At Risk Oversight Solutions Inc., our professionals are global experts in developments in board leadership, risk oversight, and other governance, compliance and risk matters. We provide innovative, cost-effective solutions and training that help elevate high retained-risk positions and emerging risk areas to senior management and boards.

Below are just a few of the important resources worth noting:

  • Resources for Boards

  • Resources for Audit & Risk Specialists

  • Risk Oversight Expectations – U.S.

  • Risk Oversight Expectations – Canada

  • Other Governance, Risk & Compliance Expectations




Resources for Boards

National Association of Corporate Directors (NACD)
  • NACD was founded in 1977 and its mission is to advance exemplary board leadership—for directors, by directors.

  • NACD offers two reports.

  • The more recent one, published in 2009, “Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward,” is an excellent source of information. It offers questions and guidance for directors, together with its Ten Principles to guide directors in providing effective risk oversight.

  • The other, published in 2006, “Risk Oversight: Board Lessons for Turbulent Times” is the predecessor document.

  • Both can be purchased at member and non-member prices.

Corporate Board Member
  • Corporate Board Member, published quarterly, is the leading information resource for senior officers and directors of publicly-traded corporations, large private companies, and Global 1000 firms.

  • Provides readers with decision-making tools to deal with the strategic and corporate governance challenges confronting their boards.

  • Recent events offered include a one-day event on Risk Oversight. Also, their 2010 Supplement, titled “Boardroom Liabilities: Shining a Spotlight on Risk,” includes important questions for directors to consider.

Institute of Corporate Directors (ICD), Canada
  • The Institute of Corporate Directors (ICD) is a not-for-profit, member-based association representing Canadian directors and boards across the for-profit, not-for-profit, and government sectors.

  • They offer events and director education programs, including the ICD.D designation, and more.

Compliance Week
  • A leading information source on governance, risk and compliance, offering insightful and up-to-the-minute articles and information.

  • Offers a very well attended annual conference featuring leading directors and leading GRC experts.

  • Includes articles on risk oversight, such as “Directors Still Failing to Bring Risk Oversight Up to Par” (February 1, 2011).

  • Editor Matt Kelly offers insights and guidance on Twitter; his feed, and Risk Oversight’s own Twitter page, are well worth following.


International Corporate Governance Network (ICGN)
  • ICGN is a not-for-profit body.

  • It has evolved into a global membership organization of over 500 leaders in corporate governance in 50 countries, with institutional investors representing assets under management of around US$12 trillion.

  • The ICGN’s mission is to raise standards of corporate governance worldwide.

  • Best practice guidance includes “Corporate Risk Oversight Guidelines,” an excellent document describing risk oversight guidance for the board and company, including disclosure.

  • Note: you can download an extract of this report but must be a member or contact ICGN to obtain a full copy of the guidelines.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • COSO recently released guidance and surveys relating to the current state of board risk oversight.

  • The survey, “Board Risk Oversight. A Progress Report: Where Boards of Directors Currently Stand in Executing their Risk Oversight Responsibilities,” sought input directly from over 200 corporate directors to obtain deeper knowledge of the current state and desired future state of the risk oversight process.

  • They also offer another survey, COSO’s 2010 “Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework.”

  • Another document released in 2009, “Effective Enterprise Risk Oversight: The Role of the Board of Directors,” is a brief document on the role of directors in risk oversight.

  • More guidance is expected from COSO as they ramp-up efforts to support boards.

Canadian Institute of Chartered Accountants (CICA), Risk Oversight and Governance
  • The CICA offers research and guidance for boards of directors and senior managers on risk oversight and governance.

  • The body responsible for this guidance, formerly known as the Risk Management and Governance Board, was recently renamed the Risk Oversight and Governance Board to better reflect the nature of directors’ oversight role.

  • Guidance includes the 20 Questions Series, which offers directors information relating to risk, strategy, internal audit, crisis management, codes of conduct and more.

Conference Board of Canada
  • The Conference Board of Canada is a not-for-profit applied research organization in Canada.

  • Offers publications such as the 2011 “Risk Oversight Practices: Two Success Stories” and the September 2010 review, “Risk Watch: Thought Leadership in Risk and Governance.”

  • Offers forums and conferences on risk management topics.

Senior Supervisors Group
Risk Management Lessons from the Global Banking Crisis of 2008 (October 2009)
  • Financial supervisors from the world’s largest financial centres came together to identify the root causes of the global financial crisis.

  • They identified weak board oversight of risk as a key element of ‘what went wrong?’

  • Their report proposes steps that companies and countries should take to prevent another global meltdown.

Improving Board Risk Oversight: Eight Simple Steps Show You How
Mark Beasley, PhD (February 3, 2011)
A great article that describes the board’s responsibility to understand and approve management’s risk management processes, to understand the most significant risks the organization faces, and to determine what risk responses have been taken to align with stakeholder risk appetite.
U.S. Securities and Exchange Commission (SEC)
Speech by Carlo V. di Florio, Director, Office of Compliance Inspections and Examinations
CCOutreach National Seminar (February 8, 2011)
This speech includes information on risk management and the role of the board and senior management with regard to:

  • potential expectations from the SEC in understanding how risk management is embedded in key business processes and decision-making;

  • risk appetite and tolerances set by the board and senior management;

  • structure, resources and internal audit processes, and how the board of directors is staffed and structured to ensure it can effectively set risk parameters;

  • fostering an effective risk management culture;

  • overseeing risk-based compensation systems and effectively overseeing the risk profile of the firm.


Resources for Audit and Risk Specialists

ISO 31000
Best Global Risk Management Guidance
  • ISO 31000 (Risk management – Principles and guidelines, 2009) sets out principles, a framework and a process for managing risk; its companion, ISO Guide 73, defines the standard risk management vocabulary.

  • The intent of these documents is to encourage standard-setters in countries around the world to use common terms and a common process in regulatory guidance related to risk.

Australia/New Zealand Risk Management

Best Short Risk Management Guidance
  • Australia and New Zealand played a key role in bringing structure to the risk management discipline with the release of risk management standard AS/NZS 4360 in 1995 (revised in 1999 and 2004, and since superseded by AS/NZS ISO 31000:2009).

  • Every risk professional should have a copy of this short and powerful risk management standard in their library.

U.S. COSO Enterprise Risk Management (ERM) Guidance
  • COSO, the committee responsible for the 1992 Internal Control – Integrated Framework on which this ERM framework is built, issued its Enterprise Risk Management – Integrated Framework in 2004.

  • The guidance was authored by specialists from a Big 4 public accounting firm (PricewaterhouseCoopers), with input from the committee members of the five accounting-centric organizations that comprise COSO.

  • As ERM guidance, it has been criticised by risk specialists for its length; the absence of a process to update and improve it; the distortion created by its foundation on the outdated 1992 control framework; its lack of appeal to senior executives; and other technical deficiencies.

  • In spite of its deficiencies, it is heavily promoted and referenced by the IIA, AICPA, IMA and academics, and is listed as a “must read/have” for any risk practitioner.

Open Compliance and Ethics Group (OCEG)
  • The Open Compliance and Ethics Group (OCEG) is a relatively new but highly influential resource in the GRC space.

  • OCEG has produced an excellent resource in the form of the OCEG GRC Capability Model (“the Red Book”).

  • This framework, in our opinion, is in many respects technically superior to the COSO ERM framework.

  • The OCEG framework, currently in Version 2, has already undergone one full round of improvements, and further enhancement based on input from users and OCEG members is expected.

  • Access to the full GRC Capability Model is restricted to full OCEG members; however, membership is relatively inexpensive, and money well spent for those interested in corporate governance.

Risk and Insurance Management Society (RIMS)
  • The roots and primary focus of RIMS have been insurable risks; however, it has also covered the evolution of the ERM movement.

  • All GRC practitioners should be knowledgeable about the opportunities to share/transfer risk via insurance.

  • RIMS provides a resource to learn and track developments in the insurance area with some very good ERM commentary.

  • It’s our experience that many internal auditors and ERM practitioners are not knowledgeable enough, and don’t take adequate steps to learn and consider the impact of insurance coverage and self-insurance options on their findings and recommendations. Joining RIMS is a good way to “skill-up” in this area.

Risk Management Association (RMA)
  • For GRC practitioners in the financial services sector.

  • Provides coverage of relevant developments in the credit, market and operational risk arenas.

  • Although RMA coverage tends to be U.S. centric, many of the articles are relevant to financial sector entities anywhere in the world.

Global Risk Regulator
  • For those in the EU, or who work for international financial institutions, an excellent resource that tracks global developments in the risk and compliance field is a monthly newsletter out of the UK called Global Risk Regulator.

  • A subscription is required for this resource.

Institute of Internal Auditors (IIA)

-Assessing the Adequacy of Risk Management
  • A resource for internal auditors, and for any other assurance group, on a wide range of topics.

  • Includes information such as a “Practice Guide on Assessing the Adequacy of Risk Management,” based on ISO’s 31000 guidance.

Enterprise Risk Management (ERM) Initiative

-North Carolina State University Poole College of Management
  • The mission of this group is to be a national and international thought leader in enterprise risk management (ERM) and in the implementation of ERM in strategy development and corporate governance.

  • They have partnered with COSO to release numerous documents on ERM and risk oversight.

FCPA Blog
  • An up-to-date blog that is very informative on developments in the anti-corruption world.

  • Tracks developments and enforcement under the Foreign Corrupt Practices Act (FCPA), as well as other developments around the world, such as the UK Bribery Act.


Risk Oversight Expectations – U.S.

Each entry below gives the issuing body, the risk oversight requirement it sets, and the related RO Services.
Securities & Exchange Commission (SEC)

Speech by Carlo di Florio, Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission

CCOutreach Seminar (February 2011)
Comments include:

  • Boards should generally understand how risk management is embedded in key business processes and decision-making, including how business units ensure they are in accordance with the risk appetite and tolerances set by the board and senior management of the whole organization.

  • How key risk management, control and compliance functions are structured and resourced.

  • How senior management ensures effective oversight of ERM and embedding risk management in key business processes.

  • How internal audit processes independently verify and provide the board and senior management with assurance regarding the operating effectiveness of risk management, compliance and control functions.

  • How the board of directors (if one exists in the organization) is staffed and structured to ensure it can effectively set risk parameters, foster an effective risk management culture, and oversee risk-based compensation systems, and effectively oversee the risk profile of the firm.

RO Services: Risk Oversight Gap Assessments; Risk Oversight Support Packages; Enterprise Risk Management (ERM); Risk and Control Self-Assessment; SOX/GRC/ERM Software Implementation
Securities & Exchange Commission (SEC)

Proxy Disclosure Enhancements (2009)
  • Requires disclosure of the board’s role in risk oversight and, to the extent that risks arising from a company’s compensation policies and practices are reasonably likely to have a material adverse effect on the company, disclose such policies and practices as they relate to risk management.

  • Companies face a variety of risks, including credit risk, liquidity risk, and operational risk.

  • The adopting release adds that, similar to disclosure about the leadership structure of a board, disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.

RO Services: Risk Oversight Gap Assessments; Risk Oversight Support Packages; Enterprise Risk Management (ERM); Risk and Control Self-Assessment; SOX/GRC/ERM Software Implementation
New York Stock Exchange (NYSE)

Final Corporate Governance Rules, Section 303A (2003)
  • The audit committee’s duties must include discussing policies with respect to risk assessment and risk management.

  • While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss the guidelines and policies that govern the process by which this is handled.

RO Services: Risk Oversight Gap Assessments; Risk Oversight Support Packages; Enterprise Risk Management (ERM); Risk and Control Self-Assessment; SOX/GRC/ERM Software Implementation

Risk Oversight Expectations – Canada

Each entry below gives the issuing body and regulation area, a description of the risk oversight requirement, and the related RO Services.
Canadian Securities Administrators (CSA)

National Policy (NP) 58-201: Corporate Governance Guidelines (2005)

  • The board should adopt a written mandate in which it explicitly acknowledges responsibility for the stewardship of the issuer, including responsibility for activities such as:

      • adopting a strategic planning process and approving, on at least an annual basis, a strategic plan which takes into account, among other things, the opportunities and risks of the business;

      • the identification of the principal risks of the issuer’s business, and ensuring the implementation of appropriate systems to manage these risks;

      • the issuer’s internal control and management information systems.

RO Services: Risk Oversight Gap Assessments; Risk Oversight Support Packages; Enterprise Risk Management (ERM); Risk and Control Self-Assessment; SOX/GRC/ERM Software Implementation
Toronto Stock Exchange (TSX)

Guide to Good Disclosure for NP 58-201 (2005)

  • TSX suggests additional voluntary disclosure, including: the principal risks identified by the board; the process the board or a committee follows to evaluate risk; the structures and procedures in place to manage identified and potential risks; and whether the board has adopted a specific approach to corporate social responsibility.

  • It also suggests voluntary disclosure relating to internal controls, such as whether the board assumes responsibility for implementing appropriate internal control and management information systems so that it can carry out its responsibilities, how the board or a committee reviews those systems, and how frequently it does so.

RO Services: Risk Oversight Gap Assessments; Risk Oversight Support Packages; Enterprise Risk Management (ERM); Risk and Control Self-Assessment; SOX/GRC/ERM Software Implementation

Other Governance, Risk & Compliance Expectations

Each entry below gives the issuing body and regulation area, a description of the requirement, and the related RO Services.
Internal Audit

-New York Stock Exchange (NYSE) Final Rules (2003)
  • Each listed company must have an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control.

  • A listed company may choose to outsource this function to a third-party service provider other than its independent auditor.

RO Services: Fractional Chief Audit Executive/Chief Risk Officer; Internal Audit Outsourcing/Cosourcing; Internal Audit Quality Assurance Reviews; Internal Audit Software Implementation Support
Internal Controls over Financial Reporting (ICOFR)

-U.S. Listed Companies, Accelerated Filers
-Sarbanes-Oxley (SOX) 404(a) and 404(b)
  • Management (the CEO and CFO) must assess and report on the effectiveness of Internal Controls Over Financial Reporting (ICOFR), disclosing any material weakness (SOX 404(a)).

  • The company’s external auditor must attest to, and report on, the effectiveness of ICOFR (SOX 404(b)).

RO Services: U.S. Sarbanes-Oxley 404 Implementation & Reviews
Internal Controls over Financial Reporting (ICOFR)

-U.S. Listed Companies, Non-Accelerated Filers
-Sarbanes-Oxley (SOX) 404(a)
  • Management (the CEO and CFO) must assess and report on the effectiveness of ICOFR (SOX 404(a)).

  • No external auditor attestation under SOX 404(b) is required.

RO Services: U.S. Sarbanes-Oxley 404 Implementation & Reviews
Internal Controls over Financial Reporting (ICOFR)

-Canada, National Instrument 52-109 (2007)
  • The certifying officers (CEO and CFO) must certify that they have designed and evaluated the effectiveness of ICOFR and disclosure controls and procedures, and any material weakness in ICOFR must be disclosed.

RO Services: Canada 52-109 Implementation & Reviews

Anti-Bribery and Anti-Corruption

-U.S. Foreign Corrupt Practices Act (FCPA) (1977; also applies to foreign companies listed on U.S. stock exchanges)

-Canadian Corruption of Foreign Public Officials Act (CFPOA)

-UK Bribery Act 2010 (in force July 2011)
  • The U.S. has enacted, and vigorously enforces, the Foreign Corrupt Practices Act.

  • Companies are expected to have a wide range of controls in place to ensure compliance with this legislation, and face massive penalties if the U.S. Department of Justice determines that a covered company has not complied.

  • Canada and the U.K. have similar laws.

RO Services: FCPA/Anti-Bribery Due Diligence & Reviews; Fraud Risk Assessments
Anti-Money Laundering (AML)

-Federally Regulated Canadian Financial Institutions – AML Compliance (December 2008)
  • The Office of the Superintendent of Financial Institutions (OSFI), Canada’s federal prudential regulator, sets out specific expectations for control systems in Guideline B-8, Deterring and Detecting Money Laundering and Terrorist Financing.

RO Services: Anti-Money Laundering (AML); Fraud Risk Assessments
Alberta Oil & Gas Companies

-Enhanced Production Audit Program (EPAP) (2011)
  • Effective 2011, oil and gas operators in Alberta must comply with Directive 76: Operator Declaration Regarding Measurement and Reporting Requirements and the EPAP Operator’s Handbook.

  • This new directive parallels SOX 404 / NI 52-109 for external financial reporting, customized for oil and gas measurement and reporting.

RO Services: Oil & Gas Loss Control; Enhanced Production Audit Program (EPAP); Joint Venture/Royalty/Contract Audits