Has the organization identified critical business processes, including dependence on external vendors or third parties? © International Association of Risk and Compliance Professionals (IARCP) 119
  • 120. Key RolesThe role of the Board of DirectorsC. Directors must understand and approve Are the alternate facilities / hot sites an adequate distance away from the primary operations? Is there a periodic review of these plans? Is there training and testing? Are there clear descriptions of roles and responsibilities? © International Association of Risk and Compliance Professionals (IARCP) 120
  • 121. Key RolesThe role of the Board of DirectorsD. Directors must establish A management structure… … capable of implementing the firms risk management framework © International Association of Risk and Compliance Professionals (IARCP) 121
  • 122. Key RolesThe role of the Board of DirectorsE. Directors must ensure that The risk is managed after external and internal *changes* or new products, activities and systems The risk management system is well documented They do their best to establish a strong internal control culture in which control activities are an integral part of the activities of a bank © International Association of Risk and Compliance Professionals (IARCP) 122
  • 123. Key RolesThe role of the Board of DirectorsE. Directors must ensure that The risk management framework is implemented consistently across the whole bank They learn about material losses There is adequate and meaningful reporting © International Association of Risk and Compliance Professionals (IARCP) 123
  • 124. Key RolesThe role of the Board of DirectorsE. Directors must ensure that Understand and meet the auditors, internal function and staff responsible for monitoring compliance There is adequate internal audit coverage to verify effective implementation of policies and procedures There is a clear audit plan and scope with respect to operational risk management The internal audit function does not have operational risk management responsibilities © International Association of Risk and Compliance Professionals (IARCP) 124
  • 125. Director’s responsibilities includeDuty of care To exercise the care that an ordinarily prudent person in a like position would use under similar circumstances What does a prudent director do? 1. Learns - all material information reasonably available before making a business decision There is “good faith” only in case of an informed business decision 2. Considers alternatives © International Association of Risk and Compliance Professionals (IARCP) 125
  • 126. Director’s responsibilities includeDuty of care 3. Attends meetings of the board and of the committees 4. Asks questions 5. Tries to prevent and detect illegal conduct 6. Exercises oversight © International Association of Risk and Compliance Professionals (IARCP) 126
  • 127. Director’s responsibilities includeDuty of loyalty What does a prudent director do? Acts in good faith - in a manner he / she reasonably believes to be in the best interests of the corporation © International Association of Risk and Compliance Professionals (IARCP) 127
  • 128. Director’s responsibilities include Proves that he acts in good faith - is alert to any interest he or she may have that might be considered to conflict with the best interests of the corporation Discloses fully and carefully financial or personal interests to which the corporation is a party For example, contracts where he / she had a financial or other personal interest © International Association of Risk and Compliance Professionals (IARCP) 128
  • 129. Director’s responsibilities includeDuty of loyalty What does a prudent director do? Keeps confidential all matters involving the corporation that have not been disclosed to the general public… … Directors are not authorized spokespersons for the corporation © International Association of Risk and Compliance Professionals (IARCP) 129
  • 130. To continue with Part B of the course: Become a Certified Risk and Compliance Management Professional (CRCMP) you can visit: www.risk-compliance- association.com/Distance_Learning_and_Certification.htm © International Association of Risk and Compliance Professionals (IARCP) 130

×