General Risk Management Policies
General risk management policies apply to the entire company. Policies provide high-level guidelines for managing risks within JAA. Commitment to comply with the general policies is a company-wide requirement. The following are key risk policies:
• Corporate ethics policy. Corporate ethics rules are monitored and maintained by the Audit Committee. Ethics are included in each training seminar and such seminars need to be taken periodically.
• Customer satisfaction and retention policy. Internal and external customer expectations are periodically monitored and communicated in a timely fashion to ensure that service levels are achieved for operational objectives.
• Ownership policy. No information, data, process, report, or asset can exist without having an owner attached to it. Change of ownership can be initiated only upon approval of a designated internal stakeholder. Ownership is assigned according to priority criteria of "most used by," "first created by," and "most impacted by."
• Training policy. Each item in this policy statement must be included in the company's training program. Corporate culture can be established and maintained only by providing timely and sufficient training to each employee. No employee can be assigned responsibilities without adequate measurement of his or her competencies.
• Information systems policy. Objectives at all levels (strategic, tactical, and operational) should be mapped down to the infrastructure level (see Exhibit 22.2). Context definition should be monitored and reviewed at least yearly and whenever a major event occurs. All risk owners must be cognizant of their dependency on other areas of the business. Integrity, consistency, and accessibility objectives are set by business lines, and information technology (IT) hardware and software architectures are designed to ensure the achievement of such objectives.
• Access rights policy. Access rights should be provided according to each employee's responsibility level. Access rights should not be changed without approval of a senior manager. All access rights need to be consistent with the authorization levels in Exhibit 22.8. No conflict of interest and segregation of duties issues are permitted to exist.
• Human resources policy. Background screening and training are required for all employees. Compensation is evaluated and performance is monitored by the Compensation Committee. Compensation must be proportional to responsibilities and should not motivate unnecessary and inconsistent risk taking as compared with JAA's risk criteria. In particular, performance measures will include and reflect a fair amount of collaborative and teamwork performance as well as individual performance to prevent destructive competition. Any contrary action will be considered a failure to comply with the corporate policies and will be treated according to company laws and regulations.
• Outsourcing and contract management policy. Outsourcing is used whenever it is beneficial for the organization to do so. A comprehensive risk assessment must be conducted and results must be communicated among internal stakeholders before establishing any outsourcing engagement. Service-level agreements (SLAs) are determined according to business needs and set within the tolerance levels of the objectives. Monitoring of SLAs is the responsibility of the owner of the business line signing the contract. Dependency on a single outsource agreement must be avoided by establishing alternate sources.
• Business continuity policy. Impact analysis is conducted yearly to assess the impact level of disruption to all business units. Service-level agreements are based on this impact analysis and must be signed by all parties. IT departments use this impact analysis to determine parameters for service levels. Each employee must have a designated backup coordinator.
• Conflict of interest policy. Conflicts of interest must be avoided. Special emphasis needs to be given to those areas sensitive to public perceptions. Corporate ethics is included in each training curriculum to establish enhanced awareness at JAA.
• Segregation of duties policy. Critical processes as defined by business lines are subject to design criteria of the "four eyes principle." A commencer of any process should not have the capability to terminate it, and a second person should review and approve it.
• Internal communications policy. The company should establish specific communication channels. Stakeholders must be informed prior to any major changes being made. Communication response times should be created and compliance levels should be measured to ensure quality.
• Public relations and external communications policy. Corporate brand and reputation are our most critical assets. Therefore, maximum effort should be made to protect and increase their value. External communications must be carried out by trained and authorized personnel. All media and external relations need to be monitored by the public relations department. Any communications outside the company must be properly authorized.
• Patents, trademarks, and copyrights policy. Any type of innovation that would have an effect on corporate objectives is strongly encouraged and rewarded proportionally to its contribution to effectiveness or efficiency throughout the organization. Patent rights belong to JAA. Appropriate permission and rights can be granted with the approval of JAA.
• Sustainability and environmental protection policy. Maximum effort must be devoted to preserving the environment and the resources in each project to enable achievement of business objectives. Carbon emissions must be reduced as a priority throughout the business. Green sources of energy must be utilized if available. Energy backups must contain solar cells in production locations where at least moderate seismic rates are recorded.
• Insurance policy. Insurance needs are decided upon after evaluating the current risk profile. Market research must be conducted annually to identify the best total value, which is not necessarily the lowest rate.
• Market risk policy. Fluctuations in market prices and exchange rates affect the valuation and cost of JAA's products. Therefore, JAA's ability to compete in the marketplace may change accordingly. Close monitoring of costs is required throughout the entire business. Exchange rate risks above the limit of accepted amounts in export contracts must be hedged by futures contracts to ensure cost/profit stability. Market risk attitude was provided in Exhibit 22.7. Also, key risk indicators must be accepted and reviewed periodically for effectiveness. Liquidity risks need to be managed by the financial control and accounting departments. Liquidity figures are updated monthly and projected for the fiscal year.
This document is reviewed yearly and updated as necessary by the EROC. The Internal Audit department is responsible for assessing the adequacy and alignment with this policy document of the applications and procedures throughout the organization.
-  The "four eyes principle" refers to having two people view each transaction so that one checks on the other.