Governance, Risk and Compliance (GRC)
After completing this course you will be able to:
- Understand the requirements and benefits of GRC
- Develop and review the Corporate Governance process
- Manage risk at an enterprise level
- Implement effective techniques for the Identification, measurement assessment and management of risks
- Analyse and assess the effectiveness of controls in the business environment and ensure effective compliance
- Build an environment that supports business controls
- Ensure an effective framework is in place to assess the adequacy of internal controls
Who should attend
- Senior management responsible for GRC
- Functional managers who need a greater understanding of Corporate Governance
- Internal Audit Managers and senior auditors
- Compliance professionals
- Risk managers
- Quality audit professionals
- This is an intermediate/senior level course and delegates should have a broad business knowledge
- There are no minimum educational requirements
- No advance preparation is required
- Delivery method – Group-live (with exercises and role-plays to simulate scenarios and situations that business managers, risk professionals and others will encounter)
Participants will earn 15 CPE credits (in the Management Advisory Services field of study).
Day 1: The Principles of Governance
- The increasing importance of Corporate Governance
- Corporate Governance explanation
- 6 core principles of governance
- 7 governance warning signs
- New corporate governance insights paper will be shared
- Meeting Stakeholder requirements
- Record of accountability
- Protecting the financial position
- Alliances, partnerships and contracts
- Fulfillment of promises
- Top down management of reputation
- Media management
- Business continuity
- Community and other stakeholder requirements
- Environmentally responsible sources / treatments
- Communication – internally and externally
- Exercise 1 Corporate Governance evaluation
The role of Senior Management in relation to Governance
- Senior Management’s role is to oversee the management and governance of the business
- Review and approve significant corporate actions
- Review and monitor implementation of management’s strategic plans
- Monitor corporate performance and evaluate results compared to the strategic plans and other long-range goals
- Review and approve the Company’s annual operating plans and budgets
- Review the financial controls and reporting systems
- Oversee the management of enterprise risk
- Review the ethical standards and legal compliance process
- Monitor relations with shareholders, employees, and the communities in which the business operates.
- A guidance paper on Board assessment of organizational governance will be provided
- Exercise 2 – The challenges of Corporate Governance for senior management
Meeting Stakeholder expectations
- Who are the stakeholders?
- Are stakeholders’ expectations known?
- Are the expectations clear?
- How can you meet the widely differing expectations?
- Are there any areas where expectations could be exceeded?
- Are there any quick wins?
- What reports should be provided to stakeholders?
- A new paper on working with stakeholders will be shared
- What every Director should know – new guidance
- Exercise 3 Meeting the ever expanding needs of stakeholders
- The rise of reputation as a key risk
- The increasing importance of a positive image – the need to be admired
- Where does reputation come from?
- How do you measure it?
- The magnifying effect on reputation of business failures
- Global brands
- How to judge reputation
- The explosion of regulation and external assurance
- Identifying reputational risks
- A checklist for reviewing reputational risk will be provided
- Exercise 4 Assessing reputational management
The Audit Committee and Governance
- The Audit Committee role
- The governance custodians
- Structure and independence
- Considering the reports of external audit and other external agencies
- Reviewing the effectiveness of relationships between Internal Audit, External Audit and the other bodies reviewed
- Assessing the effectiveness of the risk management environment and anti-fraud arrangements
- The Audit Committee / Internal Audit relationship
- Reviewing Governance statements and the annual statement of accounts to ensure both properly reflect the risk
- An Audit Committee checklist will be shared
- Exercise 5 The Audit Committee challenges
Day 2: Enterprise Risk Management
The key aspects of ERM
- Explanation of ERM and why it is not fully understood
- The role and responsibilities of directors and senior management with respect to ERM
- ERM roles
- ERM value statements
- Strategic, financial and operational risk
- The key link between corporate governance and risk
- Selling the benefits to top management
- Exercise 6 – 20 ERM questions
The link between ERM and strategic objectives
- The need to understand the organisation’s strategic objectives
- Developing a programme to reflect these objectives
- Risk appetite – the least understood aspect of risk?
- External risk statements – principal risk factors
- Examples of risk appetite statements will be provided
- Categories of risk
- Establishing a risk management framework
- The results of a Global RM study will be shared
- Exercise 7 – Analysing a disaster
Establishing an Embedded Risk Management Process
- Risk management framework guide
- Surprises and risk
- Why financial risks are only the tip of the iceberg
- The widening of the risk portfolio
- Risk cultures
- IRM paper on risk culture assessment
- The challenges
- New and emerging risks – reputation, social, environmental
- Updating the risk strategy for your organisation
- Establishing the business case
Selling the benefits to management
- The need for risk champions
- Risk and competitive advantage
- Exercise 8 – Risk Taking In Action
Linking the output into the Business Planning Process
- Linking corporate risks with the strategic planning process
- Linking operational risks into service planning
- Risk owners – how to determine such personnel and enforce ownership
- Annual statements by risk owners
- Developing risk tracking
- Using the risk register as a decision skeleton
- Quarterly board reporting to review progress in addressing the exposures
- Risk management committee reporting
- Half yearly evaluation of key risks to ensure new risks identified and included
- Emerging risks
- Exercise 9 – The emerging risks
Reviewing the wider risk process
- A risk based programme example will be walked through
- Reviewing the business objectives
- Are the objectives comprehensive and SMART?
- Do the risks in the register relate properly to the objectives?
- Are they specifically linked to the objectives and recorded?
- Are the inherent risks correctly evaluated?
- Are any key risks missing?
- Are the causes of the event identified?
- Have mitigating actions been recorded for each risk?
- Is such mitigation detailed enough?
- Are there any actions in progress to deal with risk?
- Are there any management decisions pending?
- Has a target risk been established?
- Assess the level of confidence that such actions will reduce the risk to the required level
- Is the target risk realistic?
Day 3: Compliance
The Internal Control integrated framework
- The need for an effective system of internal control
- The changing business environment
- Impact of and increased reliance on technology
- Increasing regulatory requirements and scrutiny
- Globalisation challenges
- The need for systems of internal control to be flexible
- The principles based approach
The need to understand controls
- Types of control
- Preventative, corrective and detective controls
- Getting to the causes of control failure
- Questions to ask
- How to gather and evaluate information
- Documenting controls
- Exercise 11 – The control pressures
How to get senior management to take compliance seriously
- Promoting the benefits of effective internal control
- The directions of the board and senior management are implemented as intended
- Operations and activities are carried out efficiently and meet their objectives
- The assets used in an organization are not only properly accounted for, but also that they are used effectively and efficiently
- Good internal control will also protect an organization and its staff against the temptations of dishonesty, fraud, and theft.
- The opportunity cost of poor internal control
- Exercise 12 – Convincing management
General controls over technology
- Risk and Control Matrices to Document Technology Dependencies
- Evaluating End-User Computing
- Implementing or Monitoring Control Activities when Outsourcing IT Functions
- Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties
- Configuring IT to Support the Complete and Accurate Processing of Transactions and Data
- Administering Security and Access
- Applying a System Development Life Cycle over Packaged Software
- Exercise 13 – Assessing technology controls
Compliance with policies and procedures
- Developing and Documenting Policies and Procedures
- Requiring policies and procedures to be regularly updated
- Deploying Control Activities through Business Unit or Functional Leaders
- Conducting regular and Ad Hoc Assessments of Control Activities
- Inventory of Information Requirements
- Validating Information from External Sources
- Information from Non-Finance Management
- Creating and Maintaining Information Repositories
- Enhancing Information Quality Through a Data Governance Program
- Identifying, Protecting, and Retaining Financial Data and Information
- Adopting ISO 27000
- Exercise 14 – Assessing information management
Ongoing evaluations to ascertain whether the components of internal control are present and functioning
- Develop a baseline for effective internal control processes
- Case study will be provided
- Have a mix of evaluations from different sources
- Use the most knowledgeable personnel
- Adjust scope and frequency
- Change the monitoring processes as the business activities and risk profile changes
- Develop metrics
- Consider a continuous monitoring/ audit approach
- The psychological problem with highlighting deficiencies
- The need to focus on benefits rather than problems
- The need to drive action
- Creating rapport with your customers – tips and techniques
- The need to understand the people receiving the information
- Exercise 15: Dealing with the monitoring feedback
About Phil Griffiths
Phil Griffiths, FCA
Phil Griffiths is founder and Managing Director of Business Risk Management Ltd.
A Chartered Accountant, he has over 30 years' experience in risk management, Corporate Governance, internal audit and fraud prevention as a practitioner, professional adviser, facilitator and trainer.
His areas of specialism are:
- Assisting Senior Management to identify, manage and then exploit the risks within their business via facilitated business risk management programmes
- Helping Internal Audit functions to implement world class standards.
- Developing fraud prevention, detection and investigation programmes
- Training both private and public sector organisations in all the above disciplines.
He has extensive experience of the European, Asian, Middle Eastern and African markets, having trained professionals from over 1000 organisations in these regions during the past 15 years.
He has extensive experience of managing and auditing major international projects. He also has direct experience of negotiating major contracts (including the largest mobile telecommunications contract in the world at the time).
Phil has developed strategic alliances with professional bodies and world renowned training companies, to deliver training and consultancy services across Europe, Asia, the Middle East and Africa.
He has developed over 300 training courses on all aspects of internal audit, risk management and fraud and delivered them across the globe.
He has led risk management programmes for more than 120 private and public sector clients, tailored specifically to include facilitated workshops, development of risk strategies and assistance with implementation.
He is an accomplished author. His book ‘Risk Based Auditing’ is an international best seller and his new book ‘Enterprise Risk Management – the key to business success’ is receiving much acclaim.
Phil has published research into many aspects of internal audit and risk management best practice, including “Strategic Risk Management”, “The Need to Co-ordinate Assurance Providers” and “The Expectations of Chief Executives towards Internal Audit and its Future”.
He is recognised as an accomplished and charismatic facilitator, trainer and lecturer and is in continual demand to speak at the most prestigious events on risk management, internal audit and fraud.
Course Fee and Timings
The fee for the 3-day course is GBP 550 (US$ 665) which includes comprehensive course materials. The course will consist of three 1.5 hour sessions each day.