This case study describes how enterprise risk management (ERM) was implemented at a fictitious company, JAA Inc. It provides extensive detail as to the governance structure, the processes, and the various tools used. The case is built on the principles/guidance of ISO 31000¹ and the implementation guidance created by HB 436.² The key players in this case are the heads of Internal Audit and Risk Management. It is interesting to see what they have done in the five years expended to implement ERM. We offer special thanks and appreciation to Grant Purdy from Broadleaf International in Australia for his continued support, dedication, and help provided to our efforts.

SETTING THE CONTEXT

It was a beautiful Wednesday afternoon in Chicago. Matt Damison, the chief internal auditor (CIA), and Frank Gillespie, the chief risk officer (CRO), were having lunch in JAA's cafeteria and reminiscing about the times at JAA when the company's performance was much lower than the current state. Only five years earlier, in 2008, the company had embarked on a comprehensive enterprise risk management (ERM) program. Both Matt and Frank, together with executive management and the board, had been actively involved ...