Public Risk Management in Brief

Public Risk Management

Two sides of the coin: looking beyond Enterprise Risk Management (ERM)

Public risk management is the process of managing risk for enterprises that are responsible for public services. In identifying, measuring, controlling and monitoring their risks, such enterprises must account not only for organizational risk but also for social risk.

Risk management is now coming to be seen as a strategic need in decision-making and in setting the direction for improving company performance, by way of the risk profile report. The risk profile report presents the risk priorities, the causes of each risk and the internal controls already in place, so that the company can make the best use of its limited resources and monitor every risk mitigation plan. In this way the company's objectives can be achieved with the least possible risk while business opportunities are exploited.

Features of public risk management that are not found in corporate risk management (ERM) include:

  • The public sector is typically dominated by state-owned enterprises (BUMN) such as Pupuk Sriwidjaya, Kereta Api Indonesia, Perusahaan Listrik Negara, Pertamina, Perusahaan Gas Negara and others. These enterprises are responsible for generating profit in their corporate function under Law No. 40 of 2007 on Limited Liability Companies (UU PT) and for paying dividends to the State, coordinated by the Ministry of State-Owned Enterprises, as a form of non-tax revenue. At the same time, public-sector BUMN are also accountable as social institutions with exposure to social risk.
  • Limited choice of risk mitigation tools: the risk-avoidance response available to the private sector cannot be chosen for every risk that is identified and measured.
  • The complexity of public policy and governance creates high uncertainty, so the risk exposure also differs from that of corporate risk in general.

Awareness of the importance of public risk management is expected to reduce failures to achieve the objectives and mission of public enterprises, failures that lead to public distrust of the services provided and can ultimately result in systemic economic instability.

Given the above, the application of public risk management in Indonesia must now be considered, among other reasons because of the many criticisms and complaints from:

  • the public, regarding the services of public-sector BUMN and government agencies, together with the development of democracy, which demands transparency and accountability in improving public services
  • foreign investors, regarding bureaucratic services, especially in terms of time and cost compared with other developing countries in the same region

For government institutions, the application of public risk management began at the Ministry of Finance (Departemen Keuangan) with the assignment of the Inspectorate General as compliance office for risk management from fiscal year 2007, to help ensure transparency and accountability in the management of state finances.

The application of public risk management has in fact already begun to be set out in regulations, both laws (UU) and ministerial decrees, and in the Indonesian Banking Architecture (API) for the national banking sector, using an internal audit approach and the COSO risk management framework, including:

  • Law No. 1 of 2004 on the State Treasury, Article 58, stresses the need for an internal control system (SPI) within the Government and for risk management.
  • Minister of Finance Decree (Kepmenkeu) No. 464/KMK.01/2005 of 29 September 2005 on the Strategy and Policy Guidelines of the Ministry of Finance (Ministry of Finance Road-map) for 2005-2009, with risk management as one of its main programs.
  • Circular Letter (SE) of the Minister of Administrative Reform (Menpan) No. SE/15/M.PAN/9/2005 on Intensifying Supervision to Improve Public Services by reducing risks such as extra charges or illegal levies in the delivery of public services.
  • Bank Indonesia Regulation (PBI) No. 11/25/PBI/2009 on the Application of Risk Management for Commercial Banks, which belongs to the fourth program of the Indonesian Banking Architecture (API), the Program for Improving the Quality of Banking Management and Operations.

A concrete current example is the hot issue of the increase in the basic electricity tariff (TDL). This is a risk that PLN cannot treat merely as a corporate issue to be handled with the corporate risk management (ERM) approach; PLN must be able to go beyond ERM by applying a public risk management approach that also accounts for social and political risk. Mitigation of the identified and measured risks must be matched to internal capability, especially in communicating with and educating the relevant stakeholders. DC2010


Dissecting the Anatomy of ISO 31000

ISO 31000: The New International Risk Management Standard

In the world of risk management, many companies are juggling frameworks to find the one that suits their environment for implementing risk management.

In November 2009, the International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management — Principles and Guidelines, a new management standard intended to help organizations of all types and sizes manage risk across the silos and domains scattered throughout the enterprise. It is just as relevant to non-financial risk, such as legal risk management, information security, quality, or environmental, health and safety, as it is to financial risk.

THE PORTRAIT OF ISO 31000

ISO 31000:2009 is the new international standard on risk management and is largely founded on AS/NZS 4360:2004, the Australian standard originally published in 1995. ISO 31000 provides a generic framework for establishing the context of risk and for identifying, analyzing, evaluating, treating, monitoring and communicating it. It is the first document published in the ISO 31000 Risk Management series, which also includes the following:

  • ISO Guide 73:2009, Risk management — Vocabulary: Provides the definitions of generic terms related to risk management and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, as well as uniform risk management terminology.
  • ISO/IEC 31010, Risk management — Risk assessment techniques: A supporting standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.

THE COMPATIBILITY OF ISO 31000 vs COSO ERM

The good news is that ISO 31000 is compatible with COSO ERM. It can be considered an update to COSO ERM that reflects current international risk management thinking. In general, ISO 31000 has some significant advantages over COSO:

  • More practical and less theoretical, with detail provided and explicitly defined
  • At a concise 24 pages, ISO 31000:2009 is noteworthy for its simplicity and adaptability; it can be used by public and private companies, organizations and individuals, and applied to a range of activities, from operations and processes to services and assets
  • Plainly written, the document is accessible to Boards (CEOs, CIOs, CROs, Commissioners, Audit Committee, Risk Oversight Committee), risk practitioners and controllers, helping them understand how to manage risk while exploiting opportunity
  • The information in the standard can be adapted to develop guidelines for assessing existing risk management methodologies

The essential difference between ISO 31000 and COSO ERM is in the focus of assessing and managing risk.

  • ISO 31000 is focused on consequences and provides a framework to help consider the ‘flow on’ consequences of an event occurring. This is shown in its definition of risk as the “effect of uncertainty on objectives”.
  • COSO ERM is focused more on events than on the consequences of events. This is shown in its definition of risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”

THE ANATOMY OF ISO 31000

ISO 31000 has three interrelated building blocks, general principles, a framework and a process, which together are needed for risk management to be implemented effectively.

The First Building Block of ISO 31000 states that risk management should embody the following principles:

  • Creates value
  • Integral part of organizational processes
  • Part of decision-making
  • Explicitly addresses uncertainty
  • Systematic, structured and timely
  • Based on the best available information
  • Tailored
  • Takes human and cultural factors into account
  • Transparent and inclusive
  • Dynamic, iterative and responsive to change
  • Facilitates continual improvement of the organization

The Second Building Block of ISO 31000 is having the right risk framework, which starts with the Board’s commitment. Once commitment is established, there is a loop of actions that includes: 1) designing the framework, 2) implementing risk management, 3) monitoring and reviewing the framework, and 4) continually improving the framework.

The Third Building Block of ISO 31000 is adopted originally from AS/NZS 4360:2004; it ensures that communication and monitoring take place throughout the process, from establishing the context through risk assessment to risk treatment.

REMARKS

ISO 31000 is a concise and well-written standard that reflects current international thinking and is a very positive development in the risk management standards landscape. It defines risk as the “effect of uncertainty on objectives,” acknowledging both the positive opportunities and the negative consequences associated with it.

In my view, as risk practitioners we should explore the application of the new ISO 31000 standard in the organization to streamline risk management on a global scale, based on the three prerequisite pillars of effective risk management illustrated below, since “not pursuing an opportunity” is a risk identified in ISO 31000.

(Figure: 3 pillars vs ISO 31000 framework)

The Linkage between the Essential Roles of RM and IA in ERM Implementation

Most ERM implementations have been initiated by internal audit since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management–Integrated Framework in September 2004. Under COSO ERM, internal audit plays an important role in monitoring ERM, but does NOT have primary responsibility for its implementation or maintenance. Internal audit assists management and the board or audit committee ONLY in monitoring, evaluating, examining, reporting and recommending improvements. It supports the establishment of the enterprise risk management groundwork in the organization, and that work should then be continued by the risk management group (RMG). Issues sometimes arise in the transition from IA to RMG, since it is critical to ensure that the audit function takes on an appropriate, and not excessive, level of responsibility for ERM.

The illustration below describes the linkage between the roles of the Risk Manager and the Internal Auditor.

(Figure: RMU vs IA role in ERM)

The interlinked roles

With regard to ERM implementation, there are some roles that the internal audit function needs to take on with caution, such as facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing the establishment of ERM, and developing the risk management strategy for board approval.

Finally, the main roles of the RMG that cannot be undertaken by IA are setting the risk appetite, imposing risk management processes, providing management assurance on risks, taking decisions on risk responses, implementing risk responses on management’s behalf, and accountability for risk management. ©DC_2009