Rabu, Juni 30, 2010

Implementation of Enterprise Risk Management in Guarantee Business


Guarantee Business as well as the Insurance services are categorized as risky business because its main product is to ensure the risk of failure to pay its customers (Guaranteed) which utilize banking services or projects from other parties. Business risk guarantee is estimated larger than the banking business because of the effort involves three parties namely the guarantee of the Guarantors, Accepting Warranty and Guaranteed while the banking business at its main products involve only two parties ie. creditors and debtors.

Assurance agencies in Indonesia and in Asia that run credit guarantee programs for supporting government in UMKM ( SME’s ) development based on experience and empirical data mostly losers. On the other hand, the guarantee institution shaped Limited Liability Company (PT) in Indonesia is required remains sustainable and provide economic benefits to the government and the national economy. Strategies of Insurance/Guarantee Company in the form of PT and the Public Corporation (Perum) to remain sustainable is to conduct commercial profit-oriented business diversification and manage risk of underwriting business in order to reduce losses at the level received by the company.

Consequences underwriting business consisting of three parties demanding risk management sourced from third parties. Third party possesses the potential hazard that could affect the magnitude of risks and opportunities emerging impact the Company. Insurance Agency as Guarantor party who provides a guarantee has its own potential hazard that could impact the insurance (premium increases and lower claims rate) such as the existence of collusion, corruption and negligence in the process of underwriting and other business support processes. Similarly Recipients Assurance (eg banking) and Guaranteed to have a relatively high potential hazard that could impact the credit guarantee itself. Not to mention if there is a potential hazard from external parties arising from the guarantee industry and regulators, is certainly the risk management become so important and can not be ignored role.

Potential hazard came from the third parties involved in businesses underwriting can improve your chances of future occurrence risk thus affects the performance guarantee of business. Effective risk management and efficient and involves all components of the company ranging from BOD, senior management and all employees necessary to enable the business losses incurred in credit guarantee can be controlled and can be accepted by the company.

Urgency to the implementation of corporate risk management is now a requirement of companies for underwriting and risk control to meet regulatory demands related to the implementation of good corporate governance (Good Corporate Governance (GCG)).

Corporate risk management is one important pillar of GCG implementation that can provide great opportunities that the company is driven to fulfill all aspects of the rules and regulations internal and external (complies) with due regard to the risks identified with the good of all aspects of the business and its supporters.

ERM model will be described below is adopted from the case of ERM Indonesian Credit Insurance Company (PT Askrindo) which carries on business guarantee insurance business as well as COSO framework (Committee of Sponsoring Organization).
PT Askrindo is a business entity in Indonesia which is unique and probably the only one in Indonesia can be a good collaboration between business-oriented profit-oriented to public service in the form of underwriting and insurance/guarantee businesses. PT Askrindo is said to run the insurance/guarantee business because of regulations in Indonesia is still considered that the Surety Bond, customs bonds, trade credit insurance and credit guarantee insurance business, although classified in the scheme used is the guarantee scheme. Currently the guarantee is still at the level of regulation of government regulation or decision of finance ministers pledge Whereas regulatory level Law is in the process of preparation. On one side of the PT Askrindo trying to support government programs to develop SMEs with credit guarantee products with characteristics that tend to lose business, but on the other side of PT Askrindo required to obtain and remain sustainable profit runs businesses in the form of underwriting and insurance products that includes product diversification Surety Bond, customs bonds, trade credit insurance (Askredag) and reinsurance. So complex that the business is run by PT Askrindo and to meet the demands of the regulator, which requires the state-run companies have a risk management unit, PT Askrindo beginning in 2010 must be and have started implementing Enterprise Risk Management (ERM is) with the approach of the rules and principles and insurance underwriting. Development process and the search for appropriate forms of ERM with the corporate goal is still ongoing.


Enterprise Risk Management (ERM) is a process involving the company, including BOD, management and all employees of the Company in identifying events or potential events that create an impact (losses), comprehensively manage the quantity / size that can be accepted by the company, and to ensure attainment of corporate objectives. In various economic enterprises in the world known various ERM framework in accordance with the viewpoint of risk management and social culture of a nation. ERM framework model that is used by many industries today is BS, British Standarts - IRGC (BS6079-3) (2000), International Risk Governance Council (IRGC) in 2004, COSO (Committee of Sponsoring Organizations), AS / NZ, Australia & New Zealand Standard (AS / NZS) 4360, ISO (International Organization Standarts) 31 000 (2009). Differences in the ERM framework can be seen in the table below.

Table 1. Framework (Framework) Risk Management

In the framework of the five models above, there are basic similarities of the implementation of the ERM process includes risk identification, risk measurement, risk mapping and risk mitigation. Basic risk management process will be actualized and implied by the company in accordance with the goals, company size and regulation set by the government.

Various ERM framework used by companies in different economic sectors has its own characteristics and is built on the basis Management and social point of view of local culture. Election ERM framework consistent with best practice where the company conducts business activities can be based on the following considerations:

1. The purpose and mission
2. Organizational needs and characteristics of existing business
3. Demands and regulatory requirements & regulations
4. Company size (size of company), including the resources available in the implementation of ERM


The successful implementation of ERM is dependent on the human resources involved in the activities of the ERM (effective by people). Sophistication of systems and mechanisms for the implementation of ERM will not guarantee that the objectives would be achieved if not supported by the quality and integrity of corporate human resources. The main key to success in the implementation of ERM is dependent on the quality and integrity of human resources. The successful implementation of ERM in general will be determined by several important factors, namely:

1. There are a commitment from the Board of Directors (BOD), the Board of Commisioner (BOC) and senior management. BOD commitment is the dominant factor determining the successful implementation of ERM for the ERM can not be applied if the BOD is not fully supported.
2. existence of policies, systems and process controls that are supported by the culture of risk (risk culture) (regardless of risk) is strong.
3. The existence of clarity in determining the risk appetite and risk tolerance in accordance with the company's ability (clear limits on delegated authority).
4. Communication and continuous learning.
5. The integration between the ERM into the strategic planning, business processes, assessing the work / performance and competence (rewards associated with the risk based system performance).
6. The existence of a permanent organization of risk management
7. The existence of a clear accountability and responsibility (including clear ownership of risk)

The Integrity and quality of human resources will determine the successful implementation of ERM so we need education and training that can increase Intelegencia Quotient (IQ), Emotional Quotient (EQ) and Spiritual Quotient (SQ) via the character of religious training and motivation of the work ethic and loyalty of employees to the company. Similar training should be conducted regularly and periodically so that HR always given awareness of the integrity and capacity contribution of HR in achieving corporate goals.


In the construction of the ERM, there are 3 (three) elements that must be built and prepared for the implementation of ERM can be run effectively as in the picture below, namely:

1. Framework (Risk Governance)

Elements of development frameworks that must be drawn between other include the Directors commitment, cultural awareness of the risks and implementation risks, determining risk appetite and risk tolerance, structure and functions of the organization and policy. Elements of this framework is the basic element to determine the success of the implementation of ERM that it all depends on the quality and integrity of human resources.

2. Infrastructures

ERM Implementation requires infrastructure in facilitating the implementation of ERM in the company. Infrastructure required to implement ERM is the methodology, information systems technology primarily used for data processing risk, Procedures (SOPs guide the implementation of ERM and ERM) and information systems that can provide a continuous ERM reporting to management.

3. Process

ERM is a process that is done continuously, integrated and involve all staff in managing the risks that may increase the odds of achieving goals. The principal risk management process carried out within the ERM is the process of identifying, measuring, mapping and risk mitigation. Other risk management processes that are not less important is the process of monitoring, communication, reporting and risk management controls. To implement the risk management process is crucial in a system and a relatively adequate resources both in technology or manual.

At this time, PT Askrindo already have elements of ERM implementations are relatively complete and start implementing ERM involves risk taking units with the help of risk management information system based on Web.


ERM PT Askrindo can be considered as models in an effort to guarantee the implementation of ERM. PT Askrindo since mid-2010 already has elements of ERM is a relatively complete implementation and management including the BOD has given a commitment for the implementation of ERM in the company and continue to develop the concept of ERM implemntasi appropriate for the company. In addition, PT Askrindo also has a Contact Person or Risk Risk Champion in all work units both at central and branch offices to support the implementation of the ERM with the assistance of risk management information system based on Web.

The concept of risk management is applied in PT Askrindo is insightful and principled on integrated enterprise risk management. Risk management is an integrated corporate risk management process that starts from the process of identifying, measuring, mapping, mitigation and monitoring and evaluation involving company management in the process of determining the strategy in all work units in an integrated manner. The concept of risk management designed to identify events (events) that has a negative for the company and manage risk in order to always be within the limit of tolerance of risk management.
For company, the above objectives, the management of building and integrating risk management into corporate values and business processes to adhere to basic principles:

a. Alignment between management strategy and risk tolerance will always take into account and consider the company's risk tolerance in determining a variety of alternative business strategies, business goals, and develop risk management mechanisms.
b. Continuously improve the quality awareness of a risk and create a culture of risk.
c. Reduce to lowest possible level of the surprises and losses that could affect the company's operational decisions.
d. Consistently identify and manage multiple risks and risks among units. Companies will face a lot of different forms of risk, which directly or indirectly affect the various activities of work units in conducting operations. Therefore, companies applying risk management to be able to facilitate the determination of an effective response on the effects of interrelated and determination of the integrated responses of multiple risks.
e. Capturing the opportunity to learn a variety of potential risks, management will be in a position to proactively identify and easy to catch any possible risk in the company.
f. Improving the quality and effectiveness of the use of company resources with the availability of diverse information complete and accurate risk management will help to effectively measure the possible risks associated with the company's business.


In the early development of ERM systems and mechanisms in the PT Askrindo, performed three stages of ERM implementation phase, as follows:

Third phase of these activities can be described in more detail in the steps following the implementation of ERM as follows:

1) Identify all the risks associated
2) Designing risk criteria and sub criteria of risk
3) Designing a system of risk management controls and establish the Risk Owner
4) Undertake an assessment of residual risks with the Risk Owner
5) Prepare detailed activity is a significant risk for reduced
6) To report significant risks to the management and mitigation suggestions
7) Allocate resources to mitigate significant risks
8) Monitor the mitigation process and the development of significant risk mitigation.
9) Evaluate the risk management and analysis of risk mitigation activities
10) Develop risk management in the deal work (Key Performance Indicator (KPI))

If depicted in chart form, the steps ERM Implementation at PT Askrindo can be illustrated as follows:

Figure 2 ERM Implementation Steps

After preparing the implementation of ERM as above elements then the next step in managing the risks continuously in accordance with the framework set by the ERM-based computerized system.


ERM-based PT Askrindo can be said of the guarantee because there are some characteristics of the guarantee in the process of risk management among others:

1. In the process of determining the risk appetite and risk tolerance, the foundation that can be used is Risk Based Capital (RBC), gearing ratio, or the minimum solvency margin (less). The amount of claims that can be received by the company can be used as a basis to decide Risk Appetite and Risk Tolerance. Risk Appetite is the basis for determining adjusted to the capacity of firms in the maximum risk will occur and the ability to handle risk management and regulatory requirements and applicable regulations. PT Askrindo in determining the risk appetite to use the gearing ratio indicators in addition to considering the risk appetite of the Board Of Directors (BOD).

2. In the process of identifying and measuring risk, the risk-assessment is in comes from the underwriting business conducted by the entire work unit operations or production, so would have recorded the risks associated with the risk classification of business processes in the underwriting business. The result of this risk assessment would provide a signal that risk mitigation efforts are also based on underwriting and policy provisions and regulations that govern.


Risk management conducted by PT Askrindo with COSO Framework has eight components that are interrelated. These parts are constructed of corporate governance that integrates with management processes.
Eight components of the COSO framework as in the picture below is integrated with strategy, operations, reporting systems, and compliance and the presence of various units involved in the process of corporate risk management at the head office or branch office. Election COSO framework by PT Askrindo the basis, among others, that the framework can accommodate the implementation of ERM to the branch office / SERVICES OFFICE. In developing and implementing ERM PT Askrindo conduct risk management processes such as the COSO framework as follows:

Figure 3 ERM Framework components COSO

i. Internal Environment
Internal environment that is conducive, supportive, and positively affect the company's working culture directly in view, and mitigate the risks, including risk management philosophy, risk tolerance, the values of integrity and ethics and environment.
ii. Targeting (target)
Setting objectives and targets, should be done by first considering the potential risks that negatively affect efforts to achieve goals / targets. Management will always set a business target in the corridors of corporate risk tolerance.
iii. Risk Identification
Management will identify the risks of internal and external that may affect the achievement of business objectives. Management always tries to position itself at a level that can easily distinguish between the risks and opportunities. Any chance of a successful arrest will be incorporated into the process of goal setting Company.
iv. Risk assessment
These risks are analyzed and considered the probability of occurrence (likelihood) and the potential impact of the loss (impact) as a reference to manage them. Risk is measured based approach inherent risk and residual risk.
v. Follow-up Risk
Management will set a follow-up and effective response to a risk. Spectral response of avoiding, accepting, reducing, or transferring risk. Response options will be influenced by a desire for tolerance and risk management and corporate.
vi. Control and Supervision of risk
A number of policies and guidelines established, defined and implemented to create a system of effective monitoring and control to facilitate risk management choose the response that effectively and efficiently.
vii. Reporting systems and risk management software
Various relevant information identified, captured, and communicated in the form of an informative, well structured and timely manner so that each organization can be responsible for carrying out their respective responsibilities in achieving corporate goals. This reporting system will be supported by computer-based information system using Web facilities. Management has a high priority to develop and have activities that are integrated, effective and connected online to all work units at headquarters and branch offices.
viii. Monitoring
Monitoring is important so that effectiveness can be known modifications and repairs needed on integrated enterprise risk management system. Monitoring is carried out through ongoing management activities, special evaluations, or both.


Identification of activities could be done with the approach through the list of past loss events that influence the future (loss event), the internal analysis, indicators of certain conditions, and the company's business process flow analysis. Risk Owner / Risk Contact Person who has been appointed from all risk taking units can be delivered / proposed a categorization of risk and incidence of new risks that have not been informed by the corporation to the Risk Management unit. In general the risk identification process in PT Askrindo described as follows:

Figure 4. Risk Identification Process

At the risk identification, PT Askrindo especially risk management unit conducted interviews with risk taking units with the help of the risk owner / risk contact person at the head office and branch office / SERVICES OFFICE. The results of this risk identification and inventory will be inputted in the system of risk management information.

Risk Classification

Classification of risk into risk management objectives in the implementation of the ERM can vary depending on the result of inherent risk assessment in the company. Classification of risk into risk management objectives in the ERM implementation PT Askrindo has its own characteristics, which in accordance with the results of risk assessment and product characteristics. Based on the risk assessment conducted by risk management unit of PT Askrindo, generally found the risks from the business process, business support activity and the external environment consists of:

a. Financial Risk
Namely fluctuations in the target company's financial or monetary measures since turmoil various macro variables may include policy changes, fluctuations in cash flow, market risk, product risk. Based on risk assessment, financial risk Askrindo which includes:
1. Risk Policy
2. Fluctuations Risk Cash Flow
3. Risk Reporting
4. Taxation Risk
5. Marketing Risks
6. Risk Product.

b. Operational Risk.
Is the potential deviation from expected results due to a system malfunction, human resources, technology or other factors. Operational risks can be caused by several factors such as: human resources (HR), the achievement of performance and regulatory compliance procedures and policies in the industry guarantee / insurance. Based on risk assessment, operational risks Askrindo include:

1. Human Resources (HR)
2. Achieving Performance
3. Compliance with Regulations and Procedures
4. Policies in the Industrial Risk Guarantee / Insurance.

c. Strategic Risk
Is a risk that can affect the exposure of corporate and strategic exposure as a result of strategic decisions that do not conform with changes in the external environment and internal operations. Strategic risk may be caused by investment companies, changes teknologi and information, decreasing the company's reputation, and not the company realize its strategic goal. Based on risk assessment, strategic risks PT Askrindo include:
1. Investment company
2. Changes in technology and information,
3. Decline in corporate reputation, and
4. Failure to achieve corporate strategic goals.
d. External Risk
Is the potential deviation results on corporate exposure and the potential strategic impact on the business closure due to state / external pressure. Which includes external risks PT Askrindo is the law and government policy changes.


In the process of risk measurement, the ERM-based implementation of the guarantee business will be obviously based on indicators that have relevance to the business of underwriting. Here's risk measurement process the guarantee business approach:

a. Measuring Risk Probability.

To measure the probability of risk can be used various statistical methods which are as follows:

(1) Risk Probability Poisson Method
(2) Binomial Approach
(3) Approximation Method

Used if not available past data that can be used to explore the possibilities of something happening of an accident. This method requires 3 (three) estimated the possibility (probability) of a risk to others and are formulated with a weighted average approach.

The third assessment of the results incorporated into the formula below to get the value of the probability of an event risk:

Probability = O+4M+P

O = Optimistic values, the highest value obtained.
M = The value of moderate or middle value.
P = Pessimistic value or lowest value.

(4) Comparative Method
Used if not available past data and other data that can be used to explore the possibilities of something happening of an accident. This method requires a comparison possibility (probability) of a risk that has ever happened in other places and similar and equal to the probability of risks facing companies today.

(5) Frequency Indication Method Approach.
To facilitate the filling of data / information on the probability of risk at the beginning of the process of risk identification activities can use the frequency approach. Following probability table using the frequency approach:

Table 2, requency indication
b. Impact Risk.

Impact of risk is a consideration of the quantitative assessment of the extent of loss (severity) that would be suffered by the company for an event risk.
Criteria risk impact is the total loss suffered in the aggregate or total of each risk event (loss of opportunities / or opportunity loss) of a category of risk the same.

The Magnitude of Risk Tolerance can be calculated on basis of :

• Scale of capital (risk-based capital)
• Scale business turnover (gearing ratio)
• Scale the minimum solvency margin requirements (less)
• Scale revenues (underwriting premiums)
• Scale operating costs (underwriting)

In determining risk appetite and risk tolerance in PT Askrindo, There are two ways to do that are:

1. Perception Board Of Directors of the company's risk. Based on interviews with the BOD results obtained a description and an indication that can be used as the basis for the preparation of risk appetite.
2. Of several indicators used in connection with the underwriting business, PT Askrindo has determined that the gearing ratio as an indicator approach to measuring the impact of risk. Method of calculating the impact of risk based on the gearing ratio is as:

Net equity based on financial statements (balance sheet) in 2009 was Rp. 1.011 trillion.
Outstanding value of the guarantee is USD. 12.426 trillion.
The gearing ratio of 10 times it was set with the assumption that the level of congestion or non-performance of credit guarantee (NPG) by 10% thus guaranteeing capacity to clean its own capital owned by PT Askrindo of Rp. 1.011 trillion is USD. 10.11 trillion.

In the year 2009 the value of collateral amounted to USD. 12.426 trillion, or have reached the gearing ratio = (IDR 12.426 trillion / USD. 1.011 trillion) = 12.29 times.
Values that do not guarantee in-bacServices Office with its own capital reserves or net is
= IDR. 12,29 trillion – IDR. 10,11 trillion
= IDR. 2,19 trillion

So that is not at risk with a bacServices Office with the assumption NPG 10% of the value of the guarantee amount to IDR. 2.19 trillion is IDR. 219 billion
or rounded IDR. 220 billion.

In 2009, underwriting income is IDR. 190 billion and underwriting expenses are IDR. 67 billion, resulting in net income was IDR 124 billion.

Risk level that will serve as the basis for calculating the impact of risk-based companies are gearing ratio

= Risk Level IDR. 220 billion – Net income IDR. 124 billion
= IDR. 96 billion

or rounded up to IDR. 100 billion. Interpretation of the IDR. 100 billion is that the company expected to experience critical or catastrophic situation if you have a loss of IDR. 100 billion.

Risk worth IDR. 100 billion is the maximum risk or a corporate catastrophic. Risk can be a risk of breakdown in risk-taking unit-level branches or units supporting management or performance based on the perception of premium revenue realization / STM unit at a certain period.

Based on the risk assessment conducted by risk management unit, the size of the impact of financial risk Askrindo at the corporate level there are five criteria by using the interval of the risk impact is as follows:

Measuring the impact of corporate financial risk-breakdown can be a financial risk at the branch level and Services Office based on perception management or performance of premium revenue realization / STM. Measuring the impact of financial risk Askrindo at Branch level and services office (in millions of rupiah) and the supporting units (supporting units) are as follows: adjust.

Impact of risk can also be stated in a matter of financial or non financial range.

The impact of financial risk, meaning that the impact of a risk can be measured in units of a particular currency, for example rupiah or dollars.

Furthermore, impact of financial risk can be separated into two, namely a direct financial impact and indirect financial impact.

Direct financial impact, is the size of a risk impact when viewed from the perspective of those risks actually occur, the impact would cause direct losses for companies of all USD / $. The count is measured in terms of direct costs incurred by the company.

Indirect financial impact, is a measure of the impact of risk if viewed from the perspective of those risks actually occurs, its impact will cause indirect losses for the company of so many USD / $ because there are activities that are missing / can not be done or the lost time / opportunity. The count is measured from the company's costs associated with the event such risks.

Besides measuring the impact of financial risk, PT Askrindo also measure the impact of non-financial risks in accordance with established risk classification of risk assessment results. Impact of non-financial risks, which means that the impact of these risks can not be measured in financial terms, for example: the impact on Strategy, Operations, Policy and Marketing and External.
The following are examples ofthe impact of non financial risk in PT Askrindo based on management perception of risk taking units involved and the opinion of experts in the field.

1. Risk Impact Investment Placement
Level Explanation Aspect
5 Very high /Catastrophic To an error in the placement of investment company that does not complies with rules / regulations, causing loss and can not be pulled placements principal investment company with a value ≥ IDR. 100 billion
4 High To an error in the placement of investment companies that do not comply to the rules / regulations, causing loss and can not be withdrawn principal investment placement firm with a value ≥ Idr. 80 billion and ≤ Idr. 100 billion.
3 Medium To an error in the placement of investment company that does not complies with rules / regulations, causing loss and can not be pulled placements principal investment company with a value ≥ Idr. 50 billion and ≤ Idr.80 billion
2 Low To an error in the placement of investment companies that do not comply to the rules / regulations causing kerugiandan placement can not be withdrawn principal investment company with a value ≥ Idr.. 5 billion and ≤ Idr 20 billion
1 Very Low To an error in the placement of investment companies that do not comply to the rules / regulations, causing loss and can not be withdrawn principal investment placement firm with a value with a value ≤ Idr.5 billion

2. Impact of Information and Technology Risk
Level Keterangan Aspek
5 Very High The existence of a significant disruption to the network / software / hardware is causing the affected company lawsuits because the service is closed (can not be served by ≥ 3 days).
4 High The presence of significant disruption to the network / software / hardware is causing the company incur a fine / penalty as the system can not run normally (can not be served two days but ≤ ≥ 3 days).
3 Medium The existence of a significant disruption to the network / software / hardware that causes the company to recover costs (can not be served ≥ a day but ≤ 2 days).
2 Low The existence of disruption to the network / software / hardware that caused the company lost some customers because not served (can not be served by ≥ 4 hours but ≤ 24 hours).
1 Very Low The existence of disruption to the network / software / hardware that caused the company to the customer service disrupted for several hours (≤ 4 hours).

3. Impact of Corporate Reputation Risk
Level Keterangan Aspek
5 Very High The existence of negative news in several print and electronic media about the news organization of underwriting and KUR, which causes the entire Customers do not want to use the services of the company.
4 High The existence of negative news in several print and electronic media about the news organization of underwriting and KUR, which causes most of the customers do not want to use a service company.
3 Medium The existence of negative news in several print and electronic media about the news organization of underwriting and KUR, causing a small portion Customers do not want to use the services of the company.
2 Low The existence of negative news in several print and electronic media concerning the implementation of the guarantee and KUR news cause the company to get a warning from a small portion Customer.
1 Very Low The existence of negative news in print and electronic media about the news organization of underwriting and KUR. Where the news has received confirmation from the company.

After setting the risk appetite as the beginning of measurement of risk, the risk must be evaluated and adjusted to the actual development of the risk perception of the management of risk tolerance that must be faced by the company. Risk tolerance which is inputted to have the procedure for determining tolerance (limit) the risk that can be described as follows:

Figure 5. Risk tolerance Determination Procedure

Factors that can be considered in determining the magnitude of risk tolerance are:

(1) Adequacy of the Reserve Fund Risk.
Magnitude of tolerance allocation is calculated based on the amount of reserves to cover the risk of loss if the worst scenario happens. One consideration that can be used is a risk reserve fund budget for the company based on the average ratio of the Minimum Solvency Margin (less/BTSM) or Risk-Based Capital in accordance with laws and regulations that apply.
The better the methodology and measurement system used, the better the resulting risk measurement, particularly in describing the real situation. Thus the allocation of reserves to be more proportionate to risk, not an excess or shortage.

(2) Business Performance .
Magnitude of tolerance can also be calculated based on the level of a certain percentage of one component in the company's financial statements. Example applications of this approach is by established risk tolerance percentage of the premium / Guarantee Fee (IJP) produced in accordance with laws and regulations that apply.

(3) Quality of Internal Control .
Internal Audit Unit in collaboration with other business units should ensure that the Risk Owner really know, understand and comply with the risk tolerance limits set by the BOD. Therefore, the Risk Management Unit are always developing information and reporting system whereby each holder of risk (Risk Owner) can easily measure their own risks that exist in their units respectively compared with the risk tolerance limits have been specified. In the event of violation of the limits of risk tolerance, it is necessary to consider the increase in the risk tolerance limits or risk reserve company. In the system the company had applied intrenal control system, so all the data / information on business processes related to risk management is already well managed.

(4) Ability to resolve problems of internal systems and business transactions .
The better ability to resolve any internal system problems and risks that occur, the lower the risk reserve funds allocated and lighter burden of the company. Conversely, the internal systems that are not effective in solving the problem then there are risks inherent in business processes that will lead to greater risk tolerance and the increasingly burdensome corporate risk reserve fund.

(5) Speed of companies responding to the threat of external .
Management companies need to create effective information systems and quickly so that they can anticipate with external changes that threaten the company. The faster the risk awarness built, the sooner the company carries out calculations to changes in existing risks and to know the adequacy and strength of a reserve fund. So that management can quickly anticipate all the surprises that happen, even when necessary to provide support in the form of a new risk reserve fund.


Controlling risk is shared among units with the Risk Management Unit to ensure that the current risk management process in accordance with the goals and company needs. Risk control process carried out by considering several important aspects, such as:

a. A true risk data input, which is equiped with an accuracy of records and supporting data for every risk event.
b. Selection accuracy of risk measurement methods:

1. Probability of risk: in accordance with the approach used (Poisson, binomial approximation and comparison).
2. Impact of risk: the accuracy of calculations based on the financial impact or non-financial approach

c. Speed to take the decision to be approved (approval) for some risk event.
d. The accuracy of selecting risk mitigation and its application to reduce the level of probability and risk impact until it becomes an inherent risk.

Early stages of risk oversight is done by involving the Risk Owner of each work unit both operational and non operational (supporting unit). After the Risk Owner to fill an risk event, it must be approved (approve) by their respective superiors. The purpose of this activity is to ensure the truth of the data and information on risks and mitigation measures are appropriate to deal with risk events.
Risk Management Unit conducts a review of data accuracy and precision of the measurement method selection and relationship with other risk events.


Risk reporting is done in various ways to facilitate the work of all units involved in the implementation of ERM. There are 3 (three) main types of risk management reports that will be applied at PT Askrindo namely:

1) The Report made any time through the corporate risk management information system integrated with the approach of information technology (software risk management), which have been proposed together.
2) Monthly report, presented by the Risk Management Unit in the form of risk register, suggestions, mitigation, risk transfer and risk mapping of the entire risk events.
3) Quarterly Report / quarter, which was presented by the Risk Management Unit. Form of risk register, risk mapping and risk mitigation and analysis of inherent risk.


In general, PT Askrindo implement risk mitigation of the four types of risk management, adjusted for risk classification and into the impact of risk as follows:

a. Avoid risk, which means not implement or continue activities that pose a risk.

b. Share the Risk, ie a move to reduce the possibility of risk or Risk Impact. Activities that can be done among others through insurance, outsourcing, subcontracting, hedging transactions.

c. Reducing risk is to do actions / activities to reduce the potential risk if there is in terms of probability and / impact risk.

d. Accept the risk, ie. do not do anything to avoid it, share or reduce such risks.

Figure 6. Probability and Impact of Risk


The process of risk monitoring is done through various stages of activity, as illustrated in the chart of internal and external review process below. The risk monitoring process carried out by PT Askrindo through several stages, namely:

a. Determination of risk management strategies, in every step of the strategy chosen by the company must contain a risk. Therefore, each selection and development of alternative assessment strategies is needed concerning the risk to the company's decision.
b. Tolerance of risk, risk in the process of making manual so needed some form of restrictions on risk assessment, causes, effects and impact of risk. Risk tolerance should be considered every 2 (two) years or if there is an urgent situation that needs improvement.
c. . Strategy execution, is the first security measures undertaken by companies in response to input of each selection and development of alternative strategies.

Figure 7. Internal dan External Review Process

d. Operational execution, the execution of every step taken by the company's strategy required the input of operational security measures of any risks that might occured. Added information about the risks undertaken by the Risk Owner, which would then be reviewed by each work unit and guided by the Risk Management Unit. Operational safety measures this can be a reduction, decrease or avoidance of a risk or mitigation measures are called ordinary.
e. Control Systems, through an assessment of business performance can describe the achievement of the Company as well as costs in any operational activities. In practice each of these activities should already incorporate elements of provision against every possible risk. However, if is still happening is also a risk event, then the next control step is seeking mitigation measures. This control system is a continuous process and consistently implemented so as to achieve an inherent risk.
f. Risk preferences, a step the final part of the implementation of risk management activities. From some parts of the activities and steps that have been described above, then the risks will arise preferences prevailing in the corporate environment. Risk preference is of course from time to time will change and development, to be able to mediate between the needs of internal and external changes and the willingness of corporate existence in the present and future.


The data processing risks and the risk of making periodic reports to the BOD requires computer-based information systems. In the development of risk management information system in the form of Web-based application program made some initial steps namely;

The first step is to learn about the company wishes the purpose built software. In this step is to include any data that can be processed, how the process of data input, anyone who should be involved in the process of data input.

The second step is to create a basic framework of the program. Activities undertaken is to build the basic foundation (foundation) course, which consists of dimensional measurement and data grouping. Then create a program to process the data buffer, which consists of data types, data formats, the system of approval and the type of report. Thus, the roof of the building design courses in the form of output, such as risk management reporting system. If this process is described, it can be illustrated as shown below.

Figure 8 The Design of Risk Management Application Software

The third step is to test and socialization programs. Step test done to reduce the possibility of errors and lack of precision of risk management programs. Socialization program is done so that every Champion Risk / Risk Contact Person understand how the procedure opens the program, input the data / information risk events, attach the data / information necessary, process of risk events to be consolidated and use the program for purposes of evaluation / monitoring.

Risk management software purpose of making among others:

a. Accelerate the process of inputting and recording data / information. Manajemen Risk identification. In order for Champion Risk / Risk Contact Person faster in the risk of entering the data, then the required uniformity aids, and manual systems of information technology tools such as software.

b. Facilitate the measurement of probability and risk impact.
To uniform as well as providing tools to facilitate the work Risk Champion / Risk Contact Person and persons responsible Unit, then needed the same tools in the process of measuring the probability and risk impact.

c. Accelerating the cartography of risks, and make risk register.
The process of recording risk events that starts from the risk of data input, set the probability of risk to calculate the impact of risk, has been done through software. Therefore the risk of a data base that has been in the input will be mapped, and also in the record into a list of risks is called risk register.

d. Facilitate the process of recording risk mitigation through the risk register.
Risk register is a record of all information containing data / information about risk events complete with risk mitigation measures that will and already do, including the end result.

e. Integrating corporate risk.
That is an effort to manage all the risks that exist in the event organization, communicating in information technology to every working unit, thus achieving an integrated system of corporate control.


One of key to get a success in implementation of ERM is that there are organizations that manage risk management in an integrated risk management, involving the entire company from the BOD and all employees. Organization of risk management units are usually on par with best practice division, but if the size is very large and complex, enterprise risk management unit can be set at Directorate level.

Risk management unit of the Division level to be more effective and independent should be directly under the Main Director.
This is necessary so the risk management unit is positioned to avoid intervention from other Directors and can easily coordinate with cross-directorate. ERM organization can be determined by looking at the prevailing corporate culture.

ERM within the organization, there is an important organ of the organization that is known as Risk Owner Contact Person or Risk Owner. Understanding risk is all the vice owner of the work units that have been designated in all work units directly involved with the risks and act as a risk owner who is (as a real risk the Owner) of any transactions or activities that are done. Risk Owner act independently of the Risk Management Unit.


ERM units harmony with other work units is indispensable and became one of the success key of implementation of ERM. It is necessary to establish in formal and informal relationships between business units and risk management unit. PT Askrindo has built an organizational structure chart of risk management related to other work units that describe the relationship between the Strategic Policy, Guidelines, Operational Procedures and Risk Management Information System Architecture as shown below.

Figure 9. Relationship Between Strategic Policy, guidelines, Operational Procedures and Risk Management Information System Architecture

By Mulyono

Tidak ada komentar:

Posting Komentar