
MOHAMAD HASSAN, MAFIS, QIA, CRMP, CRMA

WHAT IS RISK?
ISO 31000:2009
Effect of uncertainty on objectives
Deviation from the expected, positive or negative
Lack of information related to an event, its consequence, or its likelihood
Various aspects, e.g. financial, safety, environmental
Various levels: strategy, project, division
How to explain Risks
Risk Register

Risk source (hazard) | Event (when & where?) | Outcome (consequence) | Cause (how, why)
Fire (blaze) | Fire at head office | Loss of Rp. 500 million | Short circuit
Virus | H1N1 outbreak | Operational disruption | Employees exposed through contact
RISK TYPE | RISK SOURCE | EVENT OR EXPOSURE | CONSEQUENCE | CAUSE | RISK FACTOR
Safety | Working at height | Fall | Injury or death | Poor design | Height (above ground)
Health | Chemicals | Contact | Cancer | Not understanding the chemicals | Quantity of chemicals
Financial | Interest rates | Rise of more than 2% in one year | Decline in profit | Inflationary pressure | Size of the loan
Project | Supply source | Late delivery of spare parts | Project delay | Fire at the supplier's warehouse | Whether alternative suppliers exist
Understanding of Risks ..
ENTERPRISE RISK MANAGEMENT APPROACH
[Diagram: SILO APPROACH versus HOLISTIC APPROACH; labels: DEPT A, DEPT B, DEPT C, DEPT D, EWRM]
ENTERPRISE RISK MANAGEMENT APPROACHES
HOLISTIC APPROACH | SILO APPROACH
INTEGRATED SYSTEM & PROCESS | SCATTERED SYSTEM & PROCESS
CENTRALIZED RISK MANAGEMENT STRUCTURE AND SYSTEM | DECENTRALIZED RISK MANAGEMENT STRUCTURE AND SYSTEM
DEPARTMENTAL BASED | BUSINESS PROCESSES BASED
RELATIVELY HOMOGENEOUS RISK MANAGEMENT ACTIVITIES | HETEROGENEOUS RISK MANAGEMENT ACTIVITIES
ENTERPRISE RISK MANAGEMENT APPROACHES
HOLISTIC APPROACH | SILO APPROACH
SINGLE RISK LIBRARY (USE OF A COMMON LANGUAGE), ASSURED CONSISTENCY | MULTIPLE RISK LIBRARY SCATTERED ACROSS DEPTS, INCONSISTENCIES POSSIBLY OCCURRED
RISK MANAGEMENT OPINION DIRECTLY CATCHES FROM THE RISK REGISTERS | RISK MANAGEMENT OPINION AGGREGATION ISSUES
ENTERPRISE RISK MANAGEMENT MODEL
CONTROL PROCESS MODEL | MEASUREMENT MODEL
FOCUS ON CONTROL OVER IMPORTANT BUSINESS PROCESSES | FOCUS ON SIGNIFICANT MEASURABLE RISKS IN TERMS OF IMPACT MATERIALITY & LIKELIHOOD OF OCCURRENCE
Traditional RM vs. ERM: Essential Differences
Traditional risk management | ERM
Risk as individual hazards | Risk in the context of business strategy
Risk identification and assessment | Risk portfolio development
Focus on discrete risks | Focus on critical risks
Risk mitigation | Risk optimization
Risk limits | Risk strategy
Risks with no owners | Defined risk responsibilities
Haphazard risk quantification | Monitoring and measuring of risks
"Risk is not my responsibility" | "Risk is everyone's responsibility"
Source: KPMG LLP.
Integrated versus silo
EWRM should provide a strategic and consolidated picture from two perspectives:
individual risk classes across business lines
all key risk classes across the organization
[Diagram labels: Executive Management; SENIOR MGMT.; CRO; credit risk, market risk, ops risk, liquidity risk; LOB 1, LOB 2, LOB 3, LOB 4, each with liquidity risk, ops risk, market risk and credit risk]
Risk Management as a Process
Establish Business Risk Management Process: Goals and Objectives; Common Language; Oversight Structure
Information for Decision-Making
Develop Business Risk Management Strategies: Avoid; Transfer; Retain; Exploit; Reduce
Assess Business Risks: Identify; Source; Measure
Continuously Improve Risk Management Capabilities
Design/Implement Risk Management Capabilities
Monitor Risk Management Performance
Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
1. Strengthen institutional arrangements & oversight:
a. Common language and standards
b. Organization (oversight)
c. Set policies (limits)
2. Uniform process
a. Assign risk owners
b. Integration with corporate strategy
Lesson Learned
1. Develop RM capabilities
2. Proceed step by step
3. Focus on all sources of value
4. Develop (train) facilitators
5. Set a clear risk management strategy
Lesson Learned
Development of Risk Management Capability
Initial: Capabilities are characteristic of individuals, not of the organization
Repeatable: Process established and repeating; reliance on people is reduced
Defined: Policies, processes and standards defined and formalized across the company
Managed: Risks measured and managed quantitatively and aggregated on an enterprise-wide basis
Optimizing: Organization focused on continuous improvement of business risk management
Source: Derived from Carnegie Mellon model for inclusion in Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Systematically Build and Improve Risk Management Capabilities
Risk Identification
Improved ERM Capabilities:
Initial, Repeatable, Defined, Managed/Optimizing
Defined process
EWRM responsibilities
Policy guidelines followed across the organization
Risk measurement
Consistent risk reporting
Enterprise-wide limits
Common language
Dedicated resources
Risk management policy
Risk sourcing
Enterprise-wide risk strategies
Risk diversification exploited competitively
Quantification of risk versus tolerances
Integrated risk measurement systems
Risk measures applied to business performance goals
Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
[Chart: Level of Risk Management Capability against the stages Initial, Repeatable, Defined, Managed, Optimizing; marked on the chart: Desired level, Current level, STAGE 1, STAGE 2]
From: Finance function (Financial risks, Risk insurance, Treasury risk, Foreign exchange)
To: Entire enterprise (Operations, Finance, Technology, Human resources, Competition, Regulatory, Environmental, Global expansion, Reputation)
Source: FutureBrand
Source: Enterprise-wide Risk Management: Strategies for linking risk and opportunity
Systems and data
Methodologies
Management reports
People
Business and Risk Management processes
Business strategies and policies
Risk if component is deficient:
Process does not achieve strategy
People cannot perform process
Reports do not provide information for effective management
Methodologies do not adequately analyze information
Information is not available for analysis and reporting
Governance Oversight Roles Highlight Key Questions Relating to Risk Management
Make
Policy Execution
Policy
Strategy Reporting
Is there a process for reporting risk and performance?
Does the organization structure support risk reporting?
All key uncertainties being managed?
Are there assurances that our capabilities are effective?
Is risk-sensitive culture in place?
Is there a process for assessing risk and capabilities?
Is Board advising on mission-critical risks?
Is opportunity-seeking behavior balanced with risk-taking?
Are boundaries and limits adequately defined?
12 Top ERM Implementation Challenges
Defining Risk Terminology
Selecting a Framework
Articulating ERM Benefits/Impacts
Identifying Risk
Assessing Risk
Evaluating Risk
Treating Risk
Monitoring Risk
Creating a Risk-aware Culture
Deploying Technology Effectively
Integrating Strategy & HR into ERM
Successfully Leveraging the Impact of Sarbanes-Oxley
