In addition to the oversight functions (described next), JAA has embedded risk management into its underlying business operations. For example, a company-wide risk management policy (see Appendix B) has been adopted to support effective risk management. A risk management framework, supported by various risk policies, gives all employees guidance on how to address risk in organizational processes such as business and strategy planning, budgeting, performance management and reporting, human resources, compliance, and information security. Heads of departments are responsible for maintaining the risk registers, which include the treatment actions for each risk. All risks in these registers are consolidated and reported to the EROC together with possible treatment options.
The company's independent oversight functions, namely the Risk Management department, the Legal department, the Compliance department, and the Internal Audit department, provide the required assurance. These functions report periodically to the board and its committees as appropriate.
Risk Management Department
The Risk Management department has a distinct advisory role to all levels of management and to the board on how risks are managed. The department also reviews and challenges the outcomes of the risk assessments performed by management, and the resulting risk registers, which contain the risks that make up JAA's risk profile.
Legal Department
The Legal department is responsible for providing advice to the company, its divisions, and its employees on matters of law and legal protection by:
• Representing the company in all meetings, conferences, and public forums
• Preparing protocols, claims, and court counterclaims
• Representing the company in court
• Protecting the company's rights and interests in judicial settings
• Defining legal documentation requirements
Compliance Department
The Compliance department helps in the following areas:
• Regulatory risk management – keeping company activities in strict compliance with current legislation
• Compliance monitoring – evaluating and measuring the state of compliance across the organization
• Investigations – managing investigations into wrongdoing and anything that increases regulatory-related risks
Internal Audit Department
The Internal Audit (IA) function is best in class. Matt Damison, who has 20 years of relevant internal audit and risk management experience, joined JAA in 2008 with strong academic and professional certifications. He belongs to several leading professional organizations such as the Institute of Risk Management in London, the Conference Board of Canada, and the Risk Management Institute of Australia. He also speaks and writes extensively on this subject matter.
Matt reports directly to the Audit Committee chair, Sally Hendrix, with dotted-line daily responsibilities to the chief executive officer, Michael Menorix. Matt meets with the Audit Committee on a periodic basis. He also attends the key meetings in the strategic planning process.
This is a summary of what he has done during this five-year period:
• The department adopted a comprehensive risk-based approach to the audit plan, and every audit project is derived from that plan. Special requests by management that fall outside management's own risk assessment are reviewed very carefully, especially when the requests do not appear to address issues that generate any new risk. Audits are therefore focused on the company's highest risks, or on formerly high risks that management actions have now reduced to within the stated risk criteria. Comprehensive reviews of every business or operational process are not performed, because such processes include areas of lower risk.
• Several senior-level personnel in the company formerly worked in the Internal Audit function, and Internal Audit has a track record of promoting high-quality performers to line management positions. The function has minimal turnover to outside the organization.
• The Internal Audit group consistently demonstrates how it has contributed to the success of the company by linking all commentaries on its accomplishments to the company's strategic objectives.
• Internal Audit annually evaluates risk management, and issues an opinion on it according to the 11 risk management principles stated in ISO 31000. This year, it has completed its third such review, focusing on:
• The design of the risk management framework, including such things as assignment of responsibilities and accountabilities, context of the company, communication with the stakeholders, and mandate and commitment by the board
• The implementation of the risk management framework
• The risk process implementation, culminating in the generation of the risk register
• Monitoring and review
• Continuous improvement