
Number : S-42/DKU.MBU/10/2022                Jakarta, 10 October 2022
Classification : Ordinary
Attachments : 1 (one) file
Subject : Follow-up to the Socialization of Minister of SOEs Regulation Number PER-5/MBU/09/2022

To:
1. Boards of Commissioners/Supervisory Boards
2. Boards of Directors
(list of SOEs in Attachment I)
at their respective offices

Following up on the socialization of Minister of SOEs Regulation Number PER-5/MBU/09/2022 on the Implementation of Risk Management in SOEs (hereinafter PER-5) held on 7 October 2022, we hereby convey the following:
1. The Board of Commissioners/Supervisory Board, together with the Board of Directors, is to carry out a self-assessment of the condition of your SOE against the provisions of PER-5.
2. The Board of Commissioners/Supervisory Board of the SOE, in cooperation with the Board of Directors, is to map:
a. The position of the SOE in the risk classification based on the level of risk intensity, in accordance with Article 10 of PER-5.
b. The position of subsidiaries and sub-subsidiaries in the risk classification based on the level of risk intensity, in accordance with Article 10 of PER-5.
Further explanation of the mapping framework is given in Attachment II.
3. The results of the self-assessment and mapping in points 1 and 2 above are to be submitted to the Ministry of SOEs no later than 4 November 2022, with the softcopy file sent by email to asdep.mrk@bumn.go.id.
4. To meet the SOEs' request for capacity building on the implementation of risk management in SOEs, we invite you to attend the First Series of the GRC Masterclass, held in cooperation with BLMI, on:
Day/date : Friday, 14 October 2022
Time : 08:00 - 15:00 WIB
Venue : Hybrid
Offline: Auditorium Plaza Mandiri, 3rd Floor
Jl. Jend. Gatot Subroto Kav.36-38, Jakarta
Online: via Zoom meeting
Link : https://bit.ly/GRCMasterClass
(Meeting ID : 861 6002 3448 Passcode : 223813)
Agenda : GRC Masterclass (Governance-Risk-Compliance) by BLMI
(rundown in Attachment III)

The GRC Masterclass materials are attached, and any further updates to the materials will be provided subsequently by BLMI.
We thank you for your attention.

Deputy for Finance and Risk Management,

Nawal Nely

Copies to:
1. Minister of State-Owned Enterprises;
2. Deputy Minister of SOEs I;
3. Deputy Minister of SOEs II;
4. President Director of PT Bank Mandiri (Persero) Tbk.

Attachment I
Letter of the Deputy for Finance and Risk Management
Number : S-42/DKU.MBU/10/2022
Date : 10 October 2022

List of SOEs
1. PT Pertamina (Persero)
2. PT Perusahaan Listrik Negara (Persero)
3. PT Indonesia Asahan Aluminium (Persero)
4. PT Krakatau Steel (Persero) Tbk
5. PT Perkebunan Nusantara III (Persero)
6. Perum Perhutani
7. PT Pupuk Indonesia (Persero)
8. Perum BULOG
9. PT Rajawali Nusantara Indonesia (Persero)
10. PT Bio Farma (Persero)
11. PT LEN Industri (Persero)
12. PT Biro Klasifikasi Indonesia (Persero)
13. PT Bank Mandiri (Persero) Tbk
14. PT Bank Rakyat Indonesia (Persero) Tbk
15. PT Bank Negara Indonesia (Persero) Tbk
16. PT Bank Tabungan Negara (Persero) Tbk
17. PT Bahana Pembinaan Usaha Indonesia (Persero)
18. PT Asuransi Jiwasraya (Persero)
19. PT ASABRI (Persero)
20. PT Taspen (Persero)
21. PT Reasuransi Indonesia Utama (Persero)
22. PT Hutama Karya (Persero)
23. PT Adhi Karya (Persero) Tbk
24. PT Waskita Karya (Persero) Tbk
25. PT Wijaya Karya (Persero) Tbk
26. PT Pembangunan Perumahan (Persero) Tbk
27. Perum Perumnas
28. PT Brantas Abipraya (Persero)
29. PT Jasa Marga (Persero) Tbk
30. PT Semen Indonesia (Persero) Tbk
31. PT Kereta Api Indonesia (Persero)
32. PT Industri Kereta Api (Persero)
33. PT Pelabuhan Indonesia (Persero)
34. PT ASDP Indonesia Ferry (Persero)
35. PT Pelayaran Nasional Indonesia (Persero)
36. PT Pos Indonesia (Persero)
37. Perum Damri
38. Perum PPD
39. Perum LPPNPI
40. PT Aviasi Pariwisata Indonesia (Persero)
41. PT Garuda Indonesia (Persero) Tbk
42. PT Pengembangan Pariwisata Indonesia (Persero)
43. PT Telekomunikasi Indonesia (Persero) Tbk
44. Perum Percetakan Uang Republik Indonesia
45. Perum Produksi Film Negara
46. Perum LKBN Antara
47. PT Danareksa (Persero)

Attachment II
Letter of the Deputy for Finance and Risk Management
Number : S-42/DKU.MBU/10/2022
Date : 10 October 2022

Framework for Mapping Risk Classification Based on Risk Level

I. Size Dimension
1. An SOE is considered large if it has:
a. Total capital greater than or equal to Rp 25 trillion; or
b. Total assets greater than or equal to Rp 100 trillion.
2. A subsidiary or sub-subsidiary of an SOE is considered large if it:
a. Has total capital greater than or equal to 5% of the Parent SOE's total consolidated capital, or
b. Has total assets greater than or equal to 1% of the Parent SOE's total consolidated assets, if the Parent SOE's capital balance is negative.
3. Total capital is defined as capital based on the latest audited figures, consisting of:
a. Paid-up capital;
b. Accumulated retained earnings;
c. Various capital reserves;
d. Other comprehensive income;
e. Other accounts classified as equity under the generally accepted accounting treatment in Indonesia.
4. Total assets is defined as total assets in accordance with generally accepted accounting practice in Indonesia.

II. Complexity Dimension

1. An SOE, subsidiary or sub-subsidiary has high complexity if it meets any one of the following parameters:
a. It has a role in carrying out a public service obligation, indicated by:
1) Receipt of subsidies to serve segments of the public entitled to receive subsidies,
2) Receipt of compensation for the sale of goods/services below economic value, and/or
3) Carrying out a National Strategic Project (Proyek Strategis Nasional).
b. It has a strategic institutional relationship with a technical ministry, defined as a relationship in which the technical ministry is directly or indirectly involved in:
1) Carrying out strategic planning functions, including planning that determines capital expenditure, market territory, selling prices and/or cost of goods produced, and/or
2) Having material contracts for the supply of goods and services with a technical ministry other than the Ministry of SOEs.
c. It has a market share and a potential for substitution by the private sector that are difficult to replace in the short and medium term, and it runs a business that affects the livelihood of the public at large.
d. It has a complex corporate structure, indicated by:
1) Having more than 5 subsidiaries consolidated into the parent;
2) Having subsidiaries that operate abroad;
3) Having JV and/or SPV companies designed to carry out projects under a material project finance scheme; and/or
4) Having subsidiaries categorized as complex subsidiaries.
e. It has interconnection with other SOEs and/or other subsidiaries, indicated by:
1) A material volume of transactions with other SOEs and/or other subsidiaries (at least 20% of total transactions); and/or
2) Significant interdependency with the work of other SOEs and/or other subsidiaries.
2. The following illustrates the decision flow for determining the complexity level of an SOE, subsidiary or sub-subsidiary.

Does the SOE / SOE subsidiary or sub-subsidiary / SOE material share investment have high complexity?

1. Does it have a role in carrying out a public service obligation?
   YES: high complexity. NO: go to question 2.
2. Does it have a strategic institutional relationship with a technical ministry, defined as a relationship in which the technical ministry is directly or indirectly involved?
   YES: high complexity. NO: go to question 3.
3. Does it have a market share and a potential for substitution by the private sector that are difficult to replace in the short and medium term?
   YES: high complexity. NO: go to question 4.
4. Does it have a complex corporate structure?
   YES: high complexity. NO: go to question 5.
5. Does it have interconnection with other SOEs and/or other subsidiaries?
   YES: high complexity. NO: the SOE / SOE subsidiary or sub-subsidiary / SOE material share investment does not have high complexity.

Attachment III
Letter of the Deputy for Finance and Risk Management
Number : S-42/DKU.MBU/10/2022
Date : 10 October 2022

Event Rundown

| No. | Time | Duration | Agenda | Speaker | Participants |
|---|---|---|---|---|---|
| 1. | 08.30–08.40 | 10 Min | Opening | Mr. Agus Dwi Handaya (Board of Executive, BLMI) | Offline: Finance Director/Risk Management Director. Online: President Director, Risk Monitoring Committee |
| 2. | 08.40–08.50 | 10 Min | Remarks | Mr. Tedi Bharata (Deputy for Human Resources & Information Technology, Ministry of SOEs) | |
| 3. | 08.50–09.00 | 10 Min | Remarks | Ms. Nawal Nely (Deputy for Finance & Risk Management, Ministry of SOEs) | |
| 4. | 09.00–09.10 | 10 Min | Keynote Speech*) | Mr. Kartika Wirjoatmodjo (Deputy Minister of SOEs II) | |
| 5. | 09.10–10.40 | 90 Min | Risk Management Socialization: 1. ERM Fundamentals; 2. Risk Strategy & Appetite; 3. Risk Taxonomy | McKinsey team | |
| 6. | 10.40–10.45 | 5 Min | Coffee Break | | |
| 7. | 10.45–11.45 | 60 Min | Compliance & Legal | AHP team | Offline: Finance Director/Risk Management Director. Online: President Director, Risk Monitoring Committee |
| 7. | 11.45–13.30 | 105 Min | Friday prayers and lunch | | |
| 8. | 13.30–14.50 | 80 Min | ICOFR | Ernst & Young team | Offline: Finance Director/Risk Management Director. Online: Audit Committee, Head of SPI |
| 9. | 14.50–15.00 | 10 Min | Closing | MC | |

Note:
*) To be confirmed

BUMN MIS – Executive Masterclass on Risk management
October 2022

CONFIDENTIAL AND PROPRIETARY
Any use of this material without specific permission of McKinsey & Company is strictly prohibited

The Executive Masterclass series aims to socialize KBUMN’s ongoing effort to transform risk management, helping SOEs best prepare for changes

The Ministry of SOEs is in the process of transforming risk management, which includes two main stages: 1) establishing the foundation for risk governance regulations and 2) ERM development in the Ministry.

Stage I: Risk Guidelines and Policy
Stage II: Implementation of ERM in the Ministry of SOEs
(The slide marks part of this as "Focus for today".)

Steps shown on the slide:
1. SOE Portfolio Strategic Direction
2. Measurement and prioritization of SOEs based on intensity and taxonomy of risk
3. Risk Quantification
4. Risk prioritization for heatmap monitoring and development
5. Risk mitigation and reporting

Impact scale: 1 Low, 2 Medium, 3 High, 4 Critical

Economic impact
▪ Low: lower than 1% of the Company’s equity
▪ Medium: between 1% and 3% of the Company’s equity
▪ High: between 3% and 5% of the Company’s equity
▪ Critical: greater than 5% of the Company’s equity

Reputational impact
▪ Low: the event has an impact at local level
▪ Medium: the event has an impact at regional level
▪ High: the event has an impact at national level
▪ Critical: the event has an impact at international level or on the economic-financial press

Impact related to non-compliance
▪ Low: legal proceedings with low probability of succeeding
▪ Medium: legal proceedings with low probability of succeeding. Sanctions with medium level of impact, with effect on management capabilities in the short term
▪ High: legal proceedings with medium probability of succeeding. Sanctions with large level of impact, with effect on management capabilities in the long term
▪ Critical: legal proceedings with high probability of succeeding. Sanctions with vast level of impact, potentially with detrimental damages to the Company’s business

Probability scale: 1 Rare, 2 Improbable, 3 Probable, 4 Highly probable

Occurrence probability
▪ Rare: events that may occur once every 5 years or more
▪ Improbable: events that may occur once between 2 to 5 years
▪ Probable: events that may occur once between 1 to 2 years
▪ Highly probable: events that may occur once or more times every year

[Figure: risk heat map. Columns, Impact (Dampak): Very Low, Low, Medium, High, Very High. Rows, Likelihood of occurrence (Kemungkinan Terjadi): Almost always occurs, Occurs often, May occur, Rarely occurs, Almost never occurs. Cells are rated Low, Low-Medium, Medium, Medium-High or High.]

McKinsey & Company

Our topics for the Masterclass today link closely to the new documentations

KBUMN’s documentation and focused topics:
▪ KEPMEN (Keputusan Menteri): Elements of Enterprise Risk Management; Risk taxonomy
▪ APS letter: Risk Strategy and Appetite

Expected outcomes. For this Introduction session, we expect SOEs to:
▪ Understand the Risk strategy and taxonomy to be introduced by KBUMN and the implications for the SOEs
▪ Collect comments from SOEs on the upcoming changes
▪ Have the same understanding of the risk terminologies (e.g., risk taxonomy) that will be used by KBUMN
▪ Learn good practices for the focused topics, and prepare to adapt to the upcoming changes


Key contents for today
1. Elements of Enterprise Risk Management (20 minutes)
2. Risk strategy, appetite & risk taxonomy (44 minutes)
3. Closing remarks (11 minutes)
4. Q&A session (10 minutes)


Elements of Enterprise Risk Management


Overview of Enterprise Risk Management framework (“ERM”): objectives of this session (20 minutes)
1. Re-emphasize why companies should care about risk management
2. Understand the key elements of ERM
3. Acknowledge good practice for ERM


Activity: What are the good practices for effective ERM?

Instruction
▪ Common practices that companies usually adopt for their ERM will be flashed on the screen
▪ Scan the QR code and, using the poll, please vote on whether you think each is a good or an ineffective practice for ERM

Or go to www.pollev.com/

[QR code: to be provided on the day of event]


ERM needs to take an integrated approach with 5 key elements

Integrated Enterprise Risk management:
1. Insight and risk transparency
2. Risk appetite and strategy
3. Risk-related decisions and managerial processes
4. Risk organization and governance
5. Risk culture and performance transformation

ERM is broader than a specific process or organizational function. It needs to be an effective component of the overall management system, adapted to a company’s specific needs and culture.

Source: McKinsey (adapted from HBR article in 2008 by McKinsey authors Buehler, Freeman, Hulme)

SOEs can think along the 5 dimensions, using self-check questions to start thinking about their strengths and weaknesses

Suggested self-assessment questions
1. Insight and risk transparency
▪ Do you understand your risks (in your current business as well as new businesses)?
▪ Can you measure them? Do you have true insight into risks that matter most?
2. Risk appetite and strategy
▪ What is your overall appetite (or capacity) for risk? Which risks are you advantaged to own?
▪ Which should you transfer or mitigate?
3. Risk-related decisions and managerial processes
▪ Are critical business decisions made with a clear view of how they change your company’s risk profile?
4. Risk organization and governance
▪ Are structures, systems, controls, and infrastructure in place for you to manage risk across the whole business? Is your governance model robust?
5. Risk culture and performance transformation
▪ Does your culture reinforce risk management principles?
▪ What formal and informal mechanisms support the right mindsets and behaviours?

Source: McKinsey (adapted from HBR article in 2008 by McKinsey authors Buehler, Freeman, Hulme)

Companies are adopting ERM practices that are strategy driven to assist decision-making process, instead of pure compliance

Examples of strategy-driven practices for ERM

Insight and risk transparency
▪ Clarity on top 10-20 mega risks
▪ Deep insights that facilitate business decision

Risk appetite and strategy
▪ Deliberate choices on risk ownership and risk level

Risk-related decisions and processes
▪ Risk analysis done in conjunction – and supports key strategic and operational decisions

Risk organization and governance
▪ Board and top management priority; explicit ownership by staff
▪ Perceived as core to managing the business

Risk culture
▪ Clarity on specific risk culture vulnerabilities and action plan in place to strengthen risk culture


Risk Strategy, Appetite & Taxonomy


Risk Strategy, Appetite & Taxonomy: objectives of this session (44 minutes)
1. Understand the standard process to create your risk strategy and define the risk appetite statements
2. Acknowledge KBUMN risk taxonomy and understand the implications for SOEs
3. Understand the elements that make good risk appetite statements


There is a standard 5-step process to formulate the risk strategy/risk appetite statements for your organizations
Preliminary

1. Strategy-driven risk focus areas
▪ Identification of top risk, based on benchmarks, business context (e.g., strategy, CxO discussions)
▪ Aligned and syndicated with inputs from key stakeholders
2. Risk taxonomy
▪ Identify key risk drivers as fleshed out in a risk taxonomy up to T3
3. Risk Appetite Statements (RAS)
▪ Prioritize T3 risk areas from taxonomy for expanding into qualitative RAS
▪ Determine posture for each T3 risk area
▪ Define qualitative RAS
4. Key Risk Indicators, Risk Limits & Risk Tolerance
▪ Formulate key risk indicators (KRI) to measure and track key risk drivers at T3
▪ Setting of risk limits and risk tolerance for KRIs of top risk areas identified in RAS
5. Operationalization
▪ Cascade RAS and set up tracking mechanisms

(The slide marks part of this process as "Focus for next page".)

Source: Team analysis, Expert interviews


Case Study of Italian Railways: launched a 360° transformation to fully include risk management perspective into business decisions
Not Exhaustive

Context: European integrated transport group, active in multiple market segments (train operations, infra, …)

A. Redefinition of operating model, both at Holding and Subsidiary levels
B. Definition of a risk appetite framework
C. Overall redefinition of Risk Identification framework
D. Support to conduct:
   • Strategic planning
   • M&A decisions
E. Review of Insurance Management target operating model

(The slide marks part of this as "Detailed next".)


Activity: Taxonomy

Instruction
▪ A question regarding risk taxonomy will be flashed on the screen
▪ Scan the QR code, using your phone, please select the closest answer in your opinion

Or go to www.pollev.com/

[QR code: to be provided on the day of event]


High-level view on KBUMN Risk taxonomy
Preliminary

A. KBUMN Portfolio Risks
Characteristics of risk events captured:
▪ Risk events directly impacting KBUMN’s performance as portfolio manager; OR
▪ Risk events directly impacting KBUMN’s ability and/or risk of KBUMN’s inability to fulfil duty as an agent of national development; OR
▪ Risk events directly impacting specific SOEs within portfolio that only KBUMN has the power to control or remedy
Examples: Budget contribution risk; Subsidy risk; Policy enablement risk
Monitoring: Monitored in KBUMN

B. SOE Conglomerate Structure & Organization Risks
Characteristics of risk events captured: Risk events caused by KBUMN’s choice of SOE conglomeration structures that:
▪ Impede the control, monitoring or mitigation of business risks; AND/OR
▪ Amplify existing business risks; AND/OR
▪ Result in performance weaknesses in SOEs
Examples: Subsidiary interdependency risk; Intra-group competitive risk; SOE corporate restructuring risk
Monitoring: Monitored by Holding SOEs, with potential concurrent reporting to KBUMN

C. Business Risks of SOEs (& KBUMN as an organization)
Characteristics of risk events captured: Risk events caused by the internal running of business AND/OR external factors that directly impact the business of SOEs (note 1) or KBUMN in its capacity as an organization
Examples: Market risk of FX movements affecting IDR; Technology risks; People risks
Monitoring: Monitored by all SOEs, with potential concurrent reporting to KBUMN

Overarching guideline: No duplication of risks across categories

Note 1. The direct impact to the SOEs would necessarily have an indirect secondary impact on KBUMN as portfolio manager. Nevertheless, the focus here should be the direct impact

Source: Team analysis; Expert interviews


High-level view on KBUMN Risk taxonomy
Preliminary

Legend on the slide: Mapped to OJK Regulations for Financial Conglomerates; Less frequent, qualitative reporting only; KBUMN to separately track as an organization for itself

T1: A. Business Portfolio Risks
  T2: Fiscal Risk
    T3: Dividend contribution & equity injection risk (e.g., insufficient dividends, funding conditions)
    T3: Subsidy & compensation risk (e.g., timing and amounts of disbursements)
  T2: Portfolio Governance & Alignment Risk
    T3: Inter-ministry policy alignment risk (i.e., risk from misaligned policies affecting SOEs)
    T3: Portfolio governance risk (KBUMN over holdco)
  T2: Portfolio Composition Risk
    T3: Portfolio concentration risk (i.e., over-concentration in top few SOEs)
    T3: Portfolio strategic risk (e.g., new market entry, choice of markets to exit etc.)
    T3: Portfolio corporate actions risk (SOE-level M&A and PMI)
    T3: SOE interdependency risk (between SOEs)
    T3: Inter-SOE competitive risk (between SOE)

T1: B. SOE Conglomerate Structure & Organization Risks
  T2: Structural Risk
    T3: Contribution risk (subsidiaries to holdco)
    T3: Intra-group competitive risk (between subsi)
    T3: Subsidiary interdependency risk (between subsi)
  T2: SOE Governance & Corporate Actions Risk
    T3: SOE governance risk (holdco over subsidiaries)
    T3: SOE corporate actions risk (subsidiary-level M&A & PMI)
  • KBUMN to monitor, but likely require SOE conglomerates to provide information to assist with monitoring
  • For Financial conglomerates under OJK: Mandatory to track “subsidiary interdependency risk”

T1: C. Business Risks of SOEs (and KBUMN as an organization)
  T2: General Business Risks (applicable to all SOEs)
    T3: Strategic risk (incl. M&A, business environment shifts, competitive risk etc.)
    T3: Market & macroeconomic risk (incl. FX, interest rates, commodity prices etc.)
    T3: Operational risk (incl. supply chain, resource risk, product risk, people risk etc.)
    T3: Technology, cyber & information security risk (e.g., software or network failure)
    T3: Legal & compliance (incl. regulatory & PSO compliance)
    T3: Environmental and social risk (incl. physical & transition risks, community relations etc.)
    T3: Reputational risk (i.e., risk of suffering reputational harm)
    T3: Project risk (e.g., timing, quality and costs of execution; also incl. PSN execution)
    T3: Financial risk (incl. funding risk and accounting risk)
    T3: Investment risk (incl. Sharia banking investments, concentration risk etc.)
    T3: Political risk (incl. local politics & geopolitics)
    T3: Third Party risk (incl. JV vehicle, e.g., KSO)
    T3: Emerging risk(s) (e.g., new risks not yet well understood)
  T2: Cluster-specific Risks: Banking
    T3: Credit risk (e.g., potential of counterparties defaulting)
    T3: Liquidity risk (i.e., inability to pay debts as they come due)
    T3: Model risk (i.e., inadequate model performance)
  T2: Cluster-specific Risks: Insurance
    T3: Credit risk (e.g., potential of counterparties defaulting)
    T3: Liquidity risk (i.e., inability to pay debts as they come due)
    T3: Actuarial risk (incl. pricing risk, reserve risk etc.)
    T3: Model risk (i.e., inadequate model performance)

SOE Risks falling under Risk Theme 3 may still be reported to KBUMN (aggregated or otherwise) if KBUMN deems necessary

Source: Team analysis; Expert interviews


Example of three potential risk postures, with increasing tolerance levels
Preliminary

▪ Conservative: Statements relating to risks for which zero tolerance is accepted, e.g., pertaining to issues mandated by law
▪ Moderate: Statements relating to risks that are inevitable in the course of operations, and for which a certain level can be tolerated
▪ Strategic: Statements relating to risks that come with a strategic benefit, which the company would actively pursue

Companies can have less or more than 3 risk postures, depending on what works well and makes sense for the organization

Example statements shown on the slide:
▪ "We have no tolerance for risks that could damage Temasek's reputation and credibility"
▪ "We manage the Fund such that we have a high probability of avoiding a large negative return over any 3-year period"
▪ Disguised example from an Oil & Gas company: "[…] We understand that a certain amount of IT/Cyber risk events are to be expected in a given time period. […] We expect to accept aids in prioritization, resource allocation, and decision making around IT and Cyber initiatives"

Source: Expert interviews, press search


5 key principles to formulate best practice risk appetite statements
Preliminary

(1) Strategy-driven: Strategic objectives driven
(2) Forward Looking: Medium to long-term horizon expectations
(3) Transparent: Acknowledgement of trade-offs, with no hidden risks or dependencies
(4) Realistic: Capacity for risk based on current state of operations is considered
(5) Selective: No more than 10-15 as a general practice

Source: Expert interviews; Team analysis


Activity: Risk appetite statement

Instruction
▪ A question regarding risk appetite statement will be flashed on the screen
▪ Scan the QR code, using your phone, please select the closest answer in your opinion

Or go to www.pollev.com/

[QR code: to be provided on the day of event]


Final Activity!


Closing activity

Instruction
▪ Scan the QR code using your phone
▪ Multiple choice questions will be shown on your screen – choose the most correct answer

Or go to www.pollev.com/

[QR code: to be provided on the day of event]


Time for Q&A (10 minutes)


Integrity of Financial Reporting
Common Issues and Leading Practices for Ensuring High Quality Financial Reporting

A sharing session for Audit Committees and Internal Audit for SOEs

DRAFT

[●] October 2022

The better the question. The better the answer. The better the world works.

DISCLAIMER

This seminar is given by EY to an audience from KBUMN solely for the purpose of sharing one application of entity level control, namely Management Review Control (“MRC”). The seminar material was prepared by considering certain trends and incorporating the presenter's experience and observations over 16 years in North America (in the capacity of audit partner at EY Canada involved in SOX certification) regarding the application of MRC by management and audit committees at companies in North America. This material does not refer to any particular company in Indonesia, any EY client or any other accounting firm. This application of MRC refers to the PCAOB auditing standard, which is not applied in the IAPI auditing standards.

This material is used only for discussion with the audience from KBUMN at today's seminar and to explain the concept of MRC, and does not constitute professional advice. This material may not be distributed, relied upon or quoted, in part or in whole, in any document without written permission from EY.
The audience is advised to consider the suitability of using MRC at their respective companies and to consult their advisors before deciding to apply MRC. User discretion is advised. Use of the material or content of this seminar for the purposes of a particular company is the responsibility of the user. EY and the presenter are not responsible for any loss arising from the use of information from this seminar and this material.

Agenda

1. Overview and Benchmarking of Internal Control Over Financial Reporting
2. Management Review Control
3. Question and Answer Session


Overview and Benchmarking of Internal Control Over Financial Reporting

Related Regulations & Roles Covering ICOFR (1/2)

PER-5/MBU/09/2022, Implementation of Risk Management in State-Owned Enterprises

Article 25 paragraph 1
SOEs must implement the Internal Control System effectively.

Article 25 paragraph 3
The Internal Control System in the implementation of Risk Management covers at least:
e. Accurate and timely financial and operational reporting.

Board of Commissioners / Supervisory Board (Dekom / Dewas)
Article 14 paragraph 3
e. Review the effectiveness and efficiency of the Internal Control System based on information obtained from the SPI at least once in 1 (one) year;
g. Supervise the performance of other Internal Audit functions in accordance with the provisions of laws and regulations, the articles of association and/or resolutions of the General Meeting of Shareholders/Capital Owner

Article 14 paragraph 4
b. Supervise the performance of the duties and responsibilities of the Parent SOE's Board of Directors, and give direction or advice to the Parent SOE's Board of Directors on the implementation of the Integrated Governance Policy;
d. Supervise the application of Internal Audit at Subsidiaries so that it is aligned with the Parent SOE's Internal Audit policy;

Related Regulations & Roles Covering ICOFR (2/2)

PER-5/MBU/09/2022, Implementation of Risk Management in State-Owned Enterprises

Board of Directors
Article 15 paragraph 1
The Board of Directors, as the Risk management organ, has the functions of:
a. Risk Management;
b. Internal audit; and
c. Integrated Governance.

Audit Committee
Article 16
d. Ensure the credibility and objectivity of the SOE's financial statements to be issued to external parties and supervisory bodies, including the follow-up of complaints and/or notes of irregularities concerning the reports during the Audit Committee's review period;
l. Monitor and evaluate the conformity of the application of the financial and Internal Audit policies of the Parent SOE and of Subsidiaries;
m. Give recommendations to the Board of Commissioners or Supervisory Board on matters that support the effectiveness and accuracy of the financial reporting process and the conformity between the Internal Audit policy of the Parent SOE and the Internal Audit of Subsidiaries.

Internal Audit Unit (SPI)
Article 21
t. Examine and assess efficiency and effectiveness in finance, operations, human resources, information technology and other activities.

Role of the Audit Committee regarding ICOFR

PER-12/MBU/2012, Supporting Organs of the Board of Commissioners/Supervisory Board of SOEs
Article 13 paragraph 1
a. Assist the Board of Commissioners/Supervisory Board in ensuring the effectiveness of the internal control system and the effectiveness of the work of the external auditor and the internal auditor;
d. Ensure that there is a satisfactory evaluation procedure for all information issued by the Company.

POJK No. 55/POJK.04/2015, Establishment and Work Implementation Guidelines of the Audit Committee
Article 10
a. Review the financial information to be issued by the Issuer or Public Company to the public and/or the authorities, including financial statements, projections and other reports relating to the financial information of the Issuer or Public Company;
c. Give an independent opinion in the event of a difference of opinion between management and the accountant on the services rendered

Expected role of the Audit Committee regarding ICOFR

► Assist the Board of Commissioners in ensuring the effectiveness of ICOFR.
► Oversee the Management Assessment of the effectiveness of ICOFR and, if there are material weaknesses, the Audit Committee also monitors management's remediation plan to ensure remediation is carried out with high priority and effectively.

Role of the Internal Audit Unit regarding ICOFR

POJK No. 56/POJK.04/2015, Establishment and Guidelines for Preparing the Internal Audit Unit Charter
Article 7 paragraph 1
b. test and evaluate the implementation of internal control and the risk management system in accordance with company policy;
c. examine and assess efficiency and effectiveness in finance, accounting, operations, human resources, marketing, information technology and other activities;
g. cooperate with the Audit Committee.

The duties and responsibilities of Internal Audit are set out in the Internal Audit Charter

ICOFR Increases Stakeholders' Trust

“Internal control over financial reporting (ICOFR) is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding:
► the reliability of financial reporting and
► the preparation of financial statements for external purposes in accordance with GAAP”

Source: Auditing Standard No. 5 paragraph A5

Internal Control Coverage: Operational, Reporting, Compliance
ICOFR is one part of the scope of internal control, focused on the internal controls that affect the reliability of the financial statements

Responsibility for the financial statements and internal control

Implication
Adequate evidence is needed to support ICOFR and to protect the Board of Directors' statement above

Design of Internal Control Over Financial Reporting

To have effective ICOFR, a company needs to implement three levels of control: Entity Level Controls (ELC), Process Level Controls (PLC) and ITGC. Process level controls are integrated into the company's business processes.

[Figure: layers of ICOFR. Entity Level Controls; Process Level Controls (Finance Governance: from financial event creation and daily accounting through entity, sub-group and group period-end closing to reporting and analyzing); Supporting processes; IT applications, IT processes and IT General Controls (Technology; Change, Access, IT operations), each with its IT risk addressed by ITGC or IT substantive procedures.]
Top-down Risk-based Approach Process (integrated)

[Figure: top-down risk-based approach. Activity stages: financial accounts and related systems; documentation and control systems; evaluation/monitoring. Flow: financial statements, significant accounts, significant processes, financial statement assertions, "What Can Go Wrong?", controls, evaluate/monitor, with financial statement implications, process implications, and management of inherent risk and business risk. Lower panel, application of the top-down risk-based scope (steps 1 to 5): financial statement risk, account risk, determination of significant accounts, financial statement assertion risk, determination of significant processes, process-level risk.]
Design of Internal Control Over Financial Reporting
ICOFR Practices in Other Countries Besides the USA & Japan

Columns: Country; Year; Regulator; Regulation Name; Internal Control Framework; Management Statement of Responsibility for ICOFR; External Auditor's Opinion on ICOFR Effectiveness

China
Background: China's position in the world economy has risen significantly, and the Chinese government recognized the need to improve the quality of financial reporting and align it with international standards. To improve and standardize internal control, the Chinese government set out to develop a series of internal control standards.
Year: regulation issued in 2008; regulation implemented in 2012.
Regulator: Ministry of Finance, China Securities Regulatory Commission (CSRC), Banking Regulatory, Insurance Regulatory, and National Audit Commission
Regulation Name: Basic Standard for Enterprise Internal Control
Internal Control Framework: -

India
Background: In India, internal financial controls came to be regarded as important after the Satyam scandal erupted in 2009. The Companies Act requires company auditors to report that an internal financial control system is in place. In addition, auditors must explicitly state the operating effectiveness of those controls.
Year: Companies Act issued in 2013; Guidance Note issued in 2014.
Regulator:
- Ministry of Corporate Affairs
- The Institute of Chartered Accountants of India (ICAI)
Regulation Name:
- Companies Act 2013
- Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
Internal Control Framework: -
ICOFR Practices in Other Countries Besides the USA & Japan

Columns: Country; Year; Regulator; Regulation Name; Internal Control Framework; Management Statement of Responsibility for ICOFR; External Auditor's Opinion on ICOFR Effectiveness

Qatar
Background: Internal control is part of governance, which is one of the most important management and control systems for companies in general, and especially for companies listed on the financial markets. All of this can improve company performance in general and increase the confidence of shareholders and the public.
Year: regulation issued in 2016.
Regulator: Qatar Financial Markets Authority
Regulation Name: Governance Code for Companies & Legal Entities Listed on the Main Market
Internal Control Framework: COSO Internal Control Framework

South Korea
Background: The outbreak of accounting scandals (DaeWoo ShipBuilding & Marine), a shift in public trust toward companies that demonstrated the importance of accountability and transparency in corporate reporting, and South Korea's continually growing economy, which has sharply reduced tolerance for errors.
Year: regulation implemented in 2019.
Regulator: South Korean National Assembly
Regulation Name: Korea's Internal Accounting management system that is introduced as part of 2017 regulatory reform
Internal Control Framework: COSO Internal Control Framework
Roles of Audit Committee
SOX Overview
2001 Year of the “Perfect Storm”

[Timeline figure: corporate failures at Enron, Qwest, WorldCom and Tyco (Q4 2001 to Q3 2002); Sarbanes-Oxley Act (SOX); Dodd-Frank Act (2010), which exempted listed companies not classified as “accelerated filers” or “large accelerated filers”; JOBS Act (2012), which exempted Emerging Growth Companies. Years on the axis: 2001, 2002, 2003, 2010, 2012.]

What has been achieved?

SOX
Other rules and regulations
Those charged with governance
SA 700: Forming an opinion and reporting on financial statements
SA 701: Communicating Key Audit Matters in the Independent Auditor’s Report
Management Review Control
Fact # 1 - Regulators: Trending Down is Good

Fact # 2 - Regulators: Who Says Accounting Is Simple

Fact # 3: A Real Headache for Management

Fact # 4: A Real Headache for Auditors

Deficiencies in FS are mainly in the areas of key estimates/judgment

Fact # 5: Another Headache for Auditors – Auditing Review Control

Deficiencies in auditing ICFR are mainly in the areas of auditing management review control
So, What Causes Most Problems in Financial Reporting?

Key Estimates/Significant Judgment
Complex Accounting Rules
“Sweet Spot” - Management Review Control (“MRC”)

Definition
Control that places reliance on management’s review and approval of particular quantitative /
qualitative information and reports.

Examples of review controls:

➢ Controls designed to determine that important estimates are complete and accurate and potential errors are detected and corrected:
    • Goodwill impairment, business combinations, income taxes
    • Other estimates – revenue allowances, warranties
    • Assumptions and data used, and conclusions reached, by third party specialists in valuing assets/liabilities in a business combination
➢ Detect controls designed to determine that other controls continue to function as designed
    • Review of account reconciliations
➢ Direct entity level controls designed to identify unusual trends or inaccuracies in financial reporting
    • Quarterly balance sheet fluctuation analyses
    • Quarterly budget to actual/actual to actual reviews
Identifying Key Review Controls

[Figure: key management review controls, identified from the following areas]
► Significant unusual or non-routine classes of transactions
► Fraud or other significant risks
► Group-wide controls
► Higher risk estimation processes
► Compensating controls that are being relied on to mitigate deficiencies

Role of the Audit Committee, Internal Auditor and Management
3-Steps in Dealing with Financial Reporting Issues

Issue Identification
► Changes in accounting standards or adoption of new accounting standards
► Changes in business circumstances

Analysis / Study
► Study of the impact of changes in accounting standards
► Study of the impact of changes in business circumstances on the application of accounting standards

How far will MRC be applied by the Audit Committee and Internal Audit?

Recommendation and Implementation
► Formation of an implementation team
► Recommended changes to business processes and controls
► Recommendations based on accounting analysis
Management Review Controls (MRC)
How the review is performed – the control owner

Who / Competency Assessment?

• Who is the control owner?
• Are there others who assist the control owner?
• What are the control owner’s role and responsibilities?
• Is the control owner competent and do they have appropriate authority?

Steps of the review:
1. Control owner
2. Systems and data sources used
3. Criteria used to investigate
4. Investigate and resolve identified items
Management Review Controls (MRC)
How the review is performed - systems and data sources used

What / Information Produced by Entity?

• What information is used in the review (information produced by the entity, service providers, others) and what are the relevant systems?
• What ensures the completeness and accuracy of each piece of important information?

Management Review Controls (MRC)
How the review is performed - criteria used to investigate

How / Level of Precision?

• For quantitative thresholds, what is the stated threshold and why is it appropriate to detect errors?
• For qualitative thresholds, what does the control owner consider “significant,” “unusual” or “reasonable”?
• Is there evidence of these criteria being applied?

Management Review Controls (MRC)
How the review is performed – investigation and resolution

Why / Follow up

• What types of questions are raised in the review?
• What is the nature of the follow-up?
• How did the reviewer resolve the items raised?

Illustrative Accounting Issues by Sector

Banking
▪ Expected credit losses
▪ Fair values of financial assets and financial liabilities
▪ Regulatory provisions

Insurance
▪ Insurance contract liabilities (estimated claims, liabilities for future policies claims and IBNR)
▪ Fair value of financial assets (e.g. investments in unquoted securities)
▪ Onerous contracts
▪ Recognition of profit

Energy
▪ Recoverability of non-current assets (impairment)
▪ Decommissioning obligation
▪ Deferred tax assets recoverability
▪ Lease accounting under IFRS16/PSAK73

Plantation
▪ Impairment of bearer plants
▪ Biological assets valuation
▪ Recovery of plasma receivable

Construction and Engineering
▪ Revenue recognition under IFRS 15/PSAK 72
▪ Lease accounting under IFRS16/PSAK73

Mining
▪ Recoverability of non-current assets (impairment)
▪ Closure (restoration and rehabilitation) provision
▪ Deferred tax assets recoverability
▪ Lease accounting under IFRS16/PSAK73
▪ Deferred stripping
Q&A Session
EY | Assurance | Tax | Transactions | Advisory


© 2022 PT Ernst & Young Indonesia.
A member firm of Ernst & Young Global Limited.
All Rights Reserved
