ERM Introduction Unpad


Enterprise Risk Management: Introduction

Remarkable story of risk

To 1200 AD
- Gambling without theory
- Numbering system

1200-1700
- Summa de arithmetica, geometria, proportioni et proportionalita:
  A and B are playing a game of Balla. They agree to continue until one has won six rounds. The game actually stops when A has won five and B three. How should the stakes be divided?
  This brings us to the threshold of the quantification of risk.
- French connection (Blaise Pascal, Pierre de Fermat, Chevalier de Méré)
- Shipping
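The Balla question above is the "problem of points": the fair split is not in proportion to the rounds already won (the proportional rule gives 5:3) but in proportion to each player's probability of going on to win the match, which is the argument Pascal and Fermat worked out. The following is an added worked example, not part of the original slides; it assumes every round is a fair coin toss (p = 1/2), which the slide does not state, and uses a constructed stake of 8 so the shares come out whole.

```python
from fractions import Fraction
from functools import lru_cache


@lru_cache(maxsize=None)
def win_probability(a_needs: int, b_needs: int, p: Fraction = Fraction(1, 2)) -> Fraction:
    """Probability that A eventually wins when A still needs `a_needs` rounds,
    B still needs `b_needs` rounds, and A wins any single round with probability p.
    Exact arithmetic with Fraction; the recursion is the Pascal/Fermat argument:
    the next round is either won (A needs one fewer) or lost (B needs one fewer)."""
    if a_needs <= 0:
        return Fraction(1)
    if b_needs <= 0:
        return Fraction(0)
    return p * win_probability(a_needs - 1, b_needs, p) + (1 - p) * win_probability(a_needs, b_needs - 1, p)


def fair_division(target: int, a_won: int, b_won: int, stake, p: Fraction = Fraction(1, 2)):
    """Pascal/Fermat division: each player receives the stake times the probability
    of winning had the game continued to `target` rounds."""
    p_a = win_probability(target - a_won, target - b_won, p)
    return p_a * stake, (1 - p_a) * stake


def proportional_division(a_won: int, b_won: int, stake):
    """The earlier proportional rule: divide by rounds already won (5:3 in the slide's game)."""
    total = a_won + b_won
    return Fraction(a_won, total) * stake, Fraction(b_won, total) * stake


if __name__ == "__main__":
    stake = Fraction(8)  # constructed stake so the shares are whole numbers
    # A has 5 of 6, B has 3 of 6: A needs 1 more round, B needs 3.
    print("Pascal/Fermat:", fair_division(6, 5, 3, stake))       # (7, 1)
    print("Proportional :", proportional_division(5, 3, stake))  # (5, 3)
```

The difference between the two answers (7:1 versus 5:3) is exactly the step the slide calls the threshold of quantifying risk: the stake is valued by what is likely to happen next, not by what has already happened.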

Remarkable story of risk

1700-1900
- Bernoulli
- Bayes, inferential statistics: how we can determine the probability that an event will occur under circumstances where we know nothing about it except that it has occurred a certain number of times and has failed to occur a certain number of other times
- Average, standard deviation, normal distribution
- Regression

1900-1960
- Keynes: uncertainty; life is not only about probability
- Von Neumann: game theory
- Markowitz: portfolio risk and return, the stock market
- Risk management

1980
- Financial risk management

1990
- ERM

What is ERM
Enterprise Risk Management

Enterprise (from French entreprendre: entre- "inter-" + prendre "to take")
- a project or undertaking that is especially difficult, complicated, or risky
- readiness to engage in daring or difficult action
- a unit of economic organization or activity; especially: a business organization

Risk (from French risque)
- danger, in which there is an element of chance
- possibility of loss or injury
- someone or something that creates or suggests a hazard
- the chance of loss or the perils to the subject matter of an insurance contract
- the degree of probability of such loss

Management
- the act or art of managing: the conducting or supervising of something (as a business)
- judicious use of means to accomplish an end
- the collective body of those who manage or direct an enterprise

What is ERM
Enterprise Risk Management (COSO ERM)

"... is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Read against the etymology:
- Entreprendre/enterprise: an economic unit/organization (the whole entity instead of a unit)
- Risque/risk: danger in which there is an element of chance; the degree of probability of such loss
- Management: the act or art of managing, the conducting or supervising of something (as a business), or the judicious use of means to accomplish an end

Let's examine the key concepts of ERM based on the definition
Enterprise Risk Management (COSO ERM)

- A process, ongoing and flowing through an entity
- Effected by people at every level of the organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events affecting the entity and manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board
- Geared to the achievement of objectives

ERM Framework

- COSO ERM
- AS/NZS 4360
- Basel II
- PBI IT Risk Management
- ISO 31000, International Risk Management Standard (currently being voted on around the world)

ERM Framework

[Figure: COSO-ERM and AS/NZS 4360 mapped onto the same three elements: Objective, Risk, Control.]

Whatever the framework is, the fundamentals are ORC (Objective, Risk, Control).

ORCA: Basic Management Sequence

PLAN
1. Establish the organisation's objectives (O)

DO
2. Assess the risks (R)
3. Determine the controls required (C)

CHECK
4. Evaluate the achievement of the objectives

ERM Framework

OBJECTIVES: everything the organisation wants to achieve.
RISK: everything that can hinder the organisation from achieving its OBJECTIVES.
CONTROL: everything that helps the organisation achieve its objectives by managing RISK.

Relationship between O, R and C
- An objective without risk is not possible.
- An objective without control: the objective is generally hard to achieve.
- A control without risk is a waste of time and energy.
- A risk without control: the risk can become a time bomb.

Objective (O)
An objective is the desired result, not a way of doing something.
It is an end result, not a means.

Objective (O): categories

Effectiveness and efficiency of operations
- Produce excellent services/products
- Provide excellent customer service
- Maximise revenue
- Minimise cost
- Streamline workflow
- Safeguard assets
- Fulfil social obligations
- Create a positive work environment for employees

Reliability of reporting
- Reliability of internal reports for decision making
- Reliability of external reports
- Reliability of financial and operational reports

Compliance
- Compliance with laws and regulations
- Compliance with internal policies and procedures

Risk
Generic definition of risk: a possible event or circumstance that can have negative influences on the enterprise in question.
The risk components are:
- Possibility, or probability, or likelihood
- Influence, or impact, or consequence
Risk is described both qualitatively and quantitatively.

Risk Component
The simplest measure that can be applied is High, Medium or Low, or 3, 2, 1.

(Internal) Control
- Is a process
- Is effected by the Board of Directors, Commissioners, management and other personnel (people)
- Is designed to provide reasonable assurance
- Regarding the achievement of objectives in the categories:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with laws and regulations

Development of the Internal Control Concept

1949
- First introduced by the American Institute of Accountants (now AICPA).
- Definition: internal control consists of the organisation plan and all coordinated methods and measures adopted to safeguard assets, check the accuracy and reliability of accounting data, support operational efficiency and compliance with management policies.

1958
- Statement on Auditing Procedure (SAP) No. 28.
- Internal control is subdivided into Accounting Control and Administrative Control.
- Elements of internal control: Accounting Control and Administrative Control.

1988
- SAS 55.
- The term "Internal Control Structure" is introduced.
- Three elements of internal control are recognised: control environment, accounting system, control procedures.

1992
- COSO Framework: the definition of internal control is changed to the one we still use today.
- The term "Internal Control Structure" is changed to "Internal Control", because it was considered too rigid.
- Five elements of internal control: control environment, risk assessment, control activities, information and communication, monitoring.

1996
- SAS 78: COSO's definition and concept of internal control are adopted into the SAS (amending SAS 55).

2001
- SAS 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit.

2002
- Sarbanes-Oxley Act: public companies are required to state in their financial reports that management is responsible for implementing internal control over financial reporting, and to give an assessment of the effectiveness of that internal control.

COSO
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a non-profit organisation that works to improve the quality of financial reporting, effective internal control and corporate governance.
The internal control framework used by COSO became the standard for audits in America and was adopted worldwide (Statement of Auditing Standard No. 55) because it is considered the most specific and actionable.
Several organisations that adopted COSO also became its sponsors:
- American Accounting Association (AAA)
- Financial Executives Institute (FIA)
- Institute of Internal Auditors (IIA)
- Institute of Management Accountants (IMA)
- American Institute of Certified Public Accountants (AICPA)

Components

[Figure: COSO's Internal Control Integrated Framework, drawn as a cube. Front face, the five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Top face, the objective categories: Operations, Financial Reporting, Compliance. Side face: functions / business units.]

The framework above is aimed at internal control at the entity level.
This framework is control based (not risk based). In the future, most likely only one framework will be used, namely COSO-ERM (risk based).

Control Limitation

- Internal control tends to be directed at routine rather than non-routine processes.
- Internal control is undermined by human error (indifference, carelessness and misunderstanding).
- Internal control will not be effective in an environment of collusion among management, employees and outside parties.
- Management has the ability to override internal control.
- Internal control cannot deal with problems caused by external factors such as competitor actions and economic conditions.
- Internal control is limited by cost and benefit considerations (limited resources).

How Control Works

Risk mitigation by control:
- reduces the probability and/or impact of the risk
- through preventive or detective/protective action
- which may be soft or hard (soft control and hard control)
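The three ideas just covered fit together in a risk register: the O-R-C relationships (an objective with no risk, a control with no risk, a risk with no control), the 3/2/1 scale for likelihood and impact, and controls that mitigate by lowering likelihood and/or impact. The code below is an added example written for these slides, not material from the original deck or from COSO. The register entries, control names and the rating thresholds (6-9 High, 3-4 Medium, 1-2 Low) are constructed assumptions; the slides give only the three-point scale.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Three-point scale from the slides: 3 = High, 2 = Medium, 1 = Low.
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}


@dataclass
class Control:
    name: str
    kind: str                      # "preventive" or "detective/protective" (the slides' terms)
    hard: bool                     # hard control (enforced by a system) vs soft control (policy, culture)
    likelihood_reduction: int = 0  # levels removed from the risk's likelihood
    impact_reduction: int = 0      # levels removed from the risk's impact


@dataclass
class Risk:
    event: str
    objective: str                 # the objective (O) this risk threatens
    likelihood: int                # inherent likelihood, 1..3
    impact: int                    # inherent impact, 1..3
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int]:
        return self.likelihood, self.impact

    def residual(self) -> Tuple[int, int]:
        # Controls lower likelihood and/or impact but never below 1:
        # some residual risk always remains (reasonable, not absolute, assurance).
        lk = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        im = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, lk), max(1, im)


def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact on the 1..3 scale (possible values 1, 2, 3, 4, 6, 9)."""
    for level in (likelihood, impact):
        if level not in LEVEL_NAMES:
            raise ValueError(f"level must be 1, 2 or 3, got {level}")
    return likelihood * impact


def rating(s: int) -> str:
    """Assumed thresholds (not from the slides): 6-9 High, 3-4 Medium, 1-2 Low."""
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def orc_findings(objectives: List[str], risks: List[Risk], controls: List[Control]) -> List[str]:
    """Check a register against the O-R-C relationships stated in the slides."""
    findings = []
    threatened = {r.objective for r in risks}
    for o in objectives:
        if o not in threatened:  # an objective without risk is not plausible: the analysis is incomplete
            findings.append(f"objective with no identified risk: {o!r}")
    attached = {c.name for r in risks for c in r.controls}
    for c in controls:
        if c.name not in attached:  # control without a risk: wasted time and energy
            findings.append(f"control not mapped to any risk: {c.name!r}")
    for r in risks:
        if not r.controls:  # risk without control: a time bomb
            findings.append(f"risk with no control: {r.event!r}")
    return findings


def build_sample_register():
    """Constructed sample data for illustration only (not from the slides)."""
    objectives = ["Safeguard assets", "Compliance with regulations", "Reliable financial reporting"]
    maker_checker = Control("Maker-checker approval of payments", "preventive", hard=True, likelihood_reduction=1)
    reconciliation = Control("Monthly reconciliation review", "detective/protective", hard=False, impact_reduction=1)
    training = Control("Code of conduct training", "preventive", hard=False)  # deliberately unmapped
    risks = [
        Risk("Unauthorised payment released", "Safeguard assets", likelihood=3, impact=3,
             controls=[maker_checker, reconciliation]),
        Risk("Late regulatory filing", "Compliance with regulations", likelihood=2, impact=2),
    ]
    return objectives, risks, [maker_checker, reconciliation, training]


if __name__ == "__main__":
    objectives, risks, controls = build_sample_register()
    for r in risks:
        inh, res = score(*r.inherent()), score(*r.residual())
        print(f"{r.event}: inherent {inh} ({rating(inh)}), residual {res} ({rating(res)})")
    for f in orc_findings(objectives, risks, controls):
        print("finding:", f)
```

Running it shows the payment risk drop from 9 (High) to 4 (Medium) once a preventive hard control lowers likelihood and a detective soft control lowers impact, and produces three O-R-C findings: an objective nobody has assessed for risk, a control mapped to no risk, and a risk left without any control.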

Why implement ERM

- Reduce surprises
- Integrate all risk management efforts that were previously fragmented
- Increase investor/stakeholder trust
- Enhance GCG (good corporate governance)
- Align strategy and corporate culture (balance between entrepreneurship and control)

If we implement ERM, does it guarantee success?

ERM does not guarantee success, because it involves judgement and is subject to the limitations of internal control.
ERM creates better chances of achieving objectives.

What is the difference between ERM and management?

ERM is an integral part of managing an organization, but not all aspects of management belong to ERM.
Objective and strategy setting is not part of ERM.

What you need to learn to understand and practice ERM

Basic
- Mathematics
- Statistics
- Management (introduction to management)
- Strategic management/corporate governance
- Financial management
- Auditing (internal and external auditing, IT auditing)

Advanced
- Psychology and behaviour
- Advanced corporate finance

Relationship with other functions in the organization

Internal: Board of Directors, Commissioners and Committees; RM (risk management); Compliance; IA (internal audit); Finance; HR; Legal

External: Shareholders; KAP (Kantor Akuntan Publik, public accounting firm); Regulator; Rating Agency

Business Process and RM Process

[Figure: business units (Corporate Banking, Retail Banking, Wealth Management, Broker Dealer, Insurance) laid out against the risk management process, with a legend marking the First, Second and Third Lines of Defense.]

Relevant jobs

- Internal Auditor
- All bankers (BSMR)
- Risk Manager/Risk Officer
- Treasurer
- Business Risk Consultant
