At CGC we believe that the success of any system implementation depends on the successful transfer of knowledge to our customer. For this reason, we offer a comprehensive range of training modules covering ERM, Internal Audit and Compliance.

  • Certified Operational Risk Executive I

    This course is designed to take an experienced, senior business executive through all of the developmental stages in Operational Risk Profiling during an intensive five-day residential course.

  • Certified Operational Risk Executive II

    This course follows on from CORE I. Delegates must either have successfully completed CORE I or be able to demonstrate at least two years' experience in Operational Risk Management before being able to register to attend.

  • Risk Based Internal Audit Training (RiBIA)

    This course is designed to take an experienced Internal Auditor through the various disciplines needed to implement a fully operational Risk Based Internal Audit (RiBIA) approach.

  • Control and Risk Self-Assessment

    This is a "hands on", practical workshop in which Risk Management, Internal Audit and Compliance Staff are trained on our methodology for efficiently and effectively risk profiling their organizations. Practical case studies are used to implement the methodology using the CARE CRSA module.

  • Tailored ATMs (Audit Training Modules)

    A series of training courses ranging from three to five days in duration, designed for Internal Auditors of all levels, from entry-level auditors to those in charge of managing an internal audit function. All these courses are case study driven and provide practical guidance to the participants.

  • Insurance Training for Auditors

    This course is intended for experienced Internal Auditors who are new to the Insurance industry. Its intention is not to train the delegates in Internal Audit techniques, but to explain how this complicated industry works and to help delegates adapt their existing Internal Audit techniques to cater for the specific challenges of auditing the Insurance industry. The course covers all major aspects of the industry: life assurance, general insurance and reinsurance.

  • The Audit of the Actuarial Function

    This course follows on from the Insurance Industry Audit course; it examines the challenges presented to the Internal Auditor when embarking on an audit of this very complex area of the Life Assurance industry. Due to its perceived complexity, this is very often an area that is not examined in detail by Internal Auditors in the insurance industry.

Certified Operational Risk Executive I

This course is designed to take an experienced, senior business executive through all of the developmental stages in Operational Risk Profiling during an intensive five-day residential course. The following is an outline of the topics covered each day.

  • An outline of Corporate Governance;
  • The eight facts of business life as regards risk management;
  • The nature of risk;
  • Types of risk, including Credit, Market and Operational;
  • How all business risk can be said to fall under the umbrella of Operational Risk;
  • How risk is identified;
  • What is a risk, and what is simply a control not working;
  • Identifying Risk Parameters including Asset Types under threat, and Risk Appetite;
  • The need to manage risk, not simply to measure it;
  • Risk Management Standards – UK and Australia/New Zealand standards;
  • Moving from the general to the specific with a discussion on Sarbanes–Oxley as an example.

Case Study
The delegates, as a group, discuss the bank detailed in the case study and determine the overall risk parameters, which are then fixed for the rest of the case study sessions. They will identify what "assets" the bank would consider to be under threat and how important each one is; the types of Corporate Risks this bank may be subject to; and what weighting should be given to each of the Risk Planning parameters within the bank.
From a detailed written description of the bank's Electronic Banking activity, small groups of delegates are asked to determine an acceptable Risk Appetite; establish what range of values would constitute high risk, medium risk and low risk; identify the key risks and assign them to an asset category and Impact and Probability category. In addition each risk will be assigned to an Objective linked to the bank's overall Strategy if delegates feel this is required.

Overnight, the instructors will have reviewed the delegate group's printed output. Overall feedback will be given (in general terms), and a "model" answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
The delegates next learn about Controls, the types of control, the difference between a control and a process and the concept of an Entity control.
Case Study
Using the comprehensive data supplied, the delegate groups then work to identify the controls in the Electronic Banking function and categorise them into their various types.
The delegates next learn about matching controls and risks; they will learn about the many-to-many relationships between risk and control and the varying impacts of controls to risks.
Whilst the "matching" lecture is underway the instructors will have reviewed the delegate group's printed output from the controls exercise; overall feedback will then be given (in general terms) and a "model" answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
Case Study
Again using the comprehensive data supplied, the delegate groups then work to match the "model" controls to the "model" risks. (This activity may well require the delegates to work in the evening.)

Overnight the instructors will have reviewed the delegate group's printed output. Overall feedback will be given (in general terms) and a discussion will be held to explore any marked differences in "scoring". A "model" answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
The concept of control testing will be discussed; Compliance and Substantive testing will be dealt with. The direction of testing will be covered as will frequency of testing. The topic of Control Risk Self Assessment (CRSA) will be covered.
Case Study
Once more using the comprehensive data supplied the delegate groups then work to write Compliance Tests for the "key" controls in the case study. The issue of whether to use questions or tests will need to be addressed by the delegates as will the questions of sample sizes and frequency of testing.
The instructors will review the delegate group's printed output from the exercise; overall feedback will then be given (in general terms) and a "model" answer will be provided to all delegates, showing the Compliance Tests for all of the controls, to ensure that everyone starts the next phase of the course at the same level.
Case Study
The delegates will next be supplied with documentation representing the results of certain Compliance Tests; delegate groups will need to evaluate this data and decide upon the degree of confidence that can be given to each control. This data then needs to be fed into the previously established control environment for the case study.

The concept of Incident Recording will be discussed; the concept of Incidents v Near Misses will be covered as will the concept of Incident Significance. Contingency Planning will also be dealt with.
Case Study
Delegate groups will be supplied with documentation about "events" relating to the case study; they will need to decide what to record and what to omit, as well as what category the recorded items should fall into (incidents or "near misses").
The instructors will review the delegate group's printed output from the exercise; overall feedback will then be given (in general terms) and a "model" answer will be provided to all delegates.
Case Study
Using all of the "model answer" data, the delegate groups will be required to prepare a report for senior management on the overall control environment for the Electronic Banking function.

The instructors will have reviewed the delegate group's printed output. Overall feedback will be given (in general terms) and a "model" answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
The linkages between Risk Management, Internal Audit and Compliance will then be explored. The subject of Risk Based Internal Audit will then be addressed.
Case Study
Data will be supplied to each delegate relating to some of the controls surrounding the Corporate Risks identified on Day 1, as well as some overall data concerning five other functions within the bank. The delegates will then use the data, plus the output from the detailed case study to:

  • Prepare a Quarterly Report on Operational Risk for the Board
  • Prioritise the 5 functions within the bank from an Operational Risk perspective.
Test
This consists of 20 multiple-choice questions based around what has been learned on the course.
The instructors will mark the test and the marks scored will be used, in conjunction with the delegate's overall performance on the course, to determine whether the delegate has demonstrated sufficient proficiency to be awarded a CORE certificate.
Training for this qualification can also be undertaken on-line, at the individual's own pace. It covers the same ground as the course detailed above, and successful trainees are awarded the same standard of certificate. Register your interest now, without commitment or obligation, for the next round of on-line training.

Certified Operational Risk Executive II


This course follows on from CORE I. Delegates must either have successfully completed CORE I or be able to demonstrate at least two years' experience in Operational Risk Management before being able to register to attend. The course is spread over four days and, like CORE I, is a mix of presentations and case study work, with a formal examination at the end; in this case the examination takes up the whole of the final day.


Delegates will be provided with a detailed case study for an international bank; this will form the basis for the practical exercises on the course.

Delegates will learn about the need to decide how their organization is to be divided so as to ensure full risk coverage; what Entities do we need, functional, product or process – perhaps a mixture of all three!

Delegates, in groups, will interview members of the Board to obtain more detail about the bank and the directors' view of the risks that confront it.

Next we will discuss the concept of Corporate Risks: are they simply risks that are common across all areas of the organization, or are they something different? Corporate Risks often need to be linked to individual Entities within the organization; this aspect will be fully covered here, as will the concept of Strategic Risk.

Delegates will discuss the concept of probability and how to decide on the frequency to apply; how many levels should there be? Also the various Risk Parameters that need to be considered at the Corporate Level will be discussed.

Finally, the subject of Risk Appetite will be discussed: should this be established at the corporate level or by entity? If it is to be by entity, what if the entity is not a function? The "ownership" of the appetite will be discussed.

Using the data gathered from their interviews, plus data in the case study, the delegate groups will have to determine:

  • The Asset Types to be used in their Risk Profiling;
  • The probability criteria to be used;
  • The Strategic Risks;
  • The corporate risks.

As part of the overall discussion the concepts of Emerging Risks and Composite Risks are covered; delegates will get a chance to define one of the latter.

Overnight, the presenters will debrief the delegate group's work and at the start of the day will provide feedback in general terms. A model answer will be provided.

Since delegates will be expected to understand the necessary liaison between Risk Management and Internal Audit, there will be a discussion about the Environment Ratings to be used by Internal Auditors, such as Complexity, Throughput etc., if they are using Risk Based Audit Planning techniques. What are these and how are they determined and updated?

Impact sizes will be discussed as will the need to decide whether to fix these by entity or for the organization as a whole.

Next delegates will discuss Key Risk Indicators. What they are and what they are not. What do we do with them? The linkage to risks will be discussed, as will the merits of internal and external indicators.

Using the case study material and their interview notes from Day 1, delegates will:

  • Decide upon the risk parameters to apply across the organization;
  • Decide upon the Impact sizes to apply to the entities in the case study model answer from Day 1;
  • Decide upon the Appetite for Risk and the Control Gap % to be applied to each entity;
  • Determine the control environment for the Corporate Risks.

The presenters will debrief the delegate group's work and will provide feedback in general terms. A model answer will be provided.

The delegates will participate in a discussion about event capture and modelling of incident data. This will be an interactive session dealing with the practical issues raised by the need for capital adequacy modelling under Basle II, and so participants will be expected to have an understanding of these requirements. Delegates will be expected to summarize the AMA; discussions will be held around:

  • Analysing previous loss data;
  • "Tail" events;
  • Changes in the control environment both retrospective and prospective;
  • Modelling all losses or just "Basle" losses.

We will discuss the importance of event capture in modelling; do we model Gross or Net? We will look at the need to reconcile between Finance and Risk Management – how do Finance capture these events?

This will lead naturally into a discussion of how actual incident data should be used to refine previously developed Risk Models. Delegates will be given some actual incident data along with the Risk Profile to which it relates and will need to determine what changes, if any, to make to the model.

Next delegates will discuss the necessary components of a Risk Management Policy; this will include decisions on the parameters to be used by the organization, the type and frequency of reporting to be used and the Risk Committee and its link to the Audit Committee.

Using the Case Study materials and the notes taken so far, delegates will write the Risk Management Policy for the Group.

The model answer for this assignment will constitute a template for an Operational Risk Policy document.

Prior to the examination there will be a half-hour recap session, run on a question and answer basis, with delegates being able to put questions to the presenters.

Examination

This will take up most of the day and will be in three parts:

  1. Delegates will answer a 20 question test paper, the questions being multiple choice;
  2. Delegates will prepare a report to the Board on the current control environment across the Group;
  3. Using all of the materials accumulated so far, delegates are required to produce an Operational Risk Management Policy document for the HK & C Group. The document is not to exceed eight pages, with a two-page appendix if desired. Marks will be deducted for any document exceeding these ten pages.

Risk Based Internal Audit Training (RiBIA)


This course is designed to take an experienced Internal Auditor through the various disciplines needed to implement a fully operational Risk Based Internal Audit (RiBIA) approach.


The three basic elements of RiBIA are covered:

  • Introduction to methodology terms and definitions;
  • Using CARE system features;
  • A brief on Risk Based Audit Planning;
  • Risk Based Audit execution;
  • Risk Based Audit reporting.

The course utilizes CARE (Control And Risk Evaluation) Risk Management software and, whilst the techniques learned can be applied without the aid of software, CARE is the system recommended by the course providers.

The course is case study driven supported by traditional lectures; this allows delegates to put into practice the theory presented to them and ensures the maximum delegate involvement. Some evening work may be required to complete the practical examples. At all stages of the course “model” answers are supplied so that each delegate is brought up to a common level of achievement at all points in the course-work.

Case Study Preparation

The Tailored material / case study will be developed to ensure:

  • Participants can easily use the methodology in the audit of other units (particularly other branches)
  • Controls, weaknesses identified, and recommendations made are relevant to the organization
  • The training material is detailed enough to become a future guide/reference for new auditors
  • Common exceptions (frequent problems) are raised in the case study.

Morning Session:

The day starts with an outline of the Risk assessment methodology to cover the definitions of the following terms:-

  • Risk
  • Control
  • Risk assessment
  • Linking controls to Risks
  • Risk Management
Case Study

Project 1: The delegates will need to read the manual procedure for one of the departments to identify Risks and to highlight the relevant controls.

Afternoon Session:

The delegates will learn how to enter the Risks and Controls data into the CARE system, build the risk matrix and assess the control environment for each risk.

Introduction to reports generated by the system. This would include the following reports:-

  • Risk Reports
  • Control Reports
  • Test Schedule
  • Workshop Summary Reports
  • Recommendation Reports

Introduction to system features and generating reports. This would include the following:-

  • Working papers module
  • Event tracking module
  • Recommendation follow-up

Morning Session:

The day starts with an outline of the history behind RiBIA and shows the delegates the 3 main elements: Planning, Execution and Reporting.

A presentation on the first element of RiBIA – Risk Based Audit Planning; this will cover the basic elements needed in a Risk Based Internal Audit Planning system.

The concepts of Corporate Risks will be dealt with; particular emphasis will be placed upon where the controls for these risks reside.

Case Study
Project 1: The delegates will need to discuss Corporate Risks for the organization and highlight where the relevant controls are to be found.

Overall feedback will be given (in general terms) and a “model” answer will be provided.

Afternoon Session:

The concept of Risk Based Audit Execution will be discussed; this involves making use of the data in the Risk Database of the organization. Internal Audit Compliance Testing will be contrasted with CRSA and the two systems brought together.

Case Study
Project 2: Using the case study material (which will be based on a selected branch's CRSA data), delegates will be required to write the IA Compliance Tests program.

Morning Session:

Project 2 (continued): Delegates will continue writing compliance tests.

The instructors will review a sample of delegate groups' printed output; overall feedback will be given (in general terms) and a “model” answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.

Next, delegates will address the issue of Substantive Testing in a risk-based environment; the concept of using Risk Profiles to determine initial Substantive Testing work will be addressed as will refining Compliance Test work for use in Substantive Testing.

Afternoon Session:

Case Study
Project 3: Using the same business unit as the case study, delegates will be expected to design and write the required Substantive Tests.

Morning Session:

Overnight the instructors will have reviewed the delegate group’s printed output; overall feedback will be given (in general terms) and a “model” answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.

The concept of Risk Based Audit Reporting will be discussed; this will include Audit Rating schemes. Delegates will learn how such schemes can be driven from the output of Compliance Test work, Substantive Test work and CRSA, and how to develop a “no surprises” reporting system.

Case Study
Project 4: using the case study material delegates will be required to write a risk-based audit report for the selected Business Unit.

Afternoon Session:

The instructors will review the delegate group’s printed output; overall feedback will be given (in general terms) and a “model” answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.

Delegates will next discuss the need for risk-based Internal Audit plans to be flexible and capable of change over time; they will discuss what the drivers of such change would be, which will involve a discussion of Key Risk Indicators (KRIs).

Case Study
Project 5: Delegates will be required to develop 3 KRIs for the organization in the case study.
Note: This exercise might not be covered if more time is required for Reporting.

SUMMARY AND CLOSING REMARKS

Control and Risk Self-Assessment

Insurance Training for Auditors

The Audit of the Actuarial Function