
Risk Management

Essential

Tim BPKP Pusat

Today's organizations are concerned about:
- Risk
- Management
- Governance
- Control
- Assurance (and Consulting)

ERM Defined:
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: COSO, Enterprise Risk Management - Integrated Framework, 2004.

Why ERM Is Important

Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important

ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control - Integrated Framework

- Expands and elaborates on the elements of internal control as set out in COSO's control framework.
- Includes objective setting as a separate component. Objectives are a prerequisite for internal control.
- Expands the control framework's financial reporting objective and its risk assessment component.

Risk Management Governance

STRUCTURAL ASPECT
- Commitment
- Risk management (RM) policy
- Accountability and leadership
- Existence of an RM work unit
- An RM administrator in each work unit
- Provision of resources

OPERATIONAL ASPECT
- RM guidelines
- Launch, socialization, training
- Implementation techniques and methodology
- Reporting system
- Monitoring and performance measurement
- Record-keeping, data administration, and RM information

MAINTENANCE ASPECT
- Continuing training
- Communication and publication
- Review and audit of RM implementation
- Benchmarking

ERM Roles & Responsibilities

- Management
- The board of directors
- Risk officers
- Internal auditors

Example Responsible, Accountable, Consulted, & Informed (RACI) Matrix

Roles (columns): Board of Commissioners (Dekom) | Risk Committee | Board of Directors | RM Work Unit (Satker MR) | Risk-Taking Unit (RTU)

Stages (rows):
1. Preparation
2. Communication & consultation
3. Establishing the context
4. Risk assessment
   a. Identification (A/R)
   b. Analysis (A/R)
   c. Evaluation (A/R)
5. Risk treatment / risk response
6. Monitoring & review
7. Reporting (R/C)

Only the cell values shown in parentheses survive from the original matrix; the role each applies to is not recoverable from the extracted page.

Risk Management Organization Chart, PT ABC (figure; recoverable structure only)

- Board of Commissioners
  - Business Development & Risk Management Committee
  - Audit Committee
- President Director
  - Corporate Secretary Division
  - Internal Audit Division
  - Board of Directors = Investment & Risk Management Executive Committee
    - Operations Director
    - Finance Director
      - Investment & Risk Management Department
      - Legal Division
      - HSE Division
    - HR & General Affairs Director
    - Business Development Director
  - GSC Division, with Risk Champion (GSC)
  - EDS Division, with Risk Champion (EDS)
  - OFS Division, with Risk Champion (OFS)

Legend: administrative reporting line; functional reporting line (the Risk Champions report functionally to the Investment & Risk Management Department).

Internal Auditors

- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements

Internal Auditor (The IIA, 1999)

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Auditors
Visit the guidance section of The IIA's Web site for The IIA's position paper, "The Role of Internal Auditing in Enterprise-wide Risk Management".

Internal Audit's Role

Core risk-based internal audit roles:
- Giving assurance on risk management processes
- Giving assurance that risks are assessed appropriately
- Evaluating risk management reporting
- Reviewing the management of key risks

Legitimate internal audit roles, with safeguards:
- Facilitating risk responses
- Giving advice on managing risks
- Championing establishment of ERM
- Consolidated reporting on risks
- Central co-ordinating point for ERM
- Maintaining and developing the ERM framework
- Developing risk management strategy for board approval

Roles internal audit should not undertake:
- Setting risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses
- Accountability for risk management

Standards

- 2010.A1: The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1: Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1: When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

ERM Key Implementation Factors

1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design

- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage

- Mission: To provide high-quality, accessible and affordable community-based health care.
- Strategic Objective: To be the first or second largest, full-service health care provider in mid-size metropolitan markets.
- Related Objective: To initiate dialogue with leadership of 10 top underperforming hospitals and negotiate agreements with two this year.

Where is Risk Management applied?

- Risk across the whole enterprise
- Risk across departments
- Risk at the departmental level
- Risk at the strategic level
- Risk at the program level
- Risk at the project and operational stage

Establish ERM

- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Keys to Successful Risk Management

- Full support of management and staff
- Availability of information and easily understood processes
- Responsibility taken by implementers, activity owners and risk owners
- Adequate resources to support risk management implementation
- Continuous communication and training
- Means to measure the results achieved
- Enforcement of rules
- Continuous monitoring
