ERM OPTIMAL
1. Jakarta, April 2016
an Enterprise Risk Management in Practice
towards
Business Competitiveness
Risk & Process Management
PT. Telekomunikasi Indonesia, Tbk
I Nyoman Wisnu Wardhana
Senior Advisor II – PT. Telkom
2. Disclaimer
This document may contain forward-looking statements within the meaning of safe-harbor. Actual results could differ materially from
projections, estimations or expectations. These may involve risks and uncertainty, and may cause actual results and development to
differ substantially from those expressed or implied in the statements. The company does not guarantee that any action which may
have been taken in reliance on this document will bring specific results as expected.
Subdit Risk & Process Management
PT. Telekomunikasi Indonesia, Tbk
3. Outline
Telkom at a glance
ERM – Latest Concept
ERM Framework
ERM Processes
Takeaway
The latest of risk management, GRC, Risk Based approach
Framework
Risk Profile and Treatment
4. Telkom at a glance
Total Shares: 100,799,996,400 shares
Market Capitalization at IDX: IDR 333,14 Tn.
Telkom Indonesia is listed on the Indonesia Stock Exchange (TLKM IJ) and the New York Stock Exchange (TLK US)
Public 46.76%
Government 53.24%
Treasury Shares 2.6%
6. Telkom at a glance – Corporate philosophy
MEGA: Telkom exists to give the best to the Indonesian nation and the universe
MACRO: Telkom provides the best service and solutions, needed and loved by the Customer
MICRO: Telkom increases company value, professionalism and employee welfare, and delivers an optimal return for shareholders
Red and White colours: Telkom Indonesia's dedication to Indonesia and the universe
The World in Your Hand: the best for customers
Company: company value, professionalism, shareholder
7. Telkom at a glance – Corporate Strategy
Vision: Be the King of Digital in the Region
Mission: Lead Indonesian Digital Innovation and Globalization
Strategic Objective: Top 10 Market Capitalization Telco in Asia-Pacific by 2020
Corporate Strategy:
Directional Strategy: Sustainable Competitive Growth
Portfolio Strategy: Converged TIMES Portfolio
Parenting Strategy: Strategic Guidance
8. Telkom at a glance – Telkom ERM Vision and Mission
• RPM & Personnel
• Framework
• Methodology & Tool
• Policy & Procedure
• Risk Ownership
Assured by Internal Audit
Telkom's BOC and BOD Support and Oversight
Risk Management Vision:
Bring Risk Management into Telkom's culture, embedded in PT. Telkom's business processes and operations
Risk Management Mission:
To be a "Partner" for all of PT. Telkom's business units and operations
The success of ERM implementation at PT. Telkom depends on support and commitment from the BoD and BoC (Tone at the Top) and on a function that assures effective implementation and provides input for further development (IA)
9. Telkom at a glance – Corporate Legal Consideration
PT. Telekomunikasi Indonesia, Tbk. considers:
As a Limited Liability Company
Law: UU No. 40/2007 on Limited Liability Companies
Regulation: Per-Pres, Kep-Pres, Per-Men, Per-Pem, etc.
As a State-Owned Company
Law: UU No. 19/2003 on State-Owned Enterprises (BUMN); UU No. 17/2003 on State Finances, etc.
Regulation: Per-Pres, Kep-Pres, Per-Men, Per-Pem, etc.
As a Telecommunications Company
Law: UU No. 36/1999 on Telecommunications; UU No. 11/2008 on Electronic Information and Transactions (ITE), etc.
Regulation: Per-Pres, Kep-Pres, Per-Men, Per-Pem, etc.
As a Public Company
Law: UU No. 8/1995 on Capital Markets
Regulation: Per-Pres, Kep-Pres, Per-Men, Per-Pem, Per-OJK (Bapepam), SOX-SEC, IDX Reg, etc.
The Bylaw
Company's internal regulations:
Board of Directors Regulations (Peraturan Direksi)
Director Regulations (Peraturan Direktur)
Head of Business Unit Regulations (Peraturan Kepala Unit Bisnis)
Policies
Procedures
SOP/SMP
Etc.
Other public laws, for instance:
- UU No. 31/1999
- UU No. 5/1999
- KUHP
- Etc.
11. Latest Concept of ERM – Business Turbulence
Latest Progress: Change is very rapid and often unexpected (highly volatile)
New Concept: The importance of paying special attention to the policies and processes related to Corporate Governance (GCG), Risk Management and Compliance (increasing attention to GRC)
The Fact: Most companies manage GCG, Risk Management and Compliance separately, with silos forming between them
Challenge: How the company can manage its business risks very efficiently and with agility by having a balanced and integrated Control Monitoring system
12. Latest Concept of ERM – Risk is everywhere
Financial risk
Liquidity risk
Diversification risk – No-diversification risk
Development risk
Growth risk – Stagnation risk
Income stream risk
Political risk
Regulation risk
Demand risk
Supply risk
Sale & Marketing risk
Reputational risk
Business continuity risk
Health and safety risk, ….
Operational Failure
Disruption of Main Process
Decreasing of Quality of service
Shrinkage of Market and Investor
Business Performance Inflammation
Raising Cost
13. Latest Concept of ERM – Fragmentation Increases Risk
Functions shown: Procurement; Sales, Services; IT Operation; Human Resources; Compliance/Risk Office; Finance; BoD/BoC & Audit Committee; Executives & Managers
Supplier "black list"
Anti-terrorist trade practices
High credit risk customer
Balance credit profile
Data leakage & security
Security IT infrastructure
Employee safety compliance
Environmental health & safety compliance
Disconnected risk analysis
Integrated risk analysis
Complex, Int. compliance req.
Global finance reporting compliance
Exc. Compensation practices
Evidence for decision & directives
Incomplete global risk profile
Increase confidence in business result
New pressures, new risks
• Diversification - range of business streams
• Commercial competition
• Care & support; social enterprise
• Market renting; market sale
• New partners; joint ventures
• New funding models
• Emphasis on self-regulation, co-regulation
• Increasing focus on governance
16. Latest Concept of ERM – Don't be a stranger
TOP 10 RISK
1 Damage to reputation/brand
2 Economic slowdown/slow recovery
3 Regulatory/legislative changes
4 Increasing competition
5 Failure to attract or retain top talent
6 Failure to innovate/meet customer needs
7 Business interruption
8 Third-party liability
9 Computer crime/hacking/viruses/malicious codes
10 Property damage
TOP 10 Global Risk 2015
Top 10 Risk in Telecommunications 2014
17. Latest Concept of ERM – TOP 10 Risks
Competitive is a must!
2015 risks
1 Damage to reputation/brand
2 Economic slowdown/slow recovery
3 Regulatory/Legislative changes
4 Increasing Competition
5 Failure to attract or retain top talent
6 Failure to innovate/meet customer needs
7 Business Interruption
8 Third party liability
9 Computer crime/hacking/viruses/malicious codes
10 Property damage
2018 projected
1 Increasing Competition
2 Economic slowdown/slow recovery
3 Regulatory/Legislative changes
4 Failure to innovate/meet customer needs
5 Damage to reputation/brand
6 Failure to attract or retain top talent
7 Computer crime/hacking/viruses/malicious codes
8 Commodity price risk
9 Political risk/uncertainties
10 Growing burden and consequences of corporate governance/compliance
18. Latest Concept of ERM – Going to risk based approach
Risk & Strategic Planning: toward intelligent risk taking
Risk & ICoFR: ensure reliability of financial reporting
Risk & BCMS (ISO 22300): prevent business disruption
Risk & ISMS (ISO 27000): protection of information assets (CIA)
Risk & Asset Management: effective, efficient and well-protected assets
19. Latest Concept of ERM – The Survey
How challenging is each of the following in defining and implementing your organization's enterprise-level risk appetite statement?
Complying with regulatory expectation regarding risk appetite
Defining risk appetite for strategic risk
Defining risk appetite for reputational risk
Defining risk appetite for operational risk
Allocating the risk appetite among different business units
Translating the risk appetite for individual risk types into quantitative risk limits
Integrating stress testing results when defining risk appetite
Gaining the active participation of business units in implementing the risk appetite and risk limits
Chart values: 55%, 55%, 38%, 37%, 35%, 21%, 18%, 11%
20. "Nearly 90 percent of firms do not conduct a risk assessment when outsourcing production."
"Risk: It's Time to Measure It," Harvard Business Review
21. ERM Framework – The History
1950s-1960s: Traditional Risk Management ("TRM")
1970s: Risk management gains wider acceptance
1977: Foreign Corrupt Practices Act ("FCPA")
1980s: Companies begin Risk departments, typically focused on insurance
Early 1980s: Increased focus on internal control and compliance
1985: National Commission on Fraudulent Financial Reporting (Treadway Commission)
1990s: Risk management matures as companies begin to focus on "business risk"
1992: Committee of Sponsoring Organizations ("COSO") published Internal Control – Integrated Framework
1990s-2000: Continued focus on internal control, risk management, and responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, others)
2002: Sarbanes-Oxley Act of 2002
2004: Release of COSO ERM Integrated Framework
Enterprise Risk Management is intertwined with the development of internal control standards and the regulatory environment.
22. ERM Framework – The Defined Framework
Japan Financial Services Agency (JFSA) – ERM Framework 2013
ISO 31000:2009 the new International Risk Management Standard
Federation of European Risk Management Association (FERMA)
Risk and Insurance Management Society (RIMS)
Basel II – Integrated Risk Management Solution
COSO ERM framework
AS/NZS 4360:2004
RIMS Risk Maturity Model
23. ERM Framework – The COSO Framework
1. Entity objectives
2. Activities at all levels
3. The eight components of the framework
24. ERM Framework – Telkom ERM Framework
Telkom's ERM system refers to the COSO ERM framework. Risk management is inherent in the implementation of GCG as well as in the internal control mechanism within the company.
Therefore, since 2008 we have established and developed:
Structural Aspects, which include developing the risk management vision, mission, commitment, tone at the top, a conducive internal environment, policy, competence development, IT tools and systems.
Operational Aspects, which include determining Risk Acceptance Criteria, conducting risk assessment and developing function-specific risk management.
Maintenance Aspects, which include monitoring risk management implementation, periodic risk reporting, safeguarding the continuity of competency development, and regularly assessing the quality of risk management implementation through the Risk Management Index, Risk Culture Survey and Risk Maturity Level.
25. "An ounce of prevention is worth a pound of cure."
- BF
26. ERM Framework – Road Map
Developed Risk Management Implementation and Creating values
Timeline: 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, Beyond
• Policy restructuring
• Risk Assessment
• Risk review of initiatives
• Socialization and internalization
• Risk Management Information System and ISMS implemented
• Standing procedures (Protap), standard agreements and standard processes for completing legal documents and legal assistance become the standard reference for every Legal Compliance activity
• A Legal Compliance Information System is available
• Competence improvement in C&RM
• Firm enforcement of sanctions for violations of service levels and policies
• Ensure every unit's KPIs include a risk measure
• Clear reward and punishment tied to meeting the existing risk indicators/ratios
• Risk monitoring and reporting system implemented
• Increased understanding and awareness of the role of law
• Information systems become part of every employee's performance of duties.
• Efficiency ratio, loss ratio and potential risk ratio become one of the main "enterprise-wide" KPIs
• Ensure risk assessment is performed for every business process, policy initiative and decision
• Ensure timely information on early risk conditions is available (early warning signal)
• Legal compliance is part of every activity
• Company transactions are carried out safely and are legally protected.
• Added value for every product/initiative that has undergone risk assessment
• Ensure the effectiveness of risk-control mitigation plans
• The company has a legal control system able to detect violations/problems early.
• Implementation of Governance, Risk, Compliance + Culture (GRC)
• Become a role model for risk management in the telco industry
• Ensure secure enterprise security across all existing systems and zero revenue leakage (no leakage)
• Legal compliance of every Management action in running the company, in line with internal and external regulations.
• Ensure risk management is carried out effectively at every level of the company's entities
• Ensure risk management is carried out in subsidiaries (Telkom Group)
• Integrated risk assessment for operations (Security, IT, Asset, Infrastructure/network)
• Legal compliance of every Management action across the entire Governance boundary (Mandatory and Voluntary)
• Drafting of the IT-based GRC concept
• Use of risk-management-based data in company decision-making, based on the early warning system
• Combining Key Risk and Key Performance data in preparing the RKAP (company work plan and budget)
• Integrated risk-based approach in the management system (IMS: BCMS, ISMS, QMS)
• Fully comply with all boundaries of Governance (Mandatory and Voluntary)
• IT-based GRC scheme under development
• New Concept of Risk Management implemented, coinciding with Organization Restructuring.
• Enhanced integrated risk-based approach in the management system (IMS: BCMS, ISMS, QMS and IT-SMS)
• Fully comply with all boundaries of Governance (Mandatory and Voluntary)
• IT system of GRC
• Early warning for all system management.
• Fully integrated risk-based approach in the management system (IMS: BCMS, ISMS, QMS)
• Fully comply with all boundaries of Governance (Mandatory and Voluntary)
• IT system of GRC running
27. ERM Framework – Telkom ERM activities
Telkom's ERM activities are carried out through:
1. Quarterly review and monitoring of unit (and subsidiaries) risk management.
2. Preparation of regular quarterly Risk and Compliance Analysis Reports.
3. Meetings to discuss corporate risks at BoD as well as BoC level.
4. Measurement of risk culture implementation through internal surveys conducted on a number of respondents.
5. Measurement of risk management maturity level (ERM Maturity Level).
The data to be considered:
1. Country-related risks such as changes in politics, society, macro economy and natural disasters.
2. Company-related risks (Operational, Financial, Legal compliance, Regulatory, Competition, Market, etc.)
3. Any external and internal change.
4. Governance requirements.
5. Interested parties' requirements.
28. ERM Framework – Risk Based RKAP
RKAP 2016
Risk Profile 2016
RISK APPETITE 2015
Risk Profile 2015
Macro economy, industry, competition, technology, regulation
Benchmark & Risk Assessment
CSS 2016-2020
RKAP 2015
LM TW 1,2 2015
Draft CAM 2015
BoD input
Unit Risk Profile
Indicates the risk level and the priority of mitigation programs in order to avoid the risk of failing to achieve the company's objectives
29. ERM Framework – ERM Process
VISION & MISSION
STRATEGIC OBJECTIVE
Corporate Strategy
DIRECTIONAL - Disruptive competitive growth: Need to achieve double digit growth by 2020.
PORTFOLIO - Customer value through Digital TIMES portfolio: More focus on Digital businesses.
PARENTING - Strategic Control: More streamlined control on subsidiaries
10 Strategic Initiative
2016's Corporate Risk
GBP/MPCAM 2016
RKAP 2016
RKM
Mitigation Plan
Corporate Risk factor 2016-2020
Risk & Opportunity
Subsidiaries, Business Unit, Division
Top-Down Risk Assessment Scheme
Bottom-Up Risk Assessment Scheme
30. ERM Framework – Risk Map
[Risk map: Likelihood against Impact, each on the scale Very Low (VL), Low (L), Medium (M), High (H), Very High (VH), with the Appetite line. Plotted clusters as extracted: O4, C3; O1 | S1; C1 | F1; F2; F3 | C2; S3; S4 | S2 | O2 | O3]
F.1 Increased Foreign exchange
F.2 Increased Interest Rate
F.3 Fail in Managing Liquidity
S.1 Less/decline Product Competitiveness
S.2 Failure in M&As activities and Partnership
S.3 Failure to maximize technology as a competitive value
S.4 Failure in Corporate University program
C.1 Regulatory Pressure and Impediments
C.2 Business dispute and litigation
C.3 Late submission of Financial Statements and Deficiency on ICOFR
O.1 Failure in managing Information and Technology
O.2 Revenue Leakage
O.3 Business Interruption
O.4 Failure to max. Revenue Over Invested Capital expenditure
31. ERM Framework – Risk Radar
Strategic Risks
Less/decline Product Competitiveness
Failure in M&As activities and Partnership
Failure to maximize technology as a competitive value
Failure in Corporate University program
Compliance Risks
Regulatory Pressure and Impediments
Business dispute and litigation
Late submission of Financial Statements and Deficiency on ICOFR
Operation Risks
Failure in managing Information and Technology
Revenue Leakage
Business Interruption
Failure to Maximize Revenue Over Invested Capex
Financial Risks
Increased Forex
Increased Interest Rate
Fail in Managing Liquidity
32. ERM Framework – Risk Treatment
Commonly, there are 4 types of risk treatment that can be taken:
Risk Transfer (Sharing Risk)
To move the exposure and its severity (risks) to a 3rd party.
This refers to transferring the risk to a third party, e.g. outsourcing, partnership, insurance, etc.
Risk Accepted (Retention)
If the cost is beyond its risk (exposure). Note: Cost > Risk
Here the company accepts the risk, based on the calculation that it is below the company's appetite.
Risk Reduction (Limitation)
Optimization process of remedy, to reduce its severity.
'Optimization' is a program undertaken to reduce the severity caused by the existing potential risk (self-insured).
Risk Avoidance (Elimination)
Withdrawing from an initiative, business plan, etc., in view of the potential risks.
Avoiding the occurrence of the risk; chosen when an action (initiative, mitigation, business plan, etc.) is to be carried out with its potential risks taken into account.
33. ERM Framework – Operational Risk Management in Telkom
Operation Risks, with Risk Level, Risk Treatment (Mitigation) and Key Risk Indicators:
Failure in managing Information and Technology
Risk Level: High
Risk Treatment: Reduce: Update Tech. Transfer: Partnership
Key Risk Indicators: Applications and IT System; IT Security, Customer Base, Big Data, Data Warehouse System
Revenue Leakage
Risk Level: Very High
Risk Treatment: Reduce: Control, System Update, Process update, Customer check, etc.
Key Risk Indicators: Fraud, Transaction, No Bill, Bad debt
Business Interruption
Risk Level: Very High
Risk Treatment: Reduce: Asset protection, Early warning system security, BCMS, Simulation/exercise. Transfer: Outsources, Insurance.
Key Risk Indicators: Network failure, human error, downtime network, SLG, SLA; Catastrophe: natural hazard, earthquake, fire, lightning, tsunami, etc.
Failure to Maximize Revenue Over Invested Capital expenditure
Risk Level: Very High
Risk Treatment: Reduce: Asset Management, CAPEX-tracking, Synergy, total solution, product management.
Key Risk Indicators: ROA, ROI, Revenue, Cost, Impairment Value, etc.
Risk Dashboard: Asset Failure, Business Interruption, Revenue Leakage
34. If your User Interface even vaguely resembles an airplane cockpit, you're doing it wrong.
- JOHN GRUBER
35. Takeaway
Beware of risk as a 'black swan' phenomenon
It's 'weird' to do business with no risk
Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.
Risk is about running the business; manage it!
If you only take small risks, you are only entitled to a small life
36. ERM Implementation at TELKOM
Objectives v. Risk Management
STRATEGIC OBJECTIVE
Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
10 Strategic Initiatives:
1. Optimizing POTS and Strengthening Broadband
2. Consolidate & Grow FWA Business and Manage Wireless Portfolio
3. Integrated Telkom Group Ecosystem Solutions
4. Invest in IT Services
5. Invest in Media & Edutainment Business
6. Invest in Wholesale and Strategic int'l Opportunities
7. Invest in Strategic domestic opportunities that leverage the assets
8. Integrate NGN & OBCE
9. Align Business Structure and Portfolio Management
10. Transforming Culture
Company's Objectives
1. Ensure the reliability of the Company's Objectives.
2. Provide a measurable picture of the steps/milestones toward achieving the Objectives.
3. Provide alternatives for achieving the Objectives.
4. Account for the allocation of resources in achieving the Objectives.
5. Anticipate developments that affect the achievement of the Objectives.
6. Optimize potential and opportunities in achieving the Objectives.
37. RISK BASED KRIs and KPIs – Company's Objectives
• Determine the 'key business objectives' based on the corporate strategy
• Identify the risks that affect the achievement of the objectives.
• Compile the Risk Profile (a company-wide risk profile)
• Determine the risk tolerance criteria/level based on the results of the likelihood and potential impact assessment.
• Determine the allocation of mitigation plans (the right strategy), resources and accountability for managing the risks.
• Execute the strategy (mitigation) and identify KRIs and KPIs that are measurable financially and operationally.
• Monitor progress to identify potential performance improvements in achieving the objectives.
38. RISK BASED KRIs and KPIs – Company's Objectives
Managing Business Risk within your organization
[Diagram: six components, each with its own Focus and Review Areas: Business Objectives; Event Identification; Significant Business Issues; Control Activities; Risk Response; Risk Assessment]
Items listed on the slide:
Client Mission Statement; Client Objectives; Business Unit Objectives; Targets; Performance Measures
Current Major Issues; Potential Future Events; Capture Process; Impacts Analyses; Response Management; Planning Process
Key Drivers; Dependencies; Performance Management; Track Record; Completeness; Integration; SMART
Roles & Responsibilities; Data Management; Issues Management; Integration with Business Planning
Event Portfolio; Internal/External; Capture Process; Repository; Maintenance / Refresh
Roles & Responsibilities; Data Management; Event Management; Integration with Business Planning
Risk Portfolio; Definitions; Categorizations; Assessment Criteria; Structure
Roles & Responsibilities; Timing & Frequency; Expert Involvement; Consistency
Client Business Process Model; Policies; Procedures
Response Portfolio; Definitions; Decision Drivers; Decision Criteria; Process
Completeness; Communications; Training; Roles & Responsibilities; Monitoring Effectiveness
Process; Roles & Responsibilities; Decision Protocols; Reporting; Timing
39. RISK BASED KRIs and KPIs – Company's Objectives (cont.)
Thus, if the Company's Objectives are managed without regard to the risk management system (ERM), alignment with strategic issues, the direction of business development, and operational conditions, the system will lose its footing in the company's operations. A link is therefore needed as its navigation and control instrument, in this case a risk management system based on KRIs and KPIs, so that:
1. Management learns early of the potential failure to reach the company's targets/objectives because of risk developments.
2. Management can draw up effective mitigation programs to anticipate risk developments.
40. RISK BASED KRIs and KPIs – Risk Identification
Risk Identification
is the process of recognizing every possibility (event) that arises in a business activity and relates to the company's objectives.
Accurate and comprehensive risk identification is vital in risk management.
One important aspect of risk identification is recording (registering) as many of the risks that may occur as possible.
The COSO Framework distinguishes between Risk and Opportunity: possibilities (events) with a negative impact are called Risks, while Opportunities are possibilities (events) that can have a positive impact (natural offsets/opportunities) and support the strategy in achieving the objectives.
41. RISK BASED KRIs and KPIs – Risk Identification: The Technique
Risk identification yields a body of information about risk events, about the causes of the risk, and even about the impacts the risk can produce. Techniques that can be used for risk identification include:
Benchmark
Professional Judgement (opinion of experts in the field)
Interviews, Survey (observation)
Historical information (analysis of historical data)
Working groups (Brainstorming)
etc.
42. RISK BASED KRIs and KPIs – Risk Identification: The Technique (cont.)
Benchmark
Seeking information about risks at other places or companies that are similar at some level (e.g. similar market, business portfolio, industry, etc.)
Benchmark data must be adjusted to the actual conditions occurring and directly faced by the company.
Examples:
– From news in the mass media or on the internet, it can be learned that natural disasters have a very high probability of occurring in Indonesia. This shows that, in general, the risk of Business Interruption due to natural disasters is very large.
– World oil prices rise?......
– Bank interest rates in the US fall?.....
– Airline ticket prices rise?.....
43. RISK BASED KRIs and KPIs – Risk Identification: The Technique (cont.)
Professional Judgment (opinion of experts in the field)
Seeking information from experts in a particular risk area about the risks that affect one of the company's objectives
Examples:
By asking a banker, it can be learned that unstable economic conditions in the US carry a Foreign Exchange risk for transactions that use foreign currency (US Dollar)
By asking a doctor, it can be learned that people with high cholesterol levels are at risk of heart disease
44. RISK BASED KRIs and KPIs – Risk Identification: The Technique (cont.)
Observation/Survey
Investigating or collecting data directly at the place of occurrence through questionnaires or interviews (primary data)
Examples:
By conducting a CSLS (Cust. Loyalty and Satisfaction Survey), it can be learned that a low satisfaction level carries the risk of customer churn
By observing the production process and the availability of the PLN power supply, it can be learned that the company faces the risk of power outages (Interruptible Power Supply)
Validity of secondary data?.....
45. RISK BASED KRIs and KPIs – Risk Identification: The Technique (cont.)
Historical Data Analysis
• Uses the various information and data available in the company about everything that has happened
• Historical data should usually cover more than one past period so that risk predictions are more accurate
• Examples:
From historical personnel data, it can be learned that the company faces the risk of losing important employees
From historical financial data, the risk of declining revenue growth can be learned
From historical market data, the risk posed by the level of competition in an industry can be learned
46. RISK BASED KRIs and KPIs – Risk Identification: The Technique (cont.)
Working Groups (Brainstorming)
Using various information and data, the risk management team holds a creative thinking discussion (brainstorming) to recognize the potential risks of an objective
Successful creative thinking usually produces an accurate formulation of the risks of an objective
Example:
From global market data, brainstorming reveals that the company's objective to 'invest broadband' will face risks: technology and competition, country risk factors, etc.
47. RISK BASED KRIs and KPIs – Alignment KPIs and KRIs
Alignment Process
Alignment between KRIs and KPIs is therefore highly significant so that the objectives can be achieved.
KRI and KPI alignment process:
Identify risks
Quantify risk
Identify actions required
Monitor performance
Monitor changes (internal/external)
Update objectives
Agree acceptable risk levels
Identify risk related actions
Agree strategic objectives
Risk Management
Performance Management
48. RISK BASED KRIs and KPIs – Defining Key Risk Indicators
Definition
Key Risk Indicators (KRIs) are the key factors of a risk that are used in the management process to determine the level of risk in a business activity. They are indicators of the possibility of future adverse impact.
KRIs give management an 'Early Warning' signal for identifying events that could hinder a program/activity.
These measures are usually presented as statistical data or particular matrices, with a certain formula or model, that provide information on the position of a risk faced by the company.
KRIs differ from Key Performance Indicators (KPIs): KPIs are intended as measures of the success of a work program (business activities related to the objectives).
49. RISK BASED KRIs and KPIs – Defining Key Risk Indicators (cont.)
Grouping of KRIs
Key Risk Indicators (KRIs) can basically be grouped into 4 (four) categories:
Coincident indicators: measures that represent failures occurring simultaneously in internal business processes. For example, failure to complete a procurement/investment project, which at the same time carries the risk of failure to develop technology-based products.
Causal indicators: measures of failure that derive from the failure of an event (root cause events). For example, the risk of technology failure that causes the risk of customer churn.
Control effectiveness indicators: measures of the level of failure derived from the performance monitoring process. For example, the percentage increase in ARPU of Flexi customers.
Volume indicators (Inherent Risk Indicators): usually equated with KPIs; they can determine the position of the likelihood and impact of a risk (these indicators usually correlate with other risks). For example, number of customers, bandwidth capacity, etc.
50. RISK BASED KRIs and KPIs – Defining Key Risk Indicators (cont.)
Method for Determining KRIs
Several approaches can be used to determine KRIs accurately and effectively. One effective and well-structured approach uses 6 steps (related to 6-sigma tools):
1. Identify existing metrics.
2. Assess gaps.
3. Improve metrics.
4. Validate and determine trigger levels.
5. Design dashboard.
6. Establish control plan.
These six steps are one approach that can be applied to determine KRIs, from identifying KRIs and validating them to implementing them as Early Warning in any kind of business model.
51. RISK BASED KRIs and KPIs – Defining Key Risk Indicators (cont.)
1. Identify existing metrics.
To determine KRIs, the first step is a Risk Assessment, so that all events can be identified, assessed and grouped together according to particular criteria that can be monitored and analysed by root cause (cause-and-effect analysis). Tools that can be used include, for example, the fishbone diagram.
In determining KRIs, the important events that directly affect the risk (inherent risk) as well as the residual risk are usually identified.
The next step is to determine a metric (candidate KRI) for each high-risk event (high risk potential events).
In determining KRIs, the more event measures (metrics) that influence a risk, the more effective the KRIs are in depicting the potential risk.
As common practice, for effective KRIs a risk usually comprises 5 to 10 potential KRI metrics and contains at least one KRI category (type: coincident, causal, control, and volume).
Example:
Determining the risks in call-center operations.
The risks identified are: customers not handled professionally and inaccurate customer information
52. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
2. Assess gaps.
Once the inventory of all potential KRIs is complete, the next step is to evaluate the suitability and effectiveness of each indicator (metric). Two (2) tools are used:
the gap assessment
the design matrix
The gap assessment shows whether the indicators (metrics) in the inventory will be effective as KRIs. The measure used is based on a composite score table; usually a score above 4 is sufficient for an indicator to qualify as a KRI.
53. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
The 0-1-3-9 scoring criteria are used. Using the design matrix, each indicator that receives a score of 9 is given a rating of Y.
By considering these 2 tools, the indicators (metrics) that are suitable and effective as KRIs can be determined.
The design matrix is a 6-sigma based matrix table that shows the relationship between the Risk Event Drivers (RED) and the indicators in the inventory. REDs are the root causes that influence the occurrence of events (indicators). Each RED is weighted according to its percentage contribution.
54. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
3. Improve metrics.
The 'improve metric' process compares the assessment results from the 2 (two) tools, the gap assessment and the design matrix. The comparison is done as follows:
Analyze the indicators that have a score of '9' in the design matrix but received a low score in the gap assessment. If a solution or justification can be found for the low score, the indicator can be considered as a KRI.
Next, analyze the indicators that received a high score in the gap assessment but did not receive a '9' in the design matrix. If there is a modification that significantly improves the rating in the design matrix, the indicator can also be made an alternative KRI. At this stage, modifications to the potential KRIs (indicators) are possible.
This step closes by deleting all indicators that do not show a sufficient relationship in the assessments from the two tool tables.
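The comparison described in steps 2 and 3, worked through as an added example (not part of the original slides). The metric names, RED names, weights and scores are constructed sample data, and treating rating Y as "any 9 in the indicator's row" is an assumption, since the slides' own tables are not reproduced here.

```python
GAP_THRESHOLD = 4         # slides: a composite score above 4 qualifies
ALLOWED = {0, 1, 3, 9}    # slides: 0-1-3-9 scoring criteria

def design_rating(row, weights):
    """Weighted score and Y/N rating for one indicator's design-matrix row."""
    # row: RED -> 0/1/3/9 score; weights: RED -> % contribution (total 100).
    if set(row) != set(weights):
        raise ValueError("row must score every RED exactly once")
    if any(score not in ALLOWED for score in row.values()):
        raise ValueError("scores must be 0, 1, 3 or 9")
    if sum(weights.values()) != 100:
        raise ValueError("RED weights must total 100%")
    weighted = sum(weights[red] * score for red, score in row.items()) / 100
    # Assumption: an indicator is rated Y when any RED relationship scores 9.
    return weighted, ("Y" if 9 in row.values() else "N")

def triage(gap_scores, matrix, weights):
    """Classify each candidate metric the way step 3 compares the two tools."""
    result = {}
    for name, gap in gap_scores.items():
        _, rating = design_rating(matrix[name], weights)
        high_gap = gap > GAP_THRESHOLD
        if high_gap and rating == "Y":
            result[name] = "KRI"
        elif rating == "Y":
            result[name] = "review: justify or fix low gap score"
        elif high_gap:
            result[name] = "review: modify metric to raise matrix rating"
        else:
            result[name] = "drop"
    return result

# Constructed sample data for a call-center risk (not from the slides).
WEIGHTS = {"staff_skill": 50, "system_data": 30, "call_volume": 20}
MATRIX = {
    "abandoned_call_rate": {"staff_skill": 3, "system_data": 1, "call_volume": 9},
    "crm_record_errors":   {"staff_skill": 1, "system_data": 9, "call_volume": 0},
    "avg_handle_time":     {"staff_skill": 3, "system_data": 3, "call_volume": 3},
    "office_temperature":  {"staff_skill": 0, "system_data": 0, "call_volume": 1},
}
GAP = {"abandoned_call_rate": 4.6, "crm_record_errors": 3.2,
       "avg_handle_time": 4.4, "office_temperature": 1.5}

if __name__ == "__main__":
    for metric, decision in triage(GAP, MATRIX, WEIGHTS).items():
        print(f"{metric:22s} {decision}")
```

The two "review" outcomes are the cases step 3 sends back for justification or metric modification; only metrics that fail both tools are dropped.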
55. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
4. Validation and trigger-level identification.
The previous steps usually rely on 'subjective judgment' to assess the relationship between the risk-event drivers and the metrics. For indicators where the relationship between 'the risk-event drivers and the metrics' can be stated reasonably (at the operational level, self-evident), validation is not necessary.
However, if there is a new metric (see step 3, metric modification), a validation process is needed to confirm that the metric is a KRI.
Validation generally uses historical data; if none is available, suitable assumptions can be made to describe the correlation between 'the risk-event drivers and the modified metrics', so that the trigger level identification is obtained (see the example alongside).
56. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
5. Dashboard design.
As part of determining KRIs that are suitable and effective in depicting how risks develop, the 'dashboard' is a very important component for business managers, process owners, and senior management.
The dashboard is part of the risk management process and is useful in the 'monthly business review' and other meetings related to achieving the company's objectives.
The dashboard usually uses charts and tables that show accurate and comprehensive information on the company's risk condition and the KRIs that are of concern to management.
57. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
6. Control plan and escalation criteria.
The main function of the 'control plan' is to ensure that escalation criteria ('escalation criteria and roles') are available for intervention on the agreed KRIs. That way, whoever applies treatment to KRIs that affect the company's objectives, and whenever they do so, the treatment does not cause changes to the processes and procedures established at the outset.
Generally, a 'control plan' contains: the KRI metric, the measurement frequency, a description of the measurement system, goals, trigger levels, escalation criteria, and the owner for the escalation criteria (as shown in the example table below).
58. RISK BASED KRIs and KPIs – Defining Key Risk Indicators…cont.
[Figure: diagram with the labels Ready to sell, Ex-disconnections, Repair, Existing Potential, Deployment, Sales, Churn, Net Add & ARPU, Poor product quality, Poor after-sales service, Uncompetitive price, Usage, Price, Tariff, Gimmick, Arrears, Aps, Disconnection by management, Turnover, Competitor, Voice, Data, SMS, Demand, Penetration]
59. RISK BASED KRIs and KPIs – Structuring Vision-Mission - KRIs
Vision - Mission
STRATEGIC OBJECTIVE
Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
Corporate's 10 Strategy Initiatives
Significant Risks
Notable Significant Risks
Deployment Thru Risk Identification & Assessment
Risk Relate to Performance
Financial Risk, Strategic Risk, Operational Risk
Business Growth, Revenue Leakage, Business Interruption, Forex, Interest Rate, Liquidity, Cost Eff. & Effect., Control Eff. & Effect.
Co-Incident Indicators, Causal Indicators, Volume Indicators
Key Risk Indicators
60. RISK BASED KRIs and KPIs – Defining Dashboard
[Figure: Early Warning System dashboard for Business Growth. Labels: Risks (Strategic Risks, Financial Risks, Operational Risks, Market Risks); Risk Map/Level; Key Risk Indicators (Minutes of usage, # LIS Current, # LIS Churn, Tariff); TLKM's Products (Flexi, Speedy); Data Warehouse; TLKM's Existing Applications (TiBs, TREMs, TiCAREs); Internal Sources; External Info.; Dynamic MAP Indicators (S1, Appetite)]
PTA1 = f [KRI1, KRI2, …, KRIn]
if, for instance,
f (x) = KRI1 x (KRI2 - KRI3)
61. Level of Maturity and Its Measurement
Telkom's Perspective
Public Relation
Compliance
Protection
Optimization
Value Creation
Risk Maturity Graph
Level Maturity
Excellent Strong Adequate Weak Weak [Nonexistent]
Level 5: Level 4: Level 3: Level 2: Level 1: Nonexistent
Leadership Managed Repeatable Initial Ad hoc
Standard & Poor's ERM Quality Classifications
Excellent
Advanced capabilities to identify, measure, manage all risk exposures within tolerances
Advanced implementation, development and execution of ERM parameters
Consistently optimizes risk adjusted returns throughout the organization
Strong
Clear vision of risk tolerance and overall risk profile
Risk Control exceeds adequate for most major risks
Has robust processes to identify and prepare for emerging risks
Incorporates risk management and decision making to optimize risk adjusted returns
Adequate
Has fully functioning control systems in place for all of their major risks
May lack a robust process for identifying and preparing for emerging risks
Performing good classical "silo" based risk management
Not fully developed process to optimize risk adjusted returns.
Weak
Incomplete control process for one or more major risks
Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Where does your organization stand?
62. MATURITY LEVEL – Revenue Assurance Framework
Level 1, Dependent: Ad-hoc, chaotic. Dependent on individual heroics.
Level 2, Repeatable: Basic Project/Process management. Repeatable tasks.
Level 3, Defined: Standardized approach developed. Designing-in control commences.
Level 4, Managed: Leakage quantitatively understood and controlled.
Level 5, Optimizing: Continuous improvement via feedback. Decentralized ownership, holistic control.
63. MATURITY LEVEL – ERM Maturity Methodology
The stages of the ERM maturity assessment are as follows:
64. MATURITY LEVEL – ERM Maturity Methodology
The ERM maturity assessment model consists of 3 assessment components, as follows:
65. MATURITY LEVEL – ERM Maturity Methodology
Based on research/literature review and international cases, as well as in-depth interaction with a large number of companies in Indonesia through both consulting and competency development activities, a model was developed to measure the maturity level of ERM implementation in a company, as follows:
66. MATURITY LEVEL – ERM Maturity Methodology
Ad hoc level: No ERM policy. ERM is a compliance issue and implemented by a so-called risk management team or persons. Commitment of corporate board, executive, and management is lacking.
Basic level: ERM policy and structure. Risk assessment is conducted by some units of the entity. Silo and fragmented approach. Commitment of corporate board, executive, and management is weak.
Defined level: ERM is conducted throughout the entity. Risk data is available but limited. Qualitative and some degree of quantitative approaches to risk assessment. Risk management is reported regularly. Commitment of corporate board, executive, and management is normally strong.
Quantified level: Extensive use of internal and external data for risk quantification. Utilising quantitative methods in analysing risks. Confidence level towards risk management results is strong and high. Commitment of corporate board, executive, and management is very strong.
Optimised level: All decisions are risk based, risk-adjusted performance measures. Risk optimisation to achieve strategic competitiveness. Commitment of corporate board, executive, and management is extremely strong.
67. MATURITY LEVEL – ERM Maturity - Result
Total, Corporate and Unit - Maturity Assessment Score
68. MATURITY LEVEL – ERM Maturity - Result
Total - Maturity Assessment Level