CHAPTER 22
JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk
JULIAN DU PLESSIS Head of Internal Audit, AVBOB Mutual Assurance Society
ARNOLD SCHANFIELD Principal, Schanfield Risk Management Advisors LLC
ALPASLAN MENEVSE Risk Officer, Sekerbank T.A.S., Turkey
This case study describes how enterprise risk management (ERM) was implemented at a fictitious company, JAA Inc. It provides extensive detail as to the governance structure, the processes, and the various tools used. The case is built on the principles/guidance of ISO 31000¹ and the implementation guidance created by HB 436.² The key players in this case are the heads of Internal Audit and Risk Management. It is interesting to see what they have done in the five years expended to implement ERM. We offer special thanks and appreciation to Grant Purdy from Broadleaf International in Australia for his continued support, dedication, and help provided to our efforts.
SETTING THE CONTEXT
It was a beautiful Wednesday afternoon in Chicago. Matt Damison, the chief internal auditor (CIA), and Frank Gillespie, the chief risk officer (CRO), were having lunch in JAA’s cafeteria and reminiscing about the times at JAA when the company’s performance was much lower than the current state. Only five years earlier, in 2008, the company had embarked on a comprehensive enterprise risk management (ERM) program. Both Matt and Frank, together with executive management and the board, had been actively involved in this initiative. At that time, JAA was also undergoing various regulatory audits, and employee morale was
428 Implementing Enterprise Risk Management
quite poor. The company has now been able to satisfactorily address these issues, and in fact has won numerous awards and been written about in various journals for its risk management program. JAA has progressed from being considered a risk management novice to being a leader in the field of effective risk management, having accomplished this in less than four years while still recognizing that improvements need to be made. Matt and Frank have just received a phone call from the Wall Street Journal press. They agreed to be interviewed to explain the genesis of JAA’s ERM implementation undertaken five years previously and how the company has since flourished. Senior and executive management have encouraged Matt and Frank to conduct such an interview to highlight the company’s achievements.
Business Background
In 1972, JAA commenced operations as a private company founded by three brothers (Emile, Robert, and Frank Bergand) in Chicago, Illinois. In 1988 the brothers decided to take the company public and launched an initial public offering (IPO), as market conditions at that time were quite favorable and the brothers wished to reap financial benefits (i.e., cash out) after years of hard work. The brothers remained with the company and served in executive roles until they retired in 2003. JAA is listed on major stock exchanges, is headquartered in Chicago, and has a December 31 year-end. The financial statements appear in Appendix A.
The company has three operating segments:
1. A U.S. wholesale business
2. A U.S. retail business
3. An international business (wholesale and retail)
The aforementioned segments reflect the way the business is managed and performance is evaluated. The wholesale business focuses on the sale of undecorated apparel products to distributors in the United States and internationally. The international wholesale operating segments also produce apparel products that satisfy the preferences of those customers that favor a more local traditional style, to stay sufficiently competitive in those markets. This was determined from a risk workshop that identified the loyalty factor of international customers as a major business opportunity.
The company operates 57 retail stores in 10 different countries:
• North America—United States (28)
• South America—Argentina and Brazil (7)
• Asia—China, South Korea, and Japan (11)
• Australia (4)
• Europe—Switzerland and Turkey (4)
• Africa—South Africa (3)
The retail stores cater directly to the consumer, and most such stores are situated in major shopping malls using leased space. The stores target middle-aged men and women. Retail store customers represent quite a sophisticated group of shoppers. The stores compete on the basis of location, merchandise availability, price, and customer service. Retail sales are promoted via major newspapers and online media. JAA’s major competitors are McCory, Bertang, and Keramtor.
The wholesale customer base comprises 100 key distributors. The split between retail and wholesale is 40 percent/60 percent, respectively. Competition at both the retail and wholesale levels is fierce and has necessitated that the company outsource part of its manufacturing to lower-cost countries. Key product cost competition is from China, Bangladesh, and Vietnam.
The apparel business/industry is characterized by rapid movements in fashion, changing consumer demand, and significant competitive pressures. JAA has emphasized quality merchandise at an affordable price. Wholesale customers are secured through a lean, but stellar, sales force established in the major cities around the globe (45 major cities). No one single distributor exceeds 5 percent of the company’s sales. JAA also has an online catalog operation, whose critical success factors are website availability and design, advertising response times, and social media recognition.
The Bergand brothers are now the largest company shareholders, owning some 22 percent of the stock. There are a couple of large institutional investors that collectively own an additional 12 percent of the outstanding shares.
The executive and senior management teams comprise:
• President and CEO: Michael Menorix
• Chief Financial Officer: Jillian Verdiger
• VP of Marketing and Sales: Mary Mordensti
• VP of Production: Boris Dentiger
• VP of Human Resources: Francine Tanserki
• Chief Internal Auditor: Matt Damison
• Chief Risk Officer: Frank Gillespie
• VP of Legal and Compliance: Michael Perstay
JAA has its core U.S. manufacturing in a 360,000-square-foot facility, which also contains the corporate/executive offices and warehousing/distribution. The company also has two small satellite manufacturing facilities in Tampa, Florida, and Los Angeles, California, on company-owned properties. JAA has outsourced 25 percent of production in various agreements with third parties in Turkey, China, and South Africa. The company’s apparel product line initially focused on men’s coats, but over a period of time expanded to include a full line of men’s clothing inclusive of pants, shirts, and coats. In 1999, an upscale line of women’s clothing was added to the product portfolio.
The company purchases all fabric from 50 key suppliers, having trimmed its supplier base from 400 over the past five years. All suppliers are ISO 9000 certified and, as such, are subject to rigorous reviews prior to becoming JAA’s suppliers. JAA uses state-of-the-art technology to enhance marketplace competitiveness.
The company has been fortunate in attracting high-caliber employees. It has had minimal turnover over the past three years, and it provides a generous compensation and incentive package to its employees. It is not subject to any collective bargaining agreements but is subject to various environmental regulations in the United States and overseas. One other key area JAA is heavily focused on, and in strong compliance with, is monitoring compliance at third-party manufacturing facilities overseas.
Effective management of risk was recognized by the current management team as being critical to JAA’s success. Thus the company sought individuals who were experienced in this field for key leadership positions in Internal Audit and Risk Management, as well as for the key board positions. When the current heads of Internal Audit and Risk Management joined the company in 2008, JAA had sustained six years of losses. JAA’s creditworthiness is currently BBB as rated by the major rating agencies, having improved from junk status to this rating within four years.
Initial Steps: Strategic Planning and Business Objectives
JAA’s management recognized in 2008 that there were concerns with the annual strategic planning process because the board members typically did not attend such meetings. This impeded their ability to address the key strategic questions JAA faced, and did not create an environment that could generate fresh insights. Typically, the focus on short-term performance was failing to identify risks that threatened long-term objectives. Such short-term thinking also neglected to think about untapped business opportunities.
JAA decided to discard the annual process and replace it with a much more intense form of strategic engagement with management and the board. They are now devoting extra time at each board meeting to pressure-test the strategy in view of its progress and changes in critical variables. There is a strong communication process of this new strategy throughout the organization to both the internal and external stakeholders. JAA prides itself in doing this well under President Michael Menorix’s leadership. Management knows who the stakeholders are and their needs and has established different communication channels with them as appropriate, including webinars, phone conference calls, town hall meetings, written media, and so on.
JAA’s management is aware of the many pitfalls of strategic planning and has recognized the need to view risk and strategy as two sides of the same coin because it knows that the two are linked. The company aims to increase shareholder value and to address the needs of the other stakeholders through successful pursuit of the following strategic objectives:
• Maintaining market leadership
• Sustaining technology leadership
• Strengthening global presence
• Delivering quality service
• Being seen as a leader in compliance with all laws and regulations
Establishing the Governance System
JAA has developed an excellent governance system by using many different metrics as described later. The Governance Framework is depicted in Exhibit 22.1. The board consists of external directors, including Sally Hendrix, who serves as chair of the Audit Committee. The Audit Committee members have served for periods ranging from two to seven years. All committee members, in addition to their professional qualifications and experience, are well versed in risk management. They have all attended formal training in this subject matter at leading risk organizations and have received training by both the Internal Audit and Risk Management groups of JAA as well.
Exhibit 22.1 Governance Framework
• Board and Board Committees: Main Board; Risk and Strategy Committee; Audit Committee; Compensation and Nominating Committee
• Executive Functions: Executive Risk Oversight Committee
• Business Functions: Responsible for managing risk and implementing internal controls
• Control Functions: Internal Audit; Compliance Monitoring; Risk Management
The company’s risk governance framework illustrates the governance arrangements for the board, management, independent control functions, and ongoing business operations that exercise governance over risk.
JAA’s board is responsible for the governance processes that it requires management to execute. The company understands that effective oversight by its board and senior management is critical to the overall governance effort. It protects its shareholders and other stakeholders by ensuring sustainability of the business through achievement of superior performance. The board provides leadership to JAA by understanding and accepting its responsibilities for the adoption of strategic plans, monitoring of operational performance and management, determining the philosophy and effectiveness of the approach for managing risk (including internal controls for managing the day-to-day operations), and compliance with all relevant laws and regulations.
The directors of JAA Inc. have applied the principles of discipline, transparency, independence, accountability, responsibility, fairness, and social responsibility to ensure that sound governance is practiced consistently throughout the company. Being listed on the New York Stock Exchange and subjected to its listing requirements emanating from the Securities Exchange Act, the company requires:
• An independent board of directors with a majority of nonexecutive directors (NEDs)
• An Audit Committee
• Compensation and Nominating Committees
• That board members must gain approval prior to undertaking any other board assignments and in no event can any board member serve on more than three other boards
• Attendance of at least 75 percent of board meetings and its subcommittees annually
• Strong continuing education in various areas, including risk management, governance, and internal control
• Presence and functioning of an Executive Risk Oversight Committee (EROC)
• Presence and functioning of a Risk and Strategy Committee (RSC)
JAA continually seeks to improve its knowledge of international frameworks and standards to augment its governance processes. As such, it has incorporated best practices from South Africa (King III),³ Canada (Criteria of Control),⁴ United Kingdom (Combined Code,⁵ Risk Management Consultation Draft—FRC⁶), and Australia (ASX and HB 436⁷) to update its risk management and governance frameworks.
The board of directors has delegated certain functions to the various committees. The board is kept up to date on:
• Business performance relative to strategy, budgets, business plans, risk criteria, capital adequacy and preservation, and earnings volatility
• Noncompliance with board policies, regulations, statutes, and accounting policies
• Significant breakdowns in operations, unsatisfactory financial performance, noncompliance with laws and regulations, ineffective management supervision and monitoring, internal controls or process failure, and organizational system or structure failure
• Effectiveness of the corporate governance process
• Corrective actions implemented in respect of these
Specific responsibilities of the different committees are discussed in the following subsections, namely Compensation Committee, Risk and Strategy Committee, and Executive Risk Oversight Committee.
The Compensation Committee
• Reviews and approves remuneration policy throughout the business
• Ensures that the remuneration policies adopted do not result in excessive risk taking
• Ensures that the compensation plans and compensation awarded to senior management are based on the achievement of objectives as a result of managing risks effectively
• Designs and approves the principles to be used in the performance agreements of management to ensure that key performance indicators (KPIs) of management encourage prudent risk taking and the management thereof
The Risk and Strategy Committee
• Sets and reviews JAA’s risk criteria
• Oversees the risks to which the company is exposed, and monitors the activities of the Executive Risk Oversight Committee (EROC)
• Approves the risk management policy on behalf of the board
• Reviews the design, completeness, and effectiveness of the risk management framework to ensure that changes and updates to risk management are performed in accordance with processes approved by the board as documented in the risk management policy and that oversight of it is effective
• Ensures that infrastructure, resources, and systems exist to adequately oversee and monitor JAA’s risks (this is done to ensure that risk taking is consistent with the risk criteria set by the board; at all times the board is aware of the comprehensiveness, accuracy, and status of the risk attitude)
• Reviews the effectiveness of risk reporting (including timeliness and events that could impact business objectives and the company’s risk profile)
• Ensures that all strategic transactions undergo appropriate review and due diligence before submission to the board, particular focus being accorded to the risk criteria
• Reviews and challenges capital and liquidity stress testing
The Executive Risk Oversight Committee (EROC)
• Scrutinizes and challenges the risks identified to which the company is exposed and evaluates the assessment of these risks
• Assists the board in defining JAA’s risk criteria that align with the objectives and strategies of the organization and monitors that risks are managed within the risk criteria
• Establishes the risk management policy
• Ensures that the framework for managing risk continues to remain effective
• Ensures that the necessary resources are allocated to manage risk
• Determines that the risk management performance indicators are aligned with KPIs of management performance of the organization
• Ensures and monitors legal and regulatory compliance
• Reviews results of stress and scenario testing for JAA’s strategic objectives and attainment of them
• Assigns accountabilities and responsibilities at appropriate levels within the organization
• Reports on how managing risk is performed to provide assurance to stakeholders
He is a silver member of Information Systems Audit and Control Association (ISACA) and holds Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certificates where he was one of the members of the review work group of the CRISC 2011 manual, which is the first book published in this area. He joined Sekerbank as the Internal IS Auditor and started working with AS/NZS 4360 in 2007. He is responsible for implementing ISO 31000 throughout the organization. He has a special interest in human behaviors and the human side of change management. Additionally, he is a member of the ISO 31000 TC 262 Technical Committee, United Nations Economic Commission for Europe (UNECE) - Risk Management Group (GRM) and also the chairman of the Turkish Standards Institute TS ISO 31000 MTC 132 Risk Management National Mirror Technical Committee.
Note: Authors of this case study manage the group on LinkedIn titled “Risk Management: Creating Value From Uncertainty.” Any questions or comments can be forwarded either personally or as a discussion topic.
Website: http://lnkd.in/djN94XJ.
Business Operations
In addition to the oversight functions (described next), JAA has embedded risk management into underlying business operations. For example, a risk management policy (see Appendix B) has been implemented across the company to support the effective implementation of risk management. A risk management framework, supported by various risk policies, has been implemented to provide guidance to all employees on how to address organizational components, such as business and strategy planning, budgeting, and performance management and reporting, as well as human resources, compliance, and information security. Heads of departments are responsible for the maintenance of the risk registers, which include treatment actions. All risks in this register are further consolidated and reported to the EROC with possible treatment options.
Oversight Functions
The company’s independent oversight functions, namely the Risk Management department, the Legal department, the Compliance department, and the Internal Audit department, provide the required assurance. These functions report periodically to the board and its committees as appropriate.
Risk Management Department
The Risk Management department has a unique advisory role to all management levels as well as to the board while managing risks. Also, the department reviews and challenges the outcome and results of risk assessment activities performed by management and the resulting risk registers produced that include the risks that constitute the risk profile of JAA.
Legal Department
The Legal department is responsible for providing advice to the company, its divisions, and its employees on matters of law and legal protection by:
• Representing the company in all meetings, conferences, and public forums
• Preparation of protocols, claims, and court counterclaims
• Representation of the company in court
• Protection of the company’s rights and interests in judicial settings
• Creation of legal documentation requirements
Compliance Department
The Compliance department helps in the following areas:
• Regulatory risk management—keeping company activities in strict compliance with current legislation
• Compliance monitoring—evaluating and measuring the state of compliance across the organization
• Investigations—managing investigations into wrongdoing and anything that increases regulatory-related risks
Internal Audit Department
The Internal Audit (IA) function is best in class. Matt Damison, who has 20 years of relevant internal audit and risk management experience, joined JAA in 2008 with strong academic and professional certifications. He belongs to several leading professional organizations such as the Institute of Risk Management in London, the Conference Board of Canada, and the Risk Management Institute of Australia. He also speaks and writes extensively on this subject matter.