Certified Compliance Professional VENUE: VIRTUAL/ZOOM

The Risk Management Academy will be organizing this Program in November 2019 in Lagos, Nigeria.

Participants will obtain a clear understanding of and appreciation for the necessity of a strong and well-equipped compliance function within any financial services institution.

Through lecture, class exercises, highly interactive participation, and case studies, participants will review the need for financial services regulation, the markets/participants/institutions/instruments over which regulation proceeds, the use of the compliance function as a risk mitigator, the various methods and approaches to compliance with regulatory requirements, establishment of a well-functioning compliance department, and the skills required to succeed as a compliance officer.

Through intense analysis of specific cases concerning compliance and ethical lapses, money laundering, and rule violations, delegates will obtain keen insights to reduce the risk of regulatory and compliance problems and to foster a culture of compliance within their own firms.


  • New Compliance Officers
  • Risk Managers
  • Control Function Managers
  • Legal Department Managers
  • Management Consultants
  • Equities Sales and Trading Desk Operations Managers
  • Fixed Income Sales and Trading Desk Operations Managers
  • Investment Banking Administrative Officers
  • Treasurers
  • Financial decision makers in corporations
  • Strategists


  • How to successfully structure and manage an effective compliance function
  • The immediate impact of an ineffective compliance program
  • The comprehensive loss of revenue, trust, and reputation resulting from a weak compliance environment
  • How regulatory changes can quickly impact your organization and bottom line
  • How to prepare for intense regulatory scrutiny and examinations
  • From multiple case studies that globally illustrate cultures of compliance and strong compliance departments

For details about the program, please contact Dr. Neville Odafe on 09071941111;08021003297 or send an e-mail to: info@theriskacademy.org or info@grcprofessionals.com.ng


Comparing ISO 31000 and ISO 27005

Comparison between ISO 31000 and ISO 27005 risk management processes

by Geraldo Ferreira

Organizations of different sizes and types face both internal and external influences that make it uncertain whether they will be able to accomplish their objectives. The effect of this uncertainty on a company's objectives is called "risk". To address this issue effectively, two international standards stand out in the risk management space, both of which provide crucial guidance for carrying out risk management activities.

The first of these is ISO 31000. With its launch anticipated in October of this year, this standard will serve as a master standard for every other risk management standard. Because of its general scope, it provides overall guidelines for any area of risk management (e.g., finance, engineering, security, among others). Although most organizations already have a defined methodology in place to manage risks, this new standard defines a set of principles that must be followed in order to ensure the effectiveness of risk management. It recommends that companies continually develop, implement, and improve a framework whose goal is to integrate the process for managing risk into the organization's governance, strategy, and planning, as well as its management, reporting of data and results, policies, values, and culture throughout the entire organization.

The other is ISO 27005. Part of the ISO 27000 family since 2008, this standard establishes risk management best practices specifically geared towards information security, particularly with regard to complying with the requirements of an Information Security Management System (ISMS), as mandated by ABNT NBR ISO/IEC 27001. It establishes that risk management best practices should be defined in accordance with the characteristics of the organization, taking into account the scope of its ISMS, the risk management context, and its industry. Within the framework this standard describes for implementing the ISMS requirements, several different methodologies may be used, and different approaches to risk management as it relates to information security are introduced in the appendix of the document.

Risk Management Best Practices for ISO 31000

Although ISO 31000 describes the management process in more detail and uses different terms and expressions, both standards address the risk management process in a similar fashion.

According to ISO 31000, organizations typically establish the context and manage risk by identifying it, analyzing it, and subsequently evaluating whether the risk should be modified by a treatment strategy so as to satisfy their risk criteria. Throughout this entire process, these organizations must communicate and consult with stakeholders, while monitoring and reviewing the risk and the controls that modify it, so as to ensure that no further risk treatment is required (see the flow in Figure 1).

Risk Management Best Practices for ISO 27005

As for ISO 27005, risk management for information security should establish the context, assess the risks, and treat them through a risk treatment plan in order to implement the resulting recommendations and decisions. Risk management analyzes the potential events and their consequences before deciding what to do and when to do it, so as to reduce risks to an acceptable level. Additionally, the standard includes decision points on the assessment and treatment of risks (illustrated by the two decision points in Figure 2), and its risk acceptance activity ensures that residual risks are explicitly accepted by company management. This is particularly important in situations where the implementation of a control is omitted or postponed, for example because of cost.

Although risk management best practices have been developed over time to meet specific needs in many areas and industries, using distinct methodologies, the adoption of consistent processes within an overarching structure helps ensure that risks are managed efficiently, effectively, and coherently throughout the organization. ISO 31000 is the parent standard, providing the overall guidelines and principles for managing any type of risk in a systematic, transparent, and reliable manner, within any scope and context, whereas ISO 27005 is the specialized standard that complements the parent by providing best practices for managing the risks related to information security.