
YAYASAN PENDIDIKAN INTERNAL AUDIT

An Overview
 "The chance of something happening that will have an impact upon objectives" (ARMS)
 An event or circumstance that can affect the achievement of the organisation's objectives
Sources of risk: natural events, people, technology, employees, legal; operational, political, commercial, financial, management.

 "The chance of something happening that will have an impact upon objectives" (ARMS)
Areas that can be affected: assets, performance, reputation, costs, revenue, people, services, community, environment, finances.

Risk environment (diagram): assets, economic conditions, liabilities, investor expectations, social/business trends, legal, environmental events, internal operations, expansion, competitors, diversification, political/policy climate, culture, distribution, risk appetite, people, processes, technology, customer behaviour, reputation/rating agencies.
• The right and effective way to create value is to understand the whole risk environment in which the company operates.
• For implementation to be more effective, risk management requires a change in leaders' perception regarding:
 • the ability to limit risk in order to achieve objectives
 • control in managing risk
 • business units
 Opportunity
 Chance
 Threat
 Hazard
 Uncertainty
 Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
 Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.
• Unexpected losses
• Rapidly changing environment
• Developing corporate governance
• Implementing strategic management
• Declining KPIs and thin profit margins
• Improving the management of intangibles
• Improving capital budgeting decisions
• Growth strategy (M&A)
• Reducing reactive decision making
Risk appetite framework (diagram): Vision & Mission; Good Corporate Governance; Organization Structure; Roles and Responsibility; Operation & Business Plan; Optimum Performance; Return Measurement; Asset Investment; Investment Policy; Allocation; Portfolio; Strategy; Risk Philosophy & Tolerance; Risk Mitigation; Risk Management; RISK APPETITE at the centre.

System standards – manuals, policies, procedures

Risk identification:
 Products
 Operations & transactions
 Marketing & trading
 Portfolio & strategic investments
 Joint ventures, acquisitions
 Changes in the environment
 Competitive uncertainty

Risk measurement (static–dynamic):
 Project rating & prioritisation
 Expected & unexpected loss
 Cost/risk optimisation
 Pricing
 Statistical analysis
 Scenario analysis
 Cash flow & earnings modelling

Risk management (risk selection):
 Credit risk
 Operational risk
 Market & financial risk
 Business risk concentration
 Business portfolio diversification
 Corporate risk and

Evaluation & control (process):
 Performance review
 Validation of models and methods
 Back testing
 Model assessment


"Risk Management. I wonder what that is!" (cartoon caption)

A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
 Ongoing process
 Affected by people
 Should be applied in setting organization strategy
 Must be applied across the organization
 Risk appetite should be considered
 Will only provide “reasonable assurance”
 Must focus on the achievement of objectives
I Identify
• Identify
• Risk awareness
• Risk drivers
• Risk holders
II Measure
• Likelihood & impact
• Risk map (actual)
III Evaluate
• Risk map (target)
• Options for risk management
IV Manage
• Key risks in the business plan
• Value added
V Monitor
• Review the risk profile and controls continuously
• Reporting
COSO ERM cube (diagram):
Entity levels: Subsidiary, Business Unit, Division, Entity level
Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
Objective categories:
1. Strategic
2. Operations
3. Reporting
4. Compliance
Internal Environment
Risk Management Philosophy – Risk Culture – Board of Directors – Risk Appetite –
Organizational Structure

Objective Setting
Strategic Objectives – Related/Selected Objectives – Risk Appetite – Risk Tolerance

Event Identification
Factors Influencing Strategy & Objectives – Methodologies & Techniques – Risks &
Opportunities

Risk Assessment
Inherent & Residual Risk – Likelihood & Impact – Methodologies & Techniques – Correlation

Risk Response
Identify & Evaluate Possible Risk Response – Select Responses – Portfolio View

Control Activities
Integration with Risk Response – Types of Control Activities – General & Specific Controls

Information and Communications
Information – Strategic & Integrated Systems – Communications

Monitoring
Separate Evaluation – Ongoing Evaluations
 INTERNAL ENVIRONMENT : risk management philosophy, organization's risk appetite, organization risk culture, ERM & the board of directors, integrity & ethical values, ERM commitment to competence, management's philosophy & operating style, organization structure, assignments of authority & responsibility, and human resources policies & procedures.
 OBJECTIVE SETTING : ensure management has in place a process to set
objectives.
 EVENT IDENTIFICATION : internal & external events – risks & opportunities.
 RISK ASSESSMENT : analyze likelihood & impact, assessing inherent &
residual risks.
 RISK RESPONSE : avoiding, accepting, reducing, sharing risk,
development of actions.
 CONTROL ACTIVITIES : policies & procedures to ensure risk response
effective.
 INFORMATION & COMMUNICATION : relevant information
identified, captured, communicated – form & timeframe.
 MONITORING : ongoing & separate evaluation.
The Internal Environment includes:
 The entity's risk management philosophy
 Risk appetite
 Board of directors/commissioners
 Integrity and ethical values
 Commitment to competence
 Organisational structure
 Delegation of authority and responsibility
 HR policies
Risk Management Philosophy:
 Shared attitudes and beliefs about risk.
 Influences how risks are identified, which kinds of risk are accepted and how risks are managed.
 Management translates the risk management philosophy into day-to-day activities.
Risk Management Philosophy
 In principle it must be consistent across the whole company,
 Nevertheless, units can compensate for one another: sales & procurement
Risk Appetite:
 The amount of risk that can be accepted in pursuit of a given value,
 A reflection of the risk management philosophy
 Management must set objectives so that risks can be identified, assessed and managed,
 All employees must understand the objectives related to their duties
 Shapes the risk appetite
 Risk tolerance: the acceptable variation in objectives
THE RISK MANAGEMENT PROCESS (flowchart)
Organizational Objectives → Identify & Assess Risks → Identify Current Controls → Identify & Assess Residual Risks → Acceptable?
 Yes → Document Risk Acceptance Decision
 No → Action
Strategic Objectives
 High level goals,
 Aligned with entity’s mission/vision

Related Objectives
Activity level goals - 3 categories:
 Operations objectives
 Reporting objectives
 Compliance objectives
Risk Appetite
 Strategy setting must be in line with the risk appetite.
 ERM in the strategy-setting stage helps management choose a strategy within its risk appetite

Risk Tolerance
 the variation in the achievement of an objective that management can accept
VALUE UNCERTAINTY MAP (figure): risks 1–19 plotted by Variability (Low to High, horizontal axis) against strategic importance (Non-Strategic, Enabling, Strategic, vertical axis).
Illustration: the acceptable failure rate of a computer chip as seen by two users: "Low" versus "NONE!"
Objectives must be 'SMART':
S pecific
M easurable
A ttainable
R ealistic
T imeframe
Discuss and draw up a list of the objectives of the activities for which a particular work unit is responsible.
 Identify potential events (internal or external) that affect the strategy or the achievement of objectives.
 Events can be positive or negative
Techniques for identifying events:
 Event inventories
 Internal analysis
 Escalation or threshold triggers
 Facilitated workshops and interviews
 Leading event indicators
 Loss event data methodologies
 Process flow analysis
 Exposure analysis – assets
 Environmental analysis – the business environment
 Threat scenario – threats to business processes
 Brainstorming questions
Exposure analysis
 Financial Assets: Cash, Securities, Credit
 Physical Assets: Land, Building, Equipment
 Human Assets: Knowledge, Skills
 Intangible Assets: Reputation, Information


Asset characteristics – size, type, portability, location (STPL) – against the risk of loss and the risk of value decline:
 Small, portable, valuable: risk of loss – theft, fire, handling; risk of value decline – handling
 Large, valuable, portable: risk of loss – theft, fire, handling; risk of value decline – handling, dust, power fluctuation
 Large, valuable, not portable: risk of loss – fire, handling; risk of value decline – handling, dust, power fluctuation
Exercise: list at least 5 risks using the exposure analysis approach.
 Physical
 Economic
 Regulation
 Competition
 Customers
 Suppliers
 Union
 Technology
Environment | Current condition (what is) | Future condition (what could happen)
Customers | Customers are leaving | Unable to attract new customers
Competitors | Their service matches ours | Trying to win our customers
Physical | Affected by telephone tariffs | Internet usage
Exercise: list at least 5 risks using the environmental change approach.
Threats:
 Theft
 Fraud
 Disaster
 Errors
 Omissions
 Delays
Scenario:
 Description of the asset
 Type of threat
 Consequence
 How it happens
Exercise: list at least 5 risks using the threats-to-business-processes approach.
Definition of risk:
The possibility that an "event" or "circumstance" in a particular "operational set-up" will become an obstacle to achieving the organisation's objectives.
Three elements of risk:
1.) "Event" and "Circumstances" – the type of risk
2.) "Operational set-up" – the cause (internal or external)
3.) Obstacle to achieving objectives – the consequence
CAUSES → EVENTS → CONSEQUENCES → EFFECTS
CAUSES: Inadequate segregation of duties; Insufficient training; Lack of management supervision; Inadequate auditing procedures; Inadequate security measures; Poor systems design; Poor HR policies
EVENTS: Internal Fraud; External Fraud; Employment Practices & Workplace Safety; Clients, Products & Business Practices; Damage to Physical Assets; Business Disruption & System Failures; Execution, Delivery & Process Management
CONSEQUENCES: Legal Liability; Regulatory, Compliance & Taxation Penalties; Loss or Damage to Assets; Restitution; Loss of Recourse; Write-down
EFFECTS: Monetary Losses; OTHER IMPACTS – Reputation, Forgone Income, Business Interruption
Sources of Uncertainty:
Environment Risk – uncertainties affecting the viability of our business model
Process Risk – uncertainties affecting the execution of our business model
Information for Decision Making Risk – uncertainties over the relevance and reliability of information that supports our value creation decisions
Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
 The extent to which the impact of events can disrupt objectives.
 Calculate both inherent and residual risk
 Events are analysed from two perspectives:
 Likelihood
 Impact
Qualitative Techniques:
 Self-assessment (low, medium, high)
 Questionnaires
 Internal audit reviews

Quantitative Techniques:
 Probability based
 Non-probabilistic models – utilize impact
assumptions only, not likelihood
 Benchmarking
Event Relationships
 A sequence of small events can be significant
 If events are correlated, they must be assessed together
 Risks affecting many business units need to be grouped into common event categories and assessed in aggregate
Risk = Likelihood × Consequence
Impact (size of the consequence):
 Catastrophic
 Major
 Moderate
 Minor
 Insignificant
Likelihood of the risk occurring:
 Certain
 Likely
 Moderate
 Unlikely
 Rare
Heat map (figure): Probability of Occurrence (Low, Medium, High) against Magnitude of Impact (Low, Medium, High); "Mission Critical Risks" are labelled at the high end and "Your Risk Appetite" is drawn as the boundary line.
Risk Footprint (figure): a 5×5 matrix of Likelihood of Occurrence (Remote, Unlikely, Moderate, Likely, Almost Certain) against Consequence (Insignificant, Minor, Moderate, Major, Catastrophic); cells are rated L, M, S or H and risks a–f and 1–3 are plotted on it.
Risk Profile
BUSINESS UNITS produce local Risk Assessments including Action Plans.
RMC compares and merges these to produce a summary of results.
EXECUTIVE produces its perception of risks.
ARC compares and merges both to produce the Risk Profile, including:
• management & mitigation processes in place
• further Action Plans
• assurance processes
RISK MANAGEMENT PROCESS (cycle around "RISK MGT PROCESS"): RISK IDENTIFICATION, RISK MEASUREMENT, RISK MITIGATION / CONTROL, RISK MONITORING

RISK MEASUREMENT
OBJECTIVES / GOALS: RISK HANDLING PRIORITY
METHODS: QUALITATIVE, QUANTITATIVE – EXPECTED LOSS (ON ASSETS), LIKELIHOOD – IMPACT MATRIX, RISK FACTORS
OUTPUT: RISK PROFILES
RISK MEASUREMENT PROCESS
ABSOLUTE / INHERENT RISK MEASUREMENT
EXISTING RISK MITIGATION / CONTROL EVALUATION
RESIDUAL RISK MEASUREMENT

RISK MEASUREMENT – ADDITIONAL PROCESS
ADDITIONAL RISK MITIGATION / CONTROL
IMPLEMENTATION & EVALUATION
EXPECTED / TOLERABLE RISK MEASUREMENT

RISK MEASUREMENT – GENERAL FORMULA
INHERENT RISK – EXISTING RISK MITIGATION / CONTROL = RESIDUAL RISK
RESIDUAL RISK – ADDITIONAL RISK MITIGATION / CONTROL = EXPECTED / TOLERABLE RISK

RISK MEASUREMENT – FORMULA VISUALIZATION (diagram): INHERENT RISK, reduced by EXISTING CONTROL, leaves RESIDUAL RISK; RESIDUAL RISK, reduced by ADDITIONAL CONTROL, leaves EXPECTED RISK.
RISK MEASUREMENT – METHODS
QUALITATIVE: SUBJECTIVE IN NATURE; BASED ON EXPERT OPINION, SCENARIO ANALYSIS, SELF ASSESSMENTS, ETC
QUANTITATIVE: OBJECTIVE IN NATURE; BASED ON INTERNAL & EXTERNAL LOSSES DATABASE, STATISTICAL TOOLS, ETC
KISS
RISK MEASUREMENT – EXPECTED LOSS (ON ASSETS)

RISK OF LOSING ASSETS
SMALL, PORTABLE, VALUABLE – STOLEN
BIG, PORTABLE, VALUABLE – STOLEN, FIRE
BIG, NOT PORTABLE, VALUABLE – FIRE

RISK OF DECREASING VALUE OF ASSETS
SMALL, PORTABLE, VALUABLE – POOR HANDLING
BIG, PORTABLE, VALUABLE – POOR MAINTENANCE
BIG, NOT PORTABLE, VALUABLE – POWER FAILURE
RISK MEASUREMENT – EXPECTED LOSS (ON ASSETS)
RISK PROFILE

ASSETS | CHARACTERISTICS | RISKS | RISK EXPOSURES | RISK HANDLING PRIORITY
A | SMALL, PORTABLE, VALUABLE | STOLEN, POOR HANDLING | HIGH | 1ST
B | BIG, PORTABLE, VALUABLE | STOLEN, FIRE, POOR MAINTENANCE | MEDIUM | 2ND
C | BIG, NOT PORTABLE, VALUABLE | FIRE, POWER FAILURE | MEDIUM | 2ND
D | SMALL, PORTABLE, VALUABLE | STOLEN, POOR HANDLING | LOW | 3RD
RISK MEASUREMENT (LIKELIHOOD – IMPACT MATRIX)

RISK MEASUREMENT FORMULA
RISK = LIKELIHOOD X IMPACT

LIKELIHOOD | IMPACT
CERTAIN | CATASTROPHIC / EXTREME
LIKELY | MAJOR / HIGH
MODERATE | MODERATE / MEDIUM
UNLIKELY | MINOR / LOW
RARE | INSIGNIFICANT
RISK MEASUREMENT (LIKELIHOOD IMPACT MATRIX)

LIKELIHOOD \ IMPACT | I=1 | L=2 | M=3 | H=4 | E=5 | RISK SCALE
R=1 | 1 | 2 | 3 | 4 | 5 | 1 – 2 = I
U=2 | 2 | 4 | 6 | 8 | 10 | 3 – 4 = L
M=3 | 3 | 6 | 9 | 12 | 15 | 5 – 9 = M
L=4 | 4 | 8 | 12 | 16 | 20 | 10 – 12 = H
C=5 | 5 | 10 | 15 | 20 | 25 | 15 – 25 = E
RISK MEASUREMENT (LIKELIHOOD – IMPACT MATRIX)

LIKELIHOOD | IMPACT | FIN | NON FIN
CERTAIN = MORE THAN 5 TIMES A YEAR | EXTREME | USD. > 1000 T | INT'L
LIKELY = 3 – 5 TIMES A YEAR | HIGH | USD. > 500 – 1000 T | NATIONAL
MODERATE = 2 TIMES A YEAR | MEDIUM | USD. > 100 – 500 T | ORG
UNLIKELY = ONCE IN A YEAR | LOW | USD. 1 – 100 T | DEPT
RARE = ONCE IN MORE THAN A YEAR | INSIGN | < USD. 1 T | SECT
RISK MEASUREMENT (LIKELIHOOD – IMPACT MATRIX)
RISK PROFILE

ACTIVITIES | RISKS | RISK VALUE (LH | IP | TV) | RISK EXPOSURES | RISK HANDLING PRIORITY
1 | A | 5 | 1 | 5 | M | 3RD
1 | B | 2 | 5 | 10 | H | 2ND
2 | A | 3 | 1 | 3 | L | 4TH
3 | A | 2 | 1 | 2 | I | 5TH
3 | C | 4 | 5 | 20 | E | 1ST

NOTES :
LH = LIKELIHOOD, IP = IMPACT, TV = TOTAL VALUE
I = INSIGNIFICANT, L = LOW, M = MEDIUM, H = HIGH, E = EXTREME

RISK MEASUREMENT – RISK FACTORS

FACTORS → INCREASE / DECREASE RISK EXPOSURE
VALUE OF ASSETS
LIQUIDITY OF ASSETS
COMPLEXITY OF ACTIVITY
VOLUME OF ACTIVITY
RISK MEASUREMENT – RISK FACTORS
RISK PROFILE – ACTIVITY A

ACTIVITY | RISKS | RISK FACTOR SCORE | RISK FACTOR WEIGHT | RISK VALUE | RISK HANDLING PRIORITY
1 | A | 1 | 20% | 0,2 + 1,6 = 1,8 | 2ND
1 | B | 2 | 80% |  | 
2 | A | 1 | 100% | 1 | 3RD
3 | A | 1 | 40% | 0,4 + 1,8 = 2,2 | 1ST
3 | C | 3 | 60% |  | 
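Added example (not from the slides): the likelihood-impact matrix, its risk scale bands and the weighted risk-factor scoring described above, implemented as a small Python scorer and run over the two risk profile tables the slides give. The function names and the check that factor weights total 100% are my own assumptions.

```python
"""Added example (not from the original slides): the RISK = LIKELIHOOD x IMPACT
matrix, the risk scale bands and the weighted risk-factor scoring, run over the
slides' own risk profile tables."""
from dataclasses import dataclass

# Ordinal scales exactly as the slides define them (1..5).
LIKELIHOOD = {"RARE": 1, "UNLIKELY": 2, "MODERATE": 3, "LIKELY": 4, "CERTAIN": 5}
IMPACT = {"INSIGNIFICANT": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "EXTREME": 5}

# Risk scale bands from the matrix slide: 1-2=I, 3-4=L, 5-9=M, 10-12=H, 15-25=E.
# 13 and 14 are not products of two scores in 1..5, so the bands cover every cell.
RISK_SCALE = [(1, 2, "I"), (3, 4, "L"), (5, 9, "M"), (10, 12, "H"), (15, 25, "E")]


def risk_value(likelihood, impact):
    """RISK = LIKELIHOOD x IMPACT, accepting either scale labels or 1..5 scores."""
    lh = LIKELIHOOD[likelihood.upper()] if isinstance(likelihood, str) else likelihood
    ip = IMPACT[impact.upper()] if isinstance(impact, str) else impact
    if not (1 <= lh <= 5 and 1 <= ip <= 5):
        raise ValueError("likelihood and impact must be scores in 1..5")
    return lh * ip


def risk_exposure(value):
    """Map a risk value onto the slides' I/L/M/H/E risk scale."""
    for lo, hi, label in RISK_SCALE:
        if lo <= value <= hi:
            return label
    raise ValueError(f"{value} is not a product of two 1..5 scores")


@dataclass
class RiskEntry:
    activity: str
    risk: str
    likelihood: int
    impact: int


def risk_profile(entries):
    """Rows (activity, risk, LH, IP, TV, exposure, priority), ranked by TV, highest first."""
    scored = [(e, risk_value(e.likelihood, e.impact)) for e in entries]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(e.activity, e.risk, e.likelihood, e.impact, tv, risk_exposure(tv), rank)
            for rank, (e, tv) in enumerate(scored, start=1)]


def weighted_risk_value(factors):
    """Sum of score * weight over an activity's risk factors; weights must total 100%."""
    total_weight = sum(weight for _, _, weight in factors)
    if abs(total_weight - 1.0) > 1e-9:  # assumption: the slides' weights always sum to 100%
        raise ValueError(f"weights sum to {total_weight:.2f}, expected 1.00")
    return round(sum(score * weight for _, score, weight in factors), 2)


def prioritise_activities(activity_factors):
    """Rank activities by weighted risk value, highest first -> [(activity, value, priority)]."""
    values = [(activity, weighted_risk_value(f)) for activity, f in activity_factors.items()]
    values.sort(key=lambda pair: pair[1], reverse=True)
    return [(activity, value, rank) for rank, (activity, value) in enumerate(values, start=1)]


# Sample input constructed from the slides' "RISK PROFILE" table (LH, IP per risk).
PROFILE_INPUT = [
    RiskEntry("1", "A", 5, 1), RiskEntry("1", "B", 2, 5),
    RiskEntry("2", "A", 3, 1),
    RiskEntry("3", "A", 2, 1), RiskEntry("3", "C", 4, 5),
]
# Sample input constructed from the slides' "RISK PROFILE - ACTIVITY A" risk-factor table.
FACTOR_INPUT = {
    "1": [("A", 1, 0.20), ("B", 2, 0.80)],
    "2": [("A", 1, 1.00)],
    "3": [("A", 1, 0.40), ("C", 3, 0.60)],
}

if __name__ == "__main__":
    for row in risk_profile(PROFILE_INPUT):
        print("activity %s risk %s: LH=%d IP=%d TV=%2d exposure=%s priority=%d" % row)
    for activity, value, rank in prioritise_activities(FACTOR_INPUT):
        print(f"activity {activity}: weighted risk value {value} -> priority {rank}")
```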
Heat map (figure): Probability of Occurrence (Low, Medium, High) against Magnitude of Impact (Low, Medium, High).
 Avoidance
 Exit the activities causing the risk
 Reduction
 Take action to reduce the likelihood or impact of risk
 Sharing
 Transfer or share the risk or portion of the risk with
another party
 Acceptance
 Risk accepted, No action is taken
Risk is inherent in normal future operations → Accept (Yes) or Reject (No: off strategy; offers unattractive business model or rewards)

Accept → Retain, Reduce, Transfer, Exploit; Reject → Avoid

Retain: leave risk alone – reprice, insure or plan depending upon tolerance levels
Reduce: control or disperse the risk
Transfer: requires a financially capable independent third party that is willing to accept risk
Exploit: may increase exposure and possibly lead to the assumption of additional risk while at the same time increasing competitive advantage
Avoid: includes taking any actions required to completely remove all elements of exposure to a specified risk
Considerations in choosing a response:
 The effect of each response on risk likelihood and impact
 The response that best meets the risk appetite and tolerances
 Cost versus benefits
 The opportunities that may arise from each risk response.
o Divestment:
o Exit a product or geographic market
o Selling, liquidating, spinning off
o Prohibit high-risk activities, transactions or conditions (through an authority structure or standards)
o Stop certain activities (review)
o Steer business development & market expansion
o Screen alternative capital projects
o Eliminate the risk at its source (internal
 Accept the risk as it is (no action)
 Adjust the product (service) price with a risk premium
 Self-insure
 Offset the risk
 Formulate a good contingency plan
 Distribute assets (financial, physical, intangible) geographically
 Control (reduce the likelihood of occurrence)
 Insure (re-insure)
 Hedge
 Share (alliance & joint venture)
 Outsource
 Allocate internal resources
 Diversify
 Expand the portfolio
 Reorganise
 Renegotiate
 Influence regulators, public opinion, & standard setters
ENTERPRISE RISK MANAGEMENT COMPONENTS
INTERNAL ENVIRONMENT; OBJECTIVE SETTING; EVENT IDENTIFICATION; RISK ASSESSMENT; RISK RESPONSE; CONTROL ACTIVITIES; INFORMATION & COMMUNICATION; MONITORING

RISK RESPONSE (diagram): INHERENT RISK → RISK RESPONSE / RISK MITIGATION (CONTROL) → RESIDUAL RISK → TOLERABLE RISK
RISK RESPONSE
RISK RESPONSE ALTERNATIVES: RISK AVOIDANCE; RISK REDUCTION; RISK SHARING; RISK ACCEPTANCE

RISK RESPONSE EXAMPLES
RISK AVOIDANCE: STOP PRODUCING HIGH RISK PRODUCT; SELL UNPROFITABLE BUSINESS UNIT
RISK REDUCTION: REDUCE HUMAN INVOLVEMENT; IMPROVE SOP
RISK SHARING: BUY INSURANCE; HEDGE; OUTSOURCE
RISK ACCEPTANCE: ALLOWANCE FOR BAD DEBTS; NO ACTION

RISK RESPONSE CONSIDERATION
BUSINESS STRATEGY & OPERATIONAL ALIGNMENT
RISK APPETITE & TOLERANCE
SHORT & LONG TERM COST & BENEFIT
SHORT & LONG TERM POTENTIAL OPPORTUNITIES
POSSIBILITY OF CREATIVE & INNOVATIVE RESPONSE
RISK ON RISK RESPONSE

CONTROL ACTIVITIES
RISK RESPONSE ALTERNATIVES (RISK AVOIDANCE, RISK REDUCTION, RISK SHARING, RISK ACCEPTANCE) → CONTROL ACTIVITIES: POLICIES, PROCEDURES
CONTROL ACTIVITIES
CONTROL OBJECTIVES: STRATEGIC; OPERATIONAL; REPORTING; COMPLIANCE

CONTROL ACTIVITIES
CONTROL CLASSIFICATION: PREVENTIVE; DETECTIVE; CORRECTIVE
CONTROL ACTIVITIES
CONTROL CLASSIFICATION EXAMPLES (RISK SHARING – INSURANCE)
PREVENTIVE: INSURANCE COMPANY RATING; REASSURANCE FACILITY; GOVERNMENT REGULATORY & SUPERVISORY
DETECTIVE: AUDITED FINANCIAL STATEMENT OF INSURANCE COMPANY; MARKET SHARE OF INSURANCE COMPANY
CORRECTIVE: CHANGE TO ANOTHER INSURANCE COMPANY; CHANGE TO ANOTHER RISK RESPONSE ALTERNATIVE
DOCUMENTATION (diagram): the RISK REGISTER documents each stage of the RISK MGT PROCESS – IDENTIFICATION, MEASUREMENT, MITIGATION, MONITORING & REPORTING.
DOCUMENTATION
RISK REGISTER (SOURCES)
INTERNAL: PAST EXPERIENCE; SELF ASSESSMENT
EXTERNAL: PEER GROUP; DATA PROVIDER

DOCUMENTATION
RISK REGISTER CONTENTS
- RISK MANAGEMENT COMMITTEE CHARTER → RELATIVELY PERMANENT FILE
- RISK MANAGEMENT POLICIES → RELATIVELY PERMANENT FILE
- RISK LIBRARY → RELATIVELY PERMANENT FILE
- RISK PROFILES → ACTIVE FILE
- LOSS OR NEAR-MISS EVENTS / INCIDENT REPORTS → ACTIVE FILE
- OPINION OF RISK MANAGEMENT SYSTEM & PROCESS ADEQUACY & EFFECTIVENESS → RELATIVELY PERMANENT FILE
DOCUMENTATION
GOOD RISK REGISTER CHARACTERISTICS (SOCRATES)
- SECURE
- OBJECTIVE
- COMPREHENSIVE
- RELIABLE
- ACCURATE
- TIMELY
- EASY TO ACCESS
- SEAMLESS
MONITORING

ON GOING MONITORING
- When: ANYTIME
- By: MANAGEMENT – EXECUTIVE MANAGER, DEPT/DIV MANAGER, RISK MANAGER, SUPERVISOR
- Subject: RISK EXPOSURES
- Reported to: BOARD OF DIRECTORS; SENIOR EXECUTIVE OFFICERS; RISK MANAGEMENT COMMITTEE

SEPARATE EVALUATION
- When: PERIODICALLY
- By: INDEPENDENT EVALUATOR – INTERNAL AUDITOR, AUDIT COMMITTEE, RISK MANAGEMENT COMMITTEE, EXTERNAL AUDITOR
- Subject: RISK MANAGEMENT POLICY; RISK MANAGEMENT SYSTEM & PROCESS
- Reported to: BOARD OF DIRECTORS; SENIOR EXECUTIVE OFFICERS; RISK MANAGEMENT COMMITTEE

REPORTING DEFICIENCIES
- When: ANYTIME (BY SYSTEM); PERIODICALLY
- By: MANAGEMENT; INDEPENDENT EVALUATOR
- Subject: DEFICIENCIES IN RISK MANAGEMENT PROCESSES, PROCEDURES & SYSTEM
- Reported to: BOARD OF DIRECTORS; SENIOR EXECUTIVE OFFICERS; RISK MANAGEMENT COMMITTEE
ENTERPRISE RISK MANAGEMENT APPROACHES (diagram)
SILO APPROACH: DEPT A, DEPT B, DEPT C, DEPT D as separate units
HOLISTIC APPROACH: EWRM at the centre, connected to DEPT A, DEPT B, DEPT C and DEPT D

ENTERPRISE RISK MANAGEMENT APPROACHES
SILO APPROACH | HOLISTIC APPROACH
DEPARTMENTAL BASED | BUSINESS PROCESSES BASED
DECENTRALIZED RISK MANAGEMENT STRUCTURE & SYSTEM | CENTRALIZED RISK MANAGEMENT STRUCTURE & SYSTEM
SCATTERED SYSTEM & PROCESS | INTEGRATED SYSTEM & PROCESS
HETEROGENEOUS RISK MANAGEMENT ACTIVITIES | RELATIVELY HOMOGENEOUS RISK MANAGEMENT ACTIVITIES
MULTIPLE RISK LIBRARIES SCATTERED ACROSS DEPTS → INCONSISTENCIES MAY OCCUR | SINGLE RISK LIBRARY (USE OF A COMMON LANGUAGE) → ASSURED CONSISTENCY
RISK MANAGEMENT OPINION – AGGREGATION ISSUES | RISK MANAGEMENT OPINION – CAPTURED DIRECTLY FROM THE RISK REGISTERS
ENTERPRISE RISK MANAGEMENT MODEL
MEASUREMENT MODEL: FOCUS ON SIGNIFICANT MEASURABLE RISKS IN TERMS OF IMPACT MATERIALITY & LIKELIHOOD OF OCCURRENCE
CONTROL PROCESS MODEL: FOCUS ON CONTROL OVER IMPORTANT BUSINESS PROCESSES
Traditional RM vs. ERM: Essential Differences

Traditional risk management | ERM
Risk as individual hazards | Risk in the context of business strategy
Risk identification and assessment | Risk portfolio development
Focus on discrete risks | Focus on critical risks
Risk mitigation | Risk optimization
Risk limits | Risk strategy
Risks with no owners | Defined risk responsibilities
Haphazard risk quantification | Monitoring and measuring of risks
"Risk is not my responsibility" | "Risk is everyone's responsibility"

Source: KPMG LLP.


 Applying management in strategy setting
 Risk appetite
 Risk tolerance
 Portfolio view
EWRM structure (diagram): SENIOR MGMT. and the CRO / Executive Management oversee credit risk, market risk, ops risk and liquidity risk across LOB 1, LOB 2, LOB 3 and LOB 4.
EWRM should provide a strategic and consolidated picture from two perspectives:
• individual risk classes across business lines
• all key risk classes across the organization
Business risk management process (cycle around "Information for Decision-Making"):
Establish Business Risk Management Process: Goals and Objectives; Common Language; Oversight Structure
Assess Business Risks: Identify; Source; Measure
Develop Business Risk Management Strategies: Avoid; Reduce; Retain; Exploit; Transfer
Design/Implement Risk Management Capabilities
Monitor Risk Management Performance
Continuously Improve Risk Management Capabilities

Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Learning
1. Strengthen the institutional set-up & oversight:
 a. Common language and standards
 b. Organisation (oversight)
 c. Set policies (limits)
2. A uniform process
 a. Assign risk owners
 b. Integrate with corporate strategy

Learning
1. Develop RM capabilities
2. Proceed step by step
3. Focus on all sources of value
4. Develop (train) facilitators
5. Set a clear risk management strategy
Organisation (diagram): Board of Directors; Senior Management / RM Committees; Risk Management Function / Compliance & IAD Areas; Operational Business Lines
• Organisation: RM committee; RM function; risk-taking units
• Standards
• Authority & responsibilities
• Job descriptions

I. Centralised: the RM division does everything
• Specific industries: banks, insurance, hospitals, airlines
• Requires a "Superman" person (division)
II. Decentralised (RM committee and RM division):
• For other industries
• Raises awareness
• Provides guidelines
• Encourages implementation
• Coordinates
Integration with corporate strategy
Business risk management: 1. Identify; 2. Source; 3. Measure; 4. Evaluate; 5. Manage; 6. Monitor
Business planning: 1. Strategic assessment; 2. Strategic development; 3. Business plan

©2001 Arthur Andersen. All rights reserved. Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Develop Risk Management Capability

Systematically Build and Improve Risk Management Capabilities (maturity ladder):
Initial – capabilities are characteristic of individuals, not of the organization
Repeatable – process established and repeating; reliance on people is reduced
Defined – policies, processes and standards defined and formalized across the company
Managed – risks measured and managed quantitatively and aggregated on an enterprise-wide basis
Optimizing – organization focused on continuous improvement of business risk management

Source: Derived from Carnegie Mellon model for inclusion in Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Improved ERM Capabilities:
Initial: Risk identification
Repeatable: Common language; Dedicated resources; Risk management policy; Risk sourcing
Defined: Defined process; EWRM responsibilities; Policy guidelines followed across the organization; Risk measurement; Consistent risk reporting; Enterprise-wide limits
Managed/Optimizing: Enterprise-wide risk strategies; Risk diversification exploited competitively; Quantification of risk versus tolerances; Integrated risk measurement systems; Risk measures applied to business performance goals

Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Level of Risk Management Capability (figure): the current level (STAGE 1) and the desired level (STAGE 2) plotted along Initial, Repeatable, Defined, Managed, Optimizing.

Stakeholder group | Risk focus | Sources of Value | Sources of Uncertainty
Strategists | Environment | Business model; Business strategy; Asset portfolio; Image and reputation | Competitor acts; Customer wants; Technological innovation; Political trends; Weather
Treasurers | Process/financial | Equity market portfolio; Receivables and debt; Foreign exchange; Commodity holdings; Business plans | Rates; Prices; Changes in economy; Customer performance
Operating managers | Process/operations | Physical assets; Products and processes; Brands; Relationships; Work force | Performance; External dependencies; Demographics; Regulatory issues; Raw material markets
Insurable risk managers | Hazard | People; Products and processes; Earnings/cash flow; Physical assets; Reputation | Catastrophic loss; Terrorism and theft; Regulatory issues; Wear and tear; Health and safety
Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
From: Finance function – Financial risks; Risk insurance; Treasury risk; Foreign exchange
To: Entire enterprise – Operations; Finance; Technology; Human resources; Competition; Regulatory; Environmental; Global expansion; Reputation
Source: FutureBrand
Components: Business strategies and policies; Business processes; People; Management reports; Methodologies; Systems and data

Risk if a component is deficient:
Business processes – process does not achieve strategy
People – people cannot perform the process
Management reports – reports do not provide information for effective management
Methodologies – methodologies do not adequately analyze information
Systems and data – information is not available for analysis and reporting

Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Align with the oversight role of the BoD

Board oversight roles (matrix: External vs Internal Focus; Past and Present vs Future Orientation):
Reporting (External Focus, Past and Present) – INTERACTIVE: Financial reporting; Other reporting; Accountability
Strategy (External Focus, Future) – ANTICIPATORY: Competitive landscape; Business model; Strategic choices; Accountability
Execution (Internal Focus, Past and Present) – REACTIVE: Recent performance; Current situations; Operations; Accountability
Policy (Internal Focus, Future) – PROACTIVE: Authorities; Boundaries; Balance; Accountability
These four oversight roles help a board prioritize its focus as it works with and through the CEO….
Governance oversight roles highlight key questions relating to risk management
Reporting:
• Is there a process for reporting risk and performance?
• Does the organization structure support risk reporting?
Strategy:
• Is there a process for assessing risk and capabilities?
• Is the Board advising on "mission-critical" risks?
Execution:
• Are all key uncertainties being managed?
• Are there assurances that our capabilities are effective?
• Is a risk-sensitive culture in place?
Policy:
• Is opportunity-seeking behavior balanced with risk-taking?
• Are boundaries and limits adequately defined?
WHAT ABOUT US?

CONTROL IS BUSINESS, NOT BUREAUCRACY
"If everything seems under control, you're just not going fast enough"
(Mario Andretti, Formula 1 champion)


(Two charts plotted against Time (seconds), 0–900; their content is not recoverable from the page.)
Good Luck!