UNIVERSITAS INDONESIA

BOARD AND RISK CONTROL (III)

CASE: EVALUATION OF PT PUPUK KALIMANTAN TIMUR TBK’S
2016 RISK MANAGEMENT POLICIES

PRESENTATION PAPER

ALYA RANA ARIFA (1606873076)

KENNY WIYARTA TIONATAN (1606829781)
KANIA MARETI DWIBAGJA (1606833513)

FAKULTAS EKONOMI DAN BISNIS

DEPOK
NOVEMBER 2019
 STATEMENT OF AUTHORSHIP

We the undersigned declare to the best of our ability that the paper herewith is an
authentic writing carried out by ourselves. No other authors or work of other authors have
been used without any reference to its sources.
This paper has never been presented or used as paper’s assignment for other courses
except if we clearly stated otherwise.
We fully understand that this paper can be reproduced and/or communicated for the
purpose of detecting plagiarism.

Course : Corporate Governance and Risk Management

Paper Title : Board and Risk Control (III)-Case: Evaluation of PT Pupuk

Kalimantan Timur Tbk’s 2016 Risk Management Policies

Date : 20 November 2019

Lecturer : Prof. Akhmad Syakhroza S.E., MAFIS., Ph.D./Siti Nuryanah

S.E., M.S.M., M.Bus(Acc.)., Ph.D..

Name : Alya Rana Arifa

Student’s ID Number : 1606873076

Signature :

Name : Kenny Wiyarta Tionatan

Student’s ID Number : 1606829781

Signature :

Name : Kania Mareti Dwibagja

Student’s ID Number : 1606833513

Signature :
A. Identification of Evaluation Object
PT Pupuk Kalimantan Timur (Pupuk Kaltim) is a subsidiary of PT Pupuk
Indonesia (Persero). The company was officially established on December 7, 1977 and
located in Bontang, East Kalimantan. The main business of the Company is producing
and selling Ammonia, Urea, NPK Fertilizers with domestic and foreign market
segments.
The case began when a pension fund of PT. Pupuk Kaltim with PT. Anugerah
Pratama Internasional (PT. API) and PT. Strategic Management (PT. SMS) has entered
into an agreement to sell and repurchase shares of PT. Dwi Aneka Jaya Kemasindo (PT.
DAJK) and PT. Eureka Prima Jakarta (LCGP) which can be categorized as a repurchase
agreement (repo) where the purchase of a repo is contrary to the Minister of Finance
Regulation Number: 199 / PMK-010/2008 concerning pension fund investments. As a
result of repo transactions, the pension fund of PT. Pupuk Kaltim suffered an estimated
loss of Rp. 229,883,141,293.
In this paper, we will discuss about the effectiveness of risk management policy at
PT. Pupuk Kaltim. Corporate governance plays a significant role in managing business.
PT. Pupuk Kaltim has a corporate governance in the structure that consists of:
1. Board of Directors
- President director
- Production director
- Technical and development director
- Commercial director
- HR and GA director
2. Board of Commissioners
- President commissioner
- Independent commissioner
3. Supporting Committees
- Audit committee
- Nomination and remuneration committee
- GCG risk management committee
- HR development committee
- Investment committee
 - Secretary of the board of commissioners
4. Internal Auditor
- Head of Internal Audit
- Managers
- Staff
5. Corporate Secretary
- Integrity and GCG team
- Gratification and control unit
- WBS Officer
- Department of Corporate Governance and Risk Management

B. Framework used in the Evaluation

The framework we used in evaluating the effectiveness of PT Pupuk Kaltim Tbk’s
2016 risk management policies is ISO 31000 2018 revised version (ISO 31000:2018).
We choose this ISO as the framework of our evaluation because the company stated in its
2016 annual report that it implemented ISO 31000 for its risk management process, and
the 2018 revised version of ISO 31000 is not very different from the original version of
that ISO, but is explained in more simple and streamlined way. Moreover, in general,
there are three components of this ISO. They are risk management principles, risk
management framework, and risk management process.
ISO 31000:2018 provides 8 statement of risk management principles (principles).
Those principles are as follows (IRM, 2018).
1. Framework and processes should be customised and proportionate.
2. Appropriate and timely involvement of stakeholders is necessary.
3. Structured and comprehensive approach is required.
4. Risk management is an integral part of all organisational activities.
5. Risk management anticipates, detects, acknowledges and responds to changes.
6. Risk management explicitly considers any limitations of available information.
7. Human and cultural factors influence all aspects of risk management.
8. Risk management is continually improved through learning and experience.
The first five principles guide companies in designing a risk management initiatives.
Whereas, principles six, seven, and eight guide companies in operating risk management
initiative.
Risk management framework of ISO 31000:2018 (framework) consists of 6
components. They are as follows (IRM, 2018).
1. Leadership and commitment, including:
● aligning risk management with the strategy, objectives and culture of the
organisation;
● issuing a statement or policy that establishes a risk management approach, plan
or course of action;
● making necessary resources available for managing risk; and
● establishing the amount and type of risk that may or may not be taken (risk
appetite).
2. Integration, including:
● determining management accountability and oversight roles and responsibilities;
and
● ensuring risk management is part of, and not separate from, all aspects of the
organisation.
3. Design, including:
● understanding the organisation and its internal and external context;
● articulating risk management commitment and allocating resources; and
● establishing communication and consultation arrangements.
4. Implementation, including:
● developing an appropriate implementation plan including deadlines;
● identifying where, when and how different types of decisions are made, and by
whom; and
● modifying the applicable decision-making processes where necessary.
5. Evaluation, including:
● measuring framework performance against its purpose, implementation and
behaviours; and
● determining whether it remains suitable to support achievement of objectives.
6. Improvement, including:
● continually monitoring and adapting the framework to address external and
internal changes;
● taking actions to improve the value of risk management; and
● improving the suitability, adequacy and effectiveness of the risk management
framework.
The framework aims to assist companies in integrating risk management into all
functions and activities. Moreover, the framework is closely related to the principles. The
principles state objectives that must be achieved and the framework states how to achieve
those objectives.
Risk management process of ISO 31000:2018 (process) relates to the
implementation of practices, policies, and procedures in a systematic way to activities of
consulting and communicating, context establishment, as well as risk assessment,
treatment, monitoring, reviewing, recording, and reporting. The process is part of the risk
management context and thus, should be part of the framework (IRM, 2018). Moreover,
the process consists of the following 6 components (IRM, 2018).
1. Communication and consultation, including:
● bringing different areas of expertise together for each step of the risk
management process;
● ensuring different views are considered when defining risk criteria and
evaluating risks;
● providing sufficient information to facilitate risk oversight and decision-making;
and
● building a sense of inclusiveness and ownership among those affected by risk.
2. Scope, context and criteria, including:
● defining the purpose and scope of risk management activities;
● identifying the external and internal context for the organisation;
● defining risk criteria by specifying the acceptable amount and type of risk; and
● defining criteria to evaluate the significance of risk and to support
decision-making;
3. Risk assessment, including:
● risk identification to find, recognise and describe risks that might help or
prevent achievement of objectives and the variety of tangible or intangible
consequences;
● risk analysis of the nature and characteristics of risk, including the level of risk,
risk sources, consequences, likelihood, events, scenarios, controls and their
effectiveness; and
● risk evaluation to support decisions by comparing the results of the risk analysis
with the established risk criteria to determine the significance of risk.
4. Risk treatment, including:
● selecting the most appropriate risk treatment option(s); and
● designing risk treatment plans specifying how the treatment options will be
implemented.
5. Monitoring and review, including:
● improving the quality and effectiveness of process design, implementation and
outcomes;
● monitoring the risk management process and its outcomes, with responsibilities
clearly defined;
● planning, gathering and analysing information, recording results and providing
feedback; and
● incorporating the results in performance management, measurement and
reporting activities.
6. Recording and reporting, including:
● communicating risk management activities and outcomes across the
organisation;
● providing information for decision-making;
● improving risk management activities; and
● providing risk information and interacting with stakeholders.
C. Framework-based Analysis
1. Risk Management Principle
Pupuk Kaltim is committed to pull through by applying GCG implementation
as the principles which underlie to Company mechanism and management process.
Pupuk Kaltim also strives to socialize basic principles of GCG in its operational
activities such as transparency, accountability, responsibility, independency, and
fairness. Aside from a form of compliance to the regulator, Pupuk Kaltim believes
that GCG implementation is also a key to maintain the trust from the Stakeholders in
the effort to achieve business success. Therefore, the Company refers to related
policies in manifesting GCG, as followed:
1) Indonesia’s GCG General Guidelines issued by the National Committee on
Governance Policy (KNKG) as a reference for developing the management and
implementation of GCG;
2) Pupuk Kaltim GMS on 30 May 2004, after which Pupuk Kaltim started
applying GCG in its business practices. Guidelines for GCG implementation at
Pupuk Kaltim have been applied since the issuance of Decree No. 28/DIR/
VI.2005 on GCG Implementation and Guidelines at Pupuk Kaltim;
3) Directive from the General Meeting of Shareholders on 5 June 2012 and
Circular of PT Pupuk Indonesia (Persero) No. SE-08/VI/2012 of 27 November
2012 about GCG Implementation Guidelines in Subsidiaries of PT Pupuk
Indonesia (Persero). The Shareholders requested that all subsidiaries refer to the
following regulations:
a. SOE Minister Regulation No. PER-01/MBU/2011 on the Implementation of
GCG in SOEs.
b. The Decree of the Secretary of the Ministry of State-Owned Enterprises No.
SK- 16/S.MBU/2012 dated 6 June 2012 on the Assessment and Evaluation
of the Implementation of Good Corporate Governance (GCG) in SOEs;
4) The Decree of the BOD No. 54/ DIR/XII.2014 on the Amendment to the Decree
of the BOD No. 40/DIR/VII.2013 on GCG Implementation in Pupuk Kaltim
reflects the Company’s commitment to the development of GCG
implementation by businesses in Indonesia;
 5) The Decree of the BOD No. 4/DIR/VII.2015 on Integrity and GCG Team of PT
Pupuk Kalimantan Timur for the period of 2015-2018 dated 27 July 2015.

2. Risk Management Framework

● Leadership and commitment
PT Pupuk Kaltim has been clearly stated risk management structure and risk
management policy in 2016 annual report (see page 444 – 445).
● Integration
PT Pupuk Kaltim has established the Department as a Risk Management Unit
with their functions based on the Risk Management Guideline and the Job
Description of TKP and MR Department (see page 447 – 448 of 2016 annual
report).
● Design
Has not been stated.
● Implementation
Throughout 2016, TKP and MR Department of PT Pupuk Kaltim as the risk
management unit has performed several risk management application (see page
454 of 2016 annual report).
● Evaluation
Evaluation towards risk management implementation in Pupuk Kaltim for the
period of 2016 was performed from 8 to 30 December 2016 by Pupuk Kaltim
IAU. Based on the evaluation result, it is concluded that the risk maturity level
(RML) of risk management implementation of Pupuk Kaltim in 2016 is 4.1 with
the percentage of accordance with ISO 31000:2011 amounted to 84% or in
Managed level, or in other words, the risks have been measured and managed
quantitatively.
● Improvement
Has not been stated.
3. Risk Management Process
● Communication and consultation
SIMERI is a web-based information system utilized by Pupuk Kaltim to manage
and report the risks from all work units and projects in Pupuk Kaltim. SIMERI
is available to be accessed in simeri.pupukkaltim.com by the key person in risk
management and Pupuk Kaltim Management according to authority level. The
main focus of this application is to accommodate the function, approval, and
reporting of risk assessment.
● Scope, context and criteria
Has not been stated but the management claim that optimal implementation of
risk management in the entire business activities are expected to identify and
mitigate every possibility as well as impacts from the risks correctly and
efficiently.
● Risk assessment
PT Pupuk Kaltim has performed risk management through risk assessment in all
operational activities as well as projects by the risk owner to probe for risk
potentials throughout 2016. However, management did not disclose information
about risk analysis of the nature and characteristics of risk, including the level of
risk, risk sources, consequences, likelihood, events, scenarios, controls and their
effectiveness; and risk evaluation (see page 454 – 456 of 2016 annual report).
● Risk treatment
Pupuk Kaltim Risk Profile Report contains the risk levels embedded in all
business activities (both strategic and operational risks) and the measures to
handle such risks (see page 455 – 459 of 2016 annual report).
● Monitoring and review
Has not been disclosed but there was statement that risk review and
identification performed through 2016 amounted to 31 risk reviews regarding
investment project development, raw material availability, unscheduled
shutdown, divestments and stock addition by subsidiaries or joint venture
companies, service contracts, fertilizer price, procurement, and cooperation
plans with other companies.
 ● Recording and reporting
Has not been clearly stated but the results of risk management reporting from
SIMERI is Working Unit Risk Management Profile Report which will then be
processed into Company Risk Management Profile Report to be used as
considerations for business decision making.

4. Overall Evaluation
In general, base on PT Pupuk Kaltim Annual Report, its risk assessment has
been prepared and in accordance. Evaluation towards risk management
implementation in Pupuk Kaltim for the period of 2016, concluded that the risk
maturity level (RML) of risk management implementation of Pupuk Kaltim in 2016
is 4.1 with the percentage of accordance with ISO 31000:2011 amounted to 84% or
in Managed level. However, their risk assessment wasn’t discuss the risk of fraud as
happened in the 2016 corruption case. Pupuk Kaltim failed to detect and prevent risk
regarding their pension fund investment. Based on its annual report, there is also no
risk assessment in management of pension fund. Risk assessment in finance just
discuss about the risk of difficulty in liquidity. So we conclude that risk management
policy in PT Pupuk Kaltim is not effective.

D. Recommended Actions
1. Internal Auditor
● Asking the internal auditor to audit the effectiveness of the entity risk
management process
● Asking for recommendation from internal auditor based on the internal audit
process conducted by them to improve the effectiveness of the entity
management process
● Overseeing the implementation of recommendation given by internal auditors
that aimed to improve the effectiveness of the entity risk management process
2. Corporate Governance and Risk Management Department
● Accompanying event identification process in the future with following event
identification tools: interview and surveys to the stakeholder, facilitated
workshops, loss event data tracking, process flow analysis
 ● Giving regular training or workshop related to risk management to directors and
members of GCG and risk oversight committee
● Making risk assessment, risk mapping, and risk mitigation for each risk
3. Using SIMERI and I-risk effectively for :
● Carefully investing the company’s assets and assessing the risk of each
investment done by the company
● Carefully review the investing regulation that applied to prevent violating the
rules
● Improve monitoring activity not only in the middle lower level but also to high
level
4. Other
● Hiring risk advisors to help director in performing risk management process in
the future if necessary, especially in identifying risks and determining
appropriate response to the identified significant risks

E. Comparison with PT Indofarma’s 2016 Risk Management Policies

PT Pupuk Kaltim PT Indofarma

The commitment of Pupuk Kaltim Since November 9, 2012 President

employees in implementing risk Commissioner and President Director
management based on ​ISO 31000 is made and signed a declaration on
stipulated in the Risk Management Company Risk Management Policy,
Policies signed by the BOD on 20 namely:
November 2013. The Risk Management 1. To fully support the implementation
Policies contains: of Risk management on every
1. Implement risk management in an business implementation of the
integrated manner in accordance with Company in order to reach the
GCG to achieve the goals and Company’s goal is integrated in all
objectives of the Company; level of the Company.
2. Raise awareness of risk culture in the 2. To determine the implementation of
everyday work so that it becomes an Risk Management in synergy and
integrated part of the Company’s accountable manner with the other
 business practices and decision management systems as an early
making; warning system.
3. Make risk management the basis for
risk-based budgeting to achieve the
realization of every business process
effectively and efficiently;
4. Make the results of risk identification,
analysis, evaluation and management
the basis of inspection and
supervision (risk-based audit) to
improve performance and
accountability;
5. Always provide information about the
occurrence of risk events which cause
loss for the Company and manage
risks in each unit, as well as regular
report on risk control (mitigation) and
management, as review material for
the continuous risk management
process.

Case: Intentionally, investing repo shares Case: Accidentally, overstatement of the

that are contrary to regulations WIP

Risk Mitigation & Management Risk Mitigation & Management

● general manager - overseeing
implementation risk management
units
● The risk management policy is not
effective
● risk taking unit - conducting risk
management for each unit
● The risk management policy is
effective conduct risk mapping,
stock opname and meeting
regularly. But, incorrect in expense
correcting
References
IRM. (2018). ​A Risk Practitioners Guide to ISO 31000:2018​. Retrieved from ​https://www.
theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf.
PT Indofarma Tbk. (2017). ​2016 Annual Report​. Retrieved from ​https://www.idx.co.id/
Portals/0/StaticData/ListedCompanies/Corporate_Actions/New_Info_JSX/Jenis_Inform
asi/01_Laporan_Keuangan/04_Annual%20Report//2016/INAF/INAF_Annual%20Repo
rt_2016.pdf
PT Pupuk Kalimantan Timur. (2017). ​2016 Annual Report​. Retrieved from ​https://www.
pupukkaltim.com/id/download&mod=annualreport&cb=1&attachment=attc__D237597
9760F7A4FA2FC1BA9B4944D8F.pdf&attachment_name=ar_2016_v1.pdf
Poskota News. 2018. ​Satu Lagi Tersangka Korupsi Dana Pensiun PT Pupuk Kaltim Ditahan.​
Retrieved from ​https://poskotanews.com/2018/12/04/satu-lagi-tersangka-
korupsi-dana-pensiun-pt-pupuk-kaltim-ditahan/