Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A
Click here to load reader
-
Upload
compliance-llc -
Category
Education
-
view
11.395 -
download
30
Transcript of Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A
Certified Risk and Compliance Management Professional
(CRCMP) Prep Course – Part A
International Association of Risk and Compliance Professionals (IARCP)
© International Association of Risk and Compliance Professionals (IARCP)2
Introduction The International Association of Risk and
Compliance Professionals (IARCP) develops and maintains a compendium of risk and compliance topics
Subject matter experts review and update this body of knowledge
The IARCP offers the following risk and compliance management certification programs:
Certified Risk and Compliance Management Professional (CRCMP)
Certified Information Systems Risk and Compliance Professional (CISRCP)
© International Association of Risk and Compliance Professionals (IARCP)3
Introduction Certified Risk and Compliance Management
Professional (CRCMP) www.risk-compliance-association.com/
Distance_Learning_and_Certification.htm Certified Information Systems Risk and
Compliance Professional (CISRCP) www.risk-compliance-association.com/
CISRCP_Distance_Learning_and_Certification.htm
© International Association of Risk and Compliance Professionals (IARCP)4
Introduction The exam is online. To find more: www.risk-compliance-association.com/
Questions_About_The_Certification_And_The_Exams_1.pdf
www.risk-compliance-association.com/CRCP_Certification_Steps_1.pdf
© International Association of Risk and Compliance Professionals (IARCP)5
Introduction Instead of just training, you can have more 1. Training 2. Certification - If you pass the exam, you
will be entitled to use the designation: Certified Risk and Compliance Management Professional (CRCMP)
3. Updates - Become (at no extra cost) a member of the IARCP to stay current with new developments in risk and compliance management
You will continue to learn, month after month
© International Association of Risk and Compliance Professionals (IARCP)6
Agenda PART A: COMPLIANCE WITH LAWS AND
REGULATIONS, AND RISK MANAGEMENT Introduction Regulatory Compliance and Risk Management
- Definitions, roles and responsibilities The role of the board of directors, the
supervisors, the internal and external auditors
The new international landscape and the interaction among laws, regulations, and professional standards
© International Association of Risk and Compliance Professionals (IARCP)7
Agenda Benefits of an enterprise wide compliance
program Compliance culture: Why it is important, and
how to communicate the regulatory obligations
Policies, Workplace Ethics, Risk and Compliance
Policies, procedures and the ethical code of conduct
Privacy and information security Handling confidential information Conflicts of interest Use of organizational property
© International Association of Risk and Compliance Professionals (IARCP)8
Agenda Fair dealings with customers, vendors and
competitors Reporting ethical concerns Governance, Risk and Compliance The need for Internal Controls Understand how to identify, mitigate and
control risks effectively Approaches to risk assessment Qualitative, quantitative… stress testing Integrating risk management into corporate
governance and compliance
© International Association of Risk and Compliance Professionals (IARCP)9
Agenda PART B: SARBANES OXLEY The Sarbanes Oxley Act Key Sections SEC, EDGAR, PCAOB, SAG PCAOB Auditing Standards: What we need to
know Management's Testing Management's Documentation Sections 302, 404, 906: The three
certifications Sections 302, 404, 906: Examples and case
studies
© International Association of Risk and Compliance Professionals (IARCP)10
Agenda Management's Responsibilities Committees and Teams
Control Deficiency Deficiency in Design Deficiency in Operation Significant Deficiency Material Weakness
© International Association of Risk and Compliance Professionals (IARCP)11
Agenda Companies Affected International companies Foreign Private Issuers (FPIs) Employees Affected
© International Association of Risk and Compliance Professionals (IARCP)12
Agenda PART C: BASEL II Improving risk and asset management to
avoid financial disasters "Sufficient assets" to offset risks The technical challenges for both banks and
supervisors How much capital is necessary to serve as a
sufficient buffer? The three-pillar regulatory structure Purposes of Basel II
© International Association of Risk and Compliance Professionals (IARCP)13
Agenda Pillar 1: Minimum capital requirements Credit Risk – 3 approaches The standardized approach to credit risk The two internal ratings-based (IRB)
approaches to credit risk Pillar 2: Supervisory review Key principles Pillar 3: Market discipline Disclosure requirements
© International Association of Risk and Compliance Professionals (IARCP)14
Agenda Operational Risk What is operational risk Legal risk Information Technology operational risk
Operational Risk Approaches Basic Indicator Approach (BIA) Standardized Approach (SA) Advanced Measurement Approaches (AMA)
© International Association of Risk and Compliance Professionals (IARCP)15
Agenda Basel II and other regulations
Common elements and differences of compliance projects
New standards Disclosure issues Multinational companies and compliance
challenges
© International Association of Risk and Compliance Professionals (IARCP)16
Agenda PART D: THE FRAMEWORKS Internal Controls - COSO The Control Environment Risk Assessment Control Activities Information and Communication Monitoring Effectiveness and Efficiency of Operations Reliability of Financial Reporting Compliance with applicable laws and
regulations
© International Association of Risk and Compliance Professionals (IARCP)17
Agenda IT Controls Deterrent, Preventive, Detective, Corrective,
Recovery, Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls COSO Enterprise Risk Management (ERM)
Framework Is COSO ERM needed for compliance? Internal Environment Objective Setting Event Identification
© International Association of Risk and Compliance Professionals (IARCP)18
Agenda Risk Assessment Risk Response Control Activities Information and Communication Monitoring
The two cubes Objectives: Strategic, Operations, Reporting,
Compliance
© International Association of Risk and Compliance Professionals (IARCP)19
Agenda COBIT - the framework that focuses on IT Is COBIT needed for compliance? COSO or COBIT? Management Guidelines The high-level control objectives What to do with the specific control
objectives
Maturity Models Critical Success Factors (CSFs)
© International Association of Risk and Compliance Professionals (IARCP)20
Agenda PART E: DESIGNING AND IMPLEMENTING A
RISK AND COMPLIANCE PROGRAM Designing an Internal Compliance System Compliance programs that withstand scrutiny Documentation Testing Ongoing compliance reviews and risk
assessments for continuing compliance with laws and regulations
Compliance Monitoring The company and other stakeholders
© International Association of Risk and Compliance Professionals (IARCP)21
Agenda International and national regulatory
requirements Regulatory compliance in Europe Regulatory compliance in the USA The GCC countries The Caribbean The Pacific Rim Common elements and differences of
compliance projects
Certified Risk and Compliance Management Professional
(CRCMP) Prep Course
International Association of Risk and Compliance Professionals (IARCP)
PART A: COMPLIANCE WITH LAWS AND
REGULATIONSAND RISK MANAGEMENT
International Association of Risk and Compliance Professionals
(IARCP)
© International Association of Risk and Compliance Professionals (IARCP)24
Internal controls, Governance, Risk, Compliance - Corporate governance CORPORATE GOVERNANCE Processes, systems and controls put in place
to direct and control an organisation in order to…
… increase performance and achieve shareholder value
As such, it has to do with the performance of management and the board of directors…
… the sufficiency and reliability of corporate reporting…
… risk management and internal controls
© International Association of Risk and Compliance Professionals (IARCP)25
Internal controls, Governance, Risk, Compliance - Corporate governance Governments often make decisions about
governance … … it is NOT a “best practice”
The legal and regulatory environment is of paramount importance
© International Association of Risk and Compliance Professionals (IARCP)26
Internal controls, Governance, Risk, Compliance - Corporate governance A corporation is a a separate legal entity… … and has legal *rights* and *obligations*
A corporation has the ability to hold assets separately from the assets of its stakeholders
Some legal structures have the ability to limit the liability of stakeholders
© International Association of Risk and Compliance Professionals (IARCP)27
Internal controls, Governance, Risk, Compliance - Corporate governance The interests of the stakeholders… … the owners… … the board of directors… … executive management… … managers… … data owners… … process owners… … employees… … suppliers… … regulators, supervisors… … clients and communities
© International Association of Risk and Compliance Professionals (IARCP)28
Internal controls, Governance, Risk, Compliance - Corporate governance Governance - Some common principles
Acting for the Best Interests of the Shareholders
Ethical Behavior
Professional Behavior
Culture of Risk and Compliance
© International Association of Risk and Compliance Professionals (IARCP)29
Internal controls, Governance, Risk, Compliance - Corporate governance Governance - Some common principles
Transparency and Disclosures
Tested and Documented Processes
Tested and Documented Internal Controls
© International Association of Risk and Compliance Professionals (IARCP)30
OECD Principles of CorporateGovernance - 2004 The original member countries of the OECD
are Austria, Belgium, Canada, Denmark, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States
Also members: Japan, Finland, Australia, New Zealand,
Mexico, the Czech Republic, Hungary, Poland, Korea, the Slovak Republic (14th December 2000)
© International Association of Risk and Compliance Professionals (IARCP)31
OECD Principles of CorporateGovernance - 2004 The OECD Principles of Corporate Governance
were endorsed by OECD Ministers in 1999… … when the OECD extended the boundary of
accountability to include stakeholders such as employees…
… and have since become an international benchmark for policy makers, investors, corporations and other stakeholders ***worldwide***
© International Association of Risk and Compliance Professionals (IARCP)32
OECD Principles of CorporateGovernance - 2004 They have provided specific guidance for
legislative and regulatory initiatives in both OECD and non OECD countries
The Rights of Shareholders and Key Ownership Functions
The corporate governance framework should **protect and facilitate the exercise of shareholders’ rights**
© International Association of Risk and Compliance Professionals (IARCP)33
OECD Principles of CorporateGovernance - 2004 A. Basic shareholder rights should include the
right to:
Obtain relevant and material information on the corporation on a timely and regular basis
Share in the profits of the corporation
Shareholders should have the opportunity to ask questions to the board, including…
… questions relating to the annual external audit
© International Association of Risk and Compliance Professionals (IARCP)34
Internal controls, Governance, Risk, Compliance - Risk RISK: The possibility of a loss, catastrophe, or other
undesirable outcome A potential negative impact to an asset We may accept, mitigate or avoid a risk Risk is described both qualitatively and
quantitatively
Risk is proportional to both the expected losses (impact) which may be caused by an event and to…
… the probability of this event
© International Association of Risk and Compliance Professionals (IARCP)35
Internal controls, Governance, Risk, Compliance - Risk In technical contexts, the word has several
more specialized uses and meanings Three of these are particularly important
since they are widely used across disciplines: 1. risk = an unwanted ***event*** which may
or may not occur 2. risk = the ***cause*** of an unwanted
event which may or may not occur 3. risk = the ***probability*** of an unwanted
event which may or may not occur
© International Association of Risk and Compliance Professionals (IARCP)36
Internal controls, Governance, Risk, Compliance - Risk Risk… is it good or bad?
All opportunities come with some degree of risk
Risks and opportunities go hand in hand
An efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses
© International Association of Risk and Compliance Professionals (IARCP)37
Internal controls, Governance, Risk, Compliance – Risk Management RISK MANAGEMENT Making informed business decisions
We mitigate risks only when… … they are above our risk appetite…
Risks must reach a level that is acceptable to the organization
© International Association of Risk and Compliance Professionals (IARCP)38
Internal controls, Governance, Risk, Compliance – Risk Management Risk management is an integral **part** of
good management… … and an essential **part** of good corporate
governance
Priorities… … a cost benefit analysis - the costs of
protective measures for the benefit of achieving the mission of the organisation
© International Association of Risk and Compliance Professionals (IARCP)39
Internal controls, Governance, Risk, Compliance – Risk Management The types of risks depend on… … the location… … the industry… … the business objectives of the organization
© International Association of Risk and Compliance Professionals (IARCP)40
Internal controls, Governance, Risk, Compliance - Risk Management Risks can result from factors both external
and internal to the organisation
The Risk Management process in an organization is influenced by:
1. The organization’s mission, vision and objectives
2. Products and services 3. The physical, environmental and regulatory
conditions
© International Association of Risk and Compliance Professionals (IARCP)41
Internal controls, Governance, Risk, Compliance - Risk Management Asset: A resource, product, process, or
element that an organization has determined must be protected
Threat: Any potential event that causes a detrimental impact on the organization
Vulnerability: The lack / weakness of a safeguard counter to a threat
Safeguard: A control employed to reduce the risk associated with a specific threat
© International Association of Risk and Compliance Professionals (IARCP)42
Internal controls, Governance, Risk, Compliance - Risk Management Risk management
A. Identification… … of the risks associated with each process… An organisation’s exposure to uncertainty Requires knowledge of the organisation… … the market… … the industry… … the legal, social, political and cultural
environment in which it exists
© International Association of Risk and Compliance Professionals (IARCP)43
Internal controls, Governance, Risk, Compliance - Risk Management B. Assessment… … qualitative and quantitative… … evaluating risks and risk impacts… … and recommending measures to reduce
risks
A major element - the assessment of the value of the information resources
Cost benefit analysis
© International Association of Risk and Compliance Professionals (IARCP)44
Internal controls, Governance, Risk, Compliance - Risk Management C. Management…
… (measurement, mitigation, development of countermeasures)…
… internal controls…
… implementation of the measures to reduce risks recommended in the risk assessment process
© International Association of Risk and Compliance Professionals (IARCP)45
Problems… Over Optimism
Misrepresentation - false, incorrect, improper, or incomplete statement of material facts
Alarmism - production of needless warnings
Prejudice
© International Association of Risk and Compliance Professionals (IARCP)46
Where do you work? In a military environment or in a bank… … we have the same principles in risk
management!
Let’s have a look at some Information Warfare slides…
… all the principles apply in a corporate environment as well
© International Association of Risk and Compliance Professionals (IARCP)47
© International Association of Risk and Compliance Professionals (IARCP)48
© International Association of Risk and Compliance Professionals (IARCP)49
© International Association of Risk and Compliance Professionals (IARCP)50
© International Association of Risk and Compliance Professionals (IARCP)51
© International Association of Risk and Compliance Professionals (IARCP)52
Australia/New Zealand Standard 4360 Since 1992 Three major elements:
1. The risk management workflow
2. Monitoring and review
3. Communication and consult
© International Association of Risk and Compliance Professionals (IARCP)53
Australia/New Zealand Standard 4360
© International Association of Risk and Compliance Professionals (IARCP)54
Risk Management Guide for Information Technology SystemsNIST Special Publication 800-30
© International Association of Risk and Compliance Professionals (IARCP)55
Risk Management Guide for Information Technology SystemsNIST Special Publication 800-30
© International Association of Risk and Compliance Professionals (IARCP)56
Risk Management Guide for Information Technology SystemsNIST Special Publication 800-30
© International Association of Risk and Compliance Professionals (IARCP)57
Vulnerabilities… Vulnerability: A flaw or weakness in system security
procedures, design, implementation, or internal controls that…
… could be exercised (accidentally triggered or intentionally exploited)…
… and result in a security breach or a violation of the system’s security policy
© International Association of Risk and Compliance Professionals (IARCP)58
Threats and Vulnerabilities
© International Association of Risk and Compliance Professionals (IARCP)59
Risk Mitigation Methodology Flowchart
© International Association of Risk and Compliance Professionals (IARCP)60
Risk Mitigation Methodology Flowchart
© International Association of Risk and Compliance Professionals (IARCP)61
Risk Mitigation Methodology Flowchart
© International Association of Risk and Compliance Professionals (IARCP)62
Example: Government of Canada, Communications Security Establishment
© International Association of Risk and Compliance Professionals (IARCP)63
Outsourcing and Risk Management“Management remains responsible” Sarbanes-Oxley Act, Section 404: “Management remains responsible” for
service providers This responsibility cannot be delegated to the
service provider Basel ii, Outsourcing in Financial Services: “Management remains responsible” The Committee of European Banking
Supervisors (CEBS) – “Guidelines on Outsourcing”
“Management remains responsible”
© International Association of Risk and Compliance Professionals (IARCP)64
Outsourcingand Risk Management USA - The Board of Governors of the Federal
Reserve System - “Outsourcing of Information and Transaction Processing”
“Ensure that controls over outsourced information and transaction processing activities…
… are equivalent to those that would be implemented…
… if the activity were conducted internally”
© International Association of Risk and Compliance Professionals (IARCP)65
Good Corporate Governance and Risk Management is very important A good Risk Management Program is
important for: 1. The company’s credit rating Credit rating agencies believe that a good
Risk Management Program is very important for the credit rating of firms
2. The company’s reputation
3. The company’s cost of capital
© International Association of Risk and Compliance Professionals (IARCP)66
Good Corporate Governance and Risk Management is very important 4. Audit firm resignations and refusals
5. The company’s share price
6. The likelihood that external auditor’s opinion on financial statements is wrong
© International Association of Risk and Compliance Professionals (IARCP)67
Good Corporate Governance and Risk Management is very important After the risk management failures in 2007-
2008… … good risk management is a source of
***value creation***
Risk management MUST be linked to the overall objective of value maximization
We must communicate what we do to all stakeholder groups
This dimension is often unknown to employees
© International Association of Risk and Compliance Professionals (IARCP)68
Good Corporate Governance and Risk Management is very important In the past, the capital markets *were* only
interested in the share price … … and did not pay much attention to
corporate governance and risk management
Today good corporate governance practice is now strongly tied to investment decisions and corporate value
© International Association of Risk and Compliance Professionals (IARCP)69
Internal controls, Governance, Risk, Compliance - Compliance Acting in accordance with laws and
regulations
Laws are enacted by legislative bodies… … while regulations are created by
government agencies
One of the major risks: No compliance! Compliance with external laws… … and internal policies and procedures Standards and best practices do NOT have
the force of law
© International Association of Risk and Compliance Professionals (IARCP)70
Enterprise wide risk and compliance program One solution for one problem Best Practices More cost effective Auditors understand how we manage risks The board understands Easier testing and documentation
© International Association of Risk and Compliance Professionals (IARCP)71
Enterprise wide risk and compliance program According to Susan Schmidt Bies (member of
the Board of Governors of the Federal Reserve System):
“An enterprise-wide approach can integrate the risk assessment of functions that have traditionally been managed in silos
A culture of compliance should establish- from the top of the organization - the proper ethical tone that will govern the conduct of business”
Policies, Procedures, Baselines, Guidelines, Ethics
© International Association of Risk and Compliance Professionals (IARCP)73
© International Association of Risk and Compliance Professionals (IARCP)74
Policies Policies are considered the highest level of
documentation
Standards, Guidelines and Procedures are derived from policies
Acknowledgment of importance of resources
© International Association of Risk and Compliance Professionals (IARCP)75
Policies High lever principles
Without well structured policies an organisation will be unstructured…
… unfocussed… … and probably operationally and financially
ineffective
© International Association of Risk and Compliance Professionals (IARCP)76
Policy - Example:“We respect privacy”
© International Association of Risk and Compliance Professionals (IARCP)77
Privacy and Information Security From Privacy vs. Information Security… … to Information Security to comply with
Privacy rules
A legal obligation… … a risk of no compliance
High level policies… …in line with functional policies (procedures)
© International Association of Risk and Compliance Professionals (IARCP)78
Procedures and Standards These contain the actual detail of the policy Describe how the policies should be
implemented
Procedures: Detail the steps required to implement the policy
Sometimes called “practices”
Standards: Specify use of technology in a uniform way and should be made compulsory
© International Association of Risk and Compliance Professionals (IARCP)79
Baselines and Guidelines Baselines: Baselines are similar to
standards, standards can be developed after the baseline is established
Sensitivity level, current / normal situation
Guidelines: Similar to standards but not compulsory, more flexible
© International Association of Risk and Compliance Professionals (IARCP)80
“Regulatory” Policies The company is required to implement
policies to comply with legal or regulatory requirements
Usually very detailed and specific to the industry of the organization
A well written policy can provide protection from liability
© International Association of Risk and Compliance Professionals (IARCP)81
Ethics Code of Ethics - Soft law Not legal… or not ethical? An organization's beliefs and culture Procedures to be used in specific situations
such as conflicts of interest or the acceptance of gifts
The effectiveness of the code of ethics depends on…
… the extent to which it has the support of the management…
… with sanctions and rewards
© International Association of Risk and Compliance Professionals (IARCP)82
Ethics Code of Ethics - Example “Respect: We treat others as we would like to
be treated ourselves. Ruthlessness, callousness and arrogance don't belong here”
“Integrity: We work with customers and prospects openly, honestly and sincerely. When we say we will do something, we will do it”
“Communication: We believe that information is meant to move and that information moves people”
(From Enron’s Code of Ethics)
© International Association of Risk and Compliance Professionals (IARCP)83
A great firm now: Merck, a global research-driven pharmaceutical company “Accountability: Each of us is responsible for
adhering to the values and standards set forth in this Code…
… and for raising questions if we are uncertain as to whether or not the standards are being met
Violations of the Code may result in a variety of corrective actions and…
… in some cases, may result in disciplinary action up to and including termination of employment”
© International Association of Risk and Compliance Professionals (IARCP)84
A great firm now: Merck, a global research-driven pharmaceutical company www.merck.com/about/conduct.html The code includes: Relationships with Our Customers Relationships with Fellow Employees Relationships with Shareholders Relationships with Suppliers Relationships with Our Communities and
Society Compliance with Laws, Rules and Regulations Raising Concerns
© International Association of Risk and Compliance Professionals (IARCP)85
Conflicts of Interest and Ethics A natural or legal person... ... has a *private* interest that could
influence the objective exercise of his or her official duties
“An interest” - a financial interest, or a special advantage that comes into conflict with a duty
For him or his family and friends
© International Association of Risk and Compliance Professionals (IARCP)86
Conflicts of Interest and Ethics Examples A. Self Review
B. The CEO of a private consulting company works for the government...
... and uses his official position to secure a contract for the private firm
C. Using confidential information
© International Association of Risk and Compliance Professionals (IARCP)87
Risk and ComplianceKey Roles
© International Association of Risk and Compliance Professionals (IARCP)89
Risk and ComplianceKey Roles - Senior management Senior management They must understand the risks… … provide the resources needed … … and “ensure” that the firm can accomplish
its objectives Reasonable assurance
© International Association of Risk and Compliance Professionals (IARCP)90
Risk and ComplianceKey Roles - Risk Officer The Role of the Risk Officer There is no definition... and where there is
one, it is far from uniform But there is something that you need to
know: The role of the risk officer becomes more important year after year
All companies try to understand risks and spend much money to manage risks
Risk officers play an important role in implementing enterprise risk management
© International Association of Risk and Compliance Professionals (IARCP)91
Risk and ComplianceKey Roles - Risk Officer Risk officers have one additional obligation:
To explain… … risks and countermeasures… … to owners… … auditors… … senior management… … and the board of directors
© International Association of Risk and Compliance Professionals (IARCP)92
Risk and ComplianceKey Roles – Chief Risk Officer The Role of the Chief Risk Officer The Chief Risk Officer's job is to ensure that
the organization is in full compliance with applicable laws and regulations
He must coordinate the company's risk management efforts…
… explain risks and controls to senior management and the board…
… and make recommendations
© International Association of Risk and Compliance Professionals (IARCP)93
Risk and ComplianceKey Roles – Chief Risk Officer The Chief Risk Officer is rapidly becoming one
of the 3-5 most important members of the management team
We read some important paragraphs from a report from the Economist Intelligence Unit Sponsored by: ACE, Cisco Systems, Deutsche Bank and IBM
“For a corporate post with only a decade of history, the chief risk officer (CRO) attracts a lot of attention”
© International Association of Risk and Compliance Professionals (IARCP)94
Risk and ComplianceKey Roles – Chief Risk Officer “CROs have consolidated their position in the
financial sector, where they began… … and are increasingly to be found in other
industries” “As companies seek to respond to increased
regulatory pressures and a growing array of business risks…
… the CRO is emerging as one of the most important positions in the management team”
© International Association of Risk and Compliance Professionals (IARCP)95
Risk and ComplianceKey Roles – Chief Risk Officer “Regulatory compliance is the top priority for
risk management” “Regulatory risk ranks as one of the top two
threats to global business” Regulatory compliance is the CRO’s primary
responsibility” [Business continuity is also a top priority]
© International Association of Risk and Compliance Professionals (IARCP)96
Case Study: Credit Suisse
© International Association of Risk and Compliance Professionals (IARCP)97
Case Study: Credit Suisse
© International Association of Risk and Compliance Professionals (IARCP)98
Risk and ComplianceKey Roles – Chief Compliance Officer The Role of the Chief Compliance Officer According to Commissioner Cynthia A.
Glassman, U.S. Securities and Exchange Commission…
“While the CEO cannot delegate his or her ultimate responsibility…
… a company should have an officer with ownership of corporate compliance and ethics issues… …
… and of what Title III of Sarbanes-Oxley broadly refers to as ***Corporate Responsibility***”…
© International Association of Risk and Compliance Professionals (IARCP)99
Risk and ComplianceKey Roles – Chief Compliance Officer “While every company must assess its
particular needs based on the size and nature of its business…
… there are several characteristics that I would want the corporate responsibility officer to have…
… if I were relying on this person:” “He or she should have sufficient seniority
and authority to take the actions necessary under the circumstances”
“Ask yourself if this person would be able to address the worst-case scenario”
© International Association of Risk and Compliance Professionals (IARCP)100
Risk and ComplianceKey Roles – Chief Compliance Officer “The position should have the full support of
the CEO and senior management, both in theory and in practice
The corporate responsibility officer should *have access* and provide regular reports to senior management”
“He or she can play an important role in helping a company meet the ***information gathering and reporting requirements***
© International Association of Risk and Compliance Professionals (IARCP)101
Risk and ComplianceKey Roles – Chief Compliance Officer “The corporate responsibility officer should
have the ability to report directly to the board (for example, to the audit committee chairman)…
… on matters of significant import to the company or matters involving misconduct by senior management”
In addition, the responsible officer should have sufficient time and adequate resources to implement the company's ***corporate responsibility program*** in an effective manner
© International Association of Risk and Compliance Professionals (IARCP)102
© International Association of Risk and Compliance Professionals (IARCP)103
© International Association of Risk and Compliance Professionals (IARCP)104
Risk and ComplianceKey Roles - Owners Data owners Understand, Give permissions
Process and system owners Need to “ensure” (reasonable assurance) that
the risks are identified and managed … … and appropriate controls are deployed
© International Association of Risk and Compliance Professionals (IARCP)105
Key RolesThe role of the internal auditors According to the Institute of Internal Auditors
(IIA)…
…Internal Auditing is an independent, objective assurance and consulting activity…
… designed to add value and… … improve an organization's operations
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach…
… to evaluate and improve the effectiveness of risk management, control, and governance processes
© International Association of Risk and Compliance Professionals (IARCP)106
Key RolesThe role of the internal auditors The internal audit activity evaluates risk
exposures relating to the organization's governance, operations and information systems, in relation to:
Effectiveness and efficiency of operations Reliability and integrity of financial and
operational information Safeguarding of assets Compliance with laws, regulations, and
contracts
© International Association of Risk and Compliance Professionals (IARCP)107
Key RolesThe role of the internal auditors While management is responsible for internal
controls…
… the internal audit activity provides ***assurance*** to management and the audit committee that …
…internal controls are effective and…
… working as intended
© International Association of Risk and Compliance Professionals (IARCP)108
The role of the internal auditorsContinuous Auditing “Continuous Auditing” An evolving regulatory environment… … increased globalization of businesses… … market pressure to improve operations… … and rapidly changing business conditions… … are creating the need for more timely and
ongoing assurance that controls are working effectively and risk is being mitigated
Continuous auditing changes the audit paradigm *from periodic reviews* of a sample of transactions to **ongoing** audit testing of 100 percent of transactions
© International Association of Risk and Compliance Professionals (IARCP)109
Key RolesThe role of the external auditors They provide independent assurance to the
society The role of the external auditor is similar to
the role of the supervisors and regulators *The regulators* safeguard stability and
investor interests *The external auditors* work for the private
interests of the shareholders of a company External auditors and supervisors cooperate
© International Association of Risk and Compliance Professionals (IARCP)110
Key RolesThe role of the external auditors Professional Standards - independence,
objectivity and integrity
Conflicts of Interest
Non-audit services
© International Association of Risk and Compliance Professionals (IARCP)111
Key RolesThe role of the Board of DirectorsA. Directors must learn and keep up to date The industry’s best practices in risk
managementB. Directors must ensure that the *management
and key employees* and process owners also learn and keep up to date
Is staff qualified, with the necessary experience and technical capabilities?
Who knows the policies, the procedures and the tasks?
There is enough information – is there also enough communication?
© International Association of Risk and Compliance Professionals (IARCP)112
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve
1. The risk management framework
2. Senior management’s guidance and direction regarding the principles underlying the framework
© International Association of Risk and Compliance Professionals (IARCP)113
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 3. Policies developed by senior management -
to identify, assess, monitor, controlling and mitigate risks
Policies for the treatment of non-compliance. No tolerance, no temptations
4. Key processes to manage risks
5. Clear lines of management responsibility, accountability and reporting for risks
© International Association of Risk and Compliance Professionals (IARCP)114
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 6. Separation of duties and responsibilities –
conflict of interest issues
7. The risk appetite and tolerance for risks
8. The risk transferred outside the organization
© International Association of Risk and Compliance Professionals (IARCP)115
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 9. High Impact / Low Frequency events and
the strategy to identify and manage these risks
10. Early warning indicators
11. Measurement methodologies - Quantification of exposure to risks, not only qualitative approaches
© International Association of Risk and Compliance Professionals (IARCP)116
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 12. Self assessments Is it an enterprise wide process? Can it be used for accountability? Who learns the issues? Can it be used in risk identification as well as
mitigation?
13. Assumptions
© International Association of Risk and Compliance Professionals (IARCP)117
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 14. The risks associated with outsourcing
activities
Is there oversight of third-party activities?
Is there a clear allocation of responsibilities and clear expectations between external service providers and the organization?
© International Association of Risk and Compliance Professionals (IARCP)118
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve Is there an assessment of the materiality of
outsourcing arrangements?
Does the organization exercise initial due diligence?
Is the organization monitoring and testing third-party activities on a regular basis?
© International Association of Risk and Compliance Professionals (IARCP)119
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve 15. Contingency plans
Business Impact Analysis, Disaster Recovery and Business Continuity Plans
Has the organization identified critical business processes, including dependence on external vendors or third parties?
© International Association of Risk and Compliance Professionals (IARCP)120
Key RolesThe role of the Board of DirectorsC. Directors must understand and approve Are the alternate facilities / hot sites an
adequate distance away from the primary operations?
Is there a periodic review of these plans?
Is there training and testing?
Are there clear descriptions of roles and responsibilities?
© International Association of Risk and Compliance Professionals (IARCP)121
Key RolesThe role of the Board of DirectorsD. Directors must establish A management structure… … capable of implementing the firm's risk
management framework
© International Association of Risk and Compliance Professionals (IARCP)122
Key RolesThe role of the Board of DirectorsE. Directors must ensure that The risk is managed after external and
internal *changes* or new products, activities and systems
The risk management system is well documented
They do their best to establish a strong internal control culture in which control activities are an integral part of the activities of a bank
© International Association of Risk and Compliance Professionals (IARCP)123
Key RolesThe role of the Board of DirectorsE. Directors must ensure that The risk management framework is
implemented consistently across the whole bank
They learn about material losses
There is adequate and meaningful reporting
© International Association of Risk and Compliance Professionals (IARCP)124
Key RolesThe role of the Board of DirectorsE. Directors must ensure that Understand and meet the auditors, internal
function and staff responsible for monitoring compliance
There is adequate internal audit coverage to verify effective implementation of policies and procedures
There is a clear audit plan and scope with respect to operational risk management
The internal audit function does not have operational risk management responsibilities
© International Association of Risk and Compliance Professionals (IARCP)125
Director’s responsibilities includeDuty of care To exercise the care that an ordinarily
prudent person in a like position would use under similar circumstances
What does a prudent director do? 1. Learns - all material information
reasonably available before making a business decision
There is “good faith” only in case of an informed business decision
2. Considers alternatives
© International Association of Risk and Compliance Professionals (IARCP)126
Director’s responsibilities includeDuty of care 3. Attends meetings of the board and of the
committees
4. Asks questions
5. Tries to prevent and detect illegal conduct
6. Exercises oversight
© International Association of Risk and Compliance Professionals (IARCP)127
Director’s responsibilities includeDuty of loyalty What does a prudent director do?
Acts in good faith - in a manner he / she reasonably believes to be in the best interests of the corporation
© International Association of Risk and Compliance Professionals (IARCP)128
Director’s responsibilities include Proves that he acts in good faith - is alert to
any interest he or she may have that might be considered to conflict with the best interests of the corporation
Discloses fully and carefully financial or personal interests to which the corporation is a party
For example, contracts where he / she had a financial or other personal interest
© International Association of Risk and Compliance Professionals (IARCP)129
Director’s responsibilities includeDuty of loyalty What does a prudent director do?
Keeps confidential all matters involving the corporation that have not been disclosed to the general public…
… Directors are not authorized spokespersons for the corporation
© International Association of Risk and Compliance Professionals (IARCP)130
To continue with Part B of the course: Become a Certified Risk and Compliance
Management Professional (CRCMP) you can visit:
www.risk-compliance-association.com/Distance_Learning_and_Certification.htm