
Board Risk and Control

● Putu Merra Sri Diana (1606823531)
● Qurri Cempaka A P (1606890510)
● Iffatu Azmi (1606830083)
● Khairunnisa Ismah Lutfi (1606878171)
● Organization’s Risks & Opportunities Using A Risk Management Framework
● Introduction to ISO 31000
● Case: Evaluate PT Indofarma’s Risk Management Policies
Organization’s Risks & Opportunities Using A Risk Management Framework
Enterprise Risk Management (ERM)
… process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
The key underlying principles of ERM include:
● Consideration in the context of business strategy
● Everyone’s responsibility, with the tone set from the top
● Focused strategy, led by the board
● Active management of risk
● Consideration of a broad range of risks
● Creation of a risk aware culture
● Implementation through a risk management framework or system
● Comprehensive and holistic approach to risk management
Application: Development of Risk Strategy
The purpose of developing a risk strategy is to articulate clearly how risk should be approached in an organisation. A risk strategy is important to embed risk within the organisation’s culture. Such a strategy must be consistent with and reviewed alongside the organisation’s business strategy.

Application: ERM Framework
The COSO ERM Framework is presented here in more detail to introduce some key risk terms. It comprises a three dimensional matrix in the form of a cube which reflects the relationships between four objectives, seven components and four different organisational levels.
ERM Framework (Cont.)
The four objectives are:
● Strategic (high level goals, aligned with and supporting the organisation’s mission)
● Operations (efficient and effective use of resources)
● Reporting (reliability of reporting)
● Compliance (compliance with laws and regulations).

The four organisational levels are:
● Entity level
● Division
● Business unit
● Subsidiary.
ERM Framework (Cont.)
Components and their description:

Internal Environment: Includes the risk management philosophy and risk appetite. Risk management philosophy is the general attitude or approach an organisation takes in dealing with risks. Risk appetite is the level of risk that a company can undertake and successfully manage over an extended time period.

Objective Setting: Objectives should be aligned with the organisation’s mission and need to be consistent with the organisation’s defined risk appetite.

Event Identification: Internal and external events (both positive and negative) which impact upon the achievement of an entity’s objectives must be identified.

Risk Assessment: Risks are analysed to consider their likelihood and impact as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk Response: Management selects risk response(s) to avoid, accept, reduce or share risk. The intention is to develop a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities: Policies and procedures help ensure the risk responses are effectively carried out. Examples of control activities include segregation of duties, physical controls, IT controls, etc.

Information and Communication: The relevant information is identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.

Monitoring: The entire ERM process is monitored and modifications made as necessary. A combination of ongoing and specific interval monitoring activities is required. Activities can include: reviewing operating reports for inaccuracies; identifying weaknesses in control activities by internal and external auditors; and senior management assessments of risk responses against targets.
Implementing ERM in practice
1. Set the risk appetite and philosophy of the organisation.
2. Establish a risk strategy.
3. Develop the ERM structure.
4. An individual (‘risk champion’) or small team is appointed with the primary responsibility for implementing ERM; the arrangements depend on the size and nature of the organization.
5. Hold risk workshops with senior management.
6. Identify, assess and respond to risk; tools and techniques are used.
7. Embed risk into the culture of the organisation, which involves many activities.
8. Measure, monitor and report risk management effectiveness.
Roles and responsibilities
Position and responsibilities:

CEO: The CEO must assess the organisation’s enterprise risk management capabilities and lead any related major initiatives or changes.

Board of Directors: The board has ultimate responsibility for the oversight of risk management, including reviewing risk management processes and providing direction on matters related to risk and internal control.

Audit Committee: This is the committee responsible for examining the effectiveness of the internal control function. It has an important role to play in examining the exposure of the organisation to a variety of risks.

Chief risk officer or risk manager: This position leads the process of establishing and maintaining effective risk management activities across the organisation.

Senior management: They have responsibility for assessing key risks, for reviewing risk management capabilities and for initiating any necessary changes.

Internal Audit: This has responsibility for internal control and for providing independent assurance concerning the risk management process. Internal audit forms an opinion about the soundness of internal controls to manage the agreed level of risk.

Managers and business units: They manage day to day risks within their allocated areas of responsibility within agreed risk tolerances. Managers should also promote the organisation’s risk management philosophy and compliance with risk appetite to staff.
The benefits of effective ERM include:
● Protecting and building shareholder value through enhanced decision making by integrating risks and building investor confidence
● Focusing management attention on the most significant risks
● A common language which is understood throughout the organisation
● Improved capital efficiencies and resource allocation
● Reduced cost of capital through managing risk.
Introduction to ISO 31000
Executive Summary: ISO 31000
Overall, ISO 31000 provides detailed guidelines on the plan, implement, measure and learn features of a risk management system, but less explicit information on the context, leadership and support features required of a management system standard.

ISO 31000 contains much valuable information and it represents robust, high-level guidelines for the management of risk. However, there is no step-by-step checklist to implementation of the risk management initiative.
Principles, Framework, and Risk Management Process
ISO 31000 states that the guidelines should be used by people who create and protect value in organisations by managing risks, making decisions, setting and achieving objectives and improving performance. The guidelines are applicable to all types and sizes of organisations and relevant to all external and internal factors and influences.
Guidance provided in ISO 31000 – principles
ISO 31000 states that the purpose of risk management is the creation and protection of value. The principles set out in ISO 31000 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose.

Principle and description:

Proportionate: Risk management activities must be proportionate to the level of risk faced by the organisation.

Aligned: Risk management activities need to be aligned with the other activities in the organisation.

Comprehensive: In order to be fully effective, the risk management approach must be comprehensive.

Embedded: Risk management activities need to be embedded within the organisation.

Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.
Guidance provided in ISO 31000 – framework

Risk Management Architecture
● Committee structure and terms of reference
● Roles and responsibilities
● Internal reporting requirements
● External reporting controls
● Risk management assurance arrangements

Risk Management Strategy
● Risk management philosophy
● Arrangements for embedding risk management
● Risk appetite and attitude to risk
● Benchmark tests for significance
● Specific risk statements/policies
● Risk assessment techniques
● Risk priorities for the present year

Risk Management Protocols
● Tools and techniques
● Risk classification system
● Risk assessment procedures
● Risk control rules and procedures
● Responding to incidents, issues and events
● Documentation and record keeping
● Training and communications
● Audit procedures and protocols
● Reporting/disclosures/certification
Guidance provided in ISO 31000 – process
The section of ISO 31000 concerned with the risk management process describes risk assessment and risk treatment as being at the centre of the risk management process. This section also includes guidance on: (1) scope, context and criteria; (2) communication and consultation; (3) monitoring and review; and (4) recording and reporting.

In many organisations, these latter four related activities are more closely aligned with the framework. It could be argued that these four activities are part of the risk management context and, therefore, should be part of the risk management framework. The risk management framework is often described as the risk architecture, strategy and protocols of the organisation.
Guidance provided in ISO 31000 – process (cont.)
The nature and extent of risk management activities in an organisation are influenced by risk attitude and risk appetite. The risk attitude and risk appetite of the organisation, as supported by the risk criteria for different types of risks, help to define the risk management context of the organisation. Risk attitude and risk appetite also provide the foundations for undertaking risk assessments and recording the results in the risk register. The nature and extent of communication of the information contained in the risk register throughout the risk architecture of the organisation also helps define the risk management context.

The risk management context is part of the internal context of an organisation. The internal context refers to the organisation itself, the activities it undertakes, the range of skills and capabilities available within the organisation, and how it is structured. Internal stakeholders and their expectations are part of the internal context.
Guidance provided in ISO 31000 – Process (cont.)

Communication and Consultation
● bringing different areas of expertise together for each step of the RM process;
● ensuring different views are considered when defining risk criteria and evaluating risks;
● providing sufficient information to facilitate risk oversight and decision-making; and
● building a sense of inclusiveness and ownership among those affected by risk.

Scope, Context, and Criteria
● defining the purpose and scope of risk management activities;
● identifying the external and internal context for the organisation;
● defining risk criteria by specifying the acceptable amount and type of risk; and
● defining criteria to evaluate the significance of risk and to support decision-making.

Risk Assessment
● risk identification to find, recognise and describe risks that might help or prevent achievement of objectives and the variety of tangible or intangible consequences;
● risk analysis of the nature and characteristics of risk, including the level of risk, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness; and
● risk evaluation to support decisions by comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.
Guidance provided in ISO 31000 – Process (cont.)

Risk Treatment
● selecting the most appropriate risk treatment option(s); and
● designing risk treatment plans specifying how the treatment options will be implemented.

Monitoring and Review
● improving the quality and effectiveness of process design, implementation and outcomes;
● monitoring the RM process and its outcomes, with responsibilities clearly defined;
● planning, gathering and analysing information, recording results and providing feedback; and
● incorporating the results in performance management, measurement and reporting activities.

Recording and Reporting
● communicating risk management activities and outcomes across the organisation;
● providing information for decision-making;
● improving risk management activities; and
● providing risk information and interacting with stakeholders.
Case: Evaluate PT Indofarma’s Risk Management Policies

Organizational Structure of Risk Management

Risk Type and Mitigation of the Company
PT INDOFARMA RISK MANAGEMENT
In implementing its risk management process, PT INDOFARMA refers to The Committee of Sponsoring Organizations of the Treadway Commission (COSO-ERM), which describes risk management as a series of processes: risk identification, risk measurement, response determination, risk management activities, informing and communicating risk, and risk monitoring of every activity conducted by the Company. Risk management is also a system for managing risk and for protecting the property, property rights and profits of the Company from possible loss due to risk.
PROBLEM
● Incurring a huge loss of about Rp 30 billion.
● The cost of goods sold increased in that period to Rp. 641.18 billion from Rp. 588.94 billion.
RECOMMENDATION
- The CPRM Unit should annually carry out a Risk Assessment to ensure that the goals and objectives of the Company can be achieved optimally within the Company by:
1. identifying the risks or mapping risks
2. assessing the likelihood of risk occurrence and its impact if the risk occurs
3. identifying responses and control activities to mitigate the risks to the corporate risk or direct or indirect process impacting the achievement of the Work Plan and Budget (RKAP) in 2016
- The CPRM Unit should also conduct risk assessments regarding information on events that could potentially harm the Company and that relate to business development and products.
- Intensify evaluation of the adequacy of the implementation of Risk Management conducted by SPI, to determine the maturity level of the implementation of Risk Management and to provide recommendations for improving the implementation of Risk Management.
