2. • Module objective: participants understand the concepts of risk and ERM, and are able to explain the benefits of implementing ERM in controlling the company's objectives.
• Duration: 2 JP (teaching periods)
• Module prerequisite: NA
4. Risk & Business Balancing
• No risk – No return
• Risk must be in line with the return expected to be obtained
• Risk can be managed, and its impact reduced if it occurs
• Risk Management is
– good management
– avoiding losses
– increasing returns
5. Definisi Risiko
“the chance of something happening that will have an impact upon objectives.”
(The Australian/New Zealand Standard for Risk Management)
“the possibility that an event will occur and adversely affect the achievement of
objectives” (COSO ERM Framework)
“any event which is likely to adversely affect the ability of the organization
to achieve the defined objectives” (Method 123)
“the possibility of suffering injury, damage or loss or uncertainty about achieving a
certain outcome”
(Martin C. Leinweber - Managing Director CERMAS, Risk and the Audit Committee)
Definition of Risk at TELKOM
Risk is any possible event in the company's activities that has the potential to hinder the achievement of the company's objectives.
6. Concept of Problems & Risks
Problems/Crisis
• Occur now
• Result of past decisions/activities
Risks
• Potential problems
• Result of current decisions/activities
Timeline: past decisions/activities lead to present problems; present decisions/activities lead to future risks.
• ERM aims to ensure that risks that may occur in the future are anticipated at the time a decision is taken, so that the likelihood of their occurring and/or their impact if they do occur is reduced, and the objective of the decision can be achieved.
• Crisis/Problem Management is not Risk Management: crisis/problem management acts on problems that have already occurred, whereas risk management acts on risks before they occur, giving "no surprise" and objectives achievement.
7. Key Words of ERM
1. There is one common risk management process that applies across the whole company.
2. There is a common risk management language/definition/terminology that applies across the whole company.
3. There is a common measure for the level of risk that applies across the whole company.
4. There is a common risk acceptance threshold that applies across the whole company.
5. It is a repeating/cyclical process.
9. The Benefit in Numbers
Benefits for the Organization
Avoid Surprises: with risk management, potential risks are already identified and managed before they become serious or have a large impact.
Better Governance: there is a clear division of roles and responsibilities, smooth communication and reporting methods, and a problem escalation mechanism.
Better Decision Making: supports the decision-making process, because the impact of a potential event on the decision to be taken has already been taken into account.
Efficiencies: the risk management function in the company is more effective, risk coordination is easier, and overlaps or gaps in risk management are reduced.
Benefits for Stakeholders
Increases the company's value.
10. Other Benefits
Large investors believe that companies that implement ERM deserve to have their shares priced at a premium.
EY Global Risk Survey of 441 Corporate CEOs, CFOs and Financial Executives, March 2006
11. GRCB INTERNATIONAL
THIRD PARTY SECURITY REVIEW
QUESTIONNAIRE
FOR
Company Name:
Company Confidential
Issue Date: 05/02/09
Reference: GRCBI/Information Security/Indonesia/BBI/05022009
Copyright 2006,
Barclays Bank PLC,
GRCB International
1 GENERAL
1.1 Completion Details
1.2 Commercial Background
2 RISK MANAGEMENT
2.1 Risk Management
3 SECURITY POLICY
3.1 Security Policy
4 ORGANISATIONAL SECURITY
4.1 Information Security Management Framework
4.2 3rd Party Access
4.3 Outsourcing
5 PERSONNEL SECURITY
5.2 Responding to Security Incidents and Malfunctions
6 PHYSICAL AND ENVIRONMENTAL SECURITY
6.1 Building Security
6.2 Physical Access Controls
7 COMMUNICATIONS AND OPERATIONS MANAGEMENT
7.1 Documented Operating Procedures
7.2 Operational Change Control
7.3 Incident management procedures
7.4 Protection against malicious software
7.5 Network Management
8 ACCESS CONTROL
8.1 Business requirements
8.2 User Access Management
8.3 Network Access Controls
8.4 Monitoring of System Access and Use
9 BUSINESS CONTINUITY
9.1 Business Continuity
10 BARCLAYS DATA HANDLING
10.1 Barclays Data Handling
14. Telkom's Risk Culture Score (scale: 100%)
Telkom's Risk Culture Score Total: 79.45%
Leadership & Strategy: 80.53%
Accountability & Reinforcement: 77.07%
People & Communication: 78.33%
Risk Management & Infrastructure: 78.78%
Domestic target: 70%
Telkom's Risk Culture 2011 Score is 79.45%.
According to McKinsey & Company, the Global Benchmark is 82% (for lower risk accepted).
Source: Dit. CRM Risk Culture Survey 2011
15. The information gathered provides value to the broader risk and organizational culture:
• Encourages collaboration between organizational units and functions
• Can help to streamline GRC processes
• Reduces duplication of efforts
• A critical component in developing and enhancing an integrated approach to governance, risk and compliance
16. Telkom's Risk Culture Score – per Indicator (scale: 100%; domestic target 70%; global benchmark 82%)
Leadership & Strategy 80.53% (indicator scores: 81.77%, 79.29%)
Implied:
Excellent business ethics
Good Leadership
High internalization
The company has implemented an excellent risk culture through its business ethics and leadership, and all employees sense this corporate culture.
17. Telkom's Risk Culture Score – per Indicator (scale: 100%; domestic target 70%; global benchmark 82%)
Accountability & Reinforcement 77.07% (indicator scores: 79.46%, 74.69%)
Implied:
Sufficient Empowerment
Fairly linked performance
Incentive & Discipline separately
There is empowerment across the company, though it is only fairly linked to performance, and the link between incentive and discipline needs to be tightened.
18. Telkom's Risk Culture Score – per Indicator (scale: 100%; domestic target 70%; global benchmark 82%)
People & Communication 78.33% (indicator scores: 79.80%, 76.87%)
Implied:
Competent people
Clearly communicated information
Competence & information related
The company has appointed competent people; however, the information path across the layers needs more focus.
19. Telkom's Risk Culture Score – per Indicator (scale: 100%; domestic target 70%; global benchmark 82%)
Risk Management & Infrastructure 78.78% (indicator scores: 80.20%, 77.35%)
Implied:
Risk Management highly deployed
Risk Management tools integrated with processes
Developed process
Risk management is deployed around the company's processes and has been integrated; however, control processes are not yet optimized.
20. CEOs recognize the importance of risk information to the success of their organizations, but lack actionable information to allow for effective risk decisions with clarity and confidence:
92% agree that information about risk is either important or critical to their long-term success.
But only 23% of them believe they have comprehensive information about risk to their business.
22. Risk management frameworks and standards
• Japan Financial Services Agency (JFSA) – ERM Framework 2013
• ISO 31000:2009, the new International Risk Management Standard
• Federation of European Risk Management Associations (FERMA)
• Risk and Insurance Management Society (RIMS)
• Basel II – Integrated Risk Management Solution
• COSO ERM framework
• AS/NZS 4360:2004
• RIMS Risk Maturity Model
24. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a world-scale body based in the United States that sponsors and disseminates guidance and frameworks on organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.
Sponsoring organizations:
• American Accounting Association
• American Institute of CPAs
• Financial Executives International
• The Association for Accountants and Financial Professionals in Business (IMA)
• The Institute of Internal Auditors
Telkom uses COSO as its ERM framework for several reasons:
• Telkom is listed on the NYSE.
• Telkom had already implemented SOX, which is based on COSO.
• To achieve alignment between ERM and SOX.
• To make it easier for external parties when performing audits.
25. The COSO ERM framework (the COSO cube)
Eight components: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring.
Four objective categories: Strategic; Operations; Reporting; Compliance.
Entity levels: Entity-level; Division; Business Unit; Subsidiary.
Enterprise Risk Management:
• Is a process
• Is effected by people
• Is applied in strategy setting
• Is applied across the enterprise
• Is designed to identify potential events
• Manages risk within risk appetite
• Provides reasonable assurance
• Supports achievement of objectives
26. Telkom's risk map: each risk is plotted by Likelihood (horizontal axis) against Impact (vertical axis), both on a five-level scale of Very Low (VL), Low (L), Medium (M), High (H) and Very High (VH), with a risk Appetite line separating acceptable from unacceptable positions. Codes as they appear on the map (grid coordinates are not recoverable from the extracted slide): O4 C3; O1 S1; C1 F1; F2; F3 C2; S3; S4 S2 O2; O3.
Risks plotted:
F.1 Increased Foreign exchange
F.2 Increased Interest Rate
F.3 Fail in Managing Liquidity
S.1 Less/decline Product Competitiveness
S.2 Failure in M&As activities and Partnership
S.3 Failure to maximize technology as a competitive value
S.4 Failure in Corporate University program
C.1 Regulatory Pressure and Impediments
C.2 Business dispute and litigation
C.3 Late submission of Financial Statements and Deficiency on ICOFR
O.1 Failure in managing Information and Technology
O.2 Revenue Leakage
O.3 Business Interruption
O.4 Failure to max. Revenue Over Invested Capital expenditure
27. Risks by category
Strategic Risks: Less/decline Product Competitiveness; Failure in M&As activities and Partnership; Failure to maximize technology as a competitive value; Failure in Corporate University program.
Operation Risks: Failure in managing Information and Technology; Revenue Leakage; Business Interruption; Failure to Maximize Revenue Over Invested Capex.
Financial Risks: Increased Forex; Increased Interest Rate; Fail in Managing Liquidity.
Compliance Risks: Regulatory Pressure and Impediments; Business dispute and litigation; Late submission of Financial Statements and Deficiency on ICOFR.
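The risk map on slide 26 and the category split on slide 27 can be reproduced as a small scoring model: each risk gets a likelihood and an impact on the five-level scale, the product gives a 1–25 heat-map score, and anything above the appetite line needs a risk response. The following Python is an added example written for this page; it is not Telkom's or COSO's own tooling. The risk codes, names and categories come from the slides, but the likelihood/impact ratings, the appetite threshold of 9, and the multiplicative scoring are constructed assumptions, since the slide does not state the underlying numbers.

```python
"""Plot a risk register on a 5x5 likelihood/impact matrix and flag risks
outside appetite. Added example; ratings and threshold are assumptions."""
from dataclasses import dataclass

LEVELS = ["VL", "L", "M", "H", "VH"]  # Very Low .. Very High, scored 1..5


@dataclass(frozen=True)
class Risk:
    code: str
    name: str
    category: str    # Strategic / Operational / Financial / Compliance
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS

    def score(self) -> int:
        """Likelihood x impact on a 1..25 scale (assumed scoring rule)."""
        return (LEVELS.index(self.likelihood) + 1) * (LEVELS.index(self.impact) + 1)


# Constructed ratings: the slide shows map positions, not numbers.
REGISTER = [
    Risk("F.1", "Increased Foreign exchange", "Financial", "H", "M"),
    Risk("F.2", "Increased Interest Rate", "Financial", "M", "M"),
    Risk("F.3", "Fail in Managing Liquidity", "Financial", "L", "H"),
    Risk("S.1", "Less/decline Product Competitiveness", "Strategic", "H", "VH"),
    Risk("S.2", "Failure in M&As activities and Partnership", "Strategic", "L", "M"),
    Risk("S.3", "Failure to maximize technology as a competitive value", "Strategic", "M", "H"),
    Risk("S.4", "Failure in Corporate University program", "Strategic", "L", "L"),
    Risk("C.1", "Regulatory Pressure and Impediments", "Compliance", "H", "H"),
    Risk("C.2", "Business dispute and litigation", "Compliance", "M", "M"),
    Risk("C.3", "Late submission of Financial Statements and Deficiency on ICOFR", "Compliance", "L", "VH"),
    Risk("O.1", "Failure in managing Information and Technology", "Operational", "M", "VH"),
    Risk("O.2", "Revenue Leakage", "Operational", "H", "M"),
    Risk("O.3", "Business Interruption", "Operational", "L", "VH"),
    Risk("O.4", "Failure to max. Revenue Over Invested Capital expenditure", "Operational", "M", "H"),
]

APPETITE_THRESHOLD = 9  # assumption: a score above 9 crosses the appetite line


def exceeds_appetite(risk: Risk, threshold: int = APPETITE_THRESHOLD) -> bool:
    """True when the risk sits above the appetite line and needs a response."""
    return risk.score() > threshold


def risks_outside_appetite(register=REGISTER, threshold=APPETITE_THRESHOLD):
    """Codes of risks needing a response, highest score first, ties by code."""
    hot = [r for r in register if exceeds_appetite(r, threshold)]
    return [r.code for r in sorted(hot, key=lambda r: (-r.score(), r.code))]


def heat_map(register=REGISTER) -> str:
    """Text heat map: rows are impact VH..VL top to bottom, columns are
    likelihood VL..VH left to right, cells hold the risk codes plotted there."""
    grid = {(imp, lik): [] for imp in LEVELS for lik in LEVELS}
    for r in register:
        grid[(r.impact, r.likelihood)].append(r.code)
    lines = []
    for imp in reversed(LEVELS):
        cells = [" ".join(grid[(imp, lik)]).ljust(9) for lik in LEVELS]
        lines.append(f"{imp:>2} | " + " | ".join(cells))
    lines.append("   | " + " | ".join(lik.center(9) for lik in LEVELS))
    return "\n".join(lines)


def category_summary(register=REGISTER) -> dict:
    """Per category (slide 27 grouping): number of risks and the worst score."""
    out = {}
    for r in register:
        entry = out.setdefault(r.category, {"count": 0, "max_score": 0})
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], r.score())
    return out


if __name__ == "__main__":
    print(heat_map())
    print("Outside appetite:", risks_outside_appetite())
    print(category_summary())
```

The appetite line is the policy decision the ERM "key words" on slide 7 ask for: one common risk measure and one common acceptance threshold for the whole company. Changing `APPETITE_THRESHOLD`, or replacing the multiplicative `score()` with a lookup table that weights impact more heavily, changes which risks fall into the response list without touching the register itself.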