Certified Risk and Compliance Training
International Association of Risk and Compliance Professionals (IARCP)
 
The International Association of Risk and Compliance Professionals (IARCP) develops and maintains a compendium of risk and compliance topics. Subject matter experts review and update this body of knowledge.
 
The Association offers two risk and compliance certificates:
 
1. Certified Risk and Compliance Management Professional (CRCMP)

2. Certified Information Systems Risk and Compliance Professional (CISRCP)
 
 

 
Discover 10 amazing CRCMP Jobs and what it takes to get hired
Which factors matter?
November 2012
 
Download the E-book (no registration needed)
 
I hope you will enjoy it.

Best Regards,

George Lekatis
President of the International Association of Risk
and Compliance Professionals (IARCP)
General Manager, Compliance LLC
1200 G Street NW Suite 800
Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804
Wilmington DE 19801, USA
Tel: (302) 342-8828
 
First Program
Certified Risk and Compliance Management Professional (CRCMP)
 
This course has been designed to provide the knowledge and skills needed to understand and support regulatory compliance and enterprise-wide risk management, and to promote best practices and international standards that align with business and regulatory requirements.
 
The course provides the skills needed to pass the Certified Risk and Compliance Management Professional (CRCMP) exam.
 
This course is intended for professionals who want to understand risk and compliance and to work as risk and compliance officers. They prove that they are qualified when they pass the Certified Risk and Compliance Management Professional (CRCMP) exam.
 
This course is also intended for employers who demand qualified risk and compliance professionals. The course is recommended for senior executives involved in risk and compliance.
 
PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT

Introduction
Regulatory Compliance and Risk Management
Definitions, roles and responsibilities
The role of the board of directors, the supervisors, the internal and external auditors
The new international landscape and the interaction among laws, regulations, and standards
The difference between a best practice and a regulatory obligation
Benefits of an enterprise wide compliance program
Compliance culture: Why it is important, and how to communicate the obligations
Policies, Workplace Ethics, Risk and Compliance
Policies, procedures, the code of conduct
Privacy and information security
Handling confidential information
Conflicts of interest
Use of organizational property
Fair dealings with customers, vendors and competitors
Reporting ethical concerns
The definition of Governance, Risk and Compliance
The need for Internal Controls
Understand how to identify, mitigate and control risks effectively 
Approaches to risk assessment 
Qualitative, quantitative
Integrating risk management into corporate governance and compliance
 
PART B: THE FRAMEWORKS

Internal Controls
COSO, The Internal Control — Integrated Framework by the COSO committee
Using the COSO framework effectively
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
IT Controls
Program Development and Program Change
Deterrent, Preventive, Detective, Corrective Controls
Recovery, Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls
COSO Enterprise Risk Management (ERM) Framework
Is COSO ERM needed for compliance?
COSO and COSO ERM
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The two cubes
Objectives: Strategic, Operations, Reporting, Compliance
ERM – Application Techniques
Core team preparedness
Implementation plan
Likelihood
Impact
COBIT - the framework that focuses on IT
Is COBIT needed for compliance?
COSO or COBIT?
Corporate governance or financial reporting?
Executive Summary
Management Guidelines
The Framework
The 34 high-level control objectives
What to do with the 318 specific control objectives
COBIT Cube
Maturity Models
Critical Success Factors (CSFs)
Key Goal Indicators (KGIs)
Key Performance Indicators (KPIs)
How to use COBIT for compliance 
 
PART C: SARBANES OXLEY

The Sarbanes Oxley Act
The Need
US federal legislation: Financial reporting or corporate governance?
The Sarbanes-Oxley Act of 2002: Key Sections
SEC, EDGAR, PCAOB, SAG
The Act and its interpretation by SEC and PCAOB
PCAOB Auditing Standards: What we need to know
Management's Testing
Management's Documentation
Reports used to Validate SOX Compliant IT Infrastructure
Documentation Issues
Sections 302, 404, 906: The three certifications
Sections 302, 404, 906: Examples and case studies
Management's Responsibilities
Committees and Teams
Project Team – Section 404
Disclosure Committee
Audit Committee
Report to the Board of Directors
Control Deficiency
Deficiency in Design
Deficiency in Operation
Significant Deficiency
Material Weakness
Is it a Deficiency, or a Material Weakness?
Reporting Weaknesses and Deficiencies
Examples
Case Studies
Public Disclosure Requirements
Real Time Disclosures on a rapid and current basis?
Whistleblower protection
Rulemaking process
Companies Affected
International companies
Foreign Private Issuers (FPIs)
American Depository Receipts (ADRs)
Employees Affected
Effective Dates  
 
PART D: BASEL II / BASEL III

The Basel Capital Accords
Realigning the regulation with the economic realities of the global banking markets
New capital adequacy framework replaces the 1988 Accord
Improving risk and asset management to avoid financial disasters
"Sufficient assets" to offset risks
The technical challenges for both banks and supervisors
How much capital is necessary to serve as a sufficient buffer?
The three-pillar regulatory structure
Purposes of Basel
Pillar 1: Minimum capital requirements
Credit Risk – 3 approaches
The standardized approach to credit risk
Claims on sovereigns
Claims on banks
Claims on corporates
The two internal ratings-based (IRB) approaches to credit risk
Some definitions:
PD – Probability of Default
LGD – Loss Given Default
EAD – Exposure at Default
M – Maturity
5 classes of assets
Pillar 2: Supervisory review
Key principles
Aspects and issues of the supervisory review process
Pillar 3: Market discipline
Disclosure requirements
Qualitative and Quantitative disclosures
Guiding principles
Employees Affected
Effective Dates
Operational Risk
What is operational risk
Legal risk
Information Technology operational risk
Operational, operations and operating risk
The evolving importance of operational risk
Quantification of operational risk
Loss categories and business lines
Operational risk measurement methodologies
Identification of operational risk
Operational Risk Approaches
Basic Indicator Approach (BIA)
Standardized Approach (SA)
Alternative Standardized Approach (ASA)
Advanced Measurement Approaches (AMA)
Internal Measurement Approach (IMA)
Loss Distribution (LD)
Standard Normal Distribution
“Fat Tails” in the normal distribution
Expected loss (EL), Unexpected Loss (UL)
Value-at Risk (VaR)
Calculating Value-at Risk
Stress Testing
Stress testing and Basel (AMA)
Advantages / Disadvantages
Operational Risk Measurement Issues
The game theory
The prisoner’s dilemma – and the connection with operational risk management
Operational risk management
Operational Risk Management Office
Key functions of Operational Risk Management Office
Key functions of Operational Risk Managers
Key functions of Department Heads
Internal and external audit
Operational risk sound practices
Operational risk mitigation
Insurance to mitigate operational risk
Basel II and other regulations
Capital Requirements Directive (CRD)
Markets in Financial Instruments Directive (MiFID)
What is the impact of MiFID to EU and non EU banks?
Aligning Basel II operational risk and Sarbanes-Oxley 404 projects
Common elements and differences of compliance projects
New standards
Disclosure issues
Multinational companies and compliance challenges
 
What is Basel III?
The Basel III papers
Was Basel II responsible for the market crisis?
Introduction to the Basel III Amendments
The Financial Stability Board (FSB), the G20 and the Basel III framework
The New Basel III Principles for risk management and corporate governance
The key areas where the Basel Committee believes the greatest focus is necessary 
1. Board practices
2. Senior management
3. Risk management and internal controls
4. Compensation
5. Complex or opaque corporate structures
6. Disclosure and transparency
Sound Practices for the Management and Supervision of Operational Risk
The 9 principles
 
PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM

Designing and Implementing an enterprise-wide Risk and Compliance Program
Designing an Internal Compliance System    
Compliance programs that withstand scrutiny 
How to optimize organizational structure for compliance
Documentation
Testing
Training
Ongoing compliance with laws and regulations
Compliance Monitoring
The company and other stakeholders
Managing the regulators and change in regulations
International and national regulatory requirements
Regulatory compliance in Europe
Regulatory compliance in the USA
What is different
The GCC countries
The Caribbean
The Pacific Rim
Common elements and differences of compliance projects
New standards
Disclosure issues
Multinational companies and compliance challenges
 

 
Second Program
Certified Information Systems Risk and Compliance Professional (CISRCP)
 
This course has been designed to provide IT and Information Security professionals with the knowledge and skills needed to understand and support regulatory compliance and enterprise-wide risk management, and to promote best practices and international standards that align with business and regulatory requirements.
 
The course provides the skills needed to pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.
 
This course is intended for IT and Information Security professionals who want to understand risk and compliance and to work as risk and compliance officers, and for IT managers and directors who need to understand compliance and business risk management.
 
They prove that they are qualified when they pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.

This course is also intended for employers who demand qualified IT and Information Security risk and compliance professionals.

This course is recommended for senior managers with an IT and Information Security background who are involved in risk and compliance.

PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT
 
Introduction
Regulatory Compliance and Risk Management
Definitions, roles and responsibilities
The role of the board of directors, the supervisors, the internal and external auditors
The new international landscape and the interaction among laws, regulations, standards
The difference between a best practice and a regulatory obligation
Benefits of an enterprise wide compliance program
Compliance culture: Why it is important, and how to communicate the obligations
Policies, Workplace Ethics, Risk and Compliance
Policies, procedures and the ethical code of conduct
Privacy and information security
Handling confidential information
Conflicts of interest
Use of organizational property
Fair dealings with customers, vendors and competitors
Reporting ethical concerns
The definition of Governance, Risk and Compliance
The need for Internal Controls
Understand how to identify, mitigate and control risks effectively 
Approaches to risk assessment 
Qualitative, quantitative
Integrating risk management into corporate governance and compliance
IT, Information Security, business risk and compliance
 
PART B: THE FRAMEWORKS
 
Internal Controls
COSO, The Internal Control — Integrated Framework by the COSO committee
Using the COSO framework effectively
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
IT Controls
Program Change
Deterrent, Preventive, Detective, Corrective Controls
Recovery, Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls
COSO Enterprise Risk Management (ERM) Framework
Is COSO ERM needed for compliance?
COSO and COSO ERM
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The two cubes
Objectives: Strategic, Operations, Reporting, Compliance
ERM – Application Techniques
Core team preparedness
Implementation plan
Likelihood Risk Ranking
Impact Risk Ranking
 
COBIT - the framework that focuses on IT
Is COBIT needed for compliance?
COSO or COBIT?
Corporate governance or financial reporting?
Executive Summary
Management Guidelines
The Framework
The 34 high-level control objectives
What to do with the 318 specific control objectives
COBIT Cube
Maturity Models
Critical Success Factors (CSFs)
Key Goal Indicators (KGIs)
Key Performance Indicators (KPIs)
How to use COBIT for compliance
The alignment of frameworks
COSO and COBIT
COSO ERM and COBIT
ITIL and COBIT
ISO/IEC 17799:2000 and COBIT
ISO/IEC 15408 and COBIT
Software and Spreadsheets
Is software necessary for risk and compliance?
Is software needed?
When and why
How large is your organization?
Is it geographically dispersed?
How many processes will you document?
Are there enough persons for that?
Selection process
Spreadsheets
It is just a spreadsheet…
Certain spreadsheets must be considered applications
Development Lifecycle Controls
Access Control (Create, Read, Update, Delete)
Integrity Controls
Change Control
Version Control
Documentation Controls
Continuity Controls
Segregation of Duties Controls
Spreadsheets – Errors
Spreadsheets and material weaknesses
Third-party service providers and vendors
Redefining outsourcing
Key risks of outsourcing
What is needed from vendors and service providers
SAS 70
Type I, II reports
Advantages of SAS 70 Type II
Disadvantages of SAS 70 Type II  
 
PART C: SARBANES OXLEY
 
The Sarbanes Oxley Act
The Need
US federal legislation: Financial reporting or corporate governance?
The Sarbanes-Oxley Act of 2002: Key Sections
SEC, EDGAR, PCAOB, SAG
The Act and its interpretation by SEC and PCAOB
PCAOB Auditing Standards: What we need to know
Management's Testing
Management's Documentation
Reports used to Validate SOX Compliant IT Infrastructure
Documentation Issues
Sections 302, 404, 906: The three certifications
Sections 302, 404, 906: Examples and case studies
Management's Responsibilities
Committees and Teams
Project Team
Steering Committee
Disclosure Committee
Certifying Officers
Audit Committee
Report to the Board of Directors
Control Deficiency
Deficiency in Design
Deficiency in Operation
Significant Deficiency
Material Weakness
Is it a Deficiency, or a Material Weakness?
Reporting Weaknesses and Deficiencies
Examples
Case Studies
Public Disclosure Requirements
Real Time Disclosures on a rapid and current basis?
Whistleblower protection
Rulemaking process
Companies Affected
International companies
Foreign Private Issuers (FPIs)
American Depository Receipts (ADRs)
Employees Affected
Effective Dates
IT and Information Security Control Objectives and Control Framework 
 
PART D: BASEL II / BASEL III
 
The Basel Capital Accords
Realigning the regulation with the economic realities of the global banking markets
New capital adequacy framework replaces the 1988 Accord
Improving risk and asset management to avoid financial disasters
"Sufficient assets" to offset risks
The technical challenges for both banks and supervisors
How much capital is necessary to serve as a sufficient buffer?
The three-pillar regulatory structure
Purposes of Basel
Pillar 1: Minimum capital requirements
Credit Risk – 3 approaches
The standardized approach to credit risk
Claims on sovereigns
Claims on banks
Claims on corporates
The two internal ratings-based (IRB) approaches to credit risk
Some definitions:
PD – Probability of Default
LGD – Loss Given Default
EAD – Exposure at Default
M – Maturity
5 classes of assets
Pillar 2: Supervisory review
Key principles
Aspects and issues of the supervisory review process
Pillar 3: Market discipline
Disclosure requirements
Qualitative and Quantitative disclosures
Guiding principles
Employees Affected
Effective Dates
Operational Risk
What is operational risk
Legal risk
Information Technology operational risk
Operational, operations and operating risk
The evolving importance of operational risk
Quantification of operational risk
Loss categories and business lines
Operational risk measurement methodologies
Identification of operational risk
Operational Risk Approaches
Basic Indicator Approach (BIA)
Standardized Approach (SA)
Alternative Standardized Approach (ASA)
Advanced Measurement Approaches (AMA)
Internal Measurement Approach (IMA)
Loss Distribution (LD)
Standard Normal Distribution
“Fat Tails” in the normal distribution
Expected loss (EL), Unexpected Loss (UL)
Value-at Risk (VaR)
Calculating Value-at Risk
Stress Testing
Stress testing and Basel (AMA)
Advantages / Disadvantages
Operational Risk Measurement Issues
The game theory
The prisoner’s dilemma – and the connection with operational risk management
Operational risk management
Operational Risk Management Office
Key functions of Operational Risk Management Office
Key functions of Operational Risk Managers
Key functions of Department Heads
Internal and external audit
Operational risk sound practices
Operational risk mitigation
Insurance to mitigate operational risk
IT and Information Security in the Basel framework and projects
Basel II and other regulations
Capital Requirements Directive (CRD)
Markets in Financial Instruments Directive (MiFID)
What is the impact of MiFID to EU and non EU banks?
Aligning Basel II operational risk and Sarbanes-Oxley 404 projects
Common elements and differences of compliance projects
New standards
Disclosure issues
Multinational companies and compliance challenges
 
PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM
 
Designing and Implementing an enterprise-wide Risk and Compliance Program
Designing an Internal Compliance System
Compliance programs that withstand scrutiny 
How to optimize organizational structure for compliance
Documentation
Testing
Training
Ongoing compliance with laws and regulations
Compliance Monitoring
The company and other stakeholders
Managing change in regulations
International and national regulatory requirements
Regulatory compliance in Europe
Regulatory compliance in the USA
What is different
The GCC countries
The Caribbean
The Pacific Rim
Common elements and differences of compliance projects
New standards
Disclosure issues
Multinational companies and compliance challenges
 
PART F: CRITICAL INFRASTRUCTURE PROTECTION IN THE USA AND THE EUROPEAN UNION - International standards, principles and best practices

a. In the USA
Introduction
Executive Order 13587 - Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
Executive Order 13636 - Improving Critical Infrastructure Cybersecurity
Presidential Policy Directive (PPD) 21 - Critical Infrastructure Security and Resilience
NIST Releases Draft Outline of Cybersecurity Framework (July 2, 2013)

b. In the European Union
EU Cybersecurity plan to protect open internet and online freedom and opportunity
European Cybercrime Centre (EC3)
Cybersecurity Strategy of the European Union
1. Achieving cyber resilience
2. Drastically reducing cybercrime
3. Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)
4. Develop the industrial and technological resources for cybersecurity
5. Establish a coherent international cyberspace policy for the European Union and promote core EU values
Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection