
ENTERPRISE RISK MANAGEMENT

2023 – Class A
H. Citra Sukmadilaga, S.E., MBA, Ak., Ph.D
Dr. (Cand.) Humbul Kristiawan SE, Ak., MBA, CA, CIA, CICA, CACP
humbul@gmail.com
+62 812 940 4396

AGENDA

• Opening of the ERM class
• Introductions
• Syllabus overview
• References
• Co-develop expectations
• Others

My Professional Life Journey
Humbul Kristiawan

Audit Committee
Bank UOB Indonesia
Integrated Governance Committee
Bank BJB
Understanding the Problem is Half of the Solution

What is Risk ???

Risk management case illustration – David Koenig Speech
Condition:
One day you find yourself walking down a hallway. There is a person standing by an
open doorway. That person offers you US$100 to walk into the room, go to the other
side of the room and then come back out. You sense an opportunity to earn US$100.
The room is completely dark and you have no idea what is awaiting you upon your
entry, creating some uncertainty. You may rely on instinct, your experience with dark
rooms or some quick assessment of your potential business partner before deciding to
assume the risk of entering.
At this moment, you hear a scream come from the dark room. Your assessment of the
risk has hopefully changed. But, in fact, you still do not know very well what your risk
may be…why the scream was heard.
Next to the person offering you US$100 stands a second person holding a flashlight.
That person offers to sell the flashlight to you for US$10. The risk management
process has begun. With the flashlight you can shine it into the room and try to find out
from where the screams are coming. But risk still remains as you cannot see what is
just inside the door or in the nearest corners of the room, and you cannot illuminate
much of the room at any one time.
David Koenig is Executive Director of PRMIA
Case illustration (cont’d)
Condition:
Another person arrives and offers to sell you their floodlight for US$50. The floodlight
will illuminate all of the room at one time, except, again for the corners closest to you.
Your risk could be greatly diminished by purchasing the floodlight, so too will your
potential net reward. You are continuing to gather information, though, and will thus be
able to make a better decision.
A fourth person arrives who bravely offers to go into the room on your behalf if you will
pay them US$90. If they come back out, you can collect the US$100 and still be US$10
ahead. You have now been presented with the option of risk transfer.
So, as a good business person, you consider the four alternatives that have been presented
to you. You can assume the full risk yourself and possibly get the full return for your risk,
pay to reduce your risk, or transfer your risk and expect to possibly earn what appears
to be a risk-free reward.

Case illustration (cont’d)

However, our decision, seemingly simple, is alas not so simple. Our full decision process
must take into account the possibility that the person we meet doesn't actually have US$100
to give us, or that some better opportunity awaits us and our risk-taking capacity. Without
knowing the probability of these, we cannot make our best decision.
In this example, risk is the possibility that one might not come out of the room, or that we
might not be paid even if we did make it back.
Risk management is illustrated by the choices presented to us via the flashlight, floodlight
and deputized risk-taker.
Enterprise risk management is the incorporation of all of the data about the decision,
including an examination of what other doors might be open to us further down the hallway
or in different hallways, together.

Case illustration (cont’d)

In this story, substitute a new product or new market for the dark room, view the man at the
door as a commission-hungry sales person and the losses experienced by pioneers with
other new products as the scream you heard, and you might more easily view this illustration
as it applies to your business.
The fact that there have been screams, that there is darkness and that there is a possibility of
loss is not enough reason to avoid the room. All businesses exist to take risk. If one is not
willing to take risk, then there is no point in being in business.

Enterprise risk management is about knowing how to take risk, better…to be confident
about our choice to enter the room or not.
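The four alternatives in the story (assume the risk, reduce it with the flashlight or the floodlight, transfer it to the deputy) can be put side by side once they are given numbers. The Python below is an added example, not part of Koenig's speech or of these slides: the prices are the ones in the story, while the probability that the room is dangerous, the share of the danger each light reveals, the probability that the counterparty actually pays, the size of our own loss if we do not come out, and the loss we are willing to bear (the risk appetite) are assumptions made for illustration.

```python
"""Expected value vs. worst case for the four alternatives in the dark-room story.
Added example; probabilities, the size of our own loss and the appetite are assumptions."""
from dataclasses import dataclass

REWARD = 100.0  # offered for crossing the room and coming back


@dataclass(frozen=True)
class Alternative:
    name: str
    cost: float             # paid up front, whatever happens
    reveal: float           # P(the light shows the danger before we commit); 0 = no light
    transfer: bool = False  # a deputy enters instead of us


# Prices are from the story; how much each light reveals is an assumption.
ALTERNATIVES = (
    Alternative("assume", cost=0.0, reveal=0.0),
    Alternative("flashlight", cost=10.0, reveal=0.6),
    Alternative("floodlight", cost=50.0, reveal=0.9),
    Alternative("transfer", cost=90.0, reveal=0.0, transfer=True),
)


def evaluate(alt, p_danger, p_paid, own_loss):
    """Return (expected net reward, worst case) for one alternative.

    p_danger: P(whoever enters the room does not come out)
    p_paid:   P(the counterparty really has the US$100), the caveat raised in the text
    own_loss: what we lose, on top of the forgone reward, if *we* do not come out
    """
    gain = (1 - p_danger) * p_paid * REWARD  # safe room, crossed, and actually paid
    if alt.transfer:
        # the deputy absorbs the danger; our downside is capped at the fee
        return gain - alt.cost, -alt.cost
    # danger the light failed to show: we walk in and take the loss
    undetected = p_danger * (1 - alt.reveal)
    return gain - alt.cost - undetected * own_loss, -alt.cost - own_loss


def choose(p_danger, p_paid, own_loss, appetite):
    """Best expected value among the alternatives whose worst case we can bear.
    'walk away' (EV 0, no loss) is always on the table."""
    results = {a.name: evaluate(a, p_danger, p_paid, own_loss) for a in ALTERNATIVES}
    results["walk away"] = (0.0, 0.0)
    feasible = {n: ev for n, (ev, worst) in results.items() if worst >= -appetite}
    return max(feasible, key=feasible.get), results


if __name__ == "__main__":
    for appetite in (100.0, 500.0):
        best, table = choose(p_danger=0.2, p_paid=0.9, own_loss=400.0, appetite=appetite)
        print(f"appetite {appetite:.0f}: choose {best}")
        for name, (ev, worst) in table.items():
            print(f"  {name:10} EV {ev:7.1f}  worst {worst:7.1f}")
```

Run with the assumed numbers, it makes the slides' point: the "risk-free" US$10 from transfer is not risk-free once the deputy may not return and the payer may not pay, and the winning option depends on appetite as much as on expected value. With a small appetite only transfer and walking away pass the worst-case check and walking away wins; with a large appetite the flashlight wins, because it is cheap and removes most of the undetected losses.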

Definition of ERM and Risks
By COSO in ERM – Integrated Framework (2004):
“Enterprise Risk Management is a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.”

By COSO in ERM – Integrating with Strategy and Performance (2017):
“Enterprise Risk Management is the culture, capabilities and practices, integrated with
strategy-setting and performance, that organizations rely on to manage risk in creating,
preserving and realizing value.”

while,
“Risk is the possibility that events will occur and affect the achievement of strategy
and business objectives”

Definition of Risk and Risk Management

According to ISO 31000:
Risk is the effect of uncertainty on objectives.
An effect is a deviation from the expected – positive or negative.
Uncertainty is the state, even partial, of deficiency of information related to, understanding
or knowledge of, an event, its consequence, or likelihood.

AS/NZS 4360:1999
Risk is the chance of something happening that will have an impact upon objectives. It is
measured in terms of consequences and likelihood.

Why is Risk Management on the corporate agenda?
• High-profile company collapses in the US (Enron, WorldCom), followed by encouragement
from the SEC and NYSE to adopt risk management activities
• Corporate governance standards and guidelines, especially in highly regulated industries
such as banking and other financial institutions

• Financial analysts and rating agencies are increasingly interested in a company’s ERM
capability. Moody’s and Standard & Poor’s have ERM listed as one of their evaluation
criteria.

A reference – rating agency criterion

Category | S&P | Fitch | Moody's
Separate rating category | Yes | No | To be determined
ERM rating | Yes (Excellent, Strong, Adequate or Weak) | Not applicable | Developing Risk Management Assessment reports that will characterize ability as strength, neutral or weakness
Paper on ERM | Original in October 2005, preliminary results May 2006 and revised in June 2006. More detail on use of companies' own models to be released by end of 2006 | To be released 3rd quarter 2006 | April 2006 presentation at ERM symposium. Insurance ERM to be released by end of 2006
Consideration of ERM in ratings process | Extent of consideration depends in part on the company's ability to absorb risks and the complexity of its risks | To be determined | Meeting with companies to discuss their ERM process and will then determine how ERM will be incorporated into its rating methodology. Has developed Gold Benchmark standards for risk governance, risk management, risk measurement and risk intelligence

Source: Rating Agency Update, September 2006
Events – Risks and Opportunities

• Events can have negative impact, positive impact, or both.
• Events with a negative impact represent risks, which can prevent value
creation or erode existing value.
• Events with positive impact may offset negative impacts or represent
opportunities.
• Opportunities are the possibility that an event will occur and positively affect
the achievement of objectives, supporting value creation or preservation.
• Management channels opportunities back to its strategy or objective-setting
processes, formulating plans to seize the opportunities.

Overview of COSO ERM – Integrated Framework

About COSO
COSO is a voluntary private-sector organization dedicated to improving the
quality of financial reporting through business ethics, effective internal
controls, and corporate governance.
The members of COSO are: the American Institute of Certified Public
Accountants, the American Accounting Association, Financial Executives
International, the Institute of Management Accountants and The Institute of
Internal Auditors.
COSO was originally formed in 1985 to sponsor the National Commission
on Fraudulent Financial Reporting, known as the Treadway Commission, an
independent private-sector initiative which studied the causal factors that
can lead to fraudulent financial reporting and developed recommendations
for public companies and their independent auditors, for the SEC and other
regulators, and for educational institutions.

COSO ERM – Integrating with Strategy and Performance

COSO ERM – Integrating with Strategy and Performance
Focuses on Integration

ERM is defined as “the culture, capabilities and practices, integrated with strategy-setting and
performance, that organizations rely on to manage risk in creating, preserving and realizing value.”

Integrating ERM with business practices results in better information that supports improved
decision-making and leads to enhanced performance.

It helps organizations to:
• Anticipate risks earlier or more explicitly, opening up more options for
managing the risks
• Identify and pursue existing and new opportunities
• Respond to deviations in performance more quickly and consistently
• Develop and report a more comprehensive and consistent portfolio
view of risk
• Improve collaboration, trust, and information sharing

COSO ERM – Integrating with Strategy and Performance
Emphasizes Value

Enhances the focus on value (how entities create, preserve and realize value)

Embeds value throughout the framework, as evidenced by its:
• Prominence in the core definition of enterprise risk management
• Extensive discussion in principles
• Linkage to risk appetite
• Focus on the ability to manage risk to acceptable levels

COSO ERM – Integrating with Strategy and Performance
Links to Strategy

Explores strategy from three different perspectives:
• The possibility of strategy and business objectives not aligning with
mission, vision and values
• The implications from the strategy chosen
• Risk to executing the strategy

COSO ERM – Integrating with Strategy and Performance
Links to Performance

Enables the achievement of strategy by actively managing risk and performance

Focuses on how risk is integral to performance by:
• Exploring how enterprise risk management practices support the
identification and assessment of risks that impact performance
• Discussing tolerance for variations in performance

Manages risk in the context of achieving strategy and business objectives – not as
individual risks

COSO ERM – Integrating with Strategy and Performance
Recognizes Importance of Culture

• Addresses the growing focus, attention and importance of culture
within enterprise risk management
• Influences all aspects of enterprise risk management
• Explores culture within the broader context of overall core values
• Depicts behavior within a risk spectrum
• Explores the possible effects of culture on decision making
• Explores the alignment of culture between individual and entity
behavior

COSO ERM – Integrating with Strategy and Performance
The Five Components and 20 Principles

Correcting Some Misconceptions of ERM

• ERM is not simply a listing of risks (this is called a “risk inventory”). ERM
includes the practices, including creating an appropriate culture, to
manage risks.
• ERM is not just for big corporations. ERM is essential for all
organizations, regardless of size or mission.
• ERM is not the same as internal control. ERM includes a broader
mandate than internal control, in that ERM considers risk appetite and
strategy as central concerns.
• ERM cannot be an add-on activity that functions independently of the
organization’s structure and processes. Instead, ERM must be integrated
into and throughout the organization. Hence, ERM initiatives that are
isolated (not integrated) are likely to be less effective at managing
dynamic risks.
COSO ERM – Integrating with Strategy and Performance

• The initial focus is on mission, vision, and core values, and then onto strategy development and
objective setting.
• The focal point for risk identification may be at any level, such as the overall company, a strategic
business unit, a function, a project, a process, or an activity.
• Without clear objectives, it is impossible to identify events that might give rise to risks that could
impede the accomplishment of a particular strategy or objective—regardless of the scope of the
inquiry.
• Assuming those involved in identifying risks have a clear understanding of the mission, vision, core
values, strategies, and objectives, the appropriate questions to ask are: “What could stop us from
reaching our top goals and objectives?” and “What would materially damage our ability to survive?”
• Those above questions can be modified for the appropriate level of inquiry.
COSO ERM – Integrating with Strategy and Performance

1. Governance and Culture: Governance sets the tone for the organisation and establishes oversight
responsibilities for ERM. Culture relates to ethical values, desired behaviours and understanding of risk.
2. Strategy and Objective-Setting: ERM, strategy and objective-setting work together in the strategic-planning
process. Risk appetite should be aligned with strategy and business objectives to successfully implement
strategy.
3. Performance: Risks that can impact achievement of strategy and business objectives need to be identified
and assessed and risks prioritised by severity in the context of risk appetite, so that risk responses can be
selected.
4. Review and Revision: By reviewing organisation performance, an organisation can consider how well the
ERM components are functioning over time and following substantial change, and what revisions are
necessary.
5. Information, Communication and Reporting: ERM requires a continual process of obtaining and sharing
necessary information, from both internal and external sources, which flows up, down, and across the
organisation.
PERFORMANCE
10. Identifies Risk – The organisation identifies new and emerging risks, as well as
changes to known risks to the execution of its strategy. The risk identification process
should consider risks arising from a change in business context and risks currently
existing but not yet known.
11. Assesses Severity of Risk – Depending on the anticipated severity of the risk,
COSO suggests the use of qualitative and quantitative approaches in assessment
processes. Scenario analysis may be appropriate in assessing risks that could have
an extreme impact.
12. Prioritises Risk – The organisation prioritises risks as a basis for selecting risk
responses using appropriate criteria. Risk criteria might include adaptability,
complexity, velocity, persistence and recovery, as well as acceptable variation in
performance.
13. Implements Risk Responses – Risk responses may accept, avoid, exploit, reduce
and share risk. In selecting risk responses, management considers such factors as
the business context, costs and benefits, severity of the risk, and the appetite for risk.
14. Develops Portfolio View – Portfolio view is a composite view of the risks the
organisation faces relative to business objectives, which allows management and the
board to consider the nature, likelihood, relative size and interdependencies of risks,
and how they may affect performance.
Role of Risk in Strategy Selection
Three key risks exist in strategy selection and implementation.
1. Risk #1—Misalignment. Does our strategy align with our mission, vision, and core values?
– An organization or its executives may engage in behaviors that are inconsistent with the
organization’s values. For example, Enron’s Code of Ethics (easily findable online)
included many lofty statements about Enron’s outstanding reputation for fairness and
honesty. This is a slam-dunk example of a deceitful strategy (cheat shareholders and
customers) misaligning with a lofty mission and values statement.
2. Risk #2—Implications. Do we understand the risk implications of our chosen strategy?
– Every strategy has its own risk profile. Identifying and quantifying these risks is a part of
matching the strategy with the organization’s risk appetite. Identifying and quantifying risk,
as a portfolio view of risk, is challenging but essential to understanding the risk profile of
the strategy chosen.
3. Risk #3—Risks to Success. Will we be successful? Will we achieve the goals specified in
our strategy? What are the influences on the viability of our strategy? (This is the least
important of the three risks.)
– For example, what might threaten our sales goals for this quarter?

Important Factors on The Risk Identification Process

Several important factors to be noted about the risk identification process:

• The end result of the process should be a risk language specific to the company or the unit,
function, activity, or process;
• Clarify the actual risk vs. the causes or impacts of the risk;
• Using a combination of techniques may produce a more comprehensive list of risks rather than
reliance on a single method;
• The techniques used should encourage open and frank discussion, and individuals should not fear
reprisal for expressing their concerns about potential events that would give rise to risks resulting
in major loss to the company;
• Consider cognitive biases (such as framing) that might limit a person’s ability to identify the risk
correctly.
• The process should involve a cross-functional and diverse team both for the perspectives such a
group provides and to build commitment to ERM; and
• Finally, the process will probably generate a lengthy list of risks, and the key is to focus on the
“vital few” rather than the “trivial many.”
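As an added example, not taken from the slides, from COSO or from ISO 31000, the register below puts the Performance principles (10 to 14) and the identification factors above into code: each entry keeps cause, event and impact apart; severity is assessed on qualitative 1 to 5 scales; velocity raises the rank of fast-moving risks; the “vital few” are cut from the top of the ranking; a response class is chosen against an appetite; and a portfolio view is aggregated per business objective. The scales, the 10% velocity uplift, the response thresholds, the appetite of 8 and the five sample risks are all constructed for illustration.

```python
"""Minimal ERM risk register: identify, assess, prioritise, respond, portfolio view.
Added example, not from the slides or from COSO; scales, weights, thresholds,
appetite and the sample risks are assumptions made for illustration."""
from dataclasses import dataclass

# Assumed 1-5 qualitative scales; COSO leaves the scale to the organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "critical": 5}


@dataclass(frozen=True)
class Risk:
    rid: str
    objective: str   # business objective the risk threatens; key for the portfolio view
    cause: str       # why it could happen, kept apart from the risk itself
    event: str       # the risk: the event that could occur
    impact: str      # consequence for the objective if it does
    likelihood: str  # key of LIKELIHOOD
    severity: str    # key of IMPACT
    velocity: int    # 1 = slow onset .. 5 = hits within hours
    owner: str


def score(risk: Risk) -> float:
    """Likelihood x impact, uplifted 10% per step of velocity (assumed weighting),
    so that a fast-moving risk of the same size ranks higher."""
    base = LIKELIHOOD[risk.likelihood] * IMPACT[risk.severity]
    return round(base * (1 + 0.1 * (risk.velocity - 1)), 1)


def respond(risk: Risk, appetite: float) -> str:
    """Pick one of COSO's response classes (accept, avoid, share, reduce) from the
    assessment. Thresholds are assumptions; 'exploit' needs an upside not modelled here."""
    if score(risk) <= appetite:
        return "accept"
    high_impact = IMPACT[risk.severity] >= 4
    high_likelihood = LIKELIHOOD[risk.likelihood] >= 4
    if high_impact and high_likelihood:
        return "avoid"
    if high_impact:
        return "share"  # e.g. insure, or transfer by contract
    return "reduce"


def prioritise(register, top_n: int):
    """The 'vital few': highest scores first."""
    return sorted(register, key=score, reverse=True)[:top_n]


def portfolio_view(register, appetite: float) -> dict:
    """Composite exposure per business objective, as the board would see it."""
    view = {}
    for r in register:
        v = view.setdefault(r.objective,
                            {"risks": 0, "total": 0.0, "worst": 0.0, "over_appetite": 0})
        s = score(r)
        v["risks"] += 1
        v["total"] = round(v["total"] + s, 1)
        v["worst"] = max(v["worst"], s)
        v["over_appetite"] += int(s > appetite)
    return view


# Constructed sample register (illustrative only).
REGISTER = [
    Risk("R1", "Grow digital channel revenue", "new product launched without market testing",
         "customer uptake well below forecast", "revenue target missed",
         "possible", "major", 2, "Head of Digital"),
    Risk("R2", "Maintain service availability", "unpatched internet-facing appliance",
         "ransomware outage of core systems", "multi-day outage and late regulatory reporting",
         "unlikely", "critical", 5, "CISO"),
    Risk("R3", "Maintain service availability", "single cloud region",
         "regional cloud outage", "hours of downtime",
         "unlikely", "moderate", 5, "Head of Infrastructure"),
    Risk("R4", "Grow digital channel revenue", "commission-driven sales incentives",
         "mis-selling to customers", "fines and remediation costs",
         "likely", "severe", 1, "Head of Sales"),
    Risk("R5", "Retain key staff", "below-market pay",
         "loss of the payments engineering team", "delivery slips by a quarter",
         "possible", "moderate", 2, "CTO"),
]
APPETITE = 8.0  # assumed: scores above this need a response other than 'accept'

if __name__ == "__main__":
    for r in prioritise(REGISTER, 3):
        print(f"{r.rid} {score(r):5.1f} {respond(r, APPETITE):7} {r.event}")
    for objective, v in portfolio_view(REGISTER, APPETITE).items():
        print(objective, v)
```

The velocity term is what separates a slow-onset mis-selling risk from a fast-moving outage of the same likelihood x impact, and the appetite check is what turns a score into a response. The portfolio view then gives the board not a list of twenty risks but, per objective, how many risks sit outside appetite and how large the worst one is, which is the composite picture principle 14 asks for.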

Some techniques for identifying risk

• Brainstorming
• Event inventories and loss event data
• Interviews and self-assessment
• Facilitated workshops
• SWOT analysis
• Risk questionnaires and risk surveys
• Scenario analysis
• Using technology
• Other techniques

