Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Page 1: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Certified Risk and Compliance Management Professional (CRCMP) Prep Course – Part A

International Association of Risk and Compliance Professionals (IARCP)

Page 2: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

© International Association of Risk and Compliance Professionals (IARCP)

Introduction

The International Association of Risk and Compliance Professionals (IARCP) develops and maintains a compendium of risk and compliance topics

Subject matter experts review and update this body of knowledge

The IARCP offers the following risk and compliance management certification programs:

Certified Risk and Compliance Management Professional (CRCMP)

Certified Information Systems Risk and Compliance Professional (CISRCP)

Page 3: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Introduction

Certified Risk and Compliance Management Professional (CRCMP): www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

Certified Information Systems Risk and Compliance Professional (CISRCP): www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm

Page 4: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Introduction

The exam is online. To find more:

www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf

www.risk-compliance-association.com/CRCP_Certification_Steps_1.pdf

Page 5: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Introduction

Instead of just training, you can have more:

1. Training

2. Certification - If you pass the exam, you will be entitled to use the designation: Certified Risk and Compliance Management Professional (CRCMP)

3. Updates - Become (at no extra cost) a member of the IARCP to stay current with new developments in risk and compliance management

You will continue to learn, month after month

Page 6: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT

Introduction

Regulatory Compliance and Risk Management - Definitions, roles and responsibilities

The role of the board of directors, the supervisors, the internal and external auditors

The new international landscape and the interaction among laws, regulations, and professional standards

Page 7: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Benefits of an enterprise wide compliance program

Compliance culture: Why it is important, and how to communicate the regulatory obligations

Policies, Workplace Ethics, Risk and Compliance

Policies, procedures and the ethical code of conduct

Privacy and information security

Handling confidential information

Conflicts of interest

Use of organizational property

Page 8: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Fair dealings with customers, vendors and competitors

Reporting ethical concerns

Governance, Risk and Compliance

The need for Internal Controls

Understand how to identify, mitigate and control risks effectively

Approaches to risk assessment

Qualitative, quantitative… stress testing

Integrating risk management into corporate governance and compliance

Page 9: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

PART B: SARBANES OXLEY

The Sarbanes Oxley Act

Key Sections

SEC, EDGAR, PCAOB, SAG

PCAOB Auditing Standards: What we need to know

Management's Testing

Management's Documentation

Sections 302, 404, 906: The three certifications

Sections 302, 404, 906: Examples and case studies

Page 10: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Management's Responsibilities

Committees and Teams

Control Deficiency

Deficiency in Design

Deficiency in Operation

Significant Deficiency

Material Weakness

Page 11: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Companies Affected

International companies

Foreign Private Issuers (FPIs)

Employees Affected

Page 12: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

PART C: BASEL II

Improving risk and asset management to avoid financial disasters

"Sufficient assets" to offset risks

The technical challenges for both banks and supervisors

How much capital is necessary to serve as a sufficient buffer?

The three-pillar regulatory structure

Purposes of Basel II

Page 13: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Pillar 1: Minimum capital requirements

Credit Risk – 3 approaches

The standardized approach to credit risk

The two internal ratings-based (IRB) approaches to credit risk

Pillar 2: Supervisory review

Key principles

Pillar 3: Market discipline

Disclosure requirements

Page 14: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Operational Risk

What is operational risk

Legal risk

Information Technology operational risk

Operational Risk Approaches

Basic Indicator Approach (BIA)

Standardized Approach (SA)

Advanced Measurement Approaches (AMA)

Page 15: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Basel II and other regulations

Common elements and differences of compliance projects

New standards

Disclosure issues

Multinational companies and compliance challenges

Page 16: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

PART D: THE FRAMEWORKS

Internal Controls - COSO

The Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring

Effectiveness and Efficiency of Operations

Reliability of Financial Reporting

Compliance with applicable laws and regulations

Page 17: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

IT Controls

Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls

Layers of overlapping controls

COSO Enterprise Risk Management (ERM) Framework

Is COSO ERM needed for compliance?

Internal Environment

Objective Setting

Event Identification

Page 18: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

Risk Assessment

Risk Response

Control Activities

Information and Communication

Monitoring

The two cubes

Objectives: Strategic, Operations, Reporting, Compliance

Page 19: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

COBIT - the framework that focuses on IT

Is COBIT needed for compliance?

COSO or COBIT?

Management Guidelines

The high-level control objectives

What to do with the specific control objectives

Maturity Models

Critical Success Factors (CSFs)

Page 20: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM

Designing an Internal Compliance System

Compliance programs that withstand scrutiny

Documentation

Testing

Ongoing compliance reviews and risk assessments for continuing compliance with laws and regulations

Compliance Monitoring

The company and other stakeholders

Page 21: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Agenda

International and national regulatory requirements

Regulatory compliance in Europe

Regulatory compliance in the USA

The GCC countries

The Caribbean

The Pacific Rim

Common elements and differences of compliance projects

Page 22: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Certified Risk and Compliance Management Professional (CRCMP) Prep Course

International Association of Risk and Compliance Professionals (IARCP)

Page 23: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

PART A: COMPLIANCE WITH LAWS AND REGULATIONS AND RISK MANAGEMENT

International Association of Risk and Compliance Professionals (IARCP)

Page 24: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Corporate governance

CORPORATE GOVERNANCE

Processes, systems and controls put in place to direct and control an organisation in order to…

… increase performance and achieve shareholder value

As such, it has to do with the performance of management and the board of directors…

… the sufficiency and reliability of corporate reporting…

… risk management and internal controls

Page 25: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Corporate governance

Governments often make decisions about governance…

… it is NOT a “best practice”

The legal and regulatory environment is of paramount importance

Page 26: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Corporate governance

A corporation is a separate legal entity…

… and has legal *rights* and *obligations*

A corporation has the ability to hold assets separately from the assets of its stakeholders

Some legal structures have the ability to limit the liability of stakeholders

Page 27: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Corporate governance

The interests of the stakeholders…

… the owners…

… the board of directors…

… executive management…

… managers…

… data owners…

… process owners…

… employees…

… suppliers…

… regulators, supervisors…

… clients and communities

Page 28: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Corporate governance

Governance - Some common principles

Acting for the Best Interests of the Shareholders

Ethical Behavior

Professional Behavior

Culture of Risk and Compliance

Page 29: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Corporate governance

Governance - Some common principles

Transparency and Disclosures

Tested and Documented Processes

Tested and Documented Internal Controls

Page 30: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

OECD Principles of Corporate Governance - 2004

The original member countries of the OECD are Austria, Belgium, Canada, Denmark, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States

Also members: Japan, Finland, Australia, New Zealand, Mexico, the Czech Republic, Hungary, Poland, Korea, the Slovak Republic (14th December 2000)

Page 31: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

OECD Principles of Corporate Governance - 2004

The OECD Principles of Corporate Governance were endorsed by OECD Ministers in 1999…

… when the OECD extended the boundary of accountability to include stakeholders such as employees…

… and have since become an international benchmark for policy makers, investors, corporations and other stakeholders ***worldwide***

Page 32: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

OECD Principles of Corporate Governance - 2004

They have provided specific guidance for legislative and regulatory initiatives in both OECD and non-OECD countries

The Rights of Shareholders and Key Ownership Functions

The corporate governance framework should **protect and facilitate the exercise of shareholders’ rights**

Page 33: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

OECD Principles of Corporate Governance - 2004

A. Basic shareholder rights should include the right to:

Obtain relevant and material information on the corporation on a timely and regular basis

Share in the profits of the corporation

Shareholders should have the opportunity to ask questions to the board, including…

… questions relating to the annual external audit

Page 34: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk

RISK: The possibility of a loss, catastrophe, or other undesirable outcome

A potential negative impact to an asset

We may accept, mitigate or avoid a risk

Risk is described both qualitatively and quantitatively

Risk is proportional to both the expected losses (impact) which may be caused by an event and to…

… the probability of this event

Page 35: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk

In technical contexts, the word has several more specialized uses and meanings

Three of these are particularly important since they are widely used across disciplines:

1. risk = an unwanted ***event*** which may or may not occur

2. risk = the ***cause*** of an unwanted event which may or may not occur

3. risk = the ***probability*** of an unwanted event which may or may not occur

Page 36: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk

Risk… is it good or bad?

All opportunities come with some degree of risk

Risks and opportunities go hand in hand

An efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses

Page 37: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance – Risk Management

RISK MANAGEMENT

Making informed business decisions

We mitigate risks only when…

… they are above our risk appetite…

Risks must reach a level that is acceptable to the organization

Page 38: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance – Risk Management

Risk management is an integral **part** of good management…

… and an essential **part** of good corporate governance

Priorities…

… a cost benefit analysis - the costs of protective measures for the benefit of achieving the mission of the organisation

Page 39: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance – Risk Management

The types of risks depend on…

… the location…

… the industry…

… the business objectives of the organization

Page 40: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk Management

Risks can result from factors both external and internal to the organisation

The Risk Management process in an organization is influenced by:

1. The organization’s mission, vision and objectives

2. Products and services

3. The physical, environmental and regulatory conditions

Page 41: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk Management

Asset: A resource, product, process, or element that an organization has determined must be protected

Threat: Any potential event that causes a detrimental impact on the organization

Vulnerability: The lack / weakness of a safeguard counter to a threat

Safeguard: A control employed to reduce the risk associated with a specific threat

Page 42: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk Management

Risk management

A. Identification…

… of the risks associated with each process…

An organisation’s exposure to uncertainty

Requires knowledge of the organisation…

… the market…

… the industry…

… the legal, social, political and cultural environment in which it exists

Page 43: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk Management

B. Assessment…

… qualitative and quantitative…

… evaluating risks and risk impacts…

… and recommending measures to reduce risks

A major element - the assessment of the value of the information resources

Cost benefit analysis
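The slides above define risk as proportional to impact and probability, describe it qualitatively and quantitatively, say a risk is mitigated only when it exceeds the risk appetite (accept, mitigate or avoid), and make cost-benefit analysis of safeguards part of the assessment. The following register is an added example, not course material: the 5x5 matrix thresholds, the appetite value, the safeguard "reduction" fractions and the sample risks are all my assumptions.

```python
"""Risk register applying this section's definitions (added example, not IARCP material).

Assumptions (mine, not the course's): a 5x5 qualitative likelihood x impact
matrix with fixed thresholds, a quantitative expected loss of probability x
impact, a risk appetite expressed as the largest expected loss the
organisation accepts, and a cost-benefit rule that a safeguard is worthwhile
only if the expected loss it removes exceeds its annual cost.
"""
from dataclasses import dataclass, field
from typing import List

# Qualitative scale used for both likelihood and impact (assumed 5-point scale)
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Safeguard:
    """A control employed to reduce the risk associated with a threat."""
    name: str
    annual_cost: float
    reduction: float  # assumed: fraction of the expected loss the control removes (0..1)


@dataclass
class Risk:
    """Asset / threat / vulnerability triple with qualitative and quantitative ratings."""
    asset: str
    threat: str
    vulnerability: str
    probability: float   # annual probability that the threat event occurs (0..1)
    impact: float        # loss if the event occurs, in currency units
    likelihood: str      # qualitative rating, a key of LEVELS
    severity: str        # qualitative impact rating, a key of LEVELS
    safeguards: List[Safeguard] = field(default_factory=list)


def qualitative_level(likelihood: str, severity: str) -> str:
    """Rate a risk on the likelihood x impact matrix (thresholds are assumed)."""
    score = LEVELS[likelihood] * LEVELS[severity]
    if score >= 15:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


def expected_loss(risk: Risk) -> float:
    """Quantitative risk: proportional to both the impact and the probability."""
    return risk.probability * risk.impact


def net_benefit(risk: Risk, safeguard: Safeguard) -> float:
    """Cost-benefit test: expected loss avoided per year minus the control's annual cost."""
    return expected_loss(risk) * safeguard.reduction - safeguard.annual_cost


def treatment(risk: Risk, appetite: float) -> dict:
    """Decide accept / mitigate / avoid for one risk against the risk appetite.

    Rule (assumed): a risk within appetite is accepted; otherwise the safeguard
    with the best positive net benefit is applied; if no safeguard pays for
    itself, the activity is avoided.
    """
    loss = expected_loss(risk)
    if loss <= appetite:
        return {"decision": "accept", "safeguard": None, "residual_loss": loss}
    candidates = [s for s in risk.safeguards if net_benefit(risk, s) > 0]
    if not candidates:
        return {"decision": "avoid", "safeguard": None, "residual_loss": 0.0}
    best = max(candidates, key=lambda s: net_benefit(risk, s))
    return {"decision": "mitigate", "safeguard": best.name,
            "residual_loss": loss * (1 - best.reduction)}


def assess_register(risks: List[Risk], appetite: float) -> List[dict]:
    """Run the assessment step over a register and return one row per risk."""
    rows = []
    for r in risks:
        row = {"asset": r.asset, "threat": r.threat,
               "level": qualitative_level(r.likelihood, r.severity),
               "expected_loss": expected_loss(r)}
        row.update(treatment(r, appetite))
        rows.append(row)
    return rows


# Constructed sample register (illustrative values, not from the course)
RISK_APPETITE = 25_000.0
SAMPLE_RISKS = [
    Risk("customer database", "credential phishing", "no multi-factor authentication",
         probability=0.2, impact=500_000, likelihood="high", severity="very high",
         safeguards=[Safeguard("deploy MFA", annual_cost=20_000, reduction=0.8)]),
    Risk("office printer", "device outage", "single shared device",
         probability=0.5, impact=2_000, likelihood="moderate", severity="very low"),
    Risk("legacy payment gateway", "unsupported software failure", "vendor support ended",
         probability=0.3, impact=300_000, likelihood="high", severity="high",
         safeguards=[Safeguard("full rewrite", annual_cost=100_000, reduction=0.9)]),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{row['asset']:<24} {row['level']:<9} EL={row['expected_loss']:>10,.0f} "
              f"-> {row['decision']} ({row['safeguard']})")
```

The third sample risk shows the cost-benefit rule rejecting a safeguard whose annual cost exceeds the loss it would remove, so the risk falls through to "avoid" rather than being mitigated at a loss.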

Page 44: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Risk Management

C. Management…

… (measurement, mitigation, development of countermeasures)…

… internal controls…

… implementation of the measures to reduce risks recommended in the risk assessment process

Page 45: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Problems…

Over Optimism

Misrepresentation - false, incorrect, improper, or incomplete statement of material facts

Alarmism - production of needless warnings

Prejudice

Page 46: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Where do you work?

In a military environment or in a bank…

… we have the same principles in risk management!

Let’s have a look at some Information Warfare slides…

… all the principles apply in a corporate environment as well


Page 51: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

© International Association of Risk and Compliance Professionals (IARCP)51

Page 52: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Australia/New Zealand Standard 4360

Since 1992

Three major elements:

1. The risk management workflow

2. Monitoring and review

3. Communication and consultation

Page 53: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Australia/New Zealand Standard 4360

Page 54: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Risk Management Guide for Information Technology Systems - NIST Special Publication 800-30

Page 55: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Risk Management Guide for Information Technology Systems - NIST Special Publication 800-30

Page 56: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Risk Management Guide for Information Technology Systems - NIST Special Publication 800-30

Page 57: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Vulnerabilities…

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that…

… could be exercised (accidentally triggered or intentionally exploited)…

… and result in a security breach or a violation of the system’s security policy

Page 58: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Threats and Vulnerabilities

Page 59: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Risk Mitigation Methodology Flowchart

Page 60: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Risk Mitigation Methodology Flowchart

Page 61: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Risk Mitigation Methodology Flowchart

Page 62: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A


Example: Government of Canada, Communications Security Establishment

Page 63: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Outsourcing and Risk Management - “Management remains responsible”

Sarbanes-Oxley Act, Section 404: “Management remains responsible” for service providers

This responsibility cannot be delegated to the service provider

Basel II, Outsourcing in Financial Services: “Management remains responsible”

The Committee of European Banking Supervisors (CEBS) – “Guidelines on Outsourcing”: “Management remains responsible”

Page 64: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Outsourcing and Risk Management

USA - The Board of Governors of the Federal Reserve System - “Outsourcing of Information and Transaction Processing”

“Ensure that controls over outsourced information and transaction processing activities…

… are equivalent to those that would be implemented…

… if the activity were conducted internally”

Page 65: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Good Corporate Governance and Risk Management is very important

A good Risk Management Program is important for:

1. The company’s credit rating

Credit rating agencies believe that a good Risk Management Program is very important for the credit rating of firms

2. The company’s reputation

3. The company’s cost of capital

Page 66: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Good Corporate Governance and Risk Management is very important

4. Audit firm resignations and refusals

5. The company’s share price

6. The likelihood that the external auditor’s opinion on financial statements is wrong

Page 67: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Good Corporate Governance and Risk Management is very important

After the risk management failures in 2007-2008…

… good risk management is a source of ***value creation***

Risk management MUST be linked to the overall objective of value maximization

We must communicate what we do to all stakeholder groups

This dimension is often unknown to employees

Page 68: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Good Corporate Governance and Risk Management is very important

In the past, the capital markets *were* only interested in the share price…

… and did not pay much attention to corporate governance and risk management

Today good corporate governance practice is strongly tied to investment decisions and corporate value

Page 69: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Internal controls, Governance, Risk, Compliance - Compliance

Acting in accordance with laws and regulations

Laws are enacted by legislative bodies…

… while regulations are created by government agencies

One of the major risks: No compliance!

Compliance with external laws…

… and internal policies and procedures

Standards and best practices do NOT have the force of law

Page 70: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Enterprise wide risk and compliance program

One solution for one problem

Best Practices

More cost effective

Auditors understand how we manage risks

The board understands

Easier testing and documentation

Page 71: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Enterprise wide risk and compliance program

According to Susan Schmidt Bies (member of the Board of Governors of the Federal Reserve System):

“An enterprise-wide approach can integrate the risk assessment of functions that have traditionally been managed in silos

A culture of compliance should establish - from the top of the organization - the proper ethical tone that will govern the conduct of business”


Page 74: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Policies

Policies are considered the highest level of documentation

Standards, Guidelines and Procedures are derived from policies

Acknowledgment of importance of resources

Page 75: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Policies

High level principles

Without well structured policies an organisation will be unstructured…

… unfocussed…

… and probably operationally and financially ineffective

Page 76: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Policy - Example: “We respect privacy”

Page 77: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Privacy and Information Security

From Privacy vs. Information Security…

… to Information Security to comply with Privacy rules

A legal obligation…

… a risk of no compliance

High level policies…

… in line with functional policies (procedures)

Page 78: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Procedures and Standards

These contain the actual detail of the policy

Describe how the policies should be implemented

Procedures: Detail the steps required to implement the policy

Sometimes called “practices”

Standards: Specify use of technology in a uniform way and should be made compulsory

Page 79: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Baselines and Guidelines

Baselines: Baselines are similar to standards; standards can be developed after the baseline is established

Sensitivity level, current / normal situation

Guidelines: Similar to standards but not compulsory, more flexible

Page 80: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

“Regulatory” Policies

The company is required to implement policies to comply with legal or regulatory requirements

Usually very detailed and specific to the industry of the organization

A well written policy can provide protection from liability

Page 81: Certified Risk and Compliance Management Professional (CRCMP) Prep Course Part A

Ethics

Code of Ethics - Soft law

Not legal… or not ethical?

An organization's beliefs and culture

Procedures to be used in specific situations such as conflicts of interest or the acceptance of gifts

The effectiveness of the code of ethics depends on…

… the extent to which it has the support of the management…

… with sanctions and rewards

Ethics
Code of Ethics - Example
“Respect: We treat others as we would like to be treated ourselves. Ruthlessness, callousness and arrogance don't belong here”
“Integrity: We work with customers and prospects openly, honestly and sincerely. When we say we will do something, we will do it”
“Communication: We believe that information is meant to move and that information moves people”
(From Enron’s Code of Ethics)

A great firm now: Merck, a global research-driven pharmaceutical company
“Accountability: Each of us is responsible for adhering to the values and standards set forth in this Code…
… and for raising questions if we are uncertain as to whether or not the standards are being met
Violations of the Code may result in a variety of corrective actions and…
… in some cases, may result in disciplinary action up to and including termination of employment”

A great firm now: Merck, a global research-driven pharmaceutical company
www.merck.com/about/conduct.html
The code includes:
Relationships with Our Customers
Relationships with Fellow Employees
Relationships with Shareholders
Relationships with Suppliers
Relationships with Our Communities and Society
Compliance with Laws, Rules and Regulations
Raising Concerns

Conflicts of Interest and Ethics
A natural or legal person... ... has a *private* interest that could influence the objective exercise of his or her official duties
“An interest” - a financial interest, or a special advantage that comes into conflict with a duty
For him or his family and friends

Conflicts of Interest and Ethics
Examples
A. Self Review
B. The CEO of a private consulting company works for the government... ... and uses his official position to secure a contract for the private firm
C. Using confidential information


Risk and Compliance Key Roles - Senior management
Senior management
They must understand the risks… … provide the resources needed… … and “ensure” that the firm can accomplish its objectives
Reasonable assurance

Risk and Compliance Key Roles - Risk Officer
The Role of the Risk Officer
There is no definition... and where there is one, it is far from uniform
But there is something that you need to know: The role of the risk officer becomes more important year after year
All companies try to understand risks and spend much money to manage risks
Risk officers play an important role in implementing enterprise risk management

Risk and Compliance Key Roles - Risk Officer
Risk officers have one additional obligation:
To explain… … risks and countermeasures… … to owners… … auditors… … senior management… … and the board of directors

Risk and Compliance Key Roles – Chief Risk Officer
The Role of the Chief Risk Officer
The Chief Risk Officer's job is to ensure that the organization is in full compliance with applicable laws and regulations
He must coordinate the company's risk management efforts…
… explain risks and controls to senior management and the board…
… and make recommendations

Risk and Compliance Key Roles – Chief Risk Officer
The Chief Risk Officer is rapidly becoming one of the 3-5 most important members of the management team
We read some important paragraphs from a report from the Economist Intelligence Unit
Sponsored by: ACE, Cisco Systems, Deutsche Bank and IBM
“For a corporate post with only a decade of history, the chief risk officer (CRO) attracts a lot of attention”

Risk and Compliance Key Roles – Chief Risk Officer
“CROs have consolidated their position in the financial sector, where they began… … and are increasingly to be found in other industries”
“As companies seek to respond to increased regulatory pressures and a growing array of business risks…
… the CRO is emerging as one of the most important positions in the management team”

Risk and Compliance Key Roles – Chief Risk Officer
“Regulatory compliance is the top priority for risk management”
“Regulatory risk ranks as one of the top two threats to global business”
“Regulatory compliance is the CRO’s primary responsibility”
[Business continuity is also a top priority]

Case Study: Credit Suisse

Risk and Compliance Key Roles – Chief Compliance Officer
The Role of the Chief Compliance Officer
According to Commissioner Cynthia A. Glassman, U.S. Securities and Exchange Commission…
“While the CEO cannot delegate his or her ultimate responsibility…
… a company should have an officer with ownership of corporate compliance and ethics issues…
… and of what Title III of Sarbanes-Oxley broadly refers to as ***Corporate Responsibility***”…

Risk and Compliance Key Roles – Chief Compliance Officer
“While every company must assess its particular needs based on the size and nature of its business…
… there are several characteristics that I would want the corporate responsibility officer to have…
… if I were relying on this person:”
“He or she should have sufficient seniority and authority to take the actions necessary under the circumstances”
“Ask yourself if this person would be able to address the worst-case scenario”

Risk and Compliance Key Roles – Chief Compliance Officer
“The position should have the full support of the CEO and senior management, both in theory and in practice
The corporate responsibility officer should *have access* and provide regular reports to senior management”
“He or she can play an important role in helping a company meet the ***information gathering and reporting requirements***”

Risk and Compliance Key Roles – Chief Compliance Officer
“The corporate responsibility officer should have the ability to report directly to the board (for example, to the audit committee chairman)…
… on matters of significant import to the company or matters involving misconduct by senior management”
In addition, the responsible officer should have sufficient time and adequate resources to implement the company's ***corporate responsibility program*** in an effective manner


Risk and Compliance Key Roles - Owners
Data owners
Understand, Give permissions
Process and system owners
Need to “ensure” (reasonable assurance) that the risks are identified and managed… … and appropriate controls are deployed

Key Roles - The role of the internal auditors
According to the Institute of Internal Auditors (IIA)…
… Internal Auditing is an independent, objective assurance and consulting activity…
… designed to add value and… … improve an organization's operations
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach…
… to evaluate and improve the effectiveness of risk management, control, and governance processes

Key Roles - The role of the internal auditors
The internal audit activity evaluates risk exposures relating to the organization's governance, operations and information systems, in relation to:
Effectiveness and efficiency of operations
Reliability and integrity of financial and operational information
Safeguarding of assets
Compliance with laws, regulations, and contracts

Key Roles - The role of the internal auditors
While management is responsible for internal controls…
… the internal audit activity provides ***assurance*** to management and the audit committee that…
… internal controls are effective and…
… working as intended

The role of the internal auditors - Continuous Auditing
“Continuous Auditing”
An evolving regulatory environment… … increased globalization of businesses… … market pressure to improve operations… … and rapidly changing business conditions… … are creating the need for more timely and ongoing assurance that controls are working effectively and risk is being mitigated
Continuous auditing changes the audit paradigm *from periodic reviews* of a sample of transactions to **ongoing** audit testing of 100 percent of transactions

Key Roles - The role of the external auditors
They provide independent assurance to society
The role of the external auditor is similar to the role of the supervisors and regulators
*The regulators* safeguard stability and investor interests
*The external auditors* work for the private interests of the shareholders of a company
External auditors and supervisors cooperate

Key Roles - The role of the external auditors
Professional Standards - independence, objectivity and integrity
Conflicts of Interest
Non-audit services

Key Roles - The role of the Board of Directors
A. Directors must learn and keep up to date
The industry’s best practices in risk management
B. Directors must ensure that the *management and key employees* and process owners also learn and keep up to date
Is staff qualified, with the necessary experience and technical capabilities?
Who knows the policies, the procedures and the tasks?
There is enough information – is there also enough communication?

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
1. The risk management framework
2. Senior management’s guidance and direction regarding the principles underlying the framework

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
3. Policies developed by senior management - to identify, assess, monitor, control and mitigate risks
Policies for the treatment of non-compliance. No tolerance, no temptations
4. Key processes to manage risks
5. Clear lines of management responsibility, accountability and reporting for risks

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
6. Separation of duties and responsibilities – conflict of interest issues
7. The risk appetite and tolerance for risks
8. The risk transferred outside the organization

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
9. High Impact / Low Frequency events and the strategy to identify and manage these risks
10. Early warning indicators
11. Measurement methodologies - Quantification of exposure to risks, not only qualitative approaches

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
12. Self assessments
Is it an enterprise wide process?
Can it be used for accountability?
Who learns the issues?
Can it be used in risk identification as well as mitigation?
13. Assumptions

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
14. The risks associated with outsourcing activities
Is there oversight of third-party activities?
Is there a clear allocation of responsibilities and clear expectations between external service providers and the organization?

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
Is there an assessment of the materiality of outsourcing arrangements?
Does the organization exercise initial due diligence?
Is the organization monitoring and testing third-party activities on a regular basis?

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
15. Contingency plans
Business Impact Analysis, Disaster Recovery and Business Continuity Plans
Has the organization identified critical business processes, including dependence on external vendors or third parties?

Key Roles - The role of the Board of Directors
C. Directors must understand and approve
Are the alternate facilities / hot sites an adequate distance away from the primary operations?
Is there a periodic review of these plans?
Is there training and testing?
Are there clear descriptions of roles and responsibilities?

Key Roles - The role of the Board of Directors
D. Directors must establish
A management structure… … capable of implementing the firm's risk management framework

Key Roles - The role of the Board of Directors
E. Directors must ensure that
The risk is managed after external and internal *changes* or new products, activities and systems
The risk management system is well documented
They do their best to establish a strong internal control culture in which control activities are an integral part of the activities of a bank

Key Roles - The role of the Board of Directors
E. Directors must ensure that
The risk management framework is implemented consistently across the whole bank
They learn about material losses
There is adequate and meaningful reporting

Key Roles - The role of the Board of Directors
E. Directors must ensure that
They understand and meet the auditors, the internal function and the staff responsible for monitoring compliance
There is adequate internal audit coverage to verify effective implementation of policies and procedures
There is a clear audit plan and scope with respect to operational risk management
The internal audit function does not have operational risk management responsibilities

Director’s responsibilities include - Duty of care
To exercise the care that an ordinarily prudent person in a like position would use under similar circumstances
What does a prudent director do?
1. Learns - all material information reasonably available before making a business decision
There is “good faith” only in case of an informed business decision
2. Considers alternatives

Director’s responsibilities include - Duty of care
3. Attends meetings of the board and of the committees
4. Asks questions
5. Tries to prevent and detect illegal conduct
6. Exercises oversight

Director’s responsibilities include - Duty of loyalty
What does a prudent director do?
Acts in good faith - in a manner he / she reasonably believes to be in the best interests of the corporation

Director’s responsibilities include
Proves that he acts in good faith - is alert to any interest he or she may have that might be considered to conflict with the best interests of the corporation
Discloses fully and carefully financial or personal interests to which the corporation is a party
For example, contracts where he / she had a financial or other personal interest

Director’s responsibilities include - Duty of loyalty
What does a prudent director do?
Keeps confidential all matters involving the corporation that have not been disclosed to the general public…
… Directors are not authorized spokespersons for the corporation