Certified Risk and Compliance Training

The International Association of Risk and Compliance Professionals (IARCP) develops and maintains three certification programs and many tailor-made training programs for directors, executive managers, professionals working for banks and financial organizations, consultants, vendors, service providers, auditors and legal counsels around the world. Subject matter experts review and update this body of knowledge.

For instructor-led training, you may contact Lyn Spooner at lyn@risk-compliance-association.com explaining what you need, and we will contact you as soon as possible.


Discover 10 amazing CRCMP Jobs and what it takes to get hired
Which factors matter?

November 2014

Download the E-book (no registration needed).

I hope you will enjoy it.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800
Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804
Wilmington DE 19801, USA
Tel: (302) 342-8828


First Program
Certified Risk and Compliance Management Professional (CRCMP)

This course has been designed to provide participants with the knowledge and skills needed to understand and support regulatory compliance and enterprise wide risk management. It also promotes best practices and international standards that align with business and regulatory requirements.

The course provides the skills needed to pass the Certified Risk and Compliance Management Professional (CRCMP) exam.

This course is intended for professionals who want to understand risk and compliance management and to work as risk and compliance officers. They prove that they are qualified when they pass the Certified Risk and Compliance Management Professional (CRCMP) exam.

This course is also intended for employers who need qualified risk and compliance management professionals that meet the fit and proper requirements. The course is recommended for senior executives involved in risk and compliance management.

PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT

  • Introduction
  • Regulatory Compliance and Risk Management
  • Definitions, roles and responsibilities
  • The role of the board of directors, the supervisors, the internal and external auditors
  • The new international landscape and the interaction among laws, regulations, and standards
  • The difference between a best practice and a regulatory obligation
  • Benefits of an enterprise wide compliance program
  • Compliance culture: Why it is important, and how to communicate the obligations
  • Policies, workplace ethics, risk and compliance policies, procedures and the code of conduct
  • Privacy and information security
  • Handling confidential information
  • Conflicts of interest
  • Use of organizational property
  • Fair dealings with customers, vendors and competitors
  • Reporting ethical concerns
  • The definition of Governance, Risk and Compliance
  • The need for Internal Controls
  • Understand how to identify, mitigate and control risks effectively
  • Approaches to risk assessment
  • Qualitative, quantitative approach
  • Integrating risk management into corporate governance and compliance

PART B: THE FRAMEWORKS

  • Internal Controls, COSO, the Internal Control Integrated Framework by the COSO committee
  • Using the COSO framework effectively
  • The Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
  • Effectiveness and Efficiency of Operations
  • Reliability of Financial Reporting
  • Compliance with applicable laws and regulations
  • IT Controls
  • Program Development and Program Change
  • Deterrent, Preventive, Detective, Corrective Controls
  • Recovery, Compensating, Monitoring and Disclosure Controls
  • Layers of overlapping controls
  • COSO Enterprise Risk Management (ERM) Framework
  • Is COSO ERM necessary for compliance?
  • COSO and COSO ERM
  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring
  • The two cubes
  • Objectives: Strategic, Operations, Reporting, Compliance
  • ERM – Application Techniques
  • Core team preparedness
  • Implementation plan
  • Likelihood
  • Impact
  • COBIT - the framework that focuses on IT
  • Is COBIT needed for compliance?
  • COSO or COBIT?
  • Corporate governance or financial reporting?
  • Executive Summary
  • Management Guidelines
  • The Framework
  • The 34 high-level control objectives
  • What to do with the 318 specific control objectives
  • COBIT Cube
  • Maturity Models
  • Critical Success Factors (CSFs)
  • Key Goal Indicators (KGIs)
  • Key Performance Indicators (KPIs)
  • How to use COBIT for compliance

PART C: SARBANES OXLEY

  • The Sarbanes Oxley Act
  • The Need
  • US Federal Legislation: Financial reporting or corporate governance?
  • The Sarbanes-Oxley Act of 2002: Key Sections
  • SEC, EDGAR, PCAOB, SAG
  • The Act and its interpretation by the SEC and the PCAOB
  • PCAOB Auditing Standards: What we need to know
  • Management's Testing
  • Management's Documentation
  • Reports used to Validate SOX Compliant IT Infrastructure
  • Documentation Issues
  • Sections 302, 404, 906: The three certifications
  • Sections 302, 404, 906: Examples and case studies
  • Management's Responsibilities
  • Committees and Teams
  • Project Team – Section 404
  • Disclosure Committee
  • Audit Committee
  • Report to the Board of Directors
  • Control Deficiency
  • Deficiency in Design
  • Deficiency in Operation
  • Significant Deficiency
  • Material Weakness
  • Is it a Deficiency, or a Material Weakness?
  • Reporting Weaknesses and Deficiencies
  • Examples
  • Case Studies
  • Public Disclosure Requirements
  • Real Time Disclosures on a rapid and current basis?
  • Whistleblower protection
  • Rulemaking process
  • Companies Affected
  • International companies
  • Foreign Private Issuers (FPIs)
  • American Depository Receipts (ADRs)
  • Employees Affected
  • Effective Dates

PART D: BASEL II / BASEL III

  • The Basel Capital Accords
  • Realigning the regulation with the economic realities of the global banking markets
  • New capital adequacy framework replaces the 1988 Accord
  • Improving risk and asset management to avoid financial disasters
  • "Sufficient assets" to offset risks
  • The technical challenges for both banks and supervisors
  • How much capital is necessary to serve as a sufficient buffer?
  • The three-pillar regulatory structure
  • Purposes of Basel
  • Pillar 1: Minimum capital requirements
  • Credit Risk – 3 approaches
  • The standardized approach to credit risk
  • Claims on sovereigns
  • Claims on banks
  • Claims on corporates
  • The internal ratings-based (IRB) approaches to credit risk
  • Some definitions:
  • PD - The probability of default,
  • LGD - The loss given default,
  • EAD - Exposure at default,
  • M – Maturity
  • 5 classes of assets
  • Pillar 2: Supervisory review
  • Key principles
  • Aspects and issues of the supervisory review process
  • Pillar 3: Market discipline
  • Disclosure requirements
  • Qualitative and Quantitative disclosures
  • Guiding principles
  • Employees Affected
  • Effective Dates
  • Operational Risk
  • What is operational risk
  • Legal risk
  • Information Technology operational risk
  • Operational, operations and operating risk
  • The evolving importance of operational risk
  • Quantification of operational risk
  • Loss categories and business lines
  • Operational risk measurement methodologies
  • Identification of operational risk
  • Operational Risk Approaches
  • Basic Indicator Approach (BIA)
  • Standardized Approach (SA)
  • Alternative Standardized Approach (ASA)
  • Advanced Measurement Approaches (AMA)
  • Internal Measurement Approach (IMA)
  • Loss Distribution (LD)
  • Standard Normal Distribution
  • “Fat Tails” in the normal distribution
  • Expected loss (EL), Unexpected Loss (UL)
  • Value-at Risk (VaR)
  • Calculating Value-at Risk
  • Stress Testing
  • Stress testing and Basel AMA
  • Advantages / Disadvantages
  • Operational Risk Measurement Issues
  • The game theory
  • The prisoner’s dilemma – and the connection with operational risk management
  • Operational risk management
  • Operational Risk Management Office
  • Key functions of Operational Risk Management Office
  • Key functions of Operational Risk Managers
  • Key functions of Department Heads
  • Internal and external audit
  • Operational risk sound practices
  • Operational risk mitigation
  • Insurance to mitigate operational risk
  • Basel II and other regulations
  • Capital Requirements Directive (CRD)
  • Aligning Basel II operational risk and Sarbanes-Oxley 404 projects
  • Common elements and differences of compliance projects
  • New standards
  • Disclosure issues
  • Multinational companies and compliance challenges

  • What is Basel III?
  • The Basel III papers
  • Was Basel II responsible for the market crisis?
  • Introduction to the Basel III Amendments
  • The Financial Stability Board (FSB), the G20 and the Basel III framework
  • The New Basel III Principles for risk management and corporate governance
  • The key areas where the Basel Committee believes the greatest focus is necessary:
    1. Board practices
    2. Senior management
    3. Risk management and internal controls
    4. Compensation
    5. Complex or opaque corporate structures
    6. Disclosure and transparency
  • Sound Practices for the Management and Supervision of Operational Risk
  • The 9 principles

PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM

  • Designing and Implementing an enterprise wide Risk and Compliance Program
  • Designing an Internal Compliance System
  • Compliance programs that withstand scrutiny
  • How to optimize organizational structure for compliance
  • Documentation
  • Testing
  • Training
  • Ongoing compliance with laws and regulations
  • Compliance Monitoring
  • The company and other stakeholders
  • Managing the regulators and change in regulations
  • International and national regulatory requirements
  • Regulatory compliance in Europe
  • Regulatory compliance in the USA
  • What is different
  • The GCC countries
  • The Caribbean
  • The Pacific Rim
  • Common elements and differences of compliance projects
  • New standards
  • Disclosure issues
  • Multinational companies and compliance challenges

Second Program
Certified Information Systems Risk and Compliance Professional (CISRCP)

This course has been designed to provide IT and Information Security managers, consultants and professionals with the knowledge and skills needed to understand and support regulatory compliance and enterprise wide risk management.

The course provides the skills needed to pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.

This course is also intended for employers who need qualified IT and Information Security professionals that meet the fit and proper requirements in risk and compliance management.

This course is recommended for senior managers and directors responsible for risk and compliance management in IT.

PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT

  • Introduction
  • Regulatory Compliance and Risk Management
  • Definitions, roles and responsibilities
  • The role of the board of directors, the supervisors, the internal and external auditors
  • The new international landscape and the interaction among laws, regulations and standards
  • The difference between a best practice and a regulatory obligation
  • Benefits of an enterprise wide compliance program
  • Compliance culture: Why it is important, and how to communicate the obligations
  • Policies, Workplace Ethics, Risk and Compliance
  • Policies, procedures and the ethical code of conduct
  • Privacy and information security
  • Handling confidential information
  • Conflicts of interest
  • Use of organizational property
  • Fair dealings with customers, vendors and competitors
  • Reporting ethical concerns
  • The definition of Governance, Risk and Compliance
  • The need for Internal Controls
  • Understand how to identify, mitigate and control risks effectively
  • Approaches to risk assessment
  • Qualitative, quantitative approach
  • Integrating risk management into corporate governance and compliance
  • IT, Information Security, business risk and compliance

PART B: THE FRAMEWORKS

  • Internal Controls - COSO, The Internal Control Integrated Framework by the COSO committee
  • Using the COSO framework effectively
  • The Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
  • Effectiveness and Efficiency of Operations
  • Reliability of Financial Reporting
  • Compliance with applicable laws and regulations
  • IT Controls
  • Program Change
  • Deterrent, Preventive, Detective, Corrective Controls
  • Recovery, Compensating, Monitoring and Disclosure Controls
  • Layers of overlapping controls
  • COSO Enterprise Risk Management (ERM) Framework
  • Is COSO ERM necessary for compliance?
  • COSO and COSO ERM
  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring
  • The two cubes
  • Objectives: Strategic, Operations, Reporting, Compliance
  • ERM – Application Techniques
  • Core team preparedness
  • Implementation plan
  • Likelihood Risk Ranking
  • Impact Risk Ranking
  • COBIT - the framework that focuses on IT
  • Is COBIT needed for compliance?
  • COSO or COBIT?
  • Corporate governance or financial reporting?
  • Executive Summary
  • Management Guidelines
  • The Framework
  • The 34 high-level control objectives
  • What to do with the 318 specific control objectives
  • COBIT Cube
  • Maturity Models
  • Critical Success Factors (CSFs)
  • Key Goal Indicators (KGIs)
  • Key Performance Indicators (KPIs)
  • How to use COBIT for compliance
  • The alignment of frameworks
  • COSO and COBIT
  • COSO ERM and COBIT
  • ITIL and COBIT
  • ISO/IEC 17799:2000 and COBIT
  • ISO/IEC 15408 and COBIT
  • Software and Spreadsheets
  • Is software necessary for risk and compliance?
  • Is software needed?
  • When and why
  • How large is your organization?
  • Is it geographically dispersed?
  • How many processes will you document?
  • Are there enough persons for that?
  • Selection process
  • Spreadsheets
  • It is just a spreadsheet …
  • Certain spreadsheets must be considered applications
  • Development Lifecycle Controls
  • Access Control (Create, Read, Update, Delete)
  • Integrity Controls
  • Change Control
  • Version Control
  • Documentation Controls
  • Continuity Controls
  • Segregation of Duties Controls
  • Spreadsheets – Errors
  • Spreadsheets and material weaknesses
  • Third-party service providers and vendors
  • Redefining outsourcing
  • Key risks of outsourcing
  • What is needed from vendors and service providers
  • SAS 70
  • Type I, II reports
  • Advantages of SAS 70 Type II
  • Disadvantages of SAS 70 Type II

PART C: SARBANES OXLEY

  • The Sarbanes Oxley Act
  • The Need
  • US Federal Legislation: Financial reporting or corporate governance?
  • The Sarbanes-Oxley Act of 2002: Key Sections
  • SEC, EDGAR, PCAOB, SAG
  • The Act and its interpretation by SEC and PCAOB
  • PCAOB Auditing Standards: What we need to know
  • Management's Testing
  • Management's Documentation
  • Reports used to Validate SOX Compliant IT Infrastructure
  • Documentation Issues
  • Sections 302, 404, 906: The three certifications
  • Sections 302, 404, 906: Examples and case studies
  • Management's Responsibilities
  • Committees and Teams
  • Project Team
  • Steering Committee
  • Disclosure Committee
  • Certifying Officers
  • Audit Committee
  • Report to the Board of Directors
  • Control Deficiency
  • Deficiency in Design
  • Deficiency in Operation
  • Significant Deficiency
  • Material Weakness
  • Is it a Deficiency, or a Material Weakness?
  • Reporting Weaknesses and Deficiencies
  • Examples
  • Case Studies
  • Public Disclosure Requirements
  • Real Time Disclosures on a rapid and current basis?
  • Whistleblower protection
  • Rulemaking process
  • Companies Affected
  • International companies
  • Foreign Private Issuers (FPIs)
  • American Depository Receipts (ADRs)
  • Employees Affected
  • Effective Dates
  • IT and Information Security Control Objectives and Control Framework

PART D: BASEL II / BASEL III

  • The Basel Capital Accords
  • Realigning the regulation with the economic realities of the global banking markets
  • New capital adequacy framework replaces the 1988 Accord
  • Improving risk and asset management to avoid financial disasters
  • "Sufficient assets" to offset risks
  • The technical challenges for both banks and supervisors
  • How much capital is necessary to serve as a sufficient buffer?
  • The three-pillar regulatory structure
  • Purposes of Basel
  • Pillar 1: Minimum capital requirements
  • Credit Risk – 3 approaches
  • The standardized approach to credit risk
  • Claims on sovereigns
  • Claims on banks
  • Claims on corporates
  • The internal ratings-based (IRB) approaches to credit risk
  • Some definitions:
  • PD - The probability of default,
  • LGD - The loss given default,
  • EAD - Exposure at default,
  • M – Maturity
  • 5 classes of assets
  • Pillar 2: Supervisory review
  • Key principles
  • Aspects and issues of the supervisory review process
  • Pillar 3: Market discipline
  • Disclosure requirements
  • Qualitative and Quantitative disclosures
  • Guiding principles
  • Employees Affected
  • Effective Dates
  • Operational Risk
  • What is operational risk
  • Legal risk
  • Information Technology operational risk
  • Operational, operations and operating risk
  • The evolving importance of operational risk
  • Quantification of operational risk
  • Loss categories and business lines
  • Operational risk measurement methodologies
  • Identification of operational risk
  • Operational Risk Approaches
  • Basic Indicator Approach (BIA)
  • Standardized Approach (SA)
  • Alternative Standardized Approach (ASA)
  • Advanced Measurement Approaches (AMA)
  • Internal Measurement Approach (IMA)
  • Loss Distribution (LD)
  • Standard Normal Distribution
  • “Fat Tails” in the normal distribution
  • Expected loss (EL), Unexpected Loss (UL)
  • Value-at Risk (VaR)
  • Calculating Value-at Risk
  • Stress Testing
  • Stress testing and Basel AMA
  • Advantages / Disadvantages
  • Operational Risk Measurement Issues
  • The game theory
  • The prisoner’s dilemma – and the connection with operational risk management
  • Operational risk management
  • Operational Risk Management Office
  • Key functions of Operational Risk Management Office
  • Key functions of Operational Risk Managers
  • Key functions of Department Heads
  • Internal and external audit
  • Operational risk sound practices
  • Operational risk mitigation
  • Insurance to mitigate operational risk
  • IT and Information Security in the Basel framework and projects
  • Basel II and other regulations
  • Capital Requirements Directive (CRD)
  • Aligning Basel II operational risk and Sarbanes-Oxley 404 projects
  • Common elements and differences of compliance projects
  • New standards
  • Disclosure issues
  • Multinational companies and compliance challenges

PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM

  • Designing and Implementing an enterprise wide Risk and Compliance Program
  • Designing an Internal Compliance System
  • Compliance programs that withstand scrutiny
  • How to optimize organizational structure for compliance
  • Documentation
  • Testing
  • Training
  • Ongoing compliance with laws and regulations
  • Compliance Monitoring
  • The company and other stakeholders
  • Managing change in regulations
  • International and national regulatory requirements
  • Regulatory compliance in Europe
  • Regulatory compliance in the USA
  • What is different
  • The GCC countries
  • The Caribbean
  • The Pacific Rim
  • Common elements and differences of compliance projects
  • New standards
  • Disclosure issues
  • Multinational companies and compliance challenges

PART F: CRITICAL INFRASTRUCTURE PROTECTION IN THE USA AND THE EUROPEAN UNION - International standards, principles and best practices

a. In the USA

  • Introduction
  • Executive Order 13587 - Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
  • Executive Order 13636 - Improving Critical Infrastructure Cybersecurity
  • Presidential Policy Directive (PPD) 21 - Critical Infrastructure Security and Resilience
  • NIST Releases Draft Outline of Cybersecurity Framework (July 2, 2013)

b. In the European Union

  • EU Cybersecurity plan to protect open internet and online freedom and opportunity
  • European Cybercrime Centre (EC3)
  • Cybersecurity Strategy of the European Union:
    1. Achieving cyber resilience
    2. Drastically reducing cybercrime
    3. Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)
    4. Developing the industrial and technological resources for cybersecurity
    5. Establishing a coherent international cyberspace policy for the European Union and promoting core EU values
  • Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection