Pembelajaran Manajemen Risiko dari Sebuah Cerita Kecil…

Risk Management Ice Breaker for Today

“the other side of learning risk management….”

Sebuah cerita tentang bagaimana pendekatan manajemen risiko mempengaruhi pengelolaan risiko dan proses pencapaian tujuan akhir dari suatu proses. Ada tiga orang risk professional dan tiga orang akuntan bepergian dengan kereta api untuk mengunjungi sebuah ‘Konferensi Manajemen Risiko’. 

Cerita Awal Sebelum Konferensi Manajemen Risiko…

Di stasiun, ketiga akuntan tsb masing-masing membeli 1 tiket tetapi ketiga risk professional hanya membeli satu tiket.

“Hal ini terlihat sangat berisiko. Bagaimana tiga orang akan melakukan perjalanan dengan hanya satu tiket?” tanya salah satu akuntan. “Watch and you’ll see! Kami mempunyai pendekatan manajemen risiko yang baru” jawab salah satu risk professional.

Mereka semua naik kereta. Para akuntan duduk di kelas satu, tetapi ketiga risk professional pergi 1 ke kamar kecil dan menutup pintunya. Tak lama setelah kereta telah berangkat, kondektur datang sekitar mengumpulkan tiket. Dia mengetuk pintu toilet dan berkata, “Tiket.” Pintu terbuka kecil dan hanya satu lengan muncul dengan tiket di tangan dan Kondektur mengambil tiket tersebut dan bergegas pergi melanjutkan pemeriksaan tiket. Para akuntan itu sangat terkesan dengan pendekatan ketiga risk professional dan sepakat bahwa itu merupakan ide cerdas yang cukup tanpa risiko yang besar.

Cerita Lanjutan Setelah Konferensi Manajemen Risiko…

Sepulang dari “Konferensi Manajemen Risiko”, para akuntan sangat percaya diri akan keterampilan mengelola risiko yang diperoleh di Konferensi tersebut, sehingga para akuntan memutuskan untuk meniru pendekatan risiko para risk professional pada perjalanan pulang mereka dan menghemat uangnya (sesuai pepatah.. akuntan selalu pintar dengan uang mereka!). Ketika mereka sampai ke stasiun, mereka membeli 1 tiket saja untuk perjalanan pulang.

Tetapi mereka heran, kali ini para risk professional tidak membeli tiket sama sekali. ”Ini suatu kecerobohan, bagaimana Anda akan bepergian tanpa tiket satupun?” tanya salah satu akuntan dengan bingungnya. “Watch and you’ll see! Kami sudah mempunyai pendekatan manajemen risiko yang terbaru hasil dari Konferensi Manajemen Risiko” jawab salah satu risk professional. Ketika mereka semua naik kereta ketiga akuntan menjejalkan diri ke 1 kamar kecil dan tiga risk professional lain ikut masuk di kamar kecil tersebut lalu Kereta itu berangkat.

Catatan Kecil dari Cerita ini…

  • Manajemen Risiko adalah sebuah proses pembelajaran yang tidak akan pernah ada akhirnya karena kehidupan kita baik personal maupun bisnis penuh dengan ketidakpastian, yang tetap harus dijalani dalam rangka mencapai suatu tujuan tertentu
  • Risk professional harus mempunyai integritas dan kreativitas yang dapat dipergunakan untuk mengeksploitasi peluang dan mengelola risiko pada saat yang sama
  • Nilai terbesar dari penerapan manajemen risiko hanya dapat diperoleh bilamana risk professional dan aktuaris bekerja sama (tidak berkompetisi) karena mereka mempunyai tujuan yang sama, Sama halnya dalam pengelolaan manajemen risiko di perusahaan, diperlukan kombinasi keahlian para professional di bidang manajemen risiko untuk mendukung pencapaian tujuan perusahaan.

Legitimasi Peranan Internal Audit dalam rangka Penerapan Manajemen Risiko Korporasi

Menurut IIA (The Institute of Internal Auditors) on “The Role of Internal Auditing in Enterprise-wide Risk Management”, September 29, 2004


IA Role in ERM Implementation based on IIA

Peranan Internal Audit di dalam Penerapan Manajemen Risiko Korporasi

  • Memberikan jaminan yang memadai bahwa proses manajemen risiko yang telah berjalan sesuai dengan metodologi dan pendekatan yang telah ditetapkan oleh organisasi
  • Memberikan jaminan yang memadai bahwa risiko telah dievaluasi dengan metodologi dan pendekatan benar
  • Melakukan evaluasi kesesuaian atas proses manajemen risiko yang telah berjalan dengan metodologi dan pendekatan yang telah ditetapkan oleh organisasi
  • Melakukan evaluasi pengendalian internal atas pelaporan risiko-risiko kunci yang teridentifikasi dan diukur
  • Melakukan penelaahan pengelolaan risiko-risiko kunci sesuai dengan rencana mitigasi risiko yang telah ditetapkan

Peranan Internal Audit yang dapat dilakukan hanya pada tahap awal Penerapan Manajemen Risiko Korporasi

(bilamana penerapan manajemen risiko sudah berjalan, internal audit tidak boleh melakukan hal-hal berikut)

  • Memberikan fasilitasi proses identifikasi dan penilaian atas risiko kepada pemilik risiko di organisasi
  • Memberikan fasilitasi proses pengelolaan risiko kepada pemilik risiko di organisasi
  • Melakukan koordinasi aktivitas ERM
  • Melakukan konsolidasi pelaporan atas risiko
  • Memastikan dan mengembangkan kerangka kerja ERM yang sesuai dengan kebutuhan organisasi
  • Membangun perintis awal yang akan bertanggung jawab dalam penerapan ERM selanjutnya di organisasi
  • Mengembangkan strategi pengelolaan risiko di organisasi dan mendapatkan persetujuan Direksi maupun dewan Komisaris atas strategi yang telah dikembangkan

Peranan yang tidak boleh dilakukan oleh Internal Audit

(disarankan untuk dilakukan oleh unit manajemen risiko sebagai unit yang independen)

  • Menetapkan batasan dan selera risiko (risk appetite)
  • Memastikan terjadinya proses manajemen risiko di organisasi
  • Melakukan validasi atas risiko yang telah teridentifikasi dan terukur
  • Peranan yang tidak boleh dilakukan oleh Internal Audit ataupun unit manajemen risiko
  • Melakukan pengambilan keputusan atas bentuk pengelolaan/respon risiko
  • Menerapkan respon risiko dengan mengatasnamakan manajemen
  • Mengambil bentuk pertanggungjawaban atas penerapan manajemen risiko

Dissecting the Anatomy of ISO 31000

ISO 31000: The New International Risk Management Standard

In a world of risk management, many companies juggling on the framework that suitable to their environment for implementing risk management.

On November 2009, the International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management — Principles and Guidelines, a new management standard intended to help organizations of all types and sizes across the silos/domains of risk scattered across the enterprise. It is just as relevant to areas not only for financial risk but also for also non-financial risk such as legal risk management as it is to information security, quality, or environmental, health & safety.

THE PORTRAIT OF ISO 31000

ISO 31000:2009 is the new international standard on risk management and largely foundation on AS/NZS 4360:2004, the Australian standard originally published in 1995. ISO 31000 provides a generic framework for establishing the context of, identifying, analyzing, evaluating, treating, monitoring and communicating risk. It is the first document published in the ISO 31000 Risk Management series, which also includes the following:

  • ISO Guide 73:2009, Risk management — Vocabulary: Provides the definitions of generic terms related to risk management and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, as well as uniform risk management terminology.
  • ISO/IEC 31010, Risk management — Risk assessment techniques: A supporting standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.

THE COMPATIBILITY OF ISO 31000 vs COSO ERM

The good news is that ISO 31000 is compatible with COSO ERM. It is considered an update to COSO ERM that reflects current risk management thinking internationally. In general, ISO 31000 has some significant advantages over COSO:

  • More practical and less theoretical with detail provided and explicitly defined
  • A concise 24 pages, ISO 31000:2009 is noteworthy for its simplicity and adaptability used by public and private companies, organizations and individuals also applied to a range of activities, from operations and processes to services and assets
  • Plainly written, the document is accessible to Boards (CEOs, CIOs, CROs, Commissioners, Audit Committee, Risk Oversight Committee), risk practitioners, also controllers, to understand how to managing risk whilst exploit opportunity
  • The information in the standard can be adapted to develop guidelines to assess existing risk management methodologies

The essential  difference between ISO 31000 and COSO ERM is in the focus of assessing and managing risk.

  • ISO 31000 is focused on consequences provides a framework to help consider the ‘flow on’ consequences of an event occurring. It shown through risk definition as the “effect of uncertainty on objectives”
  • COSO ERM is focused more on the events rather the consequences of events. It shown through risk definition as “the possibility that an event will occur and adversely affect the achievement of objectives.”

THE ANATOMY OF ISO 31000

The ISO 31000 has three interrelated building block of general principles, framework, and process risk management to be effective implemented.

The First Building Block of ISO 31000 states that risk management should contain the following principles:

  • Creates value
  • Integral part of organizational processes
  • Part of decision-making
  • Explicitly addresses uncertainty
  • Systematic, structured and timely
  • Based on the best available information
  • Tailored
  • Takes human and cultural factors into account
  • Transparent and inclusive
  • Dynamic, iterative and responsive to change
  • Facilitates continual improvement of the organization

The Second Building Block of ISO 31000 is having the right risk framework through Boards’ commitment. Once commitment is established, there is a loop of actions that include: 1) design the framework, 2) implement risk management, 3) monitor and review the framework, and 4) continual improvement of the framework.

The Third Building Block of ISO 31000 is adopted originally from AS/NZS 4360:2004 that assure the communication and monitoring is doing through the process of establishing the context, risk assessment, until risk treatment.

REMARKS

ISO 31000 is concise and well-written standard that reflect current international thinking as a very positive development in the risk management standards landscape. It defines risk as the “effect of uncertainty on objectives,” acknowledging both the positive opportunities and negative consequences associated with it.

In my point of view, as a risk practitioner we should discover on the application of new ISO 31000 standard in the organization to streamlining risk management on a global scale based on 3-prerequsite pillars of effective risk management as illustrated below since “not pursuing an opportunity” is a risk identified in ISO 31000.

3pillars vs iso31000framework

The Linkage on Essential Role of RM and IA in ERM Implementation

Most of the initiation of ERM implementation start from internal audit since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management–Integrated Framework in September 2004. Based on COSO ERM, internal audit play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. Internal audit assist management and the board or audit committee ONLY in the process of monitoring, evaluating, examining, reporting, recommending improvements.  They support for establishing enterprise risk management groundwork in the organization and should be continued by the risk management group. The issue sometimes comes up from the transition from IA to RMG since it could be critical to ensure that the audit function takes on an appropriate level of responsibility for ERM.

Illustration below is described the linkage between the role of Risk Manager and Internal Auditor.

RMU vs IA Role in ERM

The interlink roles

In regard to ERM implementation there are some roles that need to be applied with cautious by internal audit function such as facilitating identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, developing risk management strategy for board approval.

Finally, the main role of RMG that cannot be undertake by IA are setting the risk appetite, imposing risk management processes, management assurance on risks, taking decisions on risk responses, implementing risk responses on management’s behalf, accountability for risk management. ©DC_2009

Sharing Practice on Enterprise Risk Management

Managing risk is something that we used to do in life and that also happen in corporation (generally we used enterprise term instead of corporate ). IT’S NOT SOMETHING NEW.

The term ERM is used to make it more systematic refer to how we manage risk that could make our objective unachievable. The way we manage risk must consider all knowledge available such as  managerial finance, human capital, strategic management, and legal.

The point is when you want to implement enterprise risk management (ERM) you should

  1. GET THE RIGHT START by building strong risk governance as the foundation
  2. CHOOSE THE MOST SUITABLE RISK FRAMEWORK according to corporate’s characteristic and used it as guideline
  3. MAKE  RISK MANAGEMENT EMBEDDED IN CORPORATE CULTURE by making it integrated with corporate’s and employee’s Key Performance Indicator (KPI)

[slideshare id=1700089&doc=sharingpracticesonerm-090709052938-phpapp01]


<div style=”width:425px;text-align:left” id=”__ss_1700089″><a style=”font:14px Helvetica,Arial,Sans-serif;display:block;margin:12px 0 3px 0;text-decoration:underline;” href=”http://www.slideshare.net/dianechristina/sharing-practice-on-enterprise-risk-management-erm” title=”Sharing Practice on Enterprise Risk Management (ERM)”>Sharing Practice on Enterprise Risk Management (ERM)</a><object style=”margin:0px” width=”425″ height=”355″><param name=”movie” value=”http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=sharingpracticesonerm-090709052938-phpapp01&stripped_title=sharing-practice-on-enterprise-risk-management-erm” /><param name=”allowFullScreen” value=”true”/><param name=”allowScriptAccess” value=”always”/><embed src=”http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=sharingpracticesonerm-090709052938-phpapp01&stripped_title=sharing-practice-on-enterprise-risk-management-erm” type=”application/x-shockwave-flash” allowscriptaccess=”always” allowfullscreen=”true” width=”425″ height=”355″></embed></object><div style=”font-size:11px;font-family:tahoma,arial;height:26px;padding-top:2px;”>View more <a style=”text-decoration:underline;” href=”http://www.slideshare.net/”>presentations</a> from <a style=”text-decoration:underline;” href=”http://www.slideshare.net/dianechristina”>Diane  Christina</a>.</div></div>