Roles and Responsibilities
The board of directors (BOD) is accountable to ensure that the organization manages all risks. The BOD fulfills this duty by establishing the RSC, as well as an EROC for the governance process. The BOD evaluates the structure and effectiveness of the RSC and EROC yearly.
The chief risk officer (CRO) is an adviser to all committees. He or she is responsible for facilitating risk workshops and providing support to establish training curricula. He or she collaborates between the risk oversight and other risk management groups.
Risk Management Methodology
JAA uses the ISO 31000 Risk Management Standard and HB 436 to organize its risk management activities. The BOD oversees risk management through its established committees and delegates authority to management where needed. This mandate and commitment function is executed by the EROC. Risk policies adopted for the organization must be consistent with the ISO 31000 principles.
In the objective setting process, as part of business strategy, there must be an alignment with SMART criteria (i.e., specific, measurable, attainable, relevant, and timely). All company personnel need to understand the company's internal and external context. Risk assessment consists of event identification, risk analysis, and risk evaluation.
Scenario analysis and strengths, weaknesses, opportunities, and threats (SWOT) analysis are conducted to identify, analyze, and evaluate the risks. Surveys are conducted monthly to detect any changes in perception. Risk sources stated in the context are always included in threat and benefit analyses. Risk workshops are facilitated by the risk management department to identify, analyze, and evaluate JAA's risks.
All identified major risks are reported to the EROC, which in turn is responsible for the implementation and monitoring of risk treatment plans. Treatment plans include measurement and monitoring activities together with performance and success criteria. All risks are subjected to three different scenarios for what-if analysis. Each scenario set is divided into four categories as worst case, current conditions, best case, and most expected case, and is analyzed accordingly. The RSC oversees execution of the risk treatment plans.
Monitor and Review: At each fiscal year-end, monthly impacts of consequences are statistically combined and mapped to risk levels in the risk criteria to verify whether the previous predictions occurred. If there are any identified gaps and/or significant errors, the root cause of these gaps needs to be identified and results communicated to stakeholders to ensure that these can be included in the next assessment.