This document provides an overview of PBI TSI review and implementation services offered by Veda Praxis. It discusses Veda Praxis' background and vision, the types of review services it offers (quick scan, high level, full scope), and its methodology for conducting reviews and implementations. The review services involve defining the scope, analyzing the IT environment and complexities, performing interviews and reviews at different levels of depth, and delivering findings and gap analyses. The implementation methodology involves planning improvements based on gaps, designing changes to people, processes and technology, implementing those changes, monitoring effectiveness, and continually improving over time.

1. New PBI TSI Review and Implementation Services

2. Veda Praxis: Introduction

3. Who are we? PT Veda Praxis is your business partner in risk & control advisory. Formed in October 2005 by experienced and dedicated professional who are internationally certified and have wide experiences in variety of industries and professional services in multinational consulting firm and started its business operations in December 2005 “Veda” is originally from Sanskrit language means “Knowledge”. “Praxis” is originally from an ancient European language means “Practicing”.

4. Our Vision & Mission Vision become your partner in establishing effective business control Mission Deliver value services at full disclosure to our clients Participate on ever-increasing business consciousness in control awareness Build a strong and on-going relationship with our clients in regards to continuous control implementation

5. Our Value We help you better understand and manage your business risk We assist you improve your business process We assist you improve your operating efficiency We assure the validity of your business information We deliver “down to earth” recommendations and assist you with the implementation We provide cost effective solutions for you

6. Our Services Risk Management Information Technology Governance Internal Audit Business Process Improvement

7. Why Veda Praxis We have internationally certified professionals We deliver results according to world class quality standard and based on world class knowledge and methodology combine with local values Extensive knowledge and experience in delivering Control and Risk Based services Committed to work on the basis of knowledge transfer for the clients long term investment instead of creating dependencies from clients to consultants

8. Background and Point of View

9. Background Information technology development enables banks to improve operational activities efficiency and services quality to customer. The use of IT in bank’s operational activities exposes new risks to the bank, therefore an effective IT Risk Management is needed IT is a valuable asset to the bank, the management of IT is not just the responsibility of IT working unit, however it is the responsibility of all related parties The IT infrastructure needs to be adequate in terms of Basel II implementation A set of regulations covering the Implementation of Risk Management on the Utilization of Information Technology is needed

10. Structure of PBI and Guidelines

13. General Approach Types Related to Control Selection

14. Combination of Top-Down and Risk Driven Approach (Optimum Benefit)

15. Our Services Related to PBI TSI

16. Review/Assess Service

17. Implementation Services

18. Type of Review Service

19. Quick Scan Review

20. High Level Review

21. Full Scope Review

22. By Area Review

23. Type of Implementation Service

24. Full Scope Implementation

25. By Area Implementation

26. Review Services Methodology

27. Review Methodology Define Analyze Review Deliverables Executive Summary Identify PIC Quick Scan Perform Interviews Identify IT Environment Compliance Gap Schedule Interview Management Presentation Analyze IT Complexities Findings & Recommendation Perform High Level Review Identify review scope High Level Perform Detail Review Existing Maturity Full Scope/ By Area Determine Required Maturity Identify Benefits Required Maturity Determine Existing Maturity Identify Risks Maturity Gap

28. Detail Review Methodology

30. Persons in charge for every review area is identified. Identify PIC is needed to obtain review information effectively by interviewing the responsible person.

31. Schedule Interview

33. Quick Scan - Review Define Analyze Review Deliverables Perform Interviews Bank’s compliance towards PBI is reviewed using our compliance checklist tools developed based on the “KonsepPedomanPenggunaan TSI olehBank” issued by the Central Bank of Indonesia. The tool will assist the review process to be performed effectively and efficiently. The review is performed solely to obtain a “comply/not comply” information for each control related to the area. The information is obtained only through interviews with related PIC.

34. Define Analyze Review Deliverables Quick Scan - Deliver Executive Summary Result of all activities in three phase before will be summarized and reported in Executive summary. Compliance Gap A completed compliance checklist is prepared based on the review compliance in previous the phase. Management Presentation The report will be presented to the management.

35. High Level - Define Define Analyze Review Deliverables The “Define” phase in the High Level Review service has the same activities as those in the Quick Scan services (Identify PIC, Schedule Interview) with the following additional activity: Identify Review Scope Identify scope of PBI TSI high level review. This identification will determine scope of our project review, such as scope of bank’s branches, organizations, processes, procedures, etc.

36. High Level - Analyze Define Analyze Review Deliverables The “Analyze” phase in the High Level Review service has the same activities as those in the Quick Scan services (Identify IT Environment) with the following additional activity: Analyze IT Complexities Based on the IT Environment identified, the IT complexities will be assessed. The assessment result is used to determine the review areas of focus.

37. High Level - Review Define Analyze Review Deliverables The “Review” phase in the High Level Review service has the same activities as those in the Quick Scan services (Perform Interviews) with the following additional activity: Perform High Level Review A high level review is performed using more than interview techniques. Documentation reviews, walkthroughs, observations and inspections is done in a high level approach. A high level review will assess bank’s control design effectiveness. How effective a control is implemented will not be assessed.

38. High Level - Deliver Define Analyze Review Deliverables The “Deliver” phase in the High Level Review service has the same deliverables as those in the Quick Scan services (Executive Summary, Compliance Gap, Management Presentation) with the following additional deliverable: Findings & Recommendation Based on the review, a list of findings and recommendations is prepared. The executive summary will also include a findings and recommendation summary.

39. Define Define Analyze Review Deliverables The “Define” phase in the By Area/Full Scope Review service has the same activities as those in the Quick Scan plus the High Level services (Identify PIC, Schedule Interview, Identify Review Scope) with the following additional activities: Identify Risks A set of risks (may be provided by the bank) is scored using out tools. The scoring process is performed through workshops with management. Identify Benefits A set of benefits (may be provided by the bank) is scored based on the bank’s business and IT goals. The scoring process is performed through workshops with management.

40. Analyze Define Analyze Review Deliverables The “Analyze” phase in the By Area/Full Scope Review service has the same activities as those in the Quick Scan plus the High Level services (Identify IT Environment, Analyze IT Complexities) with the following additional activity: Determine Required Maturity The required maturity for each control stated in the “Konsep Pedoman Penggunaan TSI oleh Bank” is set. The process is done through the mapping of each control towards each risk and and benefit.

41. Analyze Define Analyze Review Deliverables The “Review” phase in the By Area/Full Scope Review service has the same activities as those in the Quick Scan plus the High Level services (Perform Interviews, Perform High Level Review) with the following additional activities: Perform Detail Review A Detail Review is performed using the same techniques as the high level review but on a different depth. The review is done up to the level of determining the control implementation effectiveness. Determine Existing Maturity Existing control maturity level is determined for each control based on the detail review.

42. Deliver Define Analyze Review Deliverables The “Deliver” phase in the By Area/Full Scope Review service has the same deliverables as those in the Quick Scan plus the High Level services (Executive Summary, Compliance Checklist, Management Presentation, Findings & Recommendation) with the following additional deliverables: Existing Maturity A report document describing the bank’s current control maturity Required Maturity A report document describing the bank’s required control maturity Maturity Gap Based on the existing and required maturity level, a gap analysis is performed.

43. Detail Implementation Methodology

44. Implementation Methodology People Process Technology Gap Analysis PLAN Develop IT Plan DO Design Standards, Policies, and Procedures Align IT Organization Design Technology Architecture Implement Standards, Policies, and Procedures Implement IT Organization Implement Systems Improvement Develop/Acquire New Systems OPERATE Monitor and Evaluate CHECK ACT Maintain and Improve

45. Plan : Develop IT Plan Based on the gap analysis, an IT plan is developed. The plan contains projects to improve the IT in the area of people, process and technology. The project does not necessarily divided by these areas (people, process and technology). A project may involve improvement on all of the areas. PLAN DO CHECK ACT

46. Do : People Align IT Organization: A design of the IT organization is developed based on the gap analysis. The design is not limited to organization structure and job description, but also committees and other improvements that has significant effect on the aspect of organization (people). The design may include the following: IT Steering Committee Information Security Incident Response Team IT Strategic Plan Training and recruitment plan Implement IT Organization: The IT organization design is implemented. The activities may involve but not limited to recruitment, socialization, training and management meetings. Our services in this phase is limited to assist the bank the new IT Organization socialization. PLAN DO CHECK ACT

47. Do : Process Design Standards, Policies, and Procedures Standards, policies and procedures are designed based on the PBI. The activities may involve further interviews to the process owner to obtain accurate information on the process. Deliver Standards, Policies, and Procedures The standards, policies and procedures are socialized. The activities may involve: Training and workshops Socializations through emails, banners, etc Our services in this phase is limited to assist the bank in socializing the standards, policies and procedures. PLAN DO CHECK ACT

48. Do : Technology Design Technology Architecture A future technology architecture is developed as guidelines on improving the technology of the organization. The future architecture will cover all technology aspects; applications, network, information, hardware. Develop/Acquire New System & Implement System Improvement Based on the future technology architecture, improvements are made and new systems are acquired or developed. Our role in this activities is to help the bank to make sure that improvements and new systems are made as required and done using the correct change management framework. We will also perform a Post Implementation Review at the end of each implementation. PLAN DO CHECK ACT

49. Check Once the implementation is finished and has gone to operation, the bank should monitor and evaluate the operation to Ensure the operational effectiveness of control as required based on the “required control maturity level”. PLAN DO CHECK ACT

50. Act Based on the improvement plan, bank will perform improvements on required areas. We do not provide any services at this stage. PLAN DO CHECK ACT

51. Questions and Answers