Certified Risk and Compliance Management Professional (CRCMP) �Prep Course Part A�
GeorgeLekatis
15,841 views
130 slides
Mar 12, 2012
Slide 1 of 130
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
About This Presentation
Certified Risk and Compliance Management Professional (CRCMP) Prep Course – Part A
First Certified Course
Certified Risk and Compliance Management Professional (CRMCP)
This course has been designed to provide with the knowledge and skills needed to understand and support regulatory compliance ...
Slide Content
Certified Risk and Compliance
Management Professional (CRCMP)
Prep Course –Part A
International Association of Risk and Compliance
Professionals (IARCP)
Management Professional (CRCMP)
Prep Course –Part A
International Association of Risk and Compliance
Professionals (IARCP)
© International Association of Risk and Compliance Professionals (IARCP)
2
Introduction
The International Association of Risk and Compliance
Professionals (IARCP) develops and maintains a
compendium of risk and compliance topics
Subject matter expertsreview and update this body of
knowledge
The IARCP offers the following risk and compliance
management certification programs:
Certified Risk and Compliance Management
Professional (CRCMP)
Certified Information SystemsRisk and Compliance
Professional (CISRCP)
2
Introduction
The International Association of Risk and Compliance
Professionals (IARCP) develops and maintains a
compendium of risk and compliance topics
Subject matter expertsreview and update this body of
knowledge
The IARCP offers the following risk and compliance
management certification programs:
Certified Risk and Compliance Management
Professional (CRCMP)
Certified Information SystemsRisk and Compliance
Professional (CISRCP)
© International Association of Risk and Compliance Professionals (IARCP)
3
Introduction
Certified Risk and Compliance Management
Professional (CRCMP)
www.risk-compliance-
association.com/Distance_Learning_and_Certification.htm
Certified Information SystemsRisk and Compliance
Professional (CISRCP)
www.risk-compliance-
association.com/CISRCP_Distance_Learning_and_Certification.htm
3
Introduction
Certified Risk and Compliance Management
Professional (CRCMP)
www.risk-compliance-
association.com/Distance_Learning_and_Certification.htm
Certified Information SystemsRisk and Compliance
Professional (CISRCP)
www.risk-compliance-
association.com/CISRCP_Distance_Learning_and_Certification.htm
© International Association of Risk and Compliance Professionals (IARCP)
4
Introduction
The exam is online. To find more:
www.risk-compliance-
association.com/Questions_About_The_Certification_An
d_The_Exams_1.pdf
www.risk-compliance-
association.com/CRCP_Certification_Steps_1.pdf
4
Introduction
The exam is online. To find more:
www.risk-compliance-
association.com/Questions_About_The_Certification_An
d_The_Exams_1.pdf
www.risk-compliance-
association.com/CRCP_Certification_Steps_1.pdf
© International Association of Risk and Compliance Professionals (IARCP)
5
Introduction
Instead of just training, you can have more
1. Training
2. Certification-If you pass the exam, you will be
entitled to use the designation: Certified Risk and
Compliance Management Professional (CRCMP)
3. Updates-Become (at no extra cost) a member of the
IARCP to stay currentwith new developments in risk
and compliance management
You will continue to learn, month after month
5
Introduction
Instead of just training, you can have more
1. Training
2. Certification-If you pass the exam, you will be
entitled to use the designation: Certified Risk and
Compliance Management Professional (CRCMP)
3. Updates-Become (at no extra cost) a member of the
IARCP to stay currentwith new developments in risk
and compliance management
You will continue to learn, month after month
© International Association of Risk and Compliance Professionals (IARCP)
6
Agenda
PART A: COMPLIANCE WITH LAWS AND
REGULATIONS, AND RISK MANAGEMENT
Introduction
Regulatory Complianceand Risk Management-
Definitions, roles and responsibilities
The roleof the board of directors, the supervisors, the
internal and external auditors
The new international landscapeand the interaction
among laws, regulations, and professional standards
6
Agenda
PART A: COMPLIANCE WITH LAWS AND
REGULATIONS, AND RISK MANAGEMENT
Introduction
Regulatory Complianceand Risk Management-
Definitions, roles and responsibilities
The roleof the board of directors, the supervisors, the
internal and external auditors
The new international landscapeand the interaction
among laws, regulations, and professional standards
© International Association of Risk and Compliance Professionals (IARCP)
7
Agenda
Benefits of an enterprise widecompliance program
Compliance culture: Why it is important, and how to
communicate the regulatory obligations
Policies, Workplace Ethics,Risk and Compliance
Policies, proceduresand the ethical code of conduct
Privacy and information security
Handling confidentialinformation
Conflicts of interest
Use of organizational property
7
Agenda
Benefits of an enterprise widecompliance program
Compliance culture: Why it is important, and how to
communicate the regulatory obligations
Policies, Workplace Ethics,Risk and Compliance
Policies, proceduresand the ethical code of conduct
Privacy and information security
Handling confidentialinformation
Conflicts of interest
Use of organizational property
© International Association of Risk and Compliance Professionals (IARCP)
8
Agenda
Fair dealingswith customers, vendors and competitors
Reportingethical concerns
Governance, Risk and Compliance
The need for Internal Controls
Understand how to identify, mitigate and control risks
effectively
Approachesto risk assessment
Qualitative, quantitative… stress testing
Integrating risk management into corporate governance
and compliance
8
Agenda
Fair dealingswith customers, vendors and competitors
Reportingethical concerns
Governance, Risk and Compliance
The need for Internal Controls
Understand how to identify, mitigate and control risks
effectively
Approachesto risk assessment
Qualitative, quantitative… stress testing
Integrating risk management into corporate governance
and compliance
© International Association of Risk and Compliance Professionals (IARCP)
9
Agenda
PART B: SARBANES OXLEY
The Sarbanes Oxley Act
Key Sections
SEC, EDGAR, PCAOB, SAG
PCAOB Auditing Standards: What we need to know
Management's Testing
Management's Documentation
Sections 302, 404, 906: The three certifications
Sections 302, 404, 906: Examples and case studies
9
Agenda
PART B: SARBANES OXLEY
The Sarbanes Oxley Act
Key Sections
SEC, EDGAR, PCAOB, SAG
PCAOB Auditing Standards: What we need to know
Management's Testing
Management's Documentation
Sections 302, 404, 906: The three certifications
Sections 302, 404, 906: Examples and case studies
© International Association of Risk and Compliance Professionals (IARCP)
10
Agenda
Management's Responsibilities
Committees and Teams
Control Deficiency
Deficiency in Design
Deficiency in Operation
Significant Deficiency
Material Weakness
10
Agenda
Management's Responsibilities
Committees and Teams
Control Deficiency
Deficiency in Design
Deficiency in Operation
Significant Deficiency
Material Weakness
© International Association of Risk and Compliance Professionals (IARCP)
11
Agenda
Companies Affected
International companies
Foreign Private Issuers (FPIs)
Employees Affected
11
Agenda
Companies Affected
International companies
Foreign Private Issuers (FPIs)
Employees Affected
© International Association of Risk and Compliance Professionals (IARCP)
12
Agenda
PART C: BASEL II
Improving risk and asset management to avoid financial
disasters
"Sufficient assets" to offset risks
The technical challengesfor both banks and supervisors
How muchcapital is necessary to serve as a sufficient
buffer?
The three-pillarregulatory structure
Purposes of Basel II
12
Agenda
PART C: BASEL II
Improving risk and asset management to avoid financial
disasters
"Sufficient assets" to offset risks
The technical challengesfor both banks and supervisors
How muchcapital is necessary to serve as a sufficient
buffer?
The three-pillarregulatory structure
Purposes of Basel II
© International Association of Risk and Compliance Professionals (IARCP)
13
Agenda
Pillar 1:Minimum capital requirements
Credit Risk –3 approaches
The standardized approach to credit risk
The two internal ratings-based (IRB) approaches to credit
risk
Pillar 2:Supervisory review
Key principles
Pillar 3:Market discipline
Disclosure requirements
13
Agenda
Pillar 1:Minimum capital requirements
Credit Risk –3 approaches
The standardized approach to credit risk
The two internal ratings-based (IRB) approaches to credit
risk
Pillar 2:Supervisory review
Key principles
Pillar 3:Market discipline
Disclosure requirements
© International Association of Risk and Compliance Professionals (IARCP)
14
Agenda
Operational Risk
What is operational risk
Legal risk
Information Technology operational risk
Operational Risk Approaches
Basic Indicator Approach (BIA)
Standardized Approach (SA)
Advanced Measurement Approaches (AMA)
14
Agenda
Operational Risk
What is operational risk
Legal risk
Information Technology operational risk
Operational Risk Approaches
Basic Indicator Approach (BIA)
Standardized Approach (SA)
Advanced Measurement Approaches (AMA)
© International Association of Risk and Compliance Professionals (IARCP)
15
Agenda
Basel II and other regulations
Common elements and differencesof compliance
projects
New standards
Disclosure issues
Multinational companies and compliance challenges
15
Agenda
Basel II and other regulations
Common elements and differencesof compliance
projects
New standards
Disclosure issues
Multinational companies and compliance challenges
© International Association of Risk and Compliance Professionals (IARCP)
16
Agenda
PART D: THE FRAMEWORKS
Internal Controls -COSO
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
16
Agenda
PART D: THE FRAMEWORKS
Internal Controls -COSO
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
© International Association of Risk and Compliance Professionals (IARCP)
17
Agenda
IT Controls
Deterrent, Preventive, Detective, Corrective, Recovery,
Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls
COSO Enterprise Risk Management (ERM) Framework
Is COSO ERM needed for compliance?
Internal Environment
Objective Setting
Event Identification
17
Agenda
IT Controls
Deterrent, Preventive, Detective, Corrective, Recovery,
Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls
COSO Enterprise Risk Management (ERM) Framework
Is COSO ERM needed for compliance?
Internal Environment
Objective Setting
Event Identification
© International Association of Risk and Compliance Professionals (IARCP)
18
Agenda
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The two cubes
Objectives:Strategic, Operations, Reporting, Compliance
18
Agenda
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The two cubes
Objectives:Strategic, Operations, Reporting, Compliance
© International Association of Risk and Compliance Professionals (IARCP)
19
Agenda
COBIT -the framework that focuses on IT
Is COBIT needed for compliance?
COSO or COBIT?
Management Guidelines
The high-level control objectives
What to do with the specific control objectives
Maturity Models
Critical Success Factors (CSFs)
19
Agenda
COBIT -the framework that focuses on IT
Is COBIT needed for compliance?
COSO or COBIT?
Management Guidelines
The high-level control objectives
What to do with the specific control objectives
Maturity Models
Critical Success Factors (CSFs)
© International Association of Risk and Compliance Professionals (IARCP)
20
Agenda
PART E: DESIGNING AND IMPLEMENTING A RISK
AND COMPLIANCE PROGRAM
Designing an Internal Compliance System
Compliance programs that withstand scrutiny
Documentation
Testing
Ongoing compliance reviews and risk assessmentsfor
continuing compliance with laws and regulations
Compliance Monitoring
The company and other stakeholders
20
Agenda
PART E: DESIGNING AND IMPLEMENTING A RISK
AND COMPLIANCE PROGRAM
Designing an Internal Compliance System
Compliance programs that withstand scrutiny
Documentation
Testing
Ongoing compliance reviews and risk assessmentsfor
continuing compliance with laws and regulations
Compliance Monitoring
The company and other stakeholders
© International Association of Risk and Compliance Professionals (IARCP)
21
Agenda
International and national regulatory requirements
Regulatory compliance in Europe
Regulatory compliance in the USA
The GCC countries
The Caribbean
The Pacific Rim
Common elements and differencesof compliance
projects
21
Agenda
International and national regulatory requirements
Regulatory compliance in Europe
Regulatory compliance in the USA
The GCC countries
The Caribbean
The Pacific Rim
Common elements and differencesof compliance
projects
Certified Risk and Compliance
Management Professional (CRCMP)
Prep Course
International Association of Risk and Compliance
Professionals (IARCP)
Management Professional (CRCMP)
Prep Course
International Association of Risk and Compliance
Professionals (IARCP)
PART A:
COMPLIANCE WITH LAWS AND
REGULATIONS
ANDRISK MANAGEMENT
International Association of Risk and
Compliance Professionals (IARCP)
COMPLIANCE WITH LAWS AND
REGULATIONS
ANDRISK MANAGEMENT
International Association of Risk and
Compliance Professionals (IARCP)
© International Association of Risk and Compliance Professionals (IARCP)
24
Internal controls, Governance, Risk,
Compliance -Corporate governance
CORPORATE GOVERNANCE
Processes, systems and controlsput in place to direct and
control an organisationin order to…
…increase performanceand achieve shareholder value
As such, it has to do with the performanceof
management and the boardof directors…
… the sufficiency and reliabilityof corporate
reporting…
… risk managementand internal controls
24
Internal controls, Governance, Risk,
Compliance -Corporate governance
CORPORATE GOVERNANCE
Processes, systems and controlsput in place to direct and
control an organisationin order to…
…increase performanceand achieve shareholder value
As such, it has to do with the performanceof
management and the boardof directors…
… the sufficiency and reliabilityof corporate
reporting…
… risk managementand internal controls
© International Association of Risk and Compliance Professionals (IARCP)
25
Internal controls, Governance, Risk,
Compliance -Corporate governance
Governmentsoften make decisions about governance…
… it is NOT a “best practice”
The legal and regulatoryenvironment is of paramount
importance
25
Internal controls, Governance, Risk,
Compliance -Corporate governance
Governmentsoften make decisions about governance…
… it is NOT a “best practice”
The legal and regulatoryenvironment is of paramount
importance
© International Association of Risk and Compliance Professionals (IARCP)
26
Internal controls, Governance, Risk,
Compliance -Corporate governance
A corporation is a a separate legal entity…
… and has legal*rights* and*obligations*
A corporation has the ability to hold assetsseparately
from the assets of its stakeholders
Some legal structures have the ability to limit the
liability of stakeholders
26
Internal controls, Governance, Risk,
Compliance -Corporate governance
A corporation is a a separate legal entity…
… and has legal*rights* and*obligations*
A corporation has the ability to hold assetsseparately
from the assets of its stakeholders
Some legal structures have the ability to limit the
liability of stakeholders
© International Association of Risk and Compliance Professionals (IARCP)
27
Internal controls, Governance, Risk,
Compliance -Corporate governance
The interests of the stakeholders…
… the owners…
… the board of directors…
… executive management…
… managers…
… data owners…
… process owners…
… employees…
… suppliers…
… regulators, supervisors…
… clients and communities
27
Internal controls, Governance, Risk,
Compliance -Corporate governance
The interests of the stakeholders…
… the owners…
… the board of directors…
… executive management…
… managers…
… data owners…
… process owners…
… employees…
… suppliers…
… regulators, supervisors…
… clients and communities
© International Association of Risk and Compliance Professionals (IARCP)
28
Internal controls, Governance, Risk,
Compliance -Corporate governance
Governance -Some common principles
Acting for the Best Interestsof the Shareholders
EthicalBehavior
ProfessionalBehavior
Cultureof Risk and Compliance
28
Internal controls, Governance, Risk,
Compliance -Corporate governance
Governance -Some common principles
Acting for the Best Interestsof the Shareholders
EthicalBehavior
ProfessionalBehavior
Cultureof Risk and Compliance
© International Association of Risk and Compliance Professionals (IARCP)
29
Internal controls, Governance, Risk,
Compliance -Corporate governance
Governance -Some common principles
Transparencyand Disclosures
Tested and DocumentedProcesses
Tested and DocumentedInternal Controls
29
Internal controls, Governance, Risk,
Compliance -Corporate governance
Governance -Some common principles
Transparencyand Disclosures
Tested and DocumentedProcesses
Tested and DocumentedInternal Controls
© International Association of Risk and Compliance Professionals (IARCP)
30
OECD Principles of Corporate
Governance -2004
The original member countriesof the OECD are Austria,
Belgium, Canada, Denmark, France, Germany, Greece,
Iceland, Ireland, Italy, Luxembourg, the Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland, Turkey,
the United Kingdom and the United States
Also members:
Japan, Finland, Australia, New Zealand, Mexico, the
Czech Republic, Hungary, Poland, Korea, the Slovak
Republic (14th December 2000)
30
OECD Principles of Corporate
Governance -2004
The original member countriesof the OECD are Austria,
Belgium, Canada, Denmark, France, Germany, Greece,
Iceland, Ireland, Italy, Luxembourg, the Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland, Turkey,
the United Kingdom and the United States
Also members:
Japan, Finland, Australia, New Zealand, Mexico, the
Czech Republic, Hungary, Poland, Korea, the Slovak
Republic (14th December 2000)
© International Association of Risk and Compliance Professionals (IARCP)
31
OECD Principles of Corporate
Governance -2004
The OECD Principles of Corporate Governance were
endorsed by OECD Ministers in 1999…
… when the OECD extended the boundary of
accountabilityto include stakeholders such as
employees…
… and have since become an international benchmarkfor
policy makers, investors, corporations and other
stakeholders ***worldwide***
31
OECD Principles of Corporate
Governance -2004
The OECD Principles of Corporate Governance were
endorsed by OECD Ministers in 1999…
… when the OECD extended the boundary of
accountabilityto include stakeholders such as
employees…
… and have since become an international benchmarkfor
policy makers, investors, corporations and other
stakeholders ***worldwide***
© International Association of Risk and Compliance Professionals (IARCP)
32
OECD Principles of Corporate
Governance -2004
They have provided specific guidance for legislative and
regulatory initiativesin both OECD and non OECD
countries
The Rights of Shareholders and Key Ownership
Functions
The corporate governanceframework should**protect
and facilitate the exercise of shareholders’ rights**
32
OECD Principles of Corporate
Governance -2004
They have provided specific guidance for legislative and
regulatory initiativesin both OECD and non OECD
countries
The Rights of Shareholders and Key Ownership
Functions
The corporate governanceframework should**protect
and facilitate the exercise of shareholders’ rights**
© International Association of Risk and Compliance Professionals (IARCP)
33
OECD Principles of Corporate
Governance -2004
A. Basic shareholder rights should include the right to:
Obtain relevant and material informationon the
corporation on a timely and regular basis
Share in the profitsof the corporation
Shareholders should have the opportunity to ask
questions to the board, including…
… questions relating to the annual external audit
33
OECD Principles of Corporate
Governance -2004
A. Basic shareholder rights should include the right to:
Obtain relevant and material informationon the
corporation on a timely and regular basis
Share in the profitsof the corporation
Shareholders should have the opportunity to ask
questions to the board, including…
… questions relating to the annual external audit
© International Association of Risk and Compliance Professionals (IARCP)
34
Internal controls, Governance, Risk,
Compliance -Risk
RISK:
The possibilityof a loss, catastrophe, or other
undesirable outcome
A potential negative impactto an asset
We may accept, mitigate or avoid arisk
Risk is described both qualitatively and quantitatively
Risk is proportional to both the expected losses(impact)
which may be caused by an event and to…
… the probabilityof this event
34
Internal controls, Governance, Risk,
Compliance -Risk
RISK:
The possibilityof a loss, catastrophe, or other
undesirable outcome
A potential negative impactto an asset
We may accept, mitigate or avoid arisk
Risk is described both qualitatively and quantitatively
Risk is proportional to both the expected losses(impact)
which may be caused by an event and to…
… the probabilityof this event
© International Association of Risk and Compliance Professionals (IARCP)
35
Internal controls, Governance, Risk,
Compliance -Risk
In technicalcontexts, the word has severalmore
specialized uses and meanings
Threeof these are particularly importantsince they are
widely used across disciplines:
1. risk= an unwanted ***event***which may or may not
occur
2. risk= the ***cause***of an unwanted event which may
or may not occur
3. risk= the ***probability***of an unwanted event
which may or may not occur
35
Internal controls, Governance, Risk,
Compliance -Risk
In technicalcontexts, the word has severalmore
specialized uses and meanings
Threeof these are particularly importantsince they are
widely used across disciplines:
1. risk= an unwanted ***event***which may or may not
occur
2. risk= the ***cause***of an unwanted event which may
or may not occur
3. risk= the ***probability***of an unwanted event
which may or may not occur
© International Association of Risk and Compliance Professionals (IARCP)
36
Internal controls, Governance, Risk,
Compliance -Risk
Risk… is it good or bad?
All opportunities come with some degree of risk
Risks and opportunitiesgo hand in hand
An efficient balancebetween realizing opportunitiesfor
gains and minimizing vulnerabilities and losses
36
Internal controls, Governance, Risk,
Compliance -Risk
Risk… is it good or bad?
All opportunities come with some degree of risk
Risks and opportunitiesgo hand in hand
An efficient balancebetween realizing opportunitiesfor
gains and minimizing vulnerabilities and losses
© International Association of Risk and Compliance Professionals (IARCP)
37
Internal controls, Governance, Risk,
Compliance –Risk Management
RISK MANAGEMENT
Making informed business decisions
We mitigate risks onlywhen…
… they are above our risk appetite…
Risks must reach a level that is acceptableto the
organization
37
Internal controls, Governance, Risk,
Compliance –Risk Management
RISK MANAGEMENT
Making informed business decisions
We mitigate risks onlywhen…
… they are above our risk appetite…
Risks must reach a level that is acceptableto the
organization
© International Association of Risk and Compliance Professionals (IARCP)
38
Internal controls, Governance, Risk,
Compliance –Risk Management
Risk managementis an integral **part**of good
management…
… and an essential**part** of good corporate governance
Priorities…
… a cost benefitanalysis -the costsof protective
measures for the benefitof achieving the mission of the
organisation
38
Internal controls, Governance, Risk,
Compliance –Risk Management
Risk managementis an integral **part**of good
management…
… and an essential**part** of good corporate governance
Priorities…
… a cost benefitanalysis -the costsof protective
measures for the benefitof achieving the mission of the
organisation
© International Association of Risk and Compliance Professionals (IARCP)
39
Internal controls, Governance, Risk,
Compliance –Risk Management
The types of risksdepend on…
… the location…
… the industry…
… the business objectivesof the organization
39
Internal controls, Governance, Risk,
Compliance –Risk Management
The types of risksdepend on…
… the location…
… the industry…
… the business objectivesof the organization
© International Association of Risk and Compliance Professionals (IARCP)
40
Internal controls, Governance, Risk,
Compliance -Risk Management
Risks can result from factorsboth externaland internalto
the organisation
The Risk Management processin an organization is
influencedby:
1. The organization’s mission, vision and objectives
2. Products and services
3. The physical, environmental and regulatory conditions
40
Internal controls, Governance, Risk,
Compliance -Risk Management
Risks can result from factorsboth externaland internalto
the organisation
The Risk Management processin an organization is
influencedby:
1. The organization’s mission, vision and objectives
2. Products and services
3. The physical, environmental and regulatory conditions
© International Association of Risk and Compliance Professionals (IARCP)
41
Internal controls, Governance, Risk,
Compliance -Risk Management
Asset:A resource, product, process, or element that an
organization has determined must be protected
Threat:Any potentialevent that causes a detrimental
impact on the organization
Vulnerability:The lack / weakness of a safeguardcounter
to a threat
Safeguard:A controlemployed to reduce the risk
associated with a specific threat
41
Internal controls, Governance, Risk,
Compliance -Risk Management
Asset:A resource, product, process, or element that an
organization has determined must be protected
Threat:Any potentialevent that causes a detrimental
impact on the organization
Vulnerability:The lack / weakness of a safeguardcounter
to a threat
Safeguard:A controlemployed to reduce the risk
associated with a specific threat
© International Association of Risk and Compliance Professionals (IARCP)
42
Internal controls, Governance, Risk,
Compliance -Risk Management
Risk management
A. Identification…
… of the risks associated with each process…
An organisation’s exposure to uncertainty
Requires knowledgeof the organisation…
… the market…
… the industry…
… the legal, social, political and cultural environment in
which it exists
42
Internal controls, Governance, Risk,
Compliance -Risk Management
Risk management
A. Identification…
… of the risks associated with each process…
An organisation’s exposure to uncertainty
Requires knowledgeof the organisation…
… the market…
… the industry…
… the legal, social, political and cultural environment in
which it exists
© International Association of Risk and Compliance Professionals (IARCP)
43
Internal controls, Governance, Risk,
Compliance -Risk Management
B. Assessment…
… qualitative and quantitative…
… evaluating risks and risk impacts…
… and recommending measures to reducerisks
A major element -the assessment of the value of the
information resources
Cost benefit analysis
43
Internal controls, Governance, Risk,
Compliance -Risk Management
B. Assessment…
… qualitative and quantitative…
… evaluating risks and risk impacts…
… and recommending measures to reducerisks
A major element -the assessment of the value of the
information resources
Cost benefit analysis
© International Association of Risk and Compliance Professionals (IARCP)
44
Internal controls, Governance, Risk,
Compliance -Risk Management
C. Management…
… (measurement, mitigation, development of
countermeasures)…
… internal controls…
… implementationof the measures to reduce risks
recommended in the risk assessment process
44
Internal controls, Governance, Risk,
Compliance -Risk Management
C. Management…
… (measurement, mitigation, development of
countermeasures)…
… internal controls…
… implementationof the measures to reduce risks
recommended in the risk assessment process
© International Association of Risk and Compliance Professionals (IARCP)
45
Problems…
Over Optimism
Misrepresentation -false, incorrect, improper, or
incomplete statement of material facts
Alarmism -production of needless warnings
Prejudice
45
Problems…
Over Optimism
Misrepresentation -false, incorrect, improper, or
incomplete statement of material facts
Alarmism -production of needless warnings
Prejudice
© International Association of Risk and Compliance Professionals (IARCP)
46
Where do you work?
In a military environment or in a bank…
… we have the same principles in risk management!
Let’s have a look at some Information Warfare slides…
… all the principles apply in a corporate environment as
well
46
Where do you work?
In a military environment or in a bank…
… we have the same principles in risk management!
Let’s have a look at some Information Warfare slides…
… all the principles apply in a corporate environment as
well
© International Association of Risk and Compliance Professionals (IARCP)
47
47
© International Association of Risk and Compliance Professionals (IARCP)
48
48
© International Association of Risk and Compliance Professionals (IARCP)
49
49
© International Association of Risk and Compliance Professionals (IARCP)
50
50
© International Association of Risk and Compliance Professionals (IARCP)
51
51
© International Association of Risk and Compliance Professionals (IARCP)
52
Australia/New Zealand Standard 4360
Since 1992
Three major elements:
1. The risk management workflow
2. Monitoring and review
3. Communication and consult
52
Australia/New Zealand Standard 4360
Since 1992
Three major elements:
1. The risk management workflow
2. Monitoring and review
3. Communication and consult
© International Association of Risk and Compliance Professionals (IARCP)
53
Australia/New Zealand Standard 4360
53
Australia/New Zealand Standard 4360
© International Association of Risk and Compliance Professionals (IARCP)
54
Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
54
Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
© International Association of Risk and Compliance Professionals (IARCP)
55
Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
55
Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
© International Association of Risk and Compliance Professionals (IARCP)
56
Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
56
Risk Management Guide for Information
Technology Systems
NIST Special Publication 800-30
© International Association of Risk and Compliance Professionals (IARCP)
57
Vulnerabilities…
Vulnerability:
A flaw or weaknessin system security procedures,
design, implementation, or internal controlsthat…
… could be exercised (accidentally triggered or
intentionally exploited)…
… and result in a security breachor a violation of the
system’s security policy
57
Vulnerabilities…
Vulnerability:
A flaw or weaknessin system security procedures,
design, implementation, or internal controlsthat…
… could be exercised (accidentally triggered or
intentionally exploited)…
… and result in a security breachor a violation of the
system’s security policy
© International Association of Risk and Compliance Professionals (IARCP)
58
Threats and Vulnerabilities
58
Threats and Vulnerabilities
© International Association of Risk and Compliance Professionals (IARCP)
59
Risk Mitigation Methodology
Flowchart
59
Risk Mitigation Methodology
Flowchart
© International Association of Risk and Compliance Professionals (IARCP)
60
Risk Mitigation Methodology
Flowchart
60
Risk Mitigation Methodology
Flowchart
© International Association of Risk and Compliance Professionals (IARCP)
61
Risk Mitigation Methodology
Flowchart
61
Risk Mitigation Methodology
Flowchart
© International Association of Risk and Compliance Professionals (IARCP)
62
Example: Government of Canada,
Communications Security Establishment
62
Example: Government of Canada,
Communications Security Establishment
© International Association of Risk and Compliance Professionals (IARCP)
63
Outsourcing and Risk Management
“Management remains responsible”
Sarbanes-OxleyAct, Section 404:
“Management remains responsible” for service providers
This responsibility cannot be delegatedto the service
provider
Basel ii,Outsourcing in Financial Services:
“Management remains responsible”
The Committee of European Banking Supervisors
(CEBS) –“Guidelines on Outsourcing”
“Management remains responsible”
63
Outsourcing and Risk Management
“Management remains responsible”
Sarbanes-OxleyAct, Section 404:
“Management remains responsible” for service providers
This responsibility cannot be delegatedto the service
provider
Basel ii,Outsourcing in Financial Services:
“Management remains responsible”
The Committee of European Banking Supervisors
(CEBS) –“Guidelines on Outsourcing”
“Management remains responsible”
© International Association of Risk and Compliance Professionals (IARCP)
64
Outsourcing
and Risk Management
USA -The Board of Governors of the Federal Reserve
System -“Outsourcing of Information and Transaction
Processing”
“Ensure that controls over outsourced informationand
transaction processing activities…
… are equivalentto those that would beimplemented…
… if the activity were conducted internally”
64
Outsourcing
and Risk Management
USA -The Board of Governors of the Federal Reserve
System -“Outsourcing of Information and Transaction
Processing”
“Ensure that controls over outsourced informationand
transaction processing activities…
… are equivalentto those that would beimplemented…
… if the activity were conducted internally”
© International Association of Risk and Compliance Professionals (IARCP)
65
Good Corporate Governance and Risk
Management is veryimportant
A good Risk Management Program is important for:
1. The company’s credit rating
Credit rating agencies believe that a good Risk
Management Program is very important for the credit
rating of firms
2. The company’s reputation
3. The company’s cost of capital
65
Good Corporate Governance and Risk
Management is veryimportant
A good Risk Management Program is important for:
1. The company’s credit rating
Credit rating agencies believe that a good Risk
Management Program is very important for the credit
rating of firms
2. The company’s reputation
3. The company’s cost of capital
© International Association of Risk and Compliance Professionals (IARCP)
66
Good Corporate Governance and Risk
Management is veryimportant
4. Audit firm resignations and refusals
5. The company’s share price
6. The likelihood that external auditor’s opinionon
financial statements is wrong
66
Good Corporate Governance and Risk
Management is veryimportant
4. Audit firm resignations and refusals
5. The company’s share price
6. The likelihood that external auditor’s opinionon
financial statements is wrong
© International Association of Risk and Compliance Professionals (IARCP)
67
Good Corporate Governance and Risk
Management is veryimportant
After the risk management failures in 2007-2008…
… good risk management is a source of***value
creation***
Risk management MUST be linkedto the overall
objective of value maximization
We must communicatewhat we do to all stakeholder
groups
This dimension is often unknown to employees
67
Good Corporate Governance and Risk
Management is veryimportant
After the risk management failures in 2007-2008…
… good risk management is a source of***value
creation***
Risk management MUST be linkedto the overall
objective of value maximization
We must communicatewhat we do to all stakeholder
groups
This dimension is often unknown to employees
© International Association of Risk and Compliance Professionals (IARCP)
68
Good Corporate Governance and Risk
Management is veryimportant
In the past, the capital markets *were*only interested in
the share price…
… and did not pay much attentionto corporate
governance and risk management
Todaygood corporate governance practice is now
strongly tiedto investment decisions and corporate value
68
Good Corporate Governance and Risk
Management is veryimportant
In the past, the capital markets *were*only interested in
the share price…
… and did not pay much attentionto corporate
governance and risk management
Todaygood corporate governance practice is now
strongly tiedto investment decisions and corporate value
© International Association of Risk and Compliance Professionals (IARCP)
69
Internal controls, Governance, Risk,
Compliance -Compliance
Acting in accordance with laws and regulations
Lawsare enacted by legislative bodies…
… while regulationsare created by government agencies
One of the major risks:No compliance!
Compliance with externallaws…
… and internalpolicies and procedures
Standards and best practicesdo NOT have the force of
law
69
Internal controls, Governance, Risk,
Compliance -Compliance
Acting in accordance with laws and regulations
Lawsare enacted by legislative bodies…
… while regulationsare created by government agencies
One of the major risks:No compliance!
Compliance with externallaws…
… and internalpolicies and procedures
Standards and best practicesdo NOT have the force of
law
© International Association of Risk and Compliance Professionals (IARCP)
70
Enterprise widerisk and compliance
program
One solution for one problem
Best Practices
More cost effective
Auditors understandhow we manage risks
The board understands
Easier testing and documentation
70
Enterprise widerisk and compliance
program
One solution for one problem
Best Practices
More cost effective
Auditors understandhow we manage risks
The board understands
Easier testing and documentation
© International Association of Risk and Compliance Professionals (IARCP)
71
Enterprise widerisk and compliance
program
According to Susan Schmidt Bies (member of the Board
of Governors of the Federal Reserve System):
“An enterprise-wideapproach can integrate the risk
assessment of functions that have traditionally been
managed in silos
A culture of complianceshould establish-from the top of
the organization -the proper ethical tone that will govern
the conduct of business”
71
Enterprise widerisk and compliance
program
According to Susan Schmidt Bies (member of the Board
of Governors of the Federal Reserve System):
“An enterprise-wideapproach can integrate the risk
assessment of functions that have traditionally been
managed in silos
A culture of complianceshould establish-from the top of
the organization -the proper ethical tone that will govern
the conduct of business”
Policies, Procedures, Baselines,
Guidelines, Ethics
Guidelines, Ethics
© International Association of Risk and Compliance Professionals (IARCP)
73
73
© International Association of Risk and Compliance Professionals (IARCP)
74
Policies
Policies are considered the highest levelof
documentation
Standards, Guidelines and Proceduresare derivedfrom
policies
Acknowledgment of importanceof resources
74
Policies
Policies are considered the highest levelof
documentation
Standards, Guidelines and Proceduresare derivedfrom
policies
Acknowledgment of importanceof resources
© International Association of Risk and Compliance Professionals (IARCP)
75
Policies
High lever principles
Without well structured policiesan organisation will be
unstructured…
… unfocussed…
… and probably operationally and financially ineffective
75
Policies
High lever principles
Without well structured policiesan organisation will be
unstructured…
… unfocussed…
… and probably operationally and financially ineffective
© International Association of Risk and Compliance Professionals (IARCP)
76
Policy -Example:
“We respect privacy”
76
Policy -Example:
“We respect privacy”
© International Association of Risk and Compliance Professionals (IARCP)
77
Privacy and Information Security
From Privacy vs. Information Security…
… to Information Security to comply with Privacyrules
A legal obligation…
… a risk of no compliance
High level policies…
…in line with functional policies (procedures)
77
Privacy and Information Security
From Privacy vs. Information Security…
… to Information Security to comply with Privacyrules
A legal obligation…
… a risk of no compliance
High level policies…
…in line with functional policies (procedures)
© International Association of Risk and Compliance Professionals (IARCP)
78
Procedures and Standards
These contain the actual detailof the policy
Describe howthe policies should be implemented
Procedures:Detail the stepsrequired to implement the
policy
Sometimes called “practices”
Standards:Specify use of technology in a uniform way
and should be made compulsory
78
Procedures and Standards
These contain the actual detailof the policy
Describe howthe policies should be implemented
Procedures:Detail the stepsrequired to implement the
policy
Sometimes called “practices”
Standards:Specify use of technology in a uniform way
and should be made compulsory
© International Association of Risk and Compliance Professionals (IARCP)
79
Baselines and Guidelines
Baselines:Baselines are similar to standards,
standards can be developed after the baseline is
established
Sensitivity level, current / normal situation
Guidelines:Similar to standards but not compulsory,
more flexible
79
Baselines and Guidelines
Baselines:Baselines are similar to standards,
standards can be developed after the baseline is
established
Sensitivity level, current / normal situation
Guidelines:Similar to standards but not compulsory,
more flexible
© International Association of Risk and Compliance Professionals (IARCP)
80
“Regulatory” Policies
The company is requiredto implement policies to
complywith legal or regulatory requirements
Usually very detailed and specificto the industry of
the organization
A well written policy can provide protection from
liability
80
“Regulatory” Policies
The company is requiredto implement policies to
complywith legal or regulatory requirements
Usually very detailed and specificto the industry of
the organization
A well written policy can provide protection from
liability
© International Association of Risk and Compliance Professionals (IARCP)
81
Ethics
Code of Ethics -Soft law
Not legal…ornot ethical?
An organization's beliefs and culture
Proceduresto be used in specific situationssuch as
conflicts of interest or the acceptance of gifts
Theeffectivenessof the code of ethics depends on…
… the extent to which it has the supportof the
management…
… with sanctions and rewards
81
Ethics
Code of Ethics -Soft law
Not legal…ornot ethical?
An organization's beliefs and culture
Proceduresto be used in specific situationssuch as
conflicts of interest or the acceptance of gifts
Theeffectivenessof the code of ethics depends on…
… the extent to which it has the supportof the
management…
… with sanctions and rewards
© International Association of Risk and Compliance Professionals (IARCP)
82
Ethics
Code of Ethics -Example
“Respect:We treat others as we would like to be treated
ourselves. Ruthlessness, callousness and arrogance don't
belong here”
“Integrity:We work with customers and prospects
openly, honestly and sincerely. When we say we will do
something, we will do it”
“Communication:We believe that information is meant
to move and that information moves people”
(From Enron’s Code of Ethics)
82
Ethics
Code of Ethics -Example
“Respect:We treat others as we would like to be treated
ourselves. Ruthlessness, callousness and arrogance don't
belong here”
“Integrity:We work with customers and prospects
openly, honestly and sincerely. When we say we will do
something, we will do it”
“Communication:We believe that information is meant
to move and that information moves people”
(From Enron’s Code of Ethics)
© International Association of Risk and Compliance Professionals (IARCP)
83
A great firm now: Merck, a global research-
driven pharmaceutical company
“Accountability:Eachof us is responsible for adhering to
the values and standardsset forth in this Code…
… and for raising questionsif we are uncertain as to
whether or not the standards are being met
Violationsof the Code may result in a variety of
corrective actionsand…
… in some cases, may result in disciplinary action up to
and including termination of employment”
83
A great firm now: Merck, a global research-
driven pharmaceutical company
“Accountability:Eachof us is responsible for adhering to
the values and standardsset forth in this Code…
… and for raising questionsif we are uncertain as to
whether or not the standards are being met
Violationsof the Code may result in a variety of
corrective actionsand…
… in some cases, may result in disciplinary action up to
and including termination of employment”
© International Association of Risk and Compliance Professionals (IARCP)
84
A great firm now: Merck, a global research-
driven pharmaceutical company
www.merck.com/about/conduct.html
The code includes:
Relationshipswith Our Customers
Relationshipswith Fellow Employees
Relationshipswith Shareholders
Relationshipswith Suppliers
Relationshipswith Our Communities and Society
Compliancewith Laws, Rules and Regulations
Raising Concerns
84
A great firm now: Merck, a global research-
driven pharmaceutical company
www.merck.com/about/conduct.html
The code includes:
Relationshipswith Our Customers
Relationshipswith Fellow Employees
Relationshipswith Shareholders
Relationshipswith Suppliers
Relationshipswith Our Communities and Society
Compliancewith Laws, Rules and Regulations
Raising Concerns
© International Association of Risk and Compliance Professionals (IARCP)
85
Conflicts of Interest and Ethics
A natural or legal person...
... has a *private*interest that could influence the
objective exercise of his or her official duties
“An interest”-a financialinterest, or a special advantage
that comes into conflict with a duty
For him or his family and friends
85
Conflicts of Interest and Ethics
A natural or legal person...
... has a *private*interest that could influence the
objective exercise of his or her official duties
“An interest”-a financialinterest, or a special advantage
that comes into conflict with a duty
For him or his family and friends
© International Association of Risk and Compliance Professionals (IARCP)
86
Conflicts of Interest and Ethics
Examples
A. Self Review
B. The CEO of a private consulting companyworks for
the government...
... and uses his official position to secure a contractfor
the private firm
C. Using confidential information
86
Conflicts of Interest and Ethics
Examples
A. Self Review
B. The CEO of a private consulting companyworks for
the government...
... and uses his official position to secure a contractfor
the private firm
C. Using confidential information
© International Association of Risk and Compliance Professionals (IARCP)
87
87
Risk and Compliance
Key Roles
Key Roles
© International Association of Risk and Compliance Professionals (IARCP)
89
Risk and Compliance
Key Roles -Senior management
Senior management
They must understandthe risks…
…provide the resources needed …
… and “ensure”that the firm can accomplish its
objectives
Reasonable assurance
89
Risk and Compliance
Key Roles -Senior management
Senior management
They must understandthe risks…
…provide the resources needed …
… and “ensure”that the firm can accomplish its
objectives
Reasonable assurance
© International Association of Risk and Compliance Professionals (IARCP)
90
Risk and Compliance
Key Roles -Risk Officer
The Role of the Risk Officer
There is no definition...and where there is one, it is far
from uniform
But there is something that you need to know: The role
of the risk officer becomes more important year after year
All companies try to understand risksand spend much
money to manage risks
Risk officers play an important role in implementing
enterprise risk management
90
Risk and Compliance
Key Roles -Risk Officer
The Role of the Risk Officer
There is no definition...and where there is one, it is far
from uniform
But there is something that you need to know: The role
of the risk officer becomes more important year after year
All companies try to understand risksand spend much
money to manage risks
Risk officers play an important role in implementing
enterprise risk management
© International Association of Risk and Compliance Professionals (IARCP)
91
Risk and Compliance
Key Roles -Risk Officer
Risk officers have one additional obligation: To
explain…
… risks and countermeasures…
… to owners…
… auditors…
… senior management…
… and the board of directors
91
Risk and Compliance
Key Roles -Risk Officer
Risk officers have one additional obligation: To
explain…
… risks and countermeasures…
… to owners…
… auditors…
… senior management…
… and the board of directors
© International Association of Risk and Compliance Professionals (IARCP)
92
Risk and Compliance
Key Roles –Chief Risk Officer
The Role of the Chief Risk Officer
The Chief Risk Officer's job is to ensure that the
organization is in full compliancewith applicable laws
and regulations
He must coordinatethe company's risk management
efforts…
… explainrisks and controls to senior management and
the board…
… and make recommendations
92
Risk and Compliance
Key Roles –Chief Risk Officer
The Role of the Chief Risk Officer
The Chief Risk Officer's job is to ensure that the
organization is in full compliancewith applicable laws
and regulations
He must coordinatethe company's risk management
efforts…
… explainrisks and controls to senior management and
the board…
… and make recommendations
© International Association of Risk and Compliance Professionals (IARCP)
93
Risk and Compliance
Key Roles –Chief Risk Officer
The Chief Risk Officer is rapidly becomingone of the 3-5
most important membersof the management team
We read some important paragraphs from a report from
the Economist Intelligence UnitSponsored by: ACE,
Cisco Systems, Deutsche Bank and IBM
“For a corporate post with only a decade of history, the
chief risk officer (CRO) attracts a lot of attention”
93
Risk and Compliance
Key Roles –Chief Risk Officer
The Chief Risk Officer is rapidly becomingone of the 3-5
most important membersof the management team
We read some important paragraphs from a report from
the Economist Intelligence UnitSponsored by: ACE,
Cisco Systems, Deutsche Bank and IBM
“For a corporate post with only a decade of history, the
chief risk officer (CRO) attracts a lot of attention”
© International Association of Risk and Compliance Professionals (IARCP)
94
Risk and Compliance
Key Roles –Chief Risk Officer
“CROs have consolidated their position in the financial
sector, where they began…
… and are increasingly to be found in other industries”
“As companies seek to respond to increased regulatory
pressuresand a growing array of business risks…
… the CRO is emergingas one of the most important
positions in the management team”
94
Risk and Compliance
Key Roles –Chief Risk Officer
“CROs have consolidated their position in the financial
sector, where they began…
… and are increasingly to be found in other industries”
“As companies seek to respond to increased regulatory
pressuresand a growing array of business risks…
… the CRO is emergingas one of the most important
positions in the management team”
© International Association of Risk and Compliance Professionals (IARCP)
95
Risk and Compliance
Key Roles –Chief Risk Officer
“Regulatory complianceis the top priorityfor risk
management”
“Regulatory riskranks as one of the top two threats to
global business”
Regulatory complianceis the CRO’s primary
responsibility”
[Business continuity is also a top priority]
95
Risk and Compliance
Key Roles –Chief Risk Officer
“Regulatory complianceis the top priorityfor risk
management”
“Regulatory riskranks as one of the top two threats to
global business”
Regulatory complianceis the CRO’s primary
responsibility”
[Business continuity is also a top priority]
© International Association of Risk and Compliance Professionals (IARCP)
96
Case Study: Credit Suisse
96
Case Study: Credit Suisse
© International Association of Risk and Compliance Professionals (IARCP)
97
Case Study: Credit Suisse
97
Case Study: Credit Suisse
© International Association of Risk and Compliance Professionals (IARCP)
98
Risk and Compliance
Key Roles –Chief Compliance Officer
The Role of the Chief Compliance Officer
According to Commissioner Cynthia A. Glassman, U.S.
Securities and Exchange Commission…
“While the CEO cannot delegatehis or her ultimate
responsibility…
… a company should have an officerwith ownership of
corporate compliance and ethicsissues… …
… and of what Title III of Sarbanes-Oxley broadly refers
to as ***Corporate Responsibility***”…
98
Risk and Compliance
Key Roles –Chief Compliance Officer
The Role of the Chief Compliance Officer
According to Commissioner Cynthia A. Glassman, U.S.
Securities and Exchange Commission…
“While the CEO cannot delegatehis or her ultimate
responsibility…
… a company should have an officerwith ownership of
corporate compliance and ethicsissues… …
… and of what Title III of Sarbanes-Oxley broadly refers
to as ***Corporate Responsibility***”…
© International Association of Risk and Compliance Professionals (IARCP)
99
Risk and Compliance
Key Roles –Chief Compliance Officer
“While every company must assess its particular needs
based on the size and nature of its business…
… there are several characteristicsthat I would want the
corporate responsibility officerto have…
… if I were relying on this person:”
“He or she should have sufficient seniority and authority
to take the actions necessary under the circumstances”
“Ask yourself if this person would be able to address the
worst-case scenario”
99
Risk and Compliance
Key Roles –Chief Compliance Officer
“While every company must assess its particular needs
based on the size and nature of its business…
… there are several characteristicsthat I would want the
corporate responsibility officerto have…
… if I were relying on this person:”
“He or she should have sufficient seniority and authority
to take the actions necessary under the circumstances”
“Ask yourself if this person would be able to address the
worst-case scenario”
© International Association of Risk and Compliance Professionals (IARCP)
100
Risk and Compliance
Key Roles –Chief Compliance Officer
“The position should have the full support of the CEO
and senior management,both in theory and in practice
The corporate responsibility officershould *have access*
and provide regular reports to senior management”
“He or she can play an important role in helping a
company meet the ***information gathering and
reporting requirements***
100
Risk and Compliance
Key Roles –Chief Compliance Officer
“The position should have the full support of the CEO
and senior management,both in theory and in practice
The corporate responsibility officershould *have access*
and provide regular reports to senior management”
“He or she can play an important role in helping a
company meet the ***information gathering and
reporting requirements***
© International Association of Risk and Compliance Professionals (IARCP)
101
Risk and Compliance
Key Roles –Chief Compliance Officer
“The corporate responsibility officer should have the
ability to report directly to the board(for example, to the
audit committee chairman)…
… on matters of significant import to the company or
matters involving misconduct by senior management”
In addition, the responsible officer should have
sufficient timeand adequate resourcesto implement the
company's ***corporate responsibility program***in an
effective manner
101
Risk and Compliance
Key Roles –Chief Compliance Officer
“The corporate responsibility officer should have the
ability to report directly to the board(for example, to the
audit committee chairman)…
… on matters of significant import to the company or
matters involving misconduct by senior management”
In addition, the responsible officer should have
sufficient timeand adequate resourcesto implement the
company's ***corporate responsibility program***in an
effective manner
© International Association of Risk and Compliance Professionals (IARCP)
102
102
© International Association of Risk and Compliance Professionals (IARCP)
103
103
© International Association of Risk and Compliance Professionals (IARCP)
104
Risk and Compliance
Key Roles -Owners
Data owners
Understand, Give permissions
Process and system owners
Need to “ensure” (reasonable assurance)that the risks are
identified and managed…
… and appropriate controlsare deployed
104
Risk and Compliance
Key Roles -Owners
Data owners
Understand, Give permissions
Process and system owners
Need to “ensure” (reasonable assurance)that the risks are
identified and managed…
… and appropriate controlsare deployed
© International Association of Risk and Compliance Professionals (IARCP)
105
Key Roles
The role of the internal auditors
According to the Institute of Internal Auditors (IIA)…
…Internal Auditing is an independent, objective
assuranceand consultingactivity…
… designed to add valueand…
… improvean organization's operations
It helps an organization accomplish its objectivesby
bringing a systematic, disciplined approach…
… to evaluate and improvethe effectiveness of risk
management, control, and governance processes
105
Key Roles
The role of the internal auditors
According to the Institute of Internal Auditors (IIA)…
…Internal Auditing is an independent, objective
assuranceand consultingactivity…
… designed to add valueand…
… improvean organization's operations
It helps an organization accomplish its objectivesby
bringing a systematic, disciplined approach…
… to evaluate and improvethe effectiveness of risk
management, control, and governance processes
© International Association of Risk and Compliance Professionals (IARCP)
106
Key Roles
The role of the internal auditors
The internal auditactivity evaluates risk exposures
relating to the organization's governance, operations and
information systems, in relation to:
Effectiveness and efficiency of operations
Reliability and integrity of financial and operational
information
Safeguardingof assets
Compliance with laws, regulations, and contracts
106
Key Roles
The role of the internal auditors
The internal auditactivity evaluates risk exposures
relating to the organization's governance, operations and
information systems, in relation to:
Effectiveness and efficiency of operations
Reliability and integrity of financial and operational
information
Safeguardingof assets
Compliance with laws, regulations, and contracts
© International Association of Risk and Compliance Professionals (IARCP)
107
Key Roles
The role of the internal auditors
While management is responsiblefor internal controls…
… the internal auditactivity provides ***assurance***to
management and the audit committeethat …
…internal controls are effective and…
… working as intended
107
Key Roles
The role of the internal auditors
While management is responsiblefor internal controls…
… the internal auditactivity provides ***assurance***to
management and the audit committeethat …
…internal controls are effective and…
… working as intended
© International Association of Risk and Compliance Professionals (IARCP)
108
The role of the internal auditors
Continuous Auditing
“Continuous Auditing”
An evolving regulatory environment…
… increased globalization of businesses…
… market pressure to improve operations…
… and rapidly changing business conditions…
… are creating the need for more timely and ongoing
assurancethat controls are working effectively and risk is
being mitigated
Continuous auditing changes the auditparadigm *from
periodic reviews* of a sample of transactions to
**ongoing** audit testing of 100 percent of transactions
108
The role of the internal auditors
Continuous Auditing
“Continuous Auditing”
An evolving regulatory environment…
… increased globalization of businesses…
… market pressure to improve operations…
… and rapidly changing business conditions…
… are creating the need for more timely and ongoing
assurancethat controls are working effectively and risk is
being mitigated
Continuous auditing changes the auditparadigm *from
periodic reviews* of a sample of transactions to
**ongoing** audit testing of 100 percent of transactions
© International Association of Risk and Compliance Professionals (IARCP)
109
Key Roles
The role of the externalauditors
They provide independent assurance to the society
The role of the external auditor is similarto the role of
the supervisors and regulators
*The regulators*safeguard stabilityand investor
interests
*The external auditors*work for the private interests of
the shareholdersof a company
External auditors and supervisorscooperate
109
Key Roles
The role of the externalauditors
They provide independent assurance to the society
The role of the external auditor is similarto the role of
the supervisors and regulators
*The regulators*safeguard stabilityand investor
interests
*The external auditors*work for the private interests of
the shareholdersof a company
External auditors and supervisorscooperate
© International Association of Risk and Compliance Professionals (IARCP)
110
Key Roles
The role of the externalauditors
Professional Standards-independence, objectivity and
integrity
Conflicts of Interest
Non-audit services
110
Key Roles
The role of the externalauditors
Professional Standards-independence, objectivity and
integrity
Conflicts of Interest
Non-audit services
© International Association of Risk and Compliance Professionals (IARCP)
111
Key Roles
The role of the Board of Directors
A. Directors must learn and keep up to date
The industry’s best practicesin risk management
B. Directors must ensure that the *management and key
employees* and process ownersalso learn and keep up to
date
Is staff qualified,with the necessary experience and
technical capabilities?
Who knowsthe policies, the procedures and the tasks?
There is enoughinformation –is there also enough
communication?
111
Key Roles
The role of the Board of Directors
A. Directors must learn and keep up to date
The industry’s best practicesin risk management
B. Directors must ensure that the *management and key
employees* and process ownersalso learn and keep up to
date
Is staff qualified,with the necessary experience and
technical capabilities?
Who knowsthe policies, the procedures and the tasks?
There is enoughinformation –is there also enough
communication?
© International Association of Risk and Compliance Professionals (IARCP)
112
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
1. The risk management framework
2. Senior management’s guidance and direction
regarding the principlesunderlying the framework
112
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
1. The risk management framework
2. Senior management’s guidance and direction
regarding the principlesunderlying the framework
© International Association of Risk and Compliance Professionals (IARCP)
113
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
3. Policiesdeveloped by senior management -to identify,
assess, monitor, controlling and mitigate risks
Policies for the treatment of non-compliance. No
tolerance, no temptations
4. Key processesto manage risks
5. Clear linesof management responsibility,
accountability and reporting for risks
113
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
3. Policiesdeveloped by senior management -to identify,
assess, monitor, controlling and mitigate risks
Policies for the treatment of non-compliance. No
tolerance, no temptations
4. Key processesto manage risks
5. Clear linesof management responsibility,
accountability and reporting for risks
© International Association of Risk and Compliance Professionals (IARCP)
114
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
6. Separationof duties and responsibilities –conflict of
interest issues
7. The risk appetiteand tolerancefor risks
8. The risk transferredoutside the organization
114
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
6. Separationof duties and responsibilities –conflict of
interest issues
7. The risk appetiteand tolerancefor risks
8. The risk transferredoutside the organization
© International Association of Risk and Compliance Professionals (IARCP)
115
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
9. High Impact / Low Frequencyevents and the strategy
to identify and managethese risks
10. Early warningindicators
11. Measurement methodologies-Quantificationof
exposure to risks, not only qualitativeapproaches
115
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
9. High Impact / Low Frequencyevents and the strategy
to identify and managethese risks
10. Early warningindicators
11. Measurement methodologies-Quantificationof
exposure to risks, not only qualitativeapproaches
© International Association of Risk and Compliance Professionals (IARCP)
116
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
12. Self assessments
Is it an enterprise wideprocess?
Can it be used for accountability?
Who learnsthe issues?
Can it be used in risk identificationas well as
mitigation?
13. Assumptions
116
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
12. Self assessments
Is it an enterprise wideprocess?
Can it be used for accountability?
Who learnsthe issues?
Can it be used in risk identificationas well as
mitigation?
13. Assumptions
© International Association of Risk and Compliance Professionals (IARCP)
117
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
14. The risks associated with outsourcingactivities
Is there oversight of third-partyactivities?
Is there a clear allocationof responsibilitiesand clear
expectations between external service providers and the
organization?
117
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
14. The risks associated with outsourcingactivities
Is there oversight of third-partyactivities?
Is there a clear allocationof responsibilitiesand clear
expectations between external service providers and the
organization?
© International Association of Risk and Compliance Professionals (IARCP)
118
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
Is there an assessment of the materialityof outsourcing
arrangements?
Does the organization exercise initial due diligence?
Is the organization monitoring and testingthird-party
activities on a regular basis?
118
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
Is there an assessment of the materialityof outsourcing
arrangements?
Does the organization exercise initial due diligence?
Is the organization monitoring and testingthird-party
activities on a regular basis?
© International Association of Risk and Compliance Professionals (IARCP)
119
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
15. Contingency plans
Business Impact Analysis, Disaster Recovery and
Business Continuity Plans
Has the organization identified critical business
processes,including dependence on external vendors or
third parties?
119
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
15. Contingency plans
Business Impact Analysis, Disaster Recovery and
Business Continuity Plans
Has the organization identified critical business
processes,including dependence on external vendors or
third parties?
© International Association of Risk and Compliance Professionals (IARCP)
120
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
Are the alternatefacilities / hot sites an adequate distance
awayfrom the primary operations?
Is there a periodic reviewof these plans?
Is there trainingand testing?
Are there clear descriptions of roles and responsibilities?
120
Key Roles
The role of the Board of Directors
C. Directors must understand and approve
Are the alternatefacilities / hot sites an adequate distance
awayfrom the primary operations?
Is there a periodic reviewof these plans?
Is there trainingand testing?
Are there clear descriptions of roles and responsibilities?
© International Association of Risk and Compliance Professionals (IARCP)
121
Key Roles
The role of the Board of Directors
D. Directors must establish
A management structure…
…capableof implementing the firm's risk management
framework
121
Key Roles
The role of the Board of Directors
D. Directors must establish
A management structure…
…capableof implementing the firm's risk management
framework
© International Association of Risk and Compliance Professionals (IARCP)
122
Key Roles
The role of the Board of Directors
E. Directors must ensure that
The risk is managed after external and internal *changes*
or new products, activities and systems
The risk management system is well documented
They do their best to establish a strong internal control
culturein which control activitiesare an integral part of
the activities of a bank
122
Key Roles
The role of the Board of Directors
E. Directors must ensure that
The risk is managed after external and internal *changes*
or new products, activities and systems
The risk management system is well documented
They do their best to establish a strong internal control
culturein which control activitiesare an integral part of
the activities of a bank
© International Association of Risk and Compliance Professionals (IARCP)
123
Key Roles
The role of the Board of Directors
E. Directors must ensure that
The risk management framework is implemented
consistentlyacross the whole bank
They learnabout material losses
There is adequate and meaningful reporting
123
Key Roles
The role of the Board of Directors
E. Directors must ensure that
The risk management framework is implemented
consistentlyacross the whole bank
They learnabout material losses
There is adequate and meaningful reporting
© International Association of Risk and Compliance Professionals (IARCP)
124
Key Roles
The role of the Board of Directors
E. Directors must ensure that
Understand and meetthe auditors, internal function and
staff responsibleformonitoringcompliance
There is adequate internal auditcoverage to verify
effective implementation of policies and procedures
There is a clear audit plan and scopewith respect to
operational risk management
The internal audit functiondoes nothave operational
risk management responsibilities
124
Key Roles
The role of the Board of Directors
E. Directors must ensure that
Understand and meetthe auditors, internal function and
staff responsibleformonitoringcompliance
There is adequate internal auditcoverage to verify
effective implementation of policies and procedures
There is a clear audit plan and scopewith respect to
operational risk management
The internal audit functiondoes nothave operational
risk management responsibilities
© International Association of Risk and Compliance Professionals (IARCP)
125
Director’s responsibilities include
Duty of care
To exercise the carethat an ordinarily prudent personin
a like position would use under similar circumstances
What does a prudent directordo?
1. Learns-all material information reasonably available
before making a business decision
There is “good faith”only in case of an informed
business decision
2. Considers alternatives
125
Director’s responsibilities include
Duty of care
To exercise the carethat an ordinarily prudent personin
a like position would use under similar circumstances
What does a prudent directordo?
1. Learns-all material information reasonably available
before making a business decision
There is “good faith”only in case of an informed
business decision
2. Considers alternatives
© International Association of Risk and Compliance Professionals (IARCP)
126
Director’s responsibilities include
Duty of care
3. Attends meetingsof the board and of the committees
4. Asks questions
5. Tries to preventand detectillegal conduct
6. Exercises oversight
126
Director’s responsibilities include
Duty of care
3. Attends meetingsof the board and of the committees
4. Asks questions
5. Tries to preventand detectillegal conduct
6. Exercises oversight
© International Association of Risk and Compliance Professionals (IARCP)
127
Director’s responsibilities include
Duty of loyalty
What does a prudent directordo?
Acts in good faith-in a manner he / she reasonably
believes to be in the best interests of the corporation
127
Director’s responsibilities include
Duty of loyalty
What does a prudent directordo?
Acts in good faith-in a manner he / she reasonably
believes to be in the best interests of the corporation
© International Association of Risk and Compliance Professionals (IARCP)
128
Director’s responsibilities include
Proves that he acts in good faith-is alert to any interest
he or she may have that might be consideredto conflict
with the best interests of the corporation
Disclosesfully and carefully financial or personal
intereststo which the corporation is a party
For example, contracts where he / she had a financial or
other personal interest
128
Director’s responsibilities include
Proves that he acts in good faith-is alert to any interest
he or she may have that might be consideredto conflict
with the best interests of the corporation
Disclosesfully and carefully financial or personal
intereststo which the corporation is a party
For example, contracts where he / she had a financial or
other personal interest
© International Association of Risk and Compliance Professionals (IARCP)
129
Director’s responsibilities include
Duty of loyalty
What does a prudent directordo?
Keeps confidentialall matters involving the corporation
that have not been disclosed to the general public…
… Directors are not authorized spokespersonsfor the
corporation
129
Director’s responsibilities include
Duty of loyalty
What does a prudent directordo?
Keeps confidentialall matters involving the corporation
that have not been disclosed to the general public…
… Directors are not authorized spokespersonsfor the
corporation
© International Association of Risk and Compliance Professionals (IARCP)
130
To continue with Part B of the course:
Become a Certified Risk and Compliance
Management Professional (CRCMP) you can visit:
www.risk-compliance-
association.com/Distance_Learning_and_Certification.htm
130
To continue with Part B of the course:
Become a Certified Risk and Compliance
Management Professional (CRCMP) you can visit:
www.risk-compliance-
association.com/Distance_Learning_and_Certification.htm
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 15,841
- Slides 130
- Favorites 27
- Age 5018 days
Related Slideshows
1
DTI BPI Pivot Small Business - BUSINESS START UP PLAN
MeljunCortes
34 views
1
CATHOLIC EDUCATIONAL Corporate Responsibilities
MeljunCortes
36 views
11
Karin Schaupp – Evocation; lançamento: 2000
alfeuRIO
34 views
10
Pillars of Biblical Oneness in the Book of Acts
JanParon
30 views
31
7-10. STP + Branding and Product & Services Strategies.pptx
itsyash298
31 views
44
Business Legislation PPT - UNIT 1 jimllpkggg
slogeshk98
35 views