Certified Risk and Compliance Training

The International Association of Risk and Compliance Professionals (IARCP) develops and maintains four certification programs and many tailor-made training programs for directors, executive managers, risk and compliance managers, consultants, vendors, service providers, auditors and legal counsels around the world. Subject matter experts review and update this body of knowledge.

For instructor-led training, you may contact Lyn Spooner at lyn@risk-compliance-association.com


Discover 10 CRCMP jobs, what it takes to get hired, and which factors matter.

Download the e-book (no registration needed).


Certified Risk and Compliance Management Professional (CRCMP)

(Note: This is the Certified Risk and Compliance Management Professional (CRCMP) program. It is different from the Certified Regulatory and Compliance Professional (CRCP) program provided by FINRA, which can be found at www.finra.org.)

The CRCMP program has become one of the most recognized programs in risk management and compliance. There are CRCMPs in 32 countries. Companies and organizations such as IBM, Accenture, American Express and USAA consider the CRCMP a preferred certificate.

The CRCMP program has been designed to provide participants with the knowledge and skills needed to understand and support regulatory compliance and enterprise-wide risk management. The course provides the skills needed to pass the Certified Risk and Compliance Management Professional (CRCMP) exam. The program was last updated on 10 January 2018.

Target Audience

The CRCMP certification program is beneficial to:
- Risk managers, employees, auditors and consultants.
- Compliance managers, employees, auditors and consultants.
- Senior managers involved in risk and compliance management.
- Risk and compliance management vendors, suppliers and service providers.

Course Synopsis

Part A: Introduction, Compliance and Risk Management

What is corporate governance.
The OECD (Organization for Economic Cooperation and Development) principles of corporate governance.
FSB, Thematic Review on Risk Governance.
FSB 2017, Thematic Review on Corporate Governance.

What is risk.
Risk and uncertainty.
Risk acceptance, transfer, avoidance.
Definitions of risk - from the US Marine Corps (Marine Corps Training Command) to the corporate environment.
Risk - good or bad?
Case Study: Daimler Group, Risk and Opportunity Management system.
Risk Management and Issue Management.
Marine Corps and Banks – similar Records Management principles.
Threats and vulnerabilities.
Risk mitigation methodology flowchart.
Outsourcing and Risk Management.

What is compliance.
Enterprise wide risk and compliance program.
Case Study: Annual Report, Munich Re.
Policies, Procedures, Standards, Baselines, Guidelines, Ethics.
Case Study: Merck.
Conflicts of interest.
Roles and responsibilities.
The Chief Risk Officer.

Case Study: Annual Report, Bank of America Corporation.
Case Study: Annual Report, Credit Suisse Group AG.
Case Study: Annual Report, Munich Re.

Data Owners, Process Owners.
The role of the internal auditors.
Continuous Auditing.
The role of the external auditors.
The role of the Board of Directors.
Case Study: Annual Report, Credit Suisse Group AG.
Case Study: Annual Report, GE.
Case Study: Annual Report, Lloyds Banking Group.
Case Study: Annual Report, Bank of America.
Case Study: Annual Report, Amazon.
Case Study: Annual Report, Daimler Group.

Part B: Sarbanes-Oxley, an international standard.

The need.
Companies affected.
American Depositary Receipt (ADR) program.
Employees affected.
Foreign Private Issuers (FPIs) and Sarbanes-Oxley compliance.
EDGAR - Electronic Data Gathering, Analysis, and Retrieval system.
Case Studies: Microsoft, Sony.

The Sarbanes-Oxley Act.
Key sections, what we need to know.
Board's new responsibilities.
Management’s testing and documentation.
Management’s responsibilities.
Committees and teams.
Sections 302, 404, 906: The three certifications.
Sections 302, 404, 906: Examples and case studies.

The Securities and Exchange Commission (SEC) and the Sarbanes-Oxley Act.
The PCAOB and the new Auditing Standards: What we need to know.
Auditing Standard No. 1, to Auditing Standard No. 16.
Reorganized PCAOB Auditing Standards.

Control Deficiency.
Deficiency in Design.
Deficiency in Operation.
Significant Deficiency.
Material Weakness.

The Scope of the Sarbanes-Oxley Act.
Software and Spreadsheets after the Sarbanes-Oxley Act.
Service providers.

E-SOX, the European Sarbanes-Oxley.
The 8th Company Law Directive of the European Union (Directive 2006/43/EC on statutory audits).
Ahold, Parmalat and the new rules.
Article 45 - Registration and oversight of third-country auditors and audit entities.
The “equivalence” of a third country.
Article 46 - Derogation in the case of equivalence.

J-SOX, the Japanese Sarbanes-Oxley.
From Enron to Livedoor, Kokudo, Kanebo.
The Financial Instruments and Exchange Law.
J-SOX requirements similar to the U.S. Sarbanes-Oxley Act.
“Corporate Responsibility for Financial Reports”
“Management Assessment of Internal Controls”
From the Financial Services Agency (FSA), to the Certified Public Accountants and Auditing Oversight Board (CPAAOB), to the Securities and Exchange Surveillance Commission (SESC).

Part C: Basel II, Basel III – the new international standards in governance, risk and compliance

The Bretton Woods Agreement.
Bankhaus Herstatt.
The Bank for International Settlements (BIS).
The Basel Committee on Banking Supervision (BCBS).
The purposes of the Basel framework.

Basel I, Basel II, Basel III.
Basel I - The First Basel Capital Accord.
Basel II - The major amendment.
Pillar 1: Minimum capital requirements.
Pillar 2: Supervisory review process.
Pillar 3: Market discipline.
Branch office vs. subsidiary.
Credit risk, market risk, operational risk.
Operating, Operations, Operational risks.
Seven Event Types (Loss Categories).
The 8 business lines.

Delphi method - exploring the future.
5 categories of control breakdowns.
Outsourcing and Basel compliance.

The Basel III amendment.
The objective of the reform.
Basel III, sound corporate governance principles.
A. Board practices.
B. Senior management.
C. Risk management and internal controls.
D. Compensation.
E. Complex or opaque corporate structures.
F. Disclosure and transparency.
The role of the supervisors.

Part D: The Frameworks

The Committee of Sponsoring Organizations (COSO).
1992, COSO Internal Control — Integrated Framework.
The COSO cube.

Control Environment.
Risk Assessment.
Control Activities.
Information and Communication.
Monitoring.

Effectiveness and Efficiency of Operations.
Reliability of Financial Reporting.
Compliance with applicable laws and regulations.

2013, COSO Internal Control — Integrated Framework.
The updated COSO cube.
Example: Cyber risk and COSO.

2004 - The COSO Enterprise Risk Management (ERM) Framework.
The differences between COSO and COSO ERM.
Components of Enterprise Risk Management.
The COSO ERM cube.

Is COSO ERM needed for compliance?
Internal Environment.
Objective Setting.
Event Identification.
Risk Assessment.
Risk Response.
Control Activities.
Information and Communication.
Monitoring.

Objectives: Strategic, Operations, Reporting, Compliance.
ERM – Application Techniques.
2017 - The updated COSO ERM.
Enterprise Risk Management and Strategy Selection.

Control Objectives for Information and Related Technologies - COBIT.
COBIT 5.

Part E: Designing and implementing a risk and compliance program

Which is the best program?
Principles of Effective Compliance Programs, from the US Bureau of Industry and Security.
Comprehensive compliance programs.

The Rulemaking Process in the US and the EU.
International and national regulatory requirements.
Regulatory compliance in Europe.
Regulatory compliance in the USA.
Canada’s Sarbanes-Oxley.
The GCC (Gulf Cooperation Council) Countries.
The Offshore Financial Centers (OFCs).
The Special Purpose Entities (SPEs).


Certified Information Systems Risk and Compliance Professional (CISRCP)

Overview

What is one of the biggest mistakes companies and organizations make with IT and information security? They rely on expert opinion and technical advice that is not grounded in the applicable laws and regulations.

To minimize liability and reduce risks, including losses from legal action, IT and information security experts must understand the current legal environment. Executive orders, directives and regulations shape international standards and best practices and determine how IT and information security must be organized.

The CISRCP program deals with the interaction between IT, information security and privacy on the one hand, and the US and EU executive orders, directives and regulations that shape international standards and best practices on the other. It covers the General Data Protection Regulation (GDPR) of the EU and the extraterritorial application of EU law, including data protection "by design" and "by default".

Objectives:

The seminar has been designed to provide participants with the knowledge and skills needed to understand the legal and regulatory obligations that shape international standards and best practices in IT and information security, and to become a Certified Information Systems Risk and Compliance Professional (CISRCP).

Target Audience

The CISRCP certification program is beneficial to:
- Managers and employees involved in the design and implementation of IT, information security, risk and compliance related strategies, policies, procedures, risk assessments, control activities, testing, documentation, monitoring and reporting.
- IT and information security managers, employees, and consultants.
- Senior managers involved in IT, information security, risk and compliance management.
- Vendors, suppliers and service providers.

The course also addresses the needs of employers seeking qualified IT and information security professionals who meet the fit and proper requirements in risk and compliance management.

Course Synopsis

Part 1: US Executive Orders and federal government regulation that shape cybercrime laws, regulations and international standards.

Executive orders.
National Security Decision Directive 145 (NSDD 145).
National Security Presidential Directive 38 (NSPD 38).
The National Strategy to Secure Cyberspace.
National Security Presidential Directive 54 (NSPD 54).
Homeland Security Presidential Directive 23, (HSPD 23).
EINSTEIN 1, EINSTEIN 2 and EINSTEIN 3 Accelerated (E3A).
Executive Order 13587.
Executive Order (EO) 13636.
PPD 21.
Executive Order 13691.
PPD 41.
Executive Order 13794.
Executive Order 13800.

US federal government regulation.
Health Insurance Portability and Accountability Act (HIPAA).
Gramm-Leach-Bliley Act.

Part 2: The European Union's directives and regulations that shape international standards.

The Council of Europe Convention on Cybercrime (Budapest Convention), 2001.
The EU Cybersecurity Strategy, 2013.
Directive 2013/40/EU.
The Digital Single Market Strategy, 2015.

The European Agenda on Security, 2015.

The EU Computer Emergency Response Team (CERT-EU).
Europol’s European Cybercrime Centre (EC3).
The EC3 Programme Board.

The directive on security of network and information systems (NIS Directive), 2016.
The NIS Directive, important parts.

Critical infrastructure protection in the EU.
Directive 2008/114/EC.
COM(2006) 786.
JOIN(2017) 450.
Reform of cyber security in Europe.

Part 3: The General Data Protection Regulation (GDPR) of the EU, and the extraterritorial application of EU law.

Important sections of the GDPR.
Principles relating to processing of personal data.
Data protection "by design" and "by default".
Representatives of controllers or processors not established in the Union.
Information security.
Security of processing.
Appropriate level of security, "taking into account the state of the art".
The "data protection impact assessment".
Transfers of personal data to third countries.
GDPR practical steps, from ENISA.

Closing remarks.
World Economic Forum, Global Centre for Cybersecurity.