JAA Inc. – A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk


Head of Internal Audit, AVBOB Mutual Assurance Society


Principal, Schanfield Risk Management Advisors LLC


Risk Officer, Sekerbank T.A.S., Turkey

This case study describes how enterprise risk management (ERM) was implemented at a fictitious company, JAA Inc. It provides extensive detail on the governance structure, the processes, and the various tools used. The case is built on the principles and guidance of ISO 31000[1] and the implementation guidance in HB 436.[2] The key players in this case are the heads of Internal Audit and Risk Management. It is interesting to see what they have done in the five years spent implementing ERM. We offer special thanks and appreciation to Grant Purdy from Broadleaf International in Australia for his continued support, dedication, and help provided to our efforts.


It was a beautiful Wednesday afternoon in Chicago. Matt Damison, the chief internal auditor (CIA), and Frank Gillespie, the chief risk officer (CRO), were having lunch in JAA's cafeteria and reminiscing about the times at JAA when the company's performance was much lower than it is today. Only five years earlier, in 2008, the company had embarked on a comprehensive enterprise risk management (ERM) program. Both Matt and Frank, together with executive management and the board, had been actively involved in this initiative. At that time, JAA was also undergoing various regulatory audits, and employee morale was quite poor. The company has since been able to satisfactorily address these issues, and in fact has won numerous awards and been written about in various journals for its risk management program. JAA has progressed from being considered a risk management novice to being one of the leaders in the field of effective risk management, having accomplished this in less than four years while still recognizing that improvements need to be made. Matt and Frank have just received a phone call from the Wall Street Journal. They agreed to be interviewed to explain the genesis of JAA's ERM implementation undertaken five years previously and how the company has since flourished. Senior and executive management have encouraged Matt and Frank to conduct such an interview to highlight the company's achievements.

  • [1] ISO 31000:2009, "Risk Management – Principles and Guidelines," was issued by the International Organization for Standardization (ISO) and provides principles, framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.
  • [2] HB 436: SA/SNZ HB 436:2013, "Risk Management Guidelines: Companion to AS/NZS ISO 31000:2009."