Enterprise Risk Management
JC Jones offers Risk Management services to ensure an entity incorporates risk evaluation as part of developing and executing its strategy. Working with management we design processes that can help to identify potential events that may affect the entity, and manage risks to be within its risk appetite. This increases the likelihood that an entity is able to achieve its overall objectives.
Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
Enterprise Risk Management (ERM) supports value creation by enabling management to deal effectively with potential future events that create uncertainty and allows management to respond in a manner that reduces the likelihood of downside outcomes.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations (AIPCA, AAA, FEI, IMA, IIA) and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
The COSO ERM framework:
- Defines essential components of risk management,
- Suggests a common language, and
- Provides clear direction and guidance for enterprise risk management.
COSO defines Enterprise Risk Management as:
- A process,
- Effected by an entity’s board of directors, management and other personnel,
- Applied in strategy setting and across the enterprise,
- Designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite,
- To provide reasonable assurance regarding the achievement of entity objectives.
It is important that any ERM process is supported, and owned, by Senior Management. After all, identification of risks and establishing risk appetite are their responsibility. Therefore the tone set for any ERM initiative must be set at the top and include a holistic approach rather than be an event-based activity. Risk management should be incorporated into the strategic tactical and operational initiatives of the organization.
- Does your organization have a common definition of risk?
- Is there strong risk governance, infrastructure and ownership?
- Does unmitigated residual risk appear to be within the appetite of the company, for that type of risk? Has it been effectively communicated?
- Does the risk analysis encompass likelihood and impact?
- How are risk assessment and planned mitigation steps communicated? To whom? How frequently?
- How are high risk decisions approved? Is there a policy and is it followed?
- Do results of risk assessment align with public risk disclosures?
- Are the board and executive management satisfied with the risk management activities?
If you are unsure of the answers, or if the answer to many of these questions is “No”, it may be time to evaluate an ERM approach in your organization.
Internal Audit, Risk and Compliance Services: Areas of Expertise
The JC Jones top-down, risk based approach to Sarbanes-Oxley (SOX) compliance, coupled with our automated software solution, has a proven track record of providing substantial savings in compliance costs.Learn More
JC Jones provides System and Organization Controls (SOC) reporting focused on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.Learn More
Internal Audit Quality Review
JC Jones provides Quality Assurance Reviews (QAR) in accordance with IIA Standards while leveraging our 20+ years of internal audit experience to assess the image and credibility of your department.Learn More
Internal Audit Outsourcing
JC Jones is a full service internal audit outsource partner, including, data analytics, fraud/forensic audits, cybersecurity assessments, SOX compliance, internal control testing and operational audit. Our client list ranges from large privately held companies to IPO registrants to multi-billion and multinational public companies.Learn More
IT General Controls
Risk based focus on information systems and technology is core to our strategy. Our professionals are trained in computer aided audit techniques (CAAT) such as ACL and Microsoft Access.Learn More
Enterprise Risk Management
JC Jones offers Risk Management services to ensure an entity comprehensively and systematically incorporates risk evaluation as part of developing and executing its strategy.Learn More