The Essentials of
ENTERPRISE RISK MANAGEMENT
For Directors and Commissioners

Compiled by:
Antonius Alijoyo
with Deddy Jacobus
TABLE OF CONTENTS

TABLE OF CONTENTS 1

MESSAGE FROM CHAIRMAN LKDI 3

PROFILE OF LKDI 5

Chapter One: Introduction 6
  Why ERM is relevant and important for Directors and Commissioners
  The need for ERM competency among Directors and Commissioners
  ERM requirements
  Review questions

Chapter Two: Concept, Principles and Framework 16
  Definitions, Concept and Components of ERM
  Available Frameworks of ERM: AS/NZS and COSO
  Review questions

Chapter Three: Putting into Context 41
  Risk environment
  Risk management and board accountability
  Risk appetite and tolerances
  The role of committees to the Board of Commissioners and the audit function
  Review questions

Chapter Four: Implementing ERM 48
  Risk Culture
  Internal Capacity
  Alignment with Vision, Mission, and Strategy
  Review questions

Chapter Five: Measures of effectiveness 61
  Measurement Tools and Approach
  A simple checklist

Case Study 69

Dasar-dasar ENTERPRISE RISK MANAGEMENT Untuk Direktur dan Komisaris 1


MESSAGE FROM CHAIRMAN LKDI

The Indonesian Institute of Commissioners and Directors, commonly known as LKDI, was established in 2001 with the aim of accommodating commissioners and directors in the enhancement of their competence, knowledge, and integrity as part of Good Corporate Governance (GCG) implementation. To attain this objective, LKDI has intensively organized a program called "Training and Directorship Certification for Commissioners and Directors" since the beginning of 2005. Furthermore, LKDI has also conducted continuous professional education for commissioners and directors by emphasizing the fundamental and current issues surrounding GCG practices on both national and international horizons.

In order to enhance the quality of the "Training and Directorship Certification for Commissioners and Directors" program, LKDI has developed a set of modules with the support of the Center for International Private Enterprise (CIPE), an international institution based in the US. This support is part of LKDI's collaboration in conducting a series of programs with the theme "Strengthening Corporate Governance in Indonesia".

These modules serve as a reference for the facilitators as well as the participants of the LKDI training program, and have become a standardized reference comparable to the curriculum of the directorship programs conducted by the UK Institute of Directors, the Australian Institute of Company Directors, and the Singapore Institute of Directors.

In this first stage, LKDI prepared five modules: "GCG Concepts, Principles and Practices", "Boards' Duties, Liabilities and Responsibilities", "Enterprise Risk Management", "Corporate Social Responsibility", and "High Quality Corporate Reporting". These modules were developed by senior academicians under the umbrella of the Academic Network Indonesia on Governance (ANIG), a network established and run by the Board Members of the National Committee on Governance, commonly known as KNKG.

Finally, please allow us to take this opportunity to express our gratitude to CIPE, KNKG, and ANIG for their good support in the preparation of these training modules, and we hope that we will continue this solid collaboration for the enhancement of GCG in Indonesia.

Best wishes,

Hoesein Wiriadinata
Chairman

Dasar-dasar ENTERPRISE RISK MANAGEMENT Untuk Direktur dan Komisaris 3


THE PROFILE OF LKDI

Directors and Commissioners have a strategic role in the successful implementation of Good Corporate Governance. The crisis of 1997 brought valuable lessons for Indonesia, as it showed beyond any reasonable doubt the fragility of the economic structure and the prevalence of irregular corporate practices. However, it is very encouraging that many companies have taken the initiative to reform themselves toward better governance.

To ensure business sustainability and to cope with the international governance challenge, it is important that Directors and Commissioners are competent and empowered in order to effectively fulfil their responsibilities. Based on that comprehension, Lembaga Komisaris dan Direktur Indonesia, LKDI (Indonesian Institute for Commissioners and Directors), was established by the National Committee on Governance in 2000. It was founded by notarial act of Notary Imas Fatimah, SH No.10 on July 6, 2001.

LKDI aims to enhance the quality of members who become the avant-garde of corporate governance practices by providing networking opportunities and continuous professional education programs.

Founder: National Committee of Corporate Governance

Advisor: Mar'ie Muhammad

Advisory Board:
- Amrin Siregar
- Kartini Muljadi
- Gunarni Soeworo
- Ratnawati Prasodjo
- Mas Achmad Daniri

Executive Board:
- Hoesein Wiriadinata (Chairman)
- Eva Riyanti Hutapea (Vice Chairperson)
- Fachry Aly
- Fred B.G. Tumbuan
- Jos F. Luhukay
- Partomuan Pohan
- Irwan M. Habsjah
- Adi Rahman Adiwoso

Dasar-dasar ENTERPRISE RISK MANAGEMENT Untuk Direktur dan Komisaris 5


CHAPTER I INTRODUCTION

In this chapter, we will discuss the significance and importance of ERM for Directors and Commissioners, and the need for board competency in enterprise risk management. We will set out all the aspects that Directors and Commissioners need in order to understand and implement ERM. At the end of this chapter we will present five multiple-choice questions for review of the material.

Why ERM is important for both Directors and Commissioners

The future cannot be predicted. It is uncertain, and no one has ever been successful in forecasting strategic, operational, and systemic events with major financial implications. In this sense, growth and profitability can be destructive measures of performance in the absence of risk control and risk management.

Enterprise Risk Management (ERM) can help both Directors and Commissioners to develop the mindset and tools to explore the many dimensions of risk associated with each activity and opportunity, so that they can balance these against the more obvious signs of reward.

What is Risk and Why Manage Risk

In order to understand the importance of ERM, we first need to understand what we mean by "risk". The Enterprise Risk Management Integrated Framework (COSO, 2004) defines risk as "the possibility that an event will occur and adversely affect the achievement of objectives." The international standard (guideline) for risk management, AS/NZS 4360 (2004), says that risk is "the chance of something happening that will have an impact on objectives." In this sense, risk:

1. Is often specified in terms of an event or circumstances and the consequences that may flow from it.
2. Is measured in terms of a combination of the consequences of an event and their likelihood.
3. May have a positive or negative impact.

Risk is a function of, or relates to, uncertainties and an entity's exposure to them. The higher the uncertainties and exposures faced by an organization, the higher the risk consequences and likelihood.

Risk is inherent in everything we do, whether it be riding a bicycle, managing a project, dealing with clients, determining work priorities, purchasing new systems and equipment, taking decisions about the future, or deciding not to take any action at all.

We manage risk continuously, sometimes consciously and sometimes without realizing it. The need to manage risk systematically applies to all organizations and individuals and to all functions and activities within an organization. This need should be recognized as of fundamental importance by all corporate directors and commissioners.

The alternative to risk management is risky management: making reckless decisions, or decisions that are not based on a careful consideration of the facts. Risky management is unlikely to ensure desired outcomes.

On the contrary, risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting. And it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

From the risk/return point of view, sound risk management helps us to balance risk and return. The concept of "no risk, no return" is widely accepted in the business world. A corollary to that concept is "higher risk, higher return." In the real world, however, there is no such absolute relation between risk and return. At a certain point, taking excessive risk will create disaster, not return. This means we need to be able to optimize our risk/return profile. The problem is that most companies do not even have good information on enterprise-wide risk exposures (which is to say, whether they are taking insufficient risk or excessive risk). To answer this need, the concept and understanding of enterprise risk management came into existence.

What is enterprise risk management

The underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.

Enterprise risk management (ERM) is best defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which initiated a project to develop a conceptually sound framework providing integrated principles, common terminology and practical implementation guidance supporting entities' programs to develop or benchmark their enterprise risk management processes, well known as the Enterprise Risk Management Integrated Framework (2004).

Enterprise risk management is defined as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

As a process, enterprise risk management is a means to an end, not an end in itself. It is not merely policies, surveys and forms, but involves people at every level of an organization. It is applied in strategy setting, across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks. Enterprise risk management is designed to identify events potentially affecting the entity and to manage risk within its risk appetite, with the objective of providing reasonable assurance to an entity's management and board, and is geared to the achievement of objectives in one or more separate but overlapping categories.

Benefits of enterprise risk management

No entity operates in a risk-free environment, and enterprise risk management does not create such an environment. Rather, enterprise risk management enables management to operate more effectively in environments filled with risks.

Enterprise risk management provides enhanced capability to:

- Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals. Management considers the entity's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.
- Link growth, risk and return: Entities accept risk as part of value creation and preservation, and they expect return commensurate with the risk. Enterprise risk management provides an enhanced ability to identify and assess risks, and establish acceptable levels of risk relative to growth and return objectives.
- Enhance risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing and acceptance. Enterprise risk management provides methodologies and techniques for making these decisions.
- Minimize operational surprises and losses: Entities have enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
- Identify and manage cross-enterprise risks: Every entity faces a myriad of risks affecting different parts of the organization. Management needs not only to manage individual risks, but also to understand interrelated impacts.
- Provide integrated responses to multiple risks: Business processes carry many inherent risks, and enterprise risk management enables integrated solutions for managing the risks.
- Seize opportunities: Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.
- Rationalize capital: More robust information on an entity's total risk allows the board of directors and management to more effectively assess overall capital needs and improve capital allocation.

Enterprise risk management is not an end in itself, but rather an important
means. It cannot and does not operate in isolation in an entity, but rather is an
enabler of the management process. Enterprise risk management is
interrelated with corporate governance by providing information to the board
of directors on the most significant risks and how they are being managed.
And, it interrelates with performance management by providing risk-adjusted
measures, and with internal control, which is an integral part of enterprise risk
management.

The need for competency in enterprise risk management among corporate Directors and Commissioners

History has repeatedly demonstrated how bad things can and do happen to good companies. In this section, we will show how critical risk management is for boards, such that competency in enterprise risk management is now a must. Corporate disasters can come in many different forms, and can strike any company within any industry.

Beyond purely financial losses, the mismanagement of risks can result in damage to the reputation of individual companies, or a setback for the careers of individual executives. The damage can quickly escalate until a previously healthy firm suddenly faces bankruptcy; at times the damaging event severely shakes the foundations of the industry and the market. Table 1.1 shows how companies that were once good and renowned in their respective industries experienced great financial disasters.

Table 1.1 List of misfortunes

Companies        | Industries       | Issues                | Losses (USD)
-----------------|------------------|-----------------------|--------------
Cendant          | Corporation      | Accounting fraud      | $300 million
Bausch & Lomb    | Corporation      | Revenue misstatement  | $42 million
Pharmor          | Corporation      | Charge-off            | $350 million
PCA              | Energy company   | Claims                | $236 million
MG               | Energy company   | Trading losses        | $1 billion
Lloyd's          | Insurance        | Settlement            | 3.2 billion
Confed Life      | Insurance        | Real estate losses    | $1.3 billion
Morgan Grenfell  | Asset management | Questionable trading  | $300 billion
LTCM             | Asset management | Rescue fund required  | $3.5 billion
Barings          | Bank             | Trading losses        | $1 billion
Bankers Trust    | Bank             | Lawsuits              | $737 million

Source: James Lam, Enterprise Risk Management, From Incentives to Controls, JWS, 2003, p. 10.

In most of the above cases, either boards were provided with misleading information or there was a breakdown in the process by which information was transmitted to the board and shareholders. In many cases, the breakdown involved financial engineering and the nondisclosure of economic risks as well as outright fraud.

The dramatic collapse in public confidence caused by these scandals and disasters continues to put pressure on boards and management to carry out their corporate governance and risk management responsibilities in a more effective manner. The regulatory and rating agencies are themselves under significant pressure to upgrade their capabilities in order to protect all stakeholders.

There is no shortage of learning opportunities. It seems as if a major business disaster happens every few months, reminding us of the dangers faced by all enterprises. Organizations fortunate enough to avoid a major crisis often experience lesser problems or "near misses" that highlight underlying exposures to risk.

For Indonesian boards of directors and commissioners, the implementation of enterprise risk management is part of corporate governance regulatory requirements and best practices. The OECD requires corporate boards to implement appropriate systems and policies for risk management. It is a key responsibility of the board (OECD Principles of Corporate Governance, Principles V.D.1 and V.D.5).

ERM requirements

We have mentioned previously that the underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.

Uncertainty
Enterprises operate in environments where factors such as globalization,
technology, regulation, restructurings, changing markets, and competition
create uncertainty. Uncertainty emanates from an inability to precisely
determine the likelihood that potential events will occur and the associated
outcomes.

Value
Value is created, preserved or eroded by management decisions ranging from
strategy setting to operating the enterprise day-to-day. Inherent in decisions is
recognition of risk and opportunity, requiring that management
considers information about internal and external environments, deploys
precious resources and recalibrates enterprise activities to changing
circumstances.

Entities realize value when stakeholders derive recognizable benefits that they
in turn value. For companies, shareholders realize value when they recognize
value creation from share-value growth. For governmental entities, value is
realized when constituents recognize receipt of valued services at an
acceptable cost. Stakeholders of not-for-profit entities realize value when they
recognize receipt of valued social benefits. Enterprise risk management
facilitates management's ability to both create sustainable value and
communicate the value created to stakeholders.

In order to be able to implement enterprise risk management (ERM) effectively, from the boards' point of view, there first has to be a tone of strong commitment at the top, a clear definition of the organization's risk appetite in terms of its risk policies and risk tolerance, an appropriate organizational structure, and the awareness that they need to ensure that their behavior is in line with their risk management policy. This is to ensure the integration of risk into a company's culture and values.

Boards can't monitor and control the financial condition of a risk-taking institution without excellent risk management and risk metrics. Meanwhile, the risk management function depends on sponsors at the senior executive and board level to gain the investment it requires and the influence it needs to balance out powerful business leaders.

At a best-practice institution, everything flows from a clear and agreed-upon risk management policy at the top. For example, senior management or the board of directors must approve a clear notion of the institution's risk appetite and how this can be linked to a system of limits and risk metrics.

The risk committee of the institution also needs to be involved, to some degree, in setting the basic risk measurement methodologies employed by the institution. It is important that risk committees understand the strengths and weaknesses of any new operational-risk metrics if they are to make sense of risk reports.

Successful enterprise risk management implementation also requires risk-return management via integration of ERM into strategic planning, business processes, performance measurement, and incentive compensation. All these will be discussed later in the main section of this book.

Review questions

Five multiple-choice questions for a review of the material in Chapter One.

1. Why is ERM important for both Directors and Commissioners?
(a) Growth and profitability can be destructive measures of performance in the absence of risk control and risk management.
(b) Enterprise Risk Management (ERM) can help both Directors and Commissioners to develop the mindset and tools to explore the many dimensions of risk associated with each activity and opportunity so that they can balance these against the more obvious signs of rewards.
(c) Well-designed and operated enterprise risk management can provide management and the board of directors reasonable assurance regarding achievement of an entity's objectives.
(d) All the choices are correct.

2. The following gives the correct understanding of risk set out by AS/NZS 4360:2004, except for:
(a) Risk is "the chance of something happening that will have an impact on objectives."
(b) Risk is often specified in terms of an event or circumstances and the consequences that may flow from it.
(c) Risk is measured in terms of a combination of the consequences of an event and their likelihood.
(d) Risk always relates to negative impact.

3. The following gives the correct understanding of enterprise risk management set out by COSO, except for:
(a) Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel,
(b) Applied in strategy setting and across the enterprise,
(c) Designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite,
(d) To provide unbiased data regarding the achievement of entity objectives.

4. Why is competency in enterprise risk management among corporate Directors and Commissioners so critical?
(a) History has repeatedly demonstrated how bad things can and do happen to good companies. Beyond purely financial losses, the mismanagement of risks can result in damage to the reputation of the individual companies, or a setback for the careers of the individual executives.
(b) The dramatic collapse in public confidence caused by corporate scandals and disasters continues to put pressure on boards and management to carry out their corporate governance and risk management responsibilities in a more effective manner.
(c) For Indonesian boards of directors and commissioners, the implementation of enterprise risk management is part of corporate governance regulatory requirements and best practices.
(d) All of the above are correct.

5. The following are fundamental for effective enterprise risk management, except for:
(a) There has to be a tone of strong commitment at the top,
(b) A clear definition of the organization's risk appetite in terms of its risk policies and risk tolerance,
(c) An appropriate organizational structure, and the awareness that they need to ensure that their behavior is in line with their risk management policy.
(d) Risk management should not be integrated into a company's culture and values because it should be an independent process.

CHAPTER II CONCEPTS, PRINCIPLES AND FRAMEWORK

In this chapter, we will discuss further the concepts, the framework, and the importance of integrating an enterprise risk management program into business processes, and show how risk management has evolved from a control function strictly concerned with minimizing downside risk to one that enables performance optimization.

Risk Definition and Concepts

This section elaborates further on existing frameworks commonly used across the globe, especially the AS/NZS 4360:2004 standard and the Enterprise Risk Management Integrated Framework by COSO. We will be dealing with the definition of ERM, risk concepts, and the key ERM components or building blocks, such as risk governance, risk infrastructure, the risk management process, and risk communication and reporting.

Risk Concepts

Risk in the widest sense is not new to business. All companies are exposed to traditional business risks: earnings go up and down as a result of such things as changes in the business environment, in the nature of competition, in production technologies, and in factors affecting suppliers. This is the classic understanding of risk.

Risks come in all shapes and sizes. Risk has been defined in the previous part as "the chance of something happening that will have an impact on objectives." In this sense risk is often specified in terms of an event or circumstances and the consequences that may flow from it. It is measured in terms of a combination of the consequences of an event and their likelihood. Risk may have a positive or negative impact.

Traditionally, risk professionals recognize three major types of risk: market risk, credit risk, and operational risk. Market risk is the risk that prices will move in a way that has negative consequences for a company; credit risk is the risk that a customer, counterparty, or supplier will fail to meet its obligations; and operational risk is the risk that people, processes, or systems will fail, or that an external event (e.g., earthquake, fire, flood) will negatively impact the company. But other types of risk have also been suggested, such as legal risk, business risk, strategic risk and reputation risk (see Figure 2.1).

Figure 2.1 - Typology of Risk

[Figure: Market Risk, Credit Risk and Operational Risk, grouped together as Financial Risk; alongside them Legal & Regulatory Risk, Business Risk, Strategic Risk and Reputation Risk.]

Although there are commonalities and interdependencies between these risks, each ultimately requires specialized attention. And each of these broad risk types encompasses a host of individual risks. Credit risk, for example, includes everything from a borrower default to a supplier missing deadlines because of credit problems.

Risk needs to be recognized and assessed in ways that are relatively easy to understand. However, this requires a substantial effort in training and education. Many board members and staff, whether junior or senior, will not be familiar with risk management, and particularly not with quantitative forms of risk analysis. Fortunately, there are key risk concepts that help us to have a better understanding of risk; they apply to the risks of any kind of business and must be addressed by any effective risk management program.

Table 2-1 Key Risk Concepts

Uncertainty: Risk is not synonymous with uncertainty. Risk is best thought of as variability that can be quantified in terms of probabilities, while uncertainty is variability that cannot be quantified at all.

Exposure: The amount of damage that will be suffered if some event occurs. For example, a lender is exposed to the risk that a borrower will default. A flight passenger is exposed to the risk that an airplane might crash.

Event: Occurrence of a particular set of circumstances (AS/NZS 4360:2004).
- The event can be certain or uncertain.
- The event can be a single occurrence or a series of occurrences.

Likelihood: A general description of probability or frequency (AS/NZS 4360:2004). Likelihood represents the possibility that a given event will occur (COSO). How likely is it that some risky event will actually occur? The more likely the event is to occur (in other words, the higher the probability or frequency), the greater the risk. Likelihood can be expressed qualitatively or quantitatively.

Volatility: The variability of potential outcomes. It answers the question 'how uncertain is the future?' Generally, the greater the volatility, the greater the risk.

Consequence: Outcome or impact of an event (AS/NZS 4360:2004). The effect of an event should it occur (COSO). There can be more than one consequence from one event. Consequences can range from positive to negative. Consequences can be expressed qualitatively or quantitatively. Consequences are considered in relation to the achievement of objectives.

Loss: Any negative consequence or adverse effect, financial or otherwise.

Probability: A measure of the chance of occurrence expressed as a number between 0 and 1.

Time Horizon: How long will I be exposed to the risk? The longer the duration of an exposure, the higher the risk.

Correlation: The relations between risks within a business or entity. If two risks behave similarly (they increase for the same reasons, for example, or by the same amount), they are considered highly correlated.
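As an added illustration (not code from this module or from LKDI), the following Python risk register puts the concepts of Table 2-1 to work: qualitative likelihood and consequence scores combine into a rating, the time horizon compounds an annual probability, exposure turns that into an expected loss, correlation raises the chance that two risks strike together, and each risk is evaluated against an assumed tolerance. The rating scales, tolerance thresholds and sample risks are constructed assumptions.

```python
"""Risk-register evaluation built on the key risk concepts of Table 2-1.

Added example; not code from the training module or LKDI. The scales,
the tolerance thresholds and the sample register are constructed.
"""
from dataclasses import dataclass
from math import sqrt

# Qualitative scales (constructed, 1..5) so that risk can be "measured in
# terms of a combination of the consequences of an event and their likelihood".
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Risk:
    name: str
    likelihood: str            # qualitative likelihood of the event within one year
    consequence: str           # qualitative consequence should the event occur
    annual_probability: float  # quantitative likelihood: probability (0..1) per year
    exposure: float            # exposure: loss (USD) suffered if the event occurs
    horizon_years: int = 1     # time horizon: how long the entity stays exposed

    def rating(self) -> int:
        """Qualitative risk rating: likelihood score x consequence score (1..25)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def probability_over_horizon(self) -> float:
        """Chance the event happens at least once over the horizon.

        1 - (1 - p)^years grows with years: a longer exposure means higher risk.
        """
        return 1.0 - (1.0 - self.annual_probability) ** self.horizon_years

    def expected_loss(self) -> float:
        """Quantitative view: probability over the horizon x exposure."""
        return self.probability_over_horizon() * self.exposure


def joint_probability(p1: float, p2: float, correlation: float) -> float:
    """Probability that two risk events both occur, given their correlation.

    For two Bernoulli events with correlation rho:
        P(both) = p1*p2 + rho * sqrt(p1*(1-p1) * p2*(1-p2))
    Highly correlated risks (rho near 1) are far more likely to hit together
    than independent ones (rho = 0), which is why correlation matters to a board.
    """
    return p1 * p2 + correlation * sqrt(p1 * (1 - p1) * p2 * (1 - p2))


def evaluate(risk: Risk, max_rating: int, max_expected_loss: float) -> str:
    """Evaluate step: compare the analysed risk with the entity's tolerance.

    Exceeding either criterion means the risk needs treatment; otherwise it
    can be accepted (and still monitored).
    """
    if risk.rating() >= max_rating or risk.expected_loss() > max_expected_loss:
        return "treat"
    return "accept"


def evaluate_register(register, max_rating=12, max_expected_loss=250_000.0):
    """Evaluate every risk in a register; returns {name: action}."""
    return {r.name: evaluate(r, max_rating, max_expected_loss) for r in register}


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("key supplier default", "possible", "major", 0.05, 2_000_000.0, 3),
    Risk("customer data breach", "likely", "major", 0.10, 1_000_000.0, 3),
    Risk("office fire", "rare", "catastrophic", 0.01, 5_000_000.0, 1),
]

if __name__ == "__main__":
    for name, action in evaluate_register(SAMPLE_REGISTER).items():
        print(f"{name}: {action}")
```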

Available Frameworks of ERM: AS/NZS 4360:2004 and the COSO Enterprise Risk Management Integrated Framework

The management of some companies and other entities has developed processes to identify and manage risk across the enterprise, and many others have begun development or are considering doing so. While considerable information on enterprise risk management is available, including much published literature, no common terminology exists, and there are few if any widely accepted principles that can be used by management as a guide in developing an effective risk management architecture.

There are at least two widely accepted frameworks that can be adopted by institutions planning an enterprise risk management initiative. The two frameworks or standards are AS/NZS 4360:2004 and the COSO Enterprise Risk Management Integrated Framework.

Let us consider the two frameworks one by one.

AS/NZS 4360:2004

AS/NZS 4360:2004 is a Joint Australian/New Zealand Standard on risk management. This standard provides a generic guide for managing risk. It may be applied to a very wide range of activities, decisions or operations of any public, private or community enterprise, group or individual.

This standard specifies the elements of the risk management process which should be applied at all stages in the life of an activity, function, project, product or asset. The maximum benefit is usually obtained by applying the risk management process from the beginning.

The objective of the standard is to provide guidance to enable public, private or community enterprises, groups or individuals to achieve:

- A more confident and rigorous basis for decision-making and planning;
- Better identification of opportunities and threats;
- Gaining value from uncertainties and variabilities;
- Pro-active rather than re-active management;
- More effective allocation and use of resources;
- Improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums;
- Improved stakeholder confidence and trust;
- Improved compliance with relevant legislation; and
- Better corporate governance.

AS/NZS 4360:2004 Risk Management Process Overview

This section gives a brief overview of the risk management process based on
that of AS/NZS 4360:2004.

The main elements of the risk management process are:


(a) Communicate and consult
(b) Establish the context
(c) Identify risks
(d) Analyse risks
(e) Evaluate risks
(f) Treat risks
(g) Monitor and review

Risk management can be applied at many levels in an organization. It can be
applied at a strategic level and at tactical and operational levels. It may be
applied to specific projects, to assist with specific decisions or to manage
specific recognized risk areas.

For each stage of the process, records should be kept to enable decisions to be
understood as part of a process of continual improvement.

The process can be overviewed as seen in Figure 2.2.

The main elements of the risk management process, as shown in Figure 2.2, can
be elaborated further as follows:

(a) Communication and consultation - Involving others, or at least looking at
things from another point of view, is an essential and crucial ingredient of
an effective approach to risk management. Therefore communication and
consultation with internal and external stakeholders should be considered
at each step of the risk management process.
(b) Establishing the context - This step is concerned with understanding the
background of the organization and its risks, scoping the risk management
activities being undertaken and developing a structure for the risk
management tasks to follow.



[Figure 2.2 shows the process as a sequence: Establish the context; Identify
risks, Analyze risks and Evaluate risks (together labelled Risk assessment);
Treat risks. Communicate and consult, and Monitor and review, are shown
alongside the whole sequence.]

Source: AS/NZS 4360:2004

Figure 2.2 Risk Management Process Overview

(c) Risk identification - This step seeks to identify the risks to be managed.
Comprehensive identification using a well-structured systematic process is
critical because a risk not identified at this stage may be excluded from
further analysis. Identification should include risks whether or not they
are under the control of the organization.
(d) Risk analysis - Risk analysis is about developing an understanding of the
risk. It provides an input to decisions on whether risks need to be treated
and on the most appropriate and cost-effective risk treatment strategies.
Risk analysis involves consequences and the likelihood that those
consequences may occur. Factors that affect consequences and likelihood
may be identified; risk is then analyzed by combining consequences and
their likelihood. In most circumstances existing controls are taken into
account.

Table 2.2 - Example of simple risk level matrix

Likelihood    Consequences
              Major      Moderate    Minor
Likely        Red        Red         Yellow
Possible      Red        Yellow      Green
Unlikely      Yellow     Green       Green



[Figure: probability (low to high) plotted against consequence (low to high),
marking the range of credible outcomes and the regions labelled "Problem" and
"Catastrophe".]

(e) Risk evaluation - The purpose of risk evaluation is to make decisions, based
on the outcomes of risk analysis, about which risks need treatment and
treatment priorities.
(f) Risk treatment - Risk treatment involves the range of options for treating
risks, assessing these options and the preparation and implementation of
treatment plans. The starting point for identifying options is often a review
of existing guides for treating that particular type of risk. For example, in
many safety, environmental and construction areas there are requirements
laid down in legislation and standards. However, these will need to be
reviewed for completeness and suitability.
(g) Monitoring and review - Ongoing review is essential to ensure that the
management plan remains relevant. Factors that may affect the likelihood
and consequences of an outcome may change, as may the factors that
affect the suitability or cost of the treatment options. It is therefore
necessary to repeat the risk management cycle regularly.
(h) Recording the risk management process - Each stage of the risk
management process should be recorded appropriately. Assumptions,
methods, data sources, analyses, results and reasons for decisions should
all be recorded.
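As an added worked example (not from the standard or from this book), the following Python applies the Table 2.2 matrix to a constructed risk register, takes existing controls into account as step (d) requires, and ranks the result for step (e). The register entries, the way each control lowers one axis by a single step, and the treatment-priority wording are assumptions made for illustration; the monotonicity check is a general sanity test for any matrix of this shape, since a matrix in which a riskier cell rates lower than a safer one would misdirect treatment effort.

```python
"""Qualitative risk analysis (step d) and evaluation (step e) using a risk level
matrix. Added example: the 3x3 matrix is Table 2.2; the register, the control
adjustments and the priority wording are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Ordinal scales, most severe first (index 0 is the worst case on each axis).
LIKELIHOOD = ("Likely", "Possible", "Unlikely")
CONSEQUENCE = ("Major", "Moderate", "Minor")
SEVERITY = {"Green": 0, "Yellow": 1, "Red": 2}

# Table 2.2 as printed: rows are likelihood, columns are consequence.
MATRIX = {
    "Likely":   {"Major": "Red",    "Moderate": "Red",    "Minor": "Yellow"},
    "Possible": {"Major": "Red",    "Moderate": "Yellow", "Minor": "Green"},
    "Unlikely": {"Major": "Yellow", "Moderate": "Green",  "Minor": "Green"},
}

# Constructed meaning of each level for the evaluation step.
PRIORITY = {"Red": "treat now", "Yellow": "treat as resources allow", "Green": "monitor"}


def rate(likelihood: str, consequence: str, matrix=MATRIX) -> str:
    """Combine likelihood and consequence into a risk level via the matrix."""
    return matrix[likelihood][consequence]


def is_monotone(matrix=MATRIX) -> bool:
    """Check a matrix before relying on it: moving to a worse likelihood or a
    worse consequence must never yield a lower level."""
    for i, lk in enumerate(LIKELIHOOD):
        for j, cq in enumerate(CONSEQUENCE):
            here = SEVERITY[matrix[lk][cq]]
            # The cell one step more likely (row above) must be at least as severe.
            if i > 0 and SEVERITY[matrix[LIKELIHOOD[i - 1]][cq]] < here:
                return False
            # The cell one step worse in consequence (column to the left) likewise.
            if j > 0 and SEVERITY[matrix[lk][CONSEQUENCE[j - 1]]] < here:
                return False
    return True


@dataclass
class Risk:
    name: str
    likelihood: str      # rating with no credit for existing controls
    consequence: str
    # Each existing control is recorded by the axis it lowers by one step
    # ("likelihood" or "consequence"); a constructed simplification.
    controls: list[str] = field(default_factory=list)


def step_down(scale: tuple[str, ...], value: str, steps: int) -> str:
    """Move `value` `steps` places towards the least severe end of `scale`."""
    return scale[min(scale.index(value) + steps, len(scale) - 1)]


def controlled_rating(risk: Risk) -> tuple[str, str, str]:
    """Step (d): rate the risk with existing controls taken into account."""
    lk = step_down(LIKELIHOOD, risk.likelihood, risk.controls.count("likelihood"))
    cq = step_down(CONSEQUENCE, risk.consequence, risk.controls.count("consequence"))
    return lk, cq, rate(lk, cq)


def evaluate(register: list[Risk]) -> list[dict]:
    """Step (e): decide which risks need treatment and in what priority."""
    rows = []
    for r in register:
        lk, cq, level = controlled_rating(r)
        rows.append({"risk": r.name, "likelihood": lk, "consequence": cq,
                     "level": level, "action": PRIORITY[level]})
    # Most severe first; the sort is stable, so register order breaks ties.
    rows.sort(key=lambda row: -SEVERITY[row["level"]])
    return rows


# Constructed register for illustration only.
REGISTER = [
    Risk("Key supplier failure", "Possible", "Major"),
    Risk("Data centre outage", "Likely", "Major", ["likelihood", "consequence"]),
    Risk("Minor regulatory fine", "Unlikely", "Minor"),
    Risk("Large customer payment default", "Likely", "Moderate", ["likelihood"]),
]

if __name__ == "__main__":
    if not is_monotone():
        raise SystemExit("matrix is not monotone; fix it before use")
    for row in evaluate(REGISTER):
        print(f"{row['risk']:<32} {row['likelihood']:<9} {row['consequence']:<9} "
              f"{row['level']:<7} {row['action']}")
```

Run as a script, the register prints with the supplier failure rated Red and the data centre outage dropping from Red to Yellow once its two existing controls are credited, which is the "existing controls are taken into account" point of step (d) made visible.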

Enterprise Risk Management Integrated Framework (COSO)

Recognizing the need for definitive guidance on enterprise risk management,
The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) initiated a project to develop a conceptually sound framework
providing integrated principles, common terminology and practical
implementation guidance supporting entities' programs to develop or
benchmark their enterprise risk management processes.

The resulting framework is what we know as The Enterprise Risk Management
Integrated Framework. This framework serves as a common basis for
managements, directors, regulators, academics and others to better
understand enterprise risk management, its benefits and limitations, and to
effectively communicate about enterprise risk management issues.

As already discussed in Chapter One, the COSO framework defines enterprise
risk management as:

a process, effected by an entity's board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risks to be
within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.

This definition reflects certain fundamental concepts. Enterprise risk
management:
- Is a process: it's a means to an end, not an end in itself
- Is effected by people: it's not merely policies, surveys and forms, but
  involves people at every level of an organization
- Is applied in strategy setting
- Is applied across the enterprise, at every level and unit, and includes taking
  an entity-level portfolio view of risks
- Is designed to identify events potentially affecting the entity and manage
  risk within its risk appetite
- Provides reasonable assurance to an entity's management and board
- Is geared to the achievement of objectives in one or more separate but
  overlapping categories.

This definition captures key concepts fundamental to how companies and
other organizations manage risk, providing a basis for application across
different types of organizations, industries and sectors. It focuses directly on
achievement of entity objectives. The definition also provides a basis for
defining enterprise risk management effectiveness.



Let us discuss the fundamental concepts outlined above in more details.

A Process
Enterprise risk management is not one event or circumstance, but a series of
actions that permeate an entity's activities. These actions are pervasive and
inherent in the way management runs the business.

Enterprise risk management is different from the perspective of some
observers who view it as something added on to an entity's activities, or as a
necessary burden. That is not to say effective enterprise risk management does
not require incremental effort. For instance, risk assessment may require
incremental effort to develop needed models and make necessary analysis and
calculations. However, these and other enterprise risk management
mechanisms are intertwined with an entity's operating activities and exist for
fundamental business reasons. Enterprise risk management is most effective
when these mechanisms are built into the entity's infrastructure and are part
of the essence of the enterprise. By building in enterprise risk management, an
entity can directly affect its ability to implement its strategy and achieve its
vision or mission.

Building in enterprise risk management also has important implications for
cost containment, especially in the highly competitive marketplaces many
companies face. Adding new procedures separate from existing ones adds
costs. By focusing on existing operations and their contribution to effective
enterprise risk management, and integrating risk management into basic
operating activities, an enterprise can avoid unnecessary procedures and
costs. And, a practice of building enterprise risk management into the fabric of
operations helps identify new opportunities for management to seize in
growing the business.

Effected by People
Enterprise risk management is effected by a board of directors, management
and other personnel. It is accomplished by the people of an organization, by
what they do and say.

People establish the entity's mission/vision, strategy and objectives and put
enterprise risk management mechanisms in place.



Similarly, enterprise risk management affects people's actions. Enterprise risk
management recognizes that people do not always understand, communicate
or perform consistently. Each individual brings to the workplace a unique
background and technical ability, and has different needs and priorities.

These realities affect, and are affected by, enterprise risk management. Each
person has a unique point of reference which influences how they identify,
assess and respond to risk. Enterprise risk management provides the
mechanisms needed to help people understand risk in the context of the
entity's objectives. People must know their responsibilities and limits of
authority. Accordingly, a clear and close linkage needs to exist between
people's duties and the way in which they are carried out, as well as with the
entity's strategy and objectives.

An organization's people include the board of directors and commissioners, as
well as management and other personnel. Although commissioners primarily
provide oversight, they also provide direction and together with board of
directors they approve strategy and certain transactions and policies. As such,
boards of commissioners are an important element of enterprise risk
management.

Applied in Setting Strategy

An entity sets out its mission or vision and establishes strategic objectives,
which are the high-level goals that align with and support its vision or mission.
An entity establishes a strategy for achieving its strategic objectives. It also
sets related objectives it wants to achieve, flowing from the strategy, cascading
to business units, divisions and processes. In setting strategy, management
considers risks relative to alternative strategies.

Applied Across the Enterprise

To successfully apply enterprise risk management, an entity must consider its
entire scope of activities. Enterprise risk management considers activities at
all levels of the organization, from enterprise-level activities such as strategic
planning and resource allocation, to business unit activities such as
marketing and human resources, to business processes such as production
and new customer credit review. Enterprise risk management also applies to
special projects and new initiatives that might not yet have a designated place
in the entity's hierarchy or organization chart.



Enterprise risk management requires an entity to take a portfolio view of risk.
This might involve each manager responsible for a business unit, function,
process or other activity developing an assessment of risk for the unit. The
assessment may be quantitative or qualitative. With a composite view at each
succeeding level of the organization, the board of directors is positioned to
make a determination whether the entity's overall risk profile is commensurate
with its risk appetite.

Management considers interrelated risks from an entity-level portfolio
perspective. Interrelated risks need to be identified and acted upon to bring the
entirety of risk within the entity's risk appetite. Risks for individual units of the
entity may be within the units' risk tolerances, but taken together may exceed
the risk appetite of the entity as a whole. The overall risk appetite is reflected
downstream in an entity through risk tolerances established for specific
objectives.

Risk Appetite
Risk appetite is the amount of risk an entity is willing to accept in pursuit of
value. Entities often consider risk appetite qualitatively, with such categories
as high, moderate or low, or they may take a quantitative approach, reflecting
and balancing goals for growth, return and risk.

Risk appetite is directly related to an entity's strategy. It is considered in
strategy setting, where the desired return from a strategy should be aligned
with the entity's risk appetite. Different strategies will expose the entity to
different risks. Enterprise risk management, applied in strategy setting, helps
management select a strategy consistent with the entity's risk appetite.

The entity's risk appetite guides resource allocation. Management allocates
resources across business units with consideration of the entity's risk appetite
and individual business units' strategy for generating a desired return on
invested resources. Management considers its risk appetite as it aligns its
organization, people and processes, and designs infrastructure necessary to
effectively respond to and monitor risks.

Risk tolerances are the acceptable level of variation relative to the achievement
of objectives. In setting specific risk tolerances, management considers the
relative importance of the related objectives and aligns risk tolerances with its
risk appetite. Operating within risk tolerances provides management greater
assurance that the entity will remain within its risk appetite and, in turn,
provides a higher degree of comfort that the entity will achieve its objectives.

Provides Reasonable Assurance

Well-designed and operated enterprise risk management can provide
management and the corporate boards reasonable assurance regarding
achievement of an entity's objectives. As a result of enterprise risk
management determined to be effective, in each of the categories of entity
objectives, the corporate boards and management gain reasonable assurance
that:
- They understand the extent to which the entity's strategic objectives are
  being achieved,
- They understand the extent to which the entity's operations objectives are
  being achieved,
- The entity's reporting is reliable, and
- Applicable laws and regulations are being complied with.

Reasonable assurance reflects the notion that uncertainty and risk relate to
the future, which no one can predict with certainty. Limitations also result
from the realities that human judgment in decision making can be faulty,
decisions on risk responses and establishing controls need to consider the
relative costs and benefits, breakdowns can occur because of human failures
such as simple errors or mistakes, controls can be circumvented by collusion
of two or more people, and management has the ability to override enterprise
risk management decisions. These limitations preclude board of directors and
commissioners from having absolute assurance that objectives will be
achieved.

Achievement of Objectives
Effective enterprise risk management can be expected to provide reasonable
assurance of achieving objectives relating to the reliability of reporting and to
compliance with laws and regulations. Achievement of those categories of
objectives is within the entity's control and depends on how well the entity's
related activities are performed.

However, achievement of strategic and operations objectives is not always
within the entity's control. For these objectives, enterprise risk management
can provide reasonable assurance only that the board of directors, and the
board of commissioners in its oversight role, are made aware, in a timely
manner, of the extent to which the entity is moving toward achievement of the
objectives.

Components of Enterprise Risk Management

According to this framework, enterprise risk management consists of eight
interrelated components. These are derived from the way management runs a
business, and are integrated with the management process. The components
are:
(a) Internal environment
(b) Objective setting
(c) Event identification
(d) Risk assessment
(e) Risk response
(f) Control activities
(g) Information and communication
(h) Monitoring

Let us consider each of these components in the following paragraphs.

Internal Environment
The entity's internal environment is the foundation for all other components of
enterprise risk management, providing discipline and structure. The internal
environment influences how strategy and objectives are established, business
activities are structured and risks are identified, assessed and acted upon. It
influences the design and functioning of control activities, information and
communication systems, and monitoring activities.

The internal environment comprises many elements, including an entity's
ethical values, competence and development of personnel, management's
operating style and how it assigns authority and responsibility. The board of
directors and commissioners are critical parts of the internal environment and
significantly influence other internal environment elements.

As part of the internal environment, the board of directors establishes a risk
management philosophy, establishes the entity's risk appetite, forms a risk
culture and integrates enterprise risk management with related initiatives.

An enterprise risk management philosophy that is understood by all
personnel facilitates employees' ability to recognize and effectively manage
risk. The philosophy (the entity's beliefs about risk and how it chooses to
conduct its activities and deal with risk) reflects the value the entity seeks from
enterprise risk management and influences how enterprise risk management
components will be applied. The board of directors communicates its
enterprise risk management philosophy to employees through policy
statements and other communications. Importantly, the board of directors
reinforces the philosophy not only with words but with everyday actions as
well.

Risk appetite, established by board of directors and reviewed by the board of
commissioners, is a guidepost in strategy setting. Usually any of a number of
different strategies can be designed to achieve desired growth and return
goals, each having different associated risks. Enterprise risk management,
applied in strategy setting, helps management select a strategy consistent
with its risk appetite. Management looks to align the organization, people,
processes and infrastructure to facilitate successful strategy implementation
and enable the entity to stay within its risk appetite.

Risk culture is the set of shared attitudes, values and practices that
characterize how an entity considers risk in its day-to-day activities. For many
companies, the risk culture flows from the entity's risk philosophy and risk
appetite. For those entities that do not explicitly define their risk philosophy,
the risk culture may form haphazardly, resulting in significantly different risk
cultures within an enterprise or even within a particular business unit,
function or department.

Objective Setting
Within the context of the established mission or vision, board of directors
establishes strategic objectives, selects strategy and establishes related
objectives, cascading through the enterprise and aligned with and linked to
the strategy. Objectives must exist before management can identify events
potentially affecting their achievement. Enterprise risk management ensures
that the board of directors and management have a process in place both to
set objectives and to align them with the entity's mission/vision, and that the
objectives are consistent with the entity's risk appetite.

According to the COSO framework, there are four categories of objectives,
namely strategic, operations, reporting, and compliance objectives, as seen in
Figure 2.4.



Figure 2.4 Categories of objectives

Strategic objectives - Relating to high-level goals, aligned with and supporting
the entity's mission/vision.

Operations objectives - Relating to effectiveness and efficiency of the entity's
operations, including performance and profitability goals. They vary based on
board of directors' choices about structure and performance.

Compliance objectives - Relating to the entity's compliance with applicable
laws and regulations.

Reporting objectives - Relating to the effectiveness of the entity's reporting.
They include internal and external reporting and may involve financial or
non-financial information.

This categorization of entity objectives (Figure 2.4) allows the board of
directors and commissioners to focus on separate aspects of enterprise risk
management. These distinct but overlapping categories (a particular objective
can fall under more than one category) address different entity needs and may
be the direct responsibility of different executives. This categorization also
allows distinguishing between what can be expected from each category of
objectives.

Some entities use another category of objectives, "safeguarding of resources,"
sometimes referred to as "safeguarding of assets." Viewed broadly, these deal
with prevention of loss of an entity's assets or resources, whether through
theft, waste, inefficiency or what turns out to be simply bad business decisions
- such as selling product at too low a price, failing to retain key employees or
prevent patent infringement, or incurring unforeseen liabilities. This
broad-based safeguarding of assets category may be narrowed for certain
reporting purposes, where the safeguarding concept applies only to the
prevention or timely detection of unauthorized acquisition, use, or disposition
of the entity's assets.

Event Identification
The board of directors recognizes that uncertainties exist: it cannot know with
certainty whether and when an event will occur, or its outcome should it occur.
As part of event identification, the board of directors and management
consider external and internal factors that affect event occurrence. External
factors include economic, business, natural environment, political, social and
technological factors. Internal factors reflect management's choices and
include such matters as infrastructure, personnel, process and technology.

Event identification methodology may comprise a combination of techniques
together with supporting tools. Event identification techniques look to both
the past and the future. Techniques that focus on past events and trends
consider such matters as payment default histories, changes in commodity
prices and lost-time accidents. Techniques that focus on future exposures
consider such matters as shifting demographics, new markets and competitor
actions.

It may be useful to group potential events into categories. By aggregating
events horizontally across an entity and vertically within operating units, the
board of directors and management develop an understanding of the
interrelationships between events, gaining enhanced information as a basis
for risk assessment.

Events potentially have a negative impact, a positive impact or both. Events
that have a potentially negative impact represent risks, which require
management's assessment and response. Accordingly, risk is defined as the
possibility that an event will occur and adversely affect the achievement of
objectives.

Events with a potentially positive impact represent opportunities or offset the
negative impact of risks. Events representing opportunities are channelled
back to management's strategy or objective-setting processes, so that actions
can be formulated to seize the opportunities. Events potentially offsetting the
negative impact of risks are considered in management's risk assessment and
response.

Risk Assessment
Risk assessment allows an entity to consider how potential events might affect
the achievement of objectives. Management assesses events from two
perspectives: likelihood and impact.

Likelihood represents the possibility that a given event will occur, while impact
represents its effect should it occur. Estimates of risk likelihood and impact
often are determined using data from past observable events, which may
provide a more objective basis than entirely subjective estimates. Internally
generated data based on an entity's own experience may reflect less subjective
personal bias and provide better results than data from external sources.
However, even where internally generated data are a primary input, external
data can be useful as a checkpoint or to enhance the analysis. Users must be
cautious when using past events to make predictions about the future, as
factors influencing events may change over time.

An entity's risk assessment methodology normally comprises a combination of
qualitative and quantitative techniques. Management often uses qualitative
assessment techniques where risks do not lend themselves to quantification or
when sufficient credible data required for quantitative assessments either are
not practicably available or obtaining or analyzing data are not cost-effective.

Quantitative techniques typically bring more precision and are used in more
complex and sophisticated activities to supplement qualitative techniques. An
entity need not use common assessment techniques across all business units.
Rather, the choice of techniques should reflect the need for precision and the
culture of the business unit. In any event, the methods used by individual
business units should facilitate the entity's assessment of risks across the
entity.

Management often uses performance measures in determining the extent to
which objectives are being achieved. It may be useful to use the same unit of
measure when considering the potential impact of a risk to the achievement of
a specified objective.

Management may assess how events correlate, where sequences of events
combine and interact to create significantly different probabilities or impacts.
While the impact of a single event might be slight, a sequence of events might
have more significant impact. Where potential events are not directly related,
management assesses them individually; where risks are likely to occur within
multiple business units, management may assess and group identified events
into common categories.

There is usually a range of possible results associated with a potential event,
and management considers them as a basis for developing a risk response.
Through risk assessment, management considers the positive and negative
consequences of potential events, individually or by category, across the entity.


Because risks are assessed in the context of an entity's strategy and objectives,
management often tends to focus on risks with short- to mid-term time
horizons. However, some elements of strategic direction and objectives extend
to the longer term. As a result, management needs to be cognizant of the longer
timeframes, and not ignore risks that might be further out.

Risk assessment is applied first to inherent risk, the risk to the entity in the
absence of any actions management might take to alter either the risk's
likelihood or impact. Once risk responses have been developed, management
then uses risk assessment techniques in determining residual risk, the risk
remaining after management's action to alter the risk's likelihood or impact.

Risk Response
Management identifies risk response options and considers their effect on
event likelihood and impact, in relation to risk tolerances and costs versus
benefits, and designs and implements response options. The consideration of
risk responses and selecting and implementing a risk response are integral to
enterprise risk management. Effective enterprise risk management requires
that management select a response that is expected to bring risk likelihood
and impact within the entity's risk tolerance.

Risk responses fall within the categories of risk avoidance, reduction, sharing
and acceptance (see Figure 2.5). As part of enterprise risk management, for
each significant risk an entity considers potential responses from a range of
response categories. This gives sufficient depth to response selection and also
challenges the "status quo."

Figure 2.5 Categories of risk responses

Avoidance - Avoidance responses take action to exit the activities that give
rise to the risks.

Reduction - Reduction responses reduce risk likelihood, impact, or both.

Risk acceptance - Acceptance responses take no action to affect likelihood or
impact.

Sharing - Sharing responses reduce risk likelihood or impact by transferring or
otherwise sharing a portion of the risk.



Having selected a risk response, management recalibrates the risk on a
residual basis. Board of directors considers risk from an entity-wide, or
portfolio, perspective. The board may take an approach in which the manager
responsible for each department, function or business unit develops a
composite assessment of risks and risk responses for that unit. This view
reflects the risk profile of the unit relative to its objectives and risk tolerances.
With a view of risk for individual units, the board of directors is positioned to
take a portfolio view, to determine whether the entity's risk profile is
commensurate with its overall risk appetite relative to its objectives.
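The portfolio view just described, the inherent/residual distinction, and the four response categories of Figure 2.5 can be put together in a small model. The following Python is an added example, not part of the COSO framework or of this book. The units, risks, tolerances and appetite figures are constructed, and exposure is measured as expected loss (likelihood multiplied by impact), one quantitative approach among those the framework permits; the parameters attached to each response (a multiplier for reduction, a transferred fraction for sharing) are likewise assumptions made for illustration. The data are chosen so that every unit sits inside its own tolerance while the entity as a whole exceeds its appetite, which is exactly the situation the text warns about.

```python
"""Inherent risk, risk responses, residual risk and the entity-level portfolio
view. Added example: the units, risks, tolerances and appetite are constructed,
and exposure is measured as expected loss (likelihood x impact), one
quantitative approach among those the framework permits."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Response:
    """One of the four response categories of Figure 2.5 with its parameters."""
    kind: str                        # "avoid", "reduce", "share" or "accept"
    likelihood_factor: float = 1.0   # reduce: multiplier applied to likelihood
    impact_factor: float = 1.0       # reduce: multiplier applied to impact
    shared_fraction: float = 0.0     # share: portion transferred to a third party


@dataclass
class Risk:
    name: str
    likelihood: float                # probability of the event in the period
    impact: float                    # loss if it occurs, in currency units
    response: Response = field(default_factory=lambda: Response("accept"))

    def inherent(self) -> float:
        """Exposure before any management action."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Exposure remaining after the selected response."""
        r = self.response
        if r.kind == "avoid":        # exit the activity: the risk is gone
            return 0.0
        if r.kind == "reduce":       # lower likelihood, impact or both
            return (self.likelihood * r.likelihood_factor) * (self.impact * r.impact_factor)
        if r.kind == "share":        # transfer a portion, keep the rest
            return self.inherent() * (1.0 - r.shared_fraction)
        if r.kind == "accept":       # no action taken
            return self.inherent()
        raise ValueError(f"unknown response kind {r.kind!r}")


@dataclass
class Unit:
    """A business unit with its own risk tolerance and risk register."""
    name: str
    tolerance: float                 # acceptable residual expected loss for the unit
    risks: list[Risk]

    def residual(self) -> float:
        return sum(r.residual() for r in self.risks)

    def within_tolerance(self) -> bool:
        return self.residual() <= self.tolerance


def portfolio_view(units: list[Unit], appetite: float) -> dict:
    """Roll each unit's composite assessment up to the entity and compare the
    total with the entity's risk appetite. Every unit can be inside its own
    tolerance while the entity as a whole is outside its appetite."""
    total = sum(u.residual() for u in units)
    return {
        "unit_breaches": [u.name for u in units if not u.within_tolerance()],
        "entity_residual": total,
        "within_appetite": total <= appetite,
    }


# Constructed data: three units, each within its tolerance after responses.
APPETITE = 100.0
UNITS = [
    Unit("Retail", tolerance=60.0, risks=[
        Risk("Card fraud", 0.2, 200.0, Response("reduce", likelihood_factor=0.5)),
        Risk("Branch system outage", 0.1, 300.0, Response("share", shared_fraction=0.5)),
    ]),
    Unit("Corporate", tolerance=60.0, risks=[
        Risk("Large borrower default", 0.2, 250.0),           # accepted as is
    ]),
    Unit("Treasury", tolerance=40.0, risks=[
        Risk("FX loss", 0.5, 100.0, Response("reduce", 0.5, 0.8)),
        Risk("Untested new product", 0.3, 100.0, Response("avoid")),
    ]),
]

if __name__ == "__main__":
    view = portfolio_view(UNITS, APPETITE)
    for u in UNITS:
        print(f"{u.name:<10} residual {u.residual():6.1f} tolerance {u.tolerance:6.1f} "
              f"{'ok' if u.within_tolerance() else 'BREACH'}")
    print(f"Entity residual {view['entity_residual']:.1f} vs appetite {APPETITE:.1f}: "
          f"{'within' if view['within_appetite'] else 'exceeds'} appetite")
```

With these figures the three units report residual exposures of 35, 50 and 20 against tolerances of 60, 60 and 40, so no unit breaches, yet the entity total of 105 exceeds the appetite of 100. That gap is only visible from the composite view the board takes; it cannot be seen from any one unit's register.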

Board of directors and management should recognize that some level of
residual risk will always exist, not only because resources are limited, but also
because of inherent future uncertainty and limitations inherent in all
activities.

Control Activities
Control activities are the policies and procedures that help ensure risk
responses are properly executed. Control activities occur throughout the
organization, at all levels and in all functions. Control activities are part of the
process by which an enterprise strives to achieve its business objectives. They
usually involve two elements: a policy establishing what should be done and
procedures to affect the policy.

With widespread reliance on information systems, controls are needed over


significant systems. Two broad groupings of information systems control
activities can be used. The first is general controls, which apply to many if not
all application systems and help ensure their continued, proper operation. The
second is application controls, which include computerized steps within
application software to control the technology application. Combined with
other manual process controls where necessary, these controls ensure
completeness, accuracy and validity of information.

General controls include controls over information technology management, information technology infrastructure, security management and software acquisition, development and maintenance. These controls apply to all systems, from mainframe to client/server to desktop computing environments. General controls include information technology management controls addressing the information technology oversight process, monitoring and reporting information technology activities, and business improvement initiatives.



Application controls are designed to ensure completeness, accuracy,
authorization and validity of data capture and transaction processing.
Individual applications may rely on effective operation of controls over
information systems to ensure that interface data are generated when needed,
supporting applications are available and interface errors are detected
quickly.
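As an added illustration that is not part of the original book, the following Python script shows what the four application-control objectives named above (completeness, accuracy, authorization and validity of data capture and transaction processing) look like in code. A batch of transactions is reconciled against the record count and control total in its header, each amount is checked for well-formedness, each approver is checked against a signing-limit table, and each account and posting date is checked for validity. The batch, the chart of accounts, the approvers and their limits are all constructed for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample batch: the header carries the control totals the sending
# system computed, the records are what actually arrived. All values are made up.
BATCH_HEADER = {"batch_id": "B-0001", "record_count": 4, "control_total": Decimal("1570.00")}
BATCH_RECORDS = [
    {"txn_id": "T1", "account": "ACC-100", "amount": "500.00", "approved_by": "alice", "posted": "2024-03-01"},
    {"txn_id": "T2", "account": "ACC-200", "amount": "700.00", "approved_by": "bob",   "posted": "2024-03-01"},
    {"txn_id": "T3", "account": "ACC-999", "amount": "250.00", "approved_by": "carol", "posted": "2024-03-02"},
    {"txn_id": "T4", "account": "ACC-100", "amount": "12x.00", "approved_by": "alice", "posted": "2024-03-02"},
]
# Reference data the control consults (constructed): the chart of accounts and
# the approvers with their signing limits. "carol" is deliberately absent.
VALID_ACCOUNTS = {"ACC-100", "ACC-200", "ACC-300"}
APPROVAL_LIMITS = {"alice": Decimal("1000.00"), "bob": Decimal("500.00")}
AS_OF = date(2024, 3, 31)  # processing date used for the posting-date check


def check_batch(header, records, valid_accounts=VALID_ACCOUNTS,
                approval_limits=APPROVAL_LIMITS, as_of=AS_OF):
    """Run the four application-control checks over one batch.

    Returns a list of (subject, control, message) exceptions; an empty list
    means the batch passed. 'subject' is the txn_id, or 'BATCH' for batch-level
    findings.
    """
    exceptions = []

    # Completeness (1/2): the number of records received must equal the count
    # the sending system declared in the header.
    if len(records) != header["record_count"]:
        exceptions.append(("BATCH", "completeness",
                           f"expected {header['record_count']} records, got {len(records)}"))

    received_total = Decimal("0")
    for rec in records:
        txn = rec["txn_id"]

        # Accuracy: the amount must parse as a positive monetary value.
        try:
            amount = Decimal(rec["amount"])
            if amount <= 0:
                raise InvalidOperation
        except InvalidOperation:
            exceptions.append((txn, "accuracy", f"malformed or non-positive amount {rec['amount']!r}"))
            continue  # the remaining checks need a usable amount
        received_total += amount

        # Validity: the account must exist and the posting date must not be in the future.
        if rec["account"] not in valid_accounts:
            exceptions.append((txn, "validity", f"unknown account {rec['account']}"))
        if date.fromisoformat(rec["posted"]) > as_of:
            exceptions.append((txn, "validity", f"posting date {rec['posted']} is after {as_of}"))

        # Authorization: the approver must be on the list and within their limit.
        limit = approval_limits.get(rec["approved_by"])
        if limit is None:
            exceptions.append((txn, "authorization", f"{rec['approved_by']} is not an authorized approver"))
        elif amount > limit:
            exceptions.append((txn, "authorization",
                               f"amount {amount} exceeds {rec['approved_by']}'s limit {limit}"))

    # Completeness (2/2): the sum of well-formed amounts must equal the control total.
    if received_total != header["control_total"]:
        exceptions.append(("BATCH", "completeness",
                           f"control total {header['control_total']} != received {received_total}"))
    return exceptions


if __name__ == "__main__":
    for subject, control, message in check_batch(BATCH_HEADER, BATCH_RECORDS):
        print(f"{subject:6} {control:14} {message}")
```

Note how the checks reinforce each other: the malformed amount on T4 is excluded from the received total, so even if the accuracy finding were ignored, the control-total reconciliation would still flag the batch. In a real system the exceptions list would feed a suspense queue or an exception report rather than being printed.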

Because each entity has its own set of objectives and implementation
approaches, there will be differences in objectives, structure and related
control activities. Even if two entities had identical objectives and structures,
their control activities would likely be different. Each entity is managed by
different people who use individual judgments in effecting internal control.
Moreover, controls reflect the environment and industry in which an entity
operates, as well as the complexity of its organization, its history and its
culture.

Information and Communication
Information is needed at all levels of an organization to identify, assess and respond to risks, and to otherwise run the entity and achieve its objectives. Relevant information from internal and external sources must be identified, captured and communicated in a form and timeframe that enable personnel to carry out their responsibilities. This flow of information takes place throughout the organization, flowing down, across and up the entity and to external parties, such as customers, suppliers, regulators and shareholders.

The challenge for management is to process and refine large volumes of data
into actionable information. This challenge is met by establishing an
information systems infrastructure to source, capture, and process, analyze
and report relevant information. These information systems usually
computerized but also involving manual inputs or interfaces often are viewed
in the context of processing internally generated data relating to transactions.

To support effective enterprise risk management, an entity captures and uses historical and current data. Historical data allows the entity to track actual performance against targets, plans and expectations. It provides insights into how the entity performed under varying conditions, allowing management to identify correlations and trends and to forecast future performance. Historical data also can provide early warning of potential events that warrant management attention.



Present or current state data allow an entity to assess its risks at a specific
point in time and remain within established risk tolerances. Current state data
allow management to take a real-time view of existing risks inherent in a
process, function or unit and to identify variations from expectations. This
provides a view of the entity's risk profile, enabling management to alter
activities as necessary to calibrate to its risk appetite.

Information is a basis for communication, which must meet the expectations of groups and individuals, enabling them to effectively carry out their responsibilities. Among the most critical communications channels is that between the board of directors/top management and the board of commissioners. Board of directors and management must keep the board of commissioners up-to-date on performance, developments, risks and the functioning of enterprise risk management, and other relevant events and issues. The better the communication, the more effective the board of commissioners will be in carrying out its oversight responsibilities, in acting as a sounding board on critical issues and in providing advice, counsel and direction. By the same token, the board of commissioners should communicate to the board of directors/management what information it needs and provide feedback and direction.

Board of directors provides specific and directed communication addressing behavioural expectations and the responsibilities of personnel. This includes a clear statement of the entity's enterprise risk management philosophy and approach and delegation of authority. Communication about processes and procedures should align with, and underpin, the desired risk culture. In addition, communication should be appropriately "framed": the presentation of information can significantly affect how it is interpreted and how the associated risks or opportunities are viewed.

Communication should raise awareness about the importance and relevance of effective enterprise risk management, communicate the entity's risk appetite and risk tolerances, implement and support a common risk language, and advise personnel of their roles and responsibilities in effecting and supporting the components of enterprise risk management.

Communications channels also should ensure personnel can communicate risk-based information across business units, processes or functional silos. In most cases, normal reporting lines in an organization are the appropriate channels of communication. In some circumstances, however, separate lines of communication are needed to serve as a fail-safe mechanism in case normal channels are inoperative. In all cases, it is important that personnel understand that there will be no reprisals for reporting relevant information.

External communications channels can provide highly significant input on the design or quality of products or services. Management considers how its risk appetite and risk tolerances align with those of its customers, suppliers and partners, ensuring that it does not inadvertently take on too much risk through its business interactions. Communication from external parties often provides important information on the functioning of enterprise risk management.

Monitoring
Enterprise risk management is monitored, a process that assesses both the
presence and functioning of its components and the quality of their
performance over time. Monitoring can be done in two ways: through ongoing
activities or separate evaluations. Ongoing and separate monitoring ensures
that enterprise risk management continues to be applied at all levels and
across the entity.

Ongoing monitoring is built into the normal, recurring operating activities of an entity. Ongoing monitoring is performed on a real-time basis, reacts dynamically to changing conditions and is ingrained in the entity. As a result, it is more effective than separate evaluations. Since separate evaluations take place after the fact, problems often will be identified more quickly by ongoing monitoring routines. Many entities with sound ongoing monitoring activities nonetheless conduct separate evaluations of enterprise risk management.

The frequency of separate evaluations is a matter of management's judgment. In making that determination, consideration is given to the nature and degree of changes, from both internal and external events, and their associated risks; the competence and experience of the personnel implementing risk responses and related controls; and the results of the ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that enterprise risk management maintains its effectiveness over time.

The extent of documentation of an entity's enterprise risk management varies with the entity's size, complexity and similar factors. The fact that elements of enterprise risk management are not documented does not mean that they are not effective or that they cannot be evaluated. However, an appropriate level of documentation usually makes monitoring more effective and efficient. Where management intends to make a statement to external parties regarding enterprise risk management effectiveness, it should consider developing and retaining documentation to support the statement.

All enterprise risk management deficiencies that affect an entity's ability to develop and implement its strategy and to achieve its established objectives should be reported to those positioned to take necessary action. The nature of matters to be communicated will vary depending on individuals' authority to deal with circumstances that arise and on the oversight activities of superiors. The term "deficiency" refers to a condition within the enterprise risk management process worthy of attention. A deficiency, therefore, may represent a perceived, potential or real shortcoming, or an opportunity to strengthen the process to increase the likelihood that the entity's objectives will be achieved. Information generated in the course of operating activities usually is reported through normal channels. Alternative communications channels also should exist for reporting sensitive information such as illegal or improper acts.

Providing needed information on enterprise risk management deficiencies to the right party is critical. Protocols should be established to identify what information is needed at a particular level for effective decision making. Such protocols reflect the general rule that a manager should receive information that affects actions or behaviour of personnel under his or her responsibility, as well as information needed to achieve specific objectives.

Risk governance
All the above discussion provides us with a relatively comprehensive understanding of how risk governance should be established in an organization. It becomes clear that the primary responsibility of the corporate boards (board of commissioners and board of directors) is to ensure that they develop a clear understanding of the company's business strategy and the fundamental risks and rewards that this implies. The boards also need to make sure that risks are made transparent to all stakeholders through adequate internal and external disclosure.



Although the board of commissioners is not there to manage the business, it is responsible for overseeing management and holding it accountable. It must also contribute to the development of the overall strategic plan for the firm, taking into consideration how any changes might affect business opportunities and the strategy of the firm. This necessarily includes the extent and types of risks that are acceptable for the firm; i.e., the board must characterize an appropriate "risk appetite" for the firm.

In particular, the board should ensure that business and risk management strategies are directed at economic rather than accounting performance, contrary to what happened at Enron and some of the other firms involved in highly publicized corporate governance scandals.

To fulfill its risk governance responsibilities, the board of commissioners along with the board of directors must ensure that the firm has put in place an effective risk management program that is consistent with these fundamental strategic and risk appetite choices. And it must make sure that appropriate policies, methodologies, and infrastructure are in place. The infrastructure, as already mentioned previously, includes both operating elements (e.g., sophisticated software, hardware, data, and operational processes) and personnel.

An effective board of commissioners will establish strong ethical standards. Some best-practice banks have recently set up ethics committees to try to make sure that "soft" risks such as unethical business practices don't slip through the mesh of their "hard" risk reporting framework.

The board should also ensure that the information it obtains about risk management is accurate and reliable. The board of commissioners should demonstrate healthy skepticism and require information from a cross section of knowledgeable and reliable sources, such as the CEO, senior management, and internal and external auditors. Commissioners should be prepared to ask tough questions, and they should make themselves able to understand the answers.

The board of commissioners, however, should refrain from undertaking risk management on a day-to-day basis; rather, it should make sure that all mechanisms used to make risk management decisions are functioning properly.



Review questions
Five multiple-choice questions for a review of the material in Chapter Two.

1. Name three major types of risk traditionally recognized.
(a) Market risk, credit risk, and financial risk.
(b) Market risk, financial risk, and operational risk.
(c) Business risk, market risk, and financial risk.
(d) Market risk, credit risk, and operational risk.

2. The following gives the correct elements of the risk management process according to AS/NZS 4360: 2004, except for:
(a) Establish the context
(b) Identify and analyze risks
(c) Treat risk and monitor and review.
(d) Internal environment.

3. Risk reduction response means:
(a) Take action to exit the activities that give rise to the risks
(b) Reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk
(c) Take no action to affect likelihood or impact
(d) Reduce risk likelihood, impact, or both.

4. Taking the Indonesian context into account, according to the COSO Enterprise Risk Management Integrated Framework, who is responsible for establishing an entity's risk appetite?
(a) Management and reviewed by board of commissioners and board of directors
(b) Board of commissioners
(c) Board of directors.
(d) Board of directors and reviewed by board of commissioners

5. The following are components of enterprise risk management according to the COSO framework, except for:
(a) Internal environment
(b) Objective setting
(c) Risk assessment
(d) Risk governance



CHAPTER III PUTTING ERM INTO CONTEXT

Chapter Three is our effort to put ERM into the Indonesian context: its related corporate regulations, whether for private, public or state-owned enterprises, its legal and litigation risk, its culture and circumstances. This chapter will provide the readers with a contextual understanding of the relevance and importance of ERM in Indonesia's business and regulatory environment today. By the end of this chapter we also mention the important roles of the committees to the board in ensuring that risk management policies and strategies (i.e., its risk appetite and tolerances) are transmitted and monitored down the lines.

Risk Environment
Since a company does not operate in a vacuum, but rather owes its very existence to its environment, it is subject or exposed to any relevant or related rules and regulations. For that reason, the regulator and regulatory environment become very crucial to consider and comprehend. In fact, the very basic requirement of a sound risk management practice is that a company is run in compliance with all relevant and related rules and regulations.

For a state-owned enterprise (SOE), for instance, the regulator and regulatory environment could be so extensive that it may be subject to the requirements of the state constitution, company law (UUPT), SOE law (UU BUMN), capital market law (UU Pasar Modal), capital market rules and regulations, public rules and regulations, etc. See Figure 3.1. If it is a bank, then it is also subject to the rules issued by the central bank such as Peraturan Bank Indonesia (PBI). These rules and regulations are sometimes incongruent, even contradictory, to each other! Inherently the risk exposures for this SOE are already high enough.

This legal and regulatory environment is so extensive that it should be classified specifically as legal and regulatory risk. The exposures of this risk could arise either from non-compliance, such as engaging in an illegal transaction, or from the potential impact of a change in law. A change in tax law, for example, could create unexpected losses, such as when the British government changed the tax code to remove a particular tax benefit during the summer of 1997 and one major investment bank suffered huge losses.
We need to realize that this risk is also closely related to reputation risk. An exposed breach of the law will have a direct impact on your reputation, both corporate and individual. Reputation risk poses a special threat to financial institutions because the nature of their business depends on the confidence of customers, creditors, regulators, and the general marketplace. In a survey released in August 2004 by PricewaterhouseCoopers (PWC) and the Economist Intelligence Unit (EIU), 34 percent of the 134 international bank respondents believed that reputation risk is the biggest risk to market and shareholder value faced by banks, while market and credit risk scored only 25 percent each.

Risk management and board accountability
The recent regulations across many sectors, banking, corporations, and government agencies alike, driven by corporate governance issues, have brought in a better understanding of the fiduciary duties of the Indonesian corporate boards. More than before, corporate boards are required to be more responsible in running their companies, and this fact exposes them to legal/regulatory and litigation risk.

Any company, i.e., a limited company (or "Perseroan Terbatas"), is bound by the Indonesian company law (Undang-undang Republik Indonesia No. 1 Tahun 1995), which, while this book was being written, was in the process of amendment. The company law introduces two board rooms, not the single board room which is common under the Anglo-Saxon system: they are the board of directors (the executive board) and the board of commissioners (the oversight board). Both boards are responsible to the shareholders through the General Meeting of the Shareholders (GMOS). The corporate boards and their relationship to each other and to the shareholders (i.e., through the General Meeting of the Shareholders/GMOS) can be seen in Figure 3.2.

Figure 3.2 - Indonesia's limited company's organs

This two-board-room model is actually a conducive environment for a check-and-balance mechanism between the executive role of the BoD and the oversight role of the BoC, provided it works effectively. Working effectively, this mechanism will inherently provide a strong control environment, right from the top. Otherwise, it will create unnecessary friction and resistance from both sides, or an abusive relationship, which will expose the company's effective decision-making process to inherent risks.

Furthermore, according to the law, governing and managing a company is the execution of the fiduciary duty of the two boards. This fiduciary duty is a very important doctrine in our company law, that is to ensure that the company will be governed and managed responsibly and all members of the board will be held responsible and accountable for all the corporate actions, see Figure 3.3.

Risk appetite and tolerance
Since each sector has its own characteristics, driven by all related regulations and market uniqueness, it requires that Indonesian corporate boards should be able to develop the appropriate risk appetite and tolerance, balancing the return and risk profile of the company.

Risk appetite and risk tolerances (in terms of limits) along with a statement of commitment to risk management are formulated as the risk policy of a company. We have mentioned that at a best-practice institution, everything flows from a clear and agreed-upon risk management policy at the top. Thus it is a very sound practice for the board of directors to approve a clear notion of the institution's risk appetite and how this can be linked to a system of limits and risk metrics.

Without this kind of platform, it's very difficult for risk managers further down
the management chain to make key decisions on how they approach and
measure risk. For example, without a clearly communicated concept of an
institution's risk appetite, how would risk managers define a "worst-case risk"
in any extreme risk scenario analysis?

Risk appetite is the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals, while risk tolerances are the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite. Operating within risk tolerances provides management greater assurance that the entity will remain within its risk appetite and, in turn, provides a higher degree of comfort that the entity will achieve its objectives.

Board of Directors considers the entity's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.

Thus, it is clear that risk appetite is directly related to an entity's strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity's risk appetite. Different strategies will expose the entity to different risks.

The entity's risk appetite guides resource allocation. Management allocates resources across business units with consideration of the entity's risk appetite and individual business units' strategy for generating a desired return on invested resources. Management considers its risk appetite as it aligns its organization, people and processes, and designs infrastructure necessary to effectively respond to and monitor risks.

A clear definition of the organization's risk appetite in terms of its risk policies and risk tolerance constitutes an element of a strong commitment at the top, along with an appropriate organizational structure and the awareness that the boards need to ensure that their behavior is in line with their risk management policy. As already discussed in an earlier chapter, this is to ensure the integration of risk into a company's culture and values.

A board of directors with a sound understanding of the risk profile of its key existing or anticipated business lines can support aggressive strategic decisions with much more confidence. The adoption of sophisticated risk measures such as Value-at-Risk (VaR) and economic capital could be very useful in this case, not only as a way of setting risk limits but also in helping the institution decide which business lines are profitable (once risk is taken into account).

Since the boards have to be able to consider risk from an entity-wide, or portfolio, perspective, taking into consideration all related and applicable regulations, they need to establish a process where managers are assigned to develop a composite assessment of risks and risk responses for the units they are responsible for. The output of the process should be the risk profile of the unit relative to its objectives and risk tolerances. With a view of risk for individual units, the board of directors is positioned to take a portfolio view and to determine whether the entity's risk profile is commensurate with its overall risk appetite relative to its objectives.
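To make the cascade from a board-approved appetite down to unit tolerances, and back up from unit risk profiles to a portfolio view, concrete, here is an added Python example that is not taken from the book. It assumes a simple additive model in which every unit's exposure is expressed in one common risk measure (for instance expected loss in a currency unit) and unit tolerances are meant to add up to the entity's appetite; the proportional allocation rule, the business units, their weights and their exposure figures are all constructed for the illustration.

```python
import math
from dataclasses import dataclass

# Board-approved risk appetite for the whole entity, in a common risk measure
# (hypothetical figure; the unit is whatever the entity's risk metric uses).
ENTITY_APPETITE = 100.0


@dataclass
class UnitRiskProfile:
    """Composite assessment a unit manager reports upward (constructed)."""
    name: str
    exposure: float   # current measured risk of the unit
    tolerance: float  # limit assigned to the unit by management


def allocate_tolerances(appetite, weights):
    """Cascade the appetite into unit tolerances in proportion to the given
    weights, so that the tolerances add up exactly to the appetite.
    (A simple proportional rule chosen for the example, not a prescribed method.)"""
    total_weight = sum(weights.values())
    return {unit: appetite * w / total_weight for unit, w in weights.items()}


def cascade_is_consistent(profiles, appetite):
    """Under the additive assumption the unit tolerances must not sum to more
    than the appetite; otherwise every unit can sit inside its own limit while
    the entity as a whole is outside its appetite."""
    return sum(p.tolerance for p in profiles) <= appetite or \
        math.isclose(sum(p.tolerance for p in profiles), appetite)


def unit_status(profile):
    """What the unit manager sees: utilisation of the tolerance and a breach flag."""
    if profile.tolerance <= 0:
        utilisation = math.inf
    else:
        utilisation = profile.exposure / profile.tolerance
    return {"unit": profile.name,
            "utilisation": round(utilisation, 2),
            "breached": profile.exposure > profile.tolerance}


def portfolio_view(profiles, appetite):
    """What the board sees: aggregate exposure against the entity's appetite,
    the units outside their own tolerance, and whether the cascade itself is sound."""
    total = sum(p.exposure for p in profiles)
    return {
        "total_exposure": total,
        "within_appetite": total <= appetite,
        "headroom": appetite - total,
        "unit_breaches": [p.name for p in profiles if p.exposure > p.tolerance],
        "tolerances_consistent": cascade_is_consistent(profiles, appetite),
    }


# Constructed example: three business units reporting their composite assessments.
# The tolerances were set unit by unit and add up to 110, more than the appetite.
UNITS = [
    UnitRiskProfile("Treasury", exposure=35.0, tolerance=40.0),
    UnitRiskProfile("Retail", exposure=30.0, tolerance=30.0),
    UnitRiskProfile("Corporate", exposure=45.0, tolerance=40.0),
]

if __name__ == "__main__":
    for p in UNITS:
        print(unit_status(p))
    print(portfolio_view(UNITS, ENTITY_APPETITE))
    # Re-cascading from the appetite fixes the inconsistency in the limits.
    print(allocate_tolerances(ENTITY_APPETITE, {"Treasury": 4, "Retail": 3, "Corporate": 4}))
```

Two things the numbers show that the prose only states: Corporate is outside its own tolerance, which the unit manager can see, but Treasury and Retail are both inside theirs and still the entity is 10 over its appetite, which only the portfolio view reveals; and the root cause is that the tolerances were never reconciled to the appetite, which `cascade_is_consistent` flags before any exposure is even measured.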

The role of committees to the Board of Commissioners and audit function
To achieve best practice corporate governance, a corporation must be able to tie its board-approved tolerance to particular business strategies. This means, in turn, that an appropriate set of limits and authorities must be developed for each portfolio of business and for each type of risk (within each portfolio of business), as well as for the entire portfolio.

The challenge remains: how can agreed risk appetite and tolerance be transmitted down the line to business managers in a way that can be monitored and that makes sense in terms of day-to-day business decisions? How does the board of commissioners know that the executives and business managers are living up to the minimum legal and regulatory requirements, for instance?

It is clear that the duty of the boards is not, however, to undertake risk management on a day-to-day basis, but to make sure that all the mechanisms used to delegate risk management decisions are functioning properly.

In most cases, the board of commissioners may charge its main committees, e.g., the audit and risk management committees, with reviewing and examining the key policies and associated procedures of the entity's risk management activities. These committees also make sure that the implementation of these key policies is effective.

The committees may also help recommend the best way to translate the overall risk appetite of the company, approved by the board of directors and commissioners, into a set of limits that flow down through the corporate executive officers and business divisions.

Specifically worth mentioning here is the role of the Audit Committee, since this committee is now found in most Indonesian limited companies, both private and public, SOEs and non-SOEs. The role of the Audit Committee is critical to the board's oversight of the company. According to the Audit Committee Manual issued by the Ikatan Komite Audit Indonesia (IKAI, the Indonesian Institute of Audit Committee), the Audit Committee is responsible not only for the accuracy of a company's financial reporting, but also for ensuring that the company complies with minimum or best practice standards in other key activities, such as regulatory, legal, compliance, and risk management activities.

The Audit Committee's duties involve not just checking for infringements, but
also overseeing the quality of the processes that underpin financial reporting,
regulatory compliance, internal controls, and risk management.

On the other side, the Risk Management Committee is responsible for independently reviewing the identification, measurement, monitoring, and controlling process of risk management, including the adequacy of policy guidelines and systems. If the committee identifies any issues concerning operational risk, it typically refers these to the Audit Committee for review.

The audit function (internal audit or satuan pengawas intern) should also be empowered to assist the committees through the regular/periodic investigations it carries out across the company. A key role of the audit function is to provide an independent assessment of the design and implementation of the company's risk management. This means that the audit function has to address the adequacy of documentation, the effectiveness of the process, the integrity of the risk management system, the organization of the risk control unit, the integration of risk measures into daily risk management, and so on.

Audit also should evaluate the soundness of elements of the risk management
information system (the "Risk MIS"), such as the processes used for coding and
implementation of internal models (for Banks). This should include examining
controls over market position data capture, as well as controls over the
parameter estimation processes (such as the volatility and correlation
assumptions). It should also examine the documentation relating to
compliance with the qualitative/quantitative criteria outlined in any
regulatory guidelines. It should comment on the reliability of any value-at-risk
reporting framework.



Review questions
Five multiple-choice questions for a review of the material in Chapter Three.

1. Based on the Indonesian company law (Undang-undang Perseroan Terbatas), an Indonesian limited company has:
(a) Two boardrooms: the general meeting of the shareholders and the board of commissioners.
(b) Three boardrooms: the general meeting of the shareholders, the board of commissioners, and the board of directors.
(c) One boardroom: the board of directors.
(d) Two boardrooms: the board of directors and the board of commissioners.

2. Name two committees that assist the board of commissioners in overseeing the risk management of a company:
(a) Audit and corporate governance committees
(b) Risk management and corporate governance committees
(c) Corporate governance and remuneration and nomination committees
(d) Audit and risk management committees

3. The following statements are true, except for:
(a) Board of commissioners is responsible for reviewing the risk management policies of the company.
(b) Board of commissioners can assign the Audit Committee to review the quality of the risk management policies and procedures.
(c) Board of commissioners should be involved in reviewing the risk appetite of a company.
(d) Board of commissioners should be involved on a day-to-day basis in the implementation of the company's risk management process.

4. The board of directors is to ensure that:
(a) A sound risk management is in place.
(b) The audit function is working effectively.
(c) Risk profile of the company is within its risk appetite.
(d) All the above choices are correct.

5. Based on best practice, the following are the roles of the risk management committee, except for:
(a) Independently review the risk management process
(b) Reviewing the adequacy of policy guidelines and systems.
(c) Working with the Audit Committee on reviewing the issues relating to the operational risk.
(d) Establishing the risk appetite of an entity.

CHAPTER IV IMPLEMENTING ERM

The ERM framework requires that the risk management process be integrated into all aspects of corporate life: its culture, vision, mission, and strategy, as well as its business processes. All this in turn requires an internal capacity to carry out the process effectively. This chapter will discuss all these issues at length.

Risk culture
Much of the focus of risk management has to date been on building infrastructure such as independent risk functions and oversight committees; risk assessments and audits; risk management policies and procedures; systems and models; measures and reports; and risk limits and exception processes. However, it is equally important that companies focus on the other side, the "soft side", of risk management.

Risk culture and corporate values are a very important "soft side" of risk management, but most frequently neglected. Setting and developing the right corporate risk culture and values is a must for the successful implementation of ERM. Just as an organization's overall culture can be critical in determining how successful it will be, so its risk culture will determine how successful its ERM will be. A weak risk culture is one in which employees have little sense of the importance of risk management and their role in it. If, on the other hand, risk management is seen as a central part of day-to-day operations, a strong risk culture is likely in place. Such an environment allows for truly effective risk management.

Risk culture is the set of shared attitudes, values and practices that
characterize how an entity considers risk in its day-to-day activities. For many
companies, the risk culture flows from the entity's risk philosophy and risk
appetite. For those entities that do not explicitly define their risk philosophy,
the risk culture may form haphazardly, resulting in significantly different risk
cultures within an enterprise or even within a particular business unit,
function or department.



Therefore, it is a crucial role of the boards to set out the right risk culture and
corporate values, both through relevant behavior and written policies. Like all
cultural issues, a key factor is whether management "walks the walk" as well
as "talks the talk." For example, how does senior management react when a
high revenue producer blatantly violates risk management policies? Do they
take corrective action or simply turn their backs on the problem? The
decisions and actions of the board of directors and the senior management will
do more to influence behavior than any written policies. It's critical that they
act accordingly.

In this regard, the board of directors should make sure that an effective communication channel for the flow of information is in place. The communication should address behavioral expectations and the responsibilities of personnel. It should facilitate the cascading down of a clear statement of the entity's enterprise risk management philosophy and approach and delegation of authority. It also should facilitate open discussions on risk issues, the escalation of exposures, and the sharing of lessons learned and best practices. Communication about processes and procedures should align with, and underpin, the desired risk culture.

Risk culture, together with an entity's ethical values, the competence and development of its personnel, management's operating style and how it assigns authority and responsibility, forms what is known as the internal environment within the COSO ERM integrated framework. The entity's internal environment is the foundation for all other components of enterprise risk management, providing discipline and structure. The internal environment influences how strategy and objectives are established, how business activities are structured and how risks are identified, assessed and acted upon. It influences the design and functioning of control activities, information and communication systems, and monitoring activities.

Internal capacity
At the end of the day, risk management is about people, process, and infrastructure, i.e., the internal capacity of the company to manage risks. Failure to address these three components will bring disaster to any company.


People
People, skills, culture, values, and incentives are the soft side of risk management. In many respects, these components are the key drivers of risk-taking activities. The COSO definition of enterprise risk management says that ERM is affected by people; that is, it is not merely policies, surveys and forms, but involves people at every level of an organization.

The quality of the output of a risk management process is very much affected by the realities that human judgment in decision making can be faulty, that breakdowns can occur because of human failures such as simple errors or mistakes, that controls can be circumvented by the collusion of two or more people, and that management has the ability to override enterprise risk management decisions.

Therefore, tone from the top and people's training and education in risk management are a critical part of building the internal capacity of a company that is about to implement a successful enterprise risk management program.

Risks come in all shapes and sizes; risks are liquid. In chapter two, we discussed the various types of risks such as market risk, credit risk, operational risk, legal and regulatory risk, business risk, strategic risk, and reputation risk. The question is: how can a manager with responsibilities for enterprise-wide risk hope to stay on top of all these various risks? It is impractical to simply hire an expert for every risk: since risk is a part of every business decision, this approach would require a risk manager for every business manager.

For that reason, a systematic process for capturing and learning from incidents and losses should be in place. An organization open to learning is less likely to repeat past mistakes, and more likely to benefit from new developments and innovations in the field of risk management; that is, to be smart and wise rather than make a fool of itself. Lessons learned from mistakes and from the best practices of other companies can be a valuable supplement to those learned from examination of a company's own operations.

Enterprise risk management requires us to make risk a part of every employee's thinking and job responsibility. However, this means a substantial effort in training and education. Many staff, whether junior or senior, will not be familiar with risk management, and particularly not with quantitative forms of risk analysis. Although these quantitative analyses are often very important, they are not practical for every type of risk and fall under the remit of the corporate risk management function. General employees therefore need to be taught to recognize and assess risks in ways that are relatively easy to understand. Our discussion of risk concepts in chapter two is a good place to start.

Risk awareness training is the starting point of any successful risk management program. The objective of such training is to ensure that everyone within a business is able to proactively identify the key risks for the company; to think seriously about the consequences of the risks for which he or she is responsible; and to communicate up and down the organization those risks that warrant others' attention. In a risk-aware environment, most risk management issues will be addressed promptly before they become bigger problems.

In addition to promoting risk awareness, training should also be targeted at equipping employees with the skills and tools they need to manage the risks for which they are responsible.

Risk education should start at orientation, with new employees being introduced to risk management concepts and briefed on the various risk functions within the company, just as they are introduced to its other operational functions. It should also include ongoing training programs that are tailored to the skills required for the individual's job responsibilities. It is essential that employees be equipped to tackle new challenges as issues and risks throughout the entity change and become more complex, driven in part by rapidly changing technologies and increasing competition. Education and training, whether classroom instruction, self-study or on-the-job training, must help personnel keep pace and deal effectively with the evolving environment. Hiring competent people and providing one-time training are not enough. The education process is ongoing.

People naturally pay the most attention to what their job accountabilities are and how their financial incentives are tied to their performance. Clearly, risk awareness can be most powerfully cultivated by making sure that employees understand that risk management is part of their job, and that their incentive compensation is linked to business and risk performance at both the business and individual levels. It is important that these facts be seen to be true for all employees. If there is a perception that the same ground rules don't apply to all employees (particularly senior ones), others will soon stop paying attention or see the rules as something that can be circumvented in the pursuit of a career.

Process
Enterprise risk management differs from the view of some observers, who see it as something added on to an entity's activities, or as a necessary burden. Enterprise risk management is most effective when it is built into the entity's infrastructure and is part of the essence of the enterprise. There are three critical processes that should be in place to ensure that the enterprise risk management process is rigorous:
- Linking the ERM components with corporate objectives
- Regular evaluation of the risk management process
- Documentation of the risk management process

Linking the ERM components and corporate objectives

The eight interrelated components of enterprise risk management (based on the COSO ERM integrated framework, discussed at length in chapter two: the internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring) should be integrated with the management process. A good model of how this integration works, that is, of the linkages between the enterprise risk management components and the entity's objectives (strategic, operations, reporting, and compliance) and levels (entity, division, business unit, and subsidiary), is that of COSO, presented in Figure 4.1.

This COSO model shows that there is a direct relationship between the objectives an entity strives to achieve and the enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the shape of a cube. The four objectives categories (strategic, operations, reporting and compliance) are represented by the vertical columns, the eight components are represented by horizontal rows, and the entity and its units are depicted by the third dimension of the matrix.

Figure 4.1 Risk Management Components and Linkages, COSO ERM Integrated Framework

This model demonstrates that each component of ERM applies to all four
objectives categories. For example, financial and non-financial data generated
from internal and external sources, which is part of the information and
communication component, is needed in strategy setting, and to effectively
manage business operations, report effectively and determine that the entity is
complying with applicable laws. Similarly, looking at the objectives categories,
all eight components are relevant to each. Taking one category, effectiveness
and efficiency of operations, for example, all eight components are applicable
and important to its achievement.

Evaluation of the risk management process

One important process is the process of evaluating the risk management process itself. While approaches or techniques vary, a discipline should be brought to the process, with certain basics inherent in it.

Evaluation should determine whether the risk management process (along with its tools, methodologies, and procedures) still meets management's established standards for each component, with the ultimate goal of determining whether the process provides reasonable assurance with respect to the stated objectives.

Documentation of the risk management process

Another important process is recording the risk management process. Assumptions, methods, data sources, analyses, results and reasons for decisions should all be recorded.

The record of such processes is an important aspect of good corporate governance.

Decisions concerning the making and capture of records should take into account:
- the legal and business needs for records;
- the cost of creating and maintaining records; and
- the benefits of re-using the information.

Documentation of the risk management process is important:
(a) to demonstrate to stakeholders that the process has been conducted properly;
(b) to provide evidence of a systematic approach to risk identification and analysis;
(c) to enable decisions or processes to be reviewed;
(d) to provide a record of risks and to develop the organization's knowledge database;
(e) to provide decision makers with a risk management plan for approval and subsequent implementation;
(f) to facilitate continuing monitoring and review;
(g) to provide an audit trail; and
(h) to share and communicate information.

Infrastructure
The enterprise risk management process requires a well-designed risk infrastructure. Risk infrastructure is necessary to respond to and monitor risks effectively. A note should be made here, though: while a well-designed risk infrastructure is necessary, having it alone is not sufficient. Only with the right people and processes in place will risk infrastructure provide real benefits. Risk infrastructure includes all management infrastructure, such as the control infrastructure and the information system infrastructure. The challenge for management is to process and refine large volumes of data into actionable information. This challenge will be met by establishing an information systems infrastructure to source, capture, process, analyze and report relevant information.

Institutions, however, need to move toward risk solutions and specialized computational technologies that are capable of facilitating the rapid computation and distribution of risk information (including massively fast cluster computing networks). This risk information infrastructure should be able to serve the board of directors as an "ERM dashboard", providing answers to the following strategic questions:

1. Are any of our business objectives at risk?
2. Are we in compliance with policies and regulations?
3. What risk incidents have been escalated?
4. What KRIs and trends require immediate attention?
5. What risk assessments need to be reviewed?

Alignment with vision, mission, and strategy

ERM is essentially a top-down initiative; it should start with the boards and be aligned with the corporate vision, mission, and strategy. The board of commissioners and the board of directors are critical parts of this process. Since they share the duty of formulating and approving the overall corporate strategy, it is obvious that they need to ensure that risk has been integrated into the corporate strategy. Risk management targets should be included among corporate goals, and major corporate initiatives should incorporate risk assessment and risk mitigation strategies.

Cascading down the line, management, as part of enterprise risk management, must ensure that the entity has selected objectives and considered how they support the entity's strategy and mission/vision. Entity objectives should also align with the entity's risk appetite. Misalignment could result in an entity not accepting enough risk to achieve its objectives or, conversely, accepting undue risks; see Figure 4.2.

Figure 4.2 Misalignment and alignment of objectives and risk appetite of an entity (Misalignment 1: not taking enough risk; zone of optimum risk taking: alignment with the entity's risk appetite; Misalignment 2: accepting undue risks).


Vision/Mission
- To provide high-quality, accessible and affordable community-based health care.

Strategic Objectives
- Be the first- or second-largest, full-service health care provider in mid-size metropolitan markets.
- Rank in the top quartile in quality for our core medical services.
- Be recognized in the local marketplaces as quality/price leaders.

Strategies
- Align with stand-alone hospitals in the target markets in which we do not currently have a presence.
- Acquire high-quality under-performing service providers in target markets where feasible. Otherwise, consider lesser programs to revamp and rebuild.
- Develop ownership participation or profit-sharing programs to attract top local medical talent.
- Develop tailored, targeted marketing programs for large and middle market businesses in target markets.
- Bring our state-of-the-art infrastructure systems to provide effective management and cost control.
- Achieve leading track record of compliance with all healthcare and other applicable laws and regulations.

Related Objectives
Operations
- Initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year.
- Target 10 other programs in key target markets and execute agreements with five this year.
- Identify needs and motivations of leading practitioners in major markets and structure alternative model terms.
- Ensure at least one top medical talent is on board in each core discipline in at least five major markets this year.
- Hold focus groups with business leaders in key markets to determine program needs.
- Develop alternative model programs for business customers.
- Develop methodologies for quick-start implementation of information and operational systems in acquired/rebuilt hospitals.
- Set protocols for migration from existing systems.
- Implement new systems in one new location to serve as model going forward.
Reporting
- Install our foundation systems in newly acquired facilities to provide management reports on key performance measures, with exception and trend line analysis, within four working days of month-end.
- Ensure all facilities accurately and timely report compliance performance and issues for management review.
- Establish uniform reporting system/accounts for assembly of accurate and complete information required for external reporting.
Compliance
- Establish compliance office with charter, leadership and staffing centrally, providing support to local units.
- Ensure line recognizes its primary compliance responsibilities, building into HR objectives and performance assessments.
- Develop company-wide protocols for medical procedures, drug storage and dispensing, staffing assignments and schedules, and all aspects of patient care.
- Review privacy policies and practices and benchmark against federal requirements and best practices.

Source: Enterprise Risk Management Integrated Framework (COSO, 2004)

Figure 4.3 Linking corporate objectives with strategy and mission


Every entity faces a variety of risks from external and internal sources, and a precondition to an effective risk management process (i.e., event identification, risk assessment and risk response) is the establishment of objectives, linked at different levels and internally consistent. Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Objectives should be aligned with the entity's risk appetite, which drives risk tolerance levels for the entity's activities; see Figure 4.3.

An entity's mission (others prefer terms such as vision or purpose) is, in broad terms, what the entity aspires to achieve, or its reason for being. It is an important duty of the Board of Directors (executives), with Board of Commissioners oversight, to explicitly establish the entity's broad-based reason for being. From this statement, the BoD and management set the strategic objectives, formulate strategy and establish related objectives for the organization. While an entity's mission and strategic objectives are generally stable, its strategy and related objectives are more dynamic and are adjusted for changing internal and external conditions.

Strategic objectives are high-level goals, aligned with and supporting the
entity's mission/vision. Strategic objectives reflect Board of Directors' choice
as to how the entity will seek to create value for its stakeholders. In considering
alternative strategies to achieve its strategic objectives, the BoD and
management identify risks associated with a range of strategy choices and
consider their implications. Various event identification and risk assessment
techniques can be used in the strategy-setting process. In this way, enterprise
risk management techniques are used in setting strategy and objectives.

Establishing objectives is a component of enterprise risk management. Although objectives provide the measurable targets toward which the entity moves in conducting its activities, they may have differing degrees of importance and priority. Although an entity should have reasonable assurance that certain objectives are achieved, that may not be the case for all objectives.

Effective enterprise risk management would provide reasonable assurance that an entity's reporting and compliance objectives are being achieved. Achieving reporting and compliance objectives is largely within the entity's control. That is, once the objectives have been determined, the entity has control over its ability to do what's needed to meet them.

But there is a difference when it comes to operations objectives, for a number of reasons. An entity may perform as intended, yet be outperformed by a competitor. It is subject to external events such as a change in government, poor weather and the like, where an occurrence is beyond its control. It may even have considered some of these events in its objective-setting process and treated them as having a low likelihood, with a contingency plan in case they occurred. However, such a plan only mitigates the impact of external events. It does not ensure that the objectives are achieved.

Enterprise risk management over operations focuses primarily on:
- developing consistency of objectives and goals throughout the organization;
- identifying key success factors and risks;
- assessing the risks and making informed responses;
- implementing appropriate risk responses;
- establishing needed controls; and
- timely reporting of performance and expectations.

For these objectives, enterprise risk management can provide reasonable assurance that management, the Board of Directors and the Board of Commissioners are made aware, in a timely manner, of the extent to which the entity is moving toward these objectives.

In a nutshell, the risk appetite established by the Board of Directors and reviewed by the Board of Commissioners must be the guidepost in this strategy-setting process. Different strategies have different associated risks. Enterprise risk management has to be applied in strategy setting, and this will help management in selecting a strategy that is consistent with its risk appetite. Management then has to align the organization, people, processes and infrastructure to facilitate successful strategy implementation and enable the entity to stay within its risk appetite.


Review questions
Five multiple-choice questions for a review of the material in Chapter Four.

1. The following are true statements about risk culture, except for:
(a) It is a crucial role of the boards to set out the right risk culture and
corporate values, both through relevant behavior and written policies.
(b) Risk culture and corporate values are a very important "soft side" of risk
management, but most frequently neglected.
(c) Risk culture is the set of shared attitudes, values and practices that
characterize how an entity considers risk in its day-to-day activities.
(d) Risk culture is the risk that is caused by the entity's weakness in relevant
culture.

2. Choose the correct answer: the objective of risk awareness training is
to ensure that:
(a) Everyone within a business is able to proactively identify the key
risks for the company
(b) Seriously thinking about the consequences of the risks for which he or
she is responsible
(c) Communicating up and down the organization those risks that warrant
others' attention
(d) All the above answers are correct.

3. The following statements about the importance of the documentation
of the risk management process are true, except for:
(a) To demonstrate to stakeholders that the process has been conducted
properly;
(b) To provide evidence of a systematic approach to risk identification and
analysis;
(c) To enable decisions or processes to be reviewed;
(d) To add unnecessary burden to the daily routine job of a line manager.

4. The "ERM dashboard" is meant to provide the Board of Directors and
management with information on:
(a) What business objectives are at risk
(b) Degree of compliance with policies and regulations
(c) Incidents that have been escalated
(d) All the above choices are correct.


5. Why can the enterprise risk management process not provide reasonable
assurance of achieving operations objectives, compared to other
objectives such as reporting and compliance objectives? All the
answers below are correct, except for:
(a) An entity may perform as intended, yet be outperformed by a
competitor.
(b) It is subject to external events
(c) Contingency plan only mitigates the impact of external events.
(d) Reporting and compliance objectives are very easy to achieve.


CHAPTER V MEASURES OF EFFECTIVENESS

This chapter sets out the available tools and approaches to measure the successful implementation of ERM. We will also present a simple checklist that readers can use for self-evaluation or self-assessment as far as the ERM initiative is concerned.

Measurement Tools and Approach

Performance measurement is an essential and integral part of managing risk. This section provides a map of the available tools and approaches to measure the effectiveness of an ERM initiative.

ERM clearly links risk management with the creation of organizational value and expresses risk in terms of impact on organizational objectives. An important aspect of ERM is therefore the strong linkage between measures of risk and measures of overall organizational performance. It is very important for the boards to ensure that performance is measured using risk-based metrics reflecting capital consumption, return, and volatility.

The following tables demonstrate some corporate performance measures, for both financial and non-financial industries, that can be linked to measuring the effectiveness of ERM implementation. These financial measures share a basic premise that the cost of capital must be covered before value is created. However, financial measures need not always be used as the sole proxy for value.

Table 5.1 Financial (performance) measures for non-financial industries

ROE: return on equity.
Operating earnings.
EBITDA: earnings before interest, tax, depreciation, and amortization.
CFROI: cash flow return on investment. EBITDA divided by tangible assets.
WACC: weighted average cost of capital. The sum of the required market returns of each component of corporate capitalization, weighted by that component's share of the total capitalization.
EVA: economic value added. A corporate performance measure that stresses the ability to achieve returns above the firm's cost of capital. It is often stated as net operating profits after tax less the product of required capital times the firm's weighted average cost of capital.


Table 5.2 Financial (performance) measures for financial industries

RORAC, RAROC, RARORAC: RORAC is return on risk-adjusted capital; RAROC is risk-adjusted return on capital; RARORAC is risk-adjusted return on risk-adjusted capital. RORAC is a target ROE measure in which the denominator is adjusted depending on the risk associated with the instrument or project. RAROC is a target ROE measure in which the numerator is reduced depending on the risk associated with the instrument or project. RARORAC is a combination of RAROC and RORAC in which both the numerator and denominator are adjusted (for different risks).
ECAP: economic capital. Market value of assets minus fair value of liabilities. Used in practice as a risk-adjusted capital measure; specifically, the amount of capital required to meet an explicit solvency constraint (e.g., a certain probability of ruin).
Embedded value: a measure of the value of business currently on the books of an insurance company.
CAR, RBC: CAR is the Capital Adequacy Ratio; RBC is risk-based capital. CAR or RBC is a specific regulatory capital requirement, CAR for banks and RBC for insurance companies.

Stage 1: White-belt Company
The first stage of ERM development.
The focus of ERM development: definition, organization, and planning.
Most companies spend between six months and a year in this stage.
At this stage, your company is just starting to figure out how to define, develop and implement ERM.

Stage 2: Yellow-belt Company
The second stage of ERM development.
The focus of ERM development: risk identification and assessment processes.
Most companies spend between one and two years in this stage.
At this stage, your company is behind its peers in terms of ERM.

Stage 3: Green-belt Company
The third stage of ERM development.
Focus of ERM development: risk quantification and reporting.
Most companies spend between two and three years in this stage.
At this stage, your company is consistent with its peers in terms of ERM.

Stage 4: Brown-belt Company
The fourth stage of ERM development.
Focus of ERM development: integrating ERM into key business processes.
Companies that desire to achieve "best practice" risk management may spend between two and three years in this stage, and then move on to the next level. Most companies, however, would be satisfied to achieve "best-in-class" risk management and maintain their ERM programs at this level.
At this stage, your company is ahead of its peers in terms of ERM.

Stage 5: Black-belt Company
The fifth and final stage of ERM development.
Focus of ERM development: optimizing business performance.
It would take significant resources and many years for a company to reach this level of ERM development.
At this stage, your company operates at the leading edge of ERM.

Figure 5.1 ERM maturity model based on James Lam's model


One of the most common approaches to measuring the effectiveness of an ERM initiative is to compare the ERM program with an ERM maturity model based on industry practices. In this section, we introduce the ERM maturity model developed by James Lam, the first CRO in the world and one of those at the frontier of ERM today. His maturity model is an activity-based benchmark and is derived from dozens of ERM projects and benchmarking studies conducted by James Lam over the past ten years, as well as reviews of two 2005 global surveys conducted by the Conference Board and Mercer Oliver Wyman and the Conference Executive Board. The purpose of this ERM Maturity Model is to enable companies to conduct self-assessments of their enterprise risk management programs relative to industry benchmarks. See Figure 5.1.

Methods of reviewing ERM performance are listed below (see also tables 5.3 and 5.4):
- self-assessment
- physical inspections
- checking and monitoring the success of actions
- audit and reassessment of risks to achieving specified objectives
- key dates, timeframes and deadlines for commencement and communications, monitoring, reporting and review.

As already discussed in previous chapters, enterprise risk management
performance monitoring can be done in two ways: through ongoing activities
or separate evaluations. Enterprise risk management mechanisms usually are
structured to monitor themselves on an ongoing basis, at least to some degree.
The greater the degree and effectiveness of ongoing monitoring, the less need
for separate evaluations. Usually, some combination of ongoing monitoring
and separate evaluations will ensure that enterprise risk management
maintains its effectiveness over time. See tables 5.3 and 5.4 for examples of
ongoing monitoring and separate evaluation activities and tools respectively to
measure the effectiveness of your enterprise risk management program.

As a conclusion, it is worth mentioning that the review process should integrate


Table 5.3 Ongoing ERM performance monitoring (activities and tools)

Report and communications from Value-at-risk models Internal, external auditors and Training seminars,
internal and external. are used to evaluate advisors may provide planning sessions
the impacts of recommendations to and other
Example: potential market strengthen enterprise risk meetings provide
An insurance company's review of movements on an management. important
safety policies and practices provides entity's financial feedback to
information on the functioning of position. Auditors can assess the key management on
enterprise risk management, from risks of the enterprise or unit, whether enterprise
both operational safety and These models can the risk response selections risk management
compliance perspectives, thereby serve as effective and the related design of is effective.
serving as a monitoring technique. tools in determining control activities, and on
whether business testing their effectiveness.
Regulators may also communicate units or functions
with the entity on compliance or are staying within Potential weaknesses may be
other matters that reflect on the identified risk identified, and alternative
functioning of the enterprise risk tolerances. actions recommended to
management process. management, accompanied by
information useful in making
cost-benefit determinations.

64 Dasar-dasar ENTERPRISE RISK MANAGEMENT Untuk Direktur dan Komisaris


Table 5.4 Separate evaluations on ERM performance monitoring .

Scope and Frequency Who Evaluates The Evaluation Process Methodology


Scope and frequency Person in charge:
Understand each of the entity
Checklists,

depends on the significance self-assessments activities and each of the questionnaires
of risks and importance of (where persons components of enterprise risk and flowcharting
the risk responses and responsible for a management being addressed. techniques.
related controls in managing particular unit or
the risks. Higher-priority function determine Focus on how enterprise risk
Comparing or

risk areas and responses the effectiveness of management purportedly benchmarking
should be evaluated more enterprise risk functions ? this is sometimes enterprise risk
often. management for their referred to as the system or management
activities.) process design. process against
Evaluation of the entirety of those of other
enterprise risk management Internal auditors: Determine how the system
entities.
will be needed less frequently internal auditors actually works. Procedures
than the assessment of normally perform designed to operate in a An entity may,
specific parts, prompted by evaluations as part of particular way may be modified for example,
a number of reasons: their regular duties, over time to operate differently measure its process
or at the specific or may no longer be performed. against those of
major strategy or request of senior Sometimes new procedures are companies with
management change, management, the board established but are not known reputations for
major acquisitions or or subsidiary or to those who described the having particularly
dispositions, divisional executives. process and are not included in good enterprise risk
significant change in available documentation. management.
economic or political External auditors:

conditions, or significant input for management Discussions with personnel
Comparisons might
changes in operations or
who perform or are affected by be done directly
methods of processing enterprise risk management, with another
information. by examining records on company or under
performance or a combination the auspices of
Note: When a decision is of procedures. trade or industry
made to undertake a associations.
comprehensive evaluation of Analyze the enterprise risk
Other organizations
an entity's enterprise risk management process design may provide
management, attention and the results of tests comparative
should be directed to performed. The analysis is information, and
addressing its application in conducted against the peer review
strategy setting as well as backdrop of management's functions in some
with respect to significant established standards for each industries can help
activities. component, with the ultimate a company evaluate
goal of determining whether the its process against
The evaluation scope also process provides reasonable those of its peers.
will depend on which assurance with respect to the
objectives categories stated objectives. Note: When
strategic, operations, conducting
reporting and compliance comparisons,
are to be addressed consideration must
be given to
differences that
always exist in
objectives,
facts and
circumstances

Dasar-dasar ENTERPRISE RISK MANAGEMENT Untuk Direktur dan Komisaris 65


with the key performance indicators of the organisation. The risk management
plan should link to personal performance and key drivers and make sure they
are measurable at all levels of the organisation. The monitoring and review
process should ensure that effective risk management programs are those that
deliver cost effective risk outcomes and reflect the strategic and operational
goals and objectives of the organisation.

A simple checklist
Most companies are interested in how their enterprise risk management
programs compare to industry practices. Developing a checklist based on
international best practices is one of the widely adopted approaches in doing
this.

The checklist below is provided for self-evaluation or self-assessment, which
directors and commissioners can use to evaluate or assess their contribution
and effectiveness in leading the ERM initiative in their own companies against
international best practices.

This checklist is divided into five different levels related to the ERM
maturity level of a given company.

Formulation and initiation checklist

As the corporate board, have you required the management to conduct
sufficient research on regulatory requirements and industry practices in
this aspect?
Have you helped the management define the scope for enterprise risk
management (including credit, market, and operational risks)?
Have you developed an overall enterprise risk management strategy and
plan?
Have you established a team to conduct a benchmarking exercise with
other companies?
Have you provided risk education for corporate and business executives?
Have you appointed a chief risk officer (CRO) and staffed the Office of
the CRO?
Have you established an enterprise risk management framework,
including a common taxonomy?
Have you established a risk management committee as one of the board of
commissioners' committees?

Early implementation checklist
Have you established an ERM Policy, including roles and responsibilities?
Have you required the management to perform annual control self-
assessments across business units?
Have you required the management to integrate the risk identification
processes across risk management, audit, compliance, and other
oversight activities?
As the corporate board, have you provided yourself with risk education as
well as required the management to provide risk training for a wider group of
employees?
Have you required the management to establish risk functions across the
business units?

Controlling and monitoring checklist

Have you required the management to develop risk measurement models
and databases?
Have you required and monitored the process of developing the KRIs and
reporting on enterprise-wide risks on a monthly basis?
Have you required the management to develop risk-adjusted
performance measurement methodologies?
Have you required the management to update control self-assessments on
a quarterly or monthly basis?

Integration process checklist

Have you required and led the process of expanding the scope of ERM to
include both financial (market and credit risks) and non-financial risks
(operational, business, and possibly legal and reputation risks)?
Have you led the integration of risk reviews into business development and
product/services approval processes?
Have you required the management to automate ERM reporting from
monthly reports to electronic dashboards, including customized queries
and real-time escalations?
Have you established "trigger points" to make timely business decisions,
including risk mitigation and exit strategies?
Have you linked risk management performance to executive
compensation?

Optimization checklist
Have you expanded the scope of ERM to include strategic risk?
Have you required the management to integrate ERM into strategic
planning processes?
Have you maximized shareholder value by actively managing the
business resource allocation at the "efficient frontier"?
Have you established a mechanism for a risk transparency process to key
stakeholders (regulators, investors, rating agencies) with respect to current
risk exposures and future risk drivers?
Have you required the management to leverage their risk management
skills, tools, and information to deepen customer relationships by helping
them manage their risks?

CASE STUDY

PT Astra International Tbk is chosen as a comprehensive but open-ended case
study, allowing open-ended questions for discussion. The case is targeted at
directors and commissioners, inviting practical and experiential debate among
them.
