One of the biggest causes of failure in implementing risk management is adopting the risk management framework as-is without considering the organization's culture.

Risk management is implemented to pursue opportunities and to make effective use of limited internal capability, not only to manage the adverse effects of uncertainty. It is important to identify up-front what the organization expects from implementing risk management, such as an improved decision-making process in setting corporate strategy, reduced risk exposure in key areas, improved compliance, and enhanced operational efficiency and profitability. An organization that is struggling to implement risk management effectively, or that has not yet implemented a formal, proactive, structured risk management framework, can use ISO 31000 as useful guidance. ISO 31000 acknowledges the importance of continually enhancing the risk management framework through the following five attributes:

  • Continual Improvement
  • Full Accountability for Risks
  • Application of Risk Management in all Decision Making Processes
  • Continual Communications
  • Full Integration in the Organization’s Governance Structure


As noted above, adopting the risk management framework as-is without considering the organization's culture is one of the biggest causes of failure. To enhance risk management or get it back on track using ISO 31000, here is a suggested "to do list" for a smooth transition.

An example of a transition process to ISO 31000:

  • Refine the benefits/impact of implementing ERM throughout the organization, led by the Board and the ERM Unit/Project Team, and create a measurement process to determine to what extent these objectives are achieved.
  • Review and update the existing risk management framework and amend the documentation to align with the prerequisite elements of ISO 31000. Keep a record of each enhancement as evidence of continual improvement.
  • Communicate the key changes to all organization personnel and notify them that the organization now follows an international risk management standard.
  • Appoint the key risk owners for risk management "refresher" training in order to encourage them to review their risks and update their risk registers.




    The Legitimacy of Internal Audit's Role in the Implementation of Enterprise Risk Management

    According to the IIA (The Institute of Internal Auditors), in "The Role of Internal Auditing in Enterprise-wide Risk Management", September 29, 2004

    Internal Audit's Role in ERM Implementation according to the IIA

    Roles of Internal Audit in the Implementation of Enterprise Risk Management

    • Providing reasonable assurance that the risk management process in place runs in accordance with the methodology and approach established by the organization
    • Providing reasonable assurance that risks have been evaluated using the correct methodology and approach
    • Evaluating the conformity of the risk management process in place with the methodology and approach established by the organization
    • Evaluating internal controls over the reporting of key risks that have been identified and measured
    • Reviewing the management of key risks against the established risk mitigation plans

    Roles Internal Audit may perform only in the initial stage of Enterprise Risk Management implementation

    (once risk management implementation is up and running, internal audit must not do the following)

    • Facilitating the risk identification and assessment process for risk owners in the organization
    • Facilitating the risk treatment process for risk owners in the organization
    • Coordinating ERM activities
    • Consolidating risk reporting
    • Ensuring and developing an ERM framework that fits the organization's needs
    • Building the initial pioneer team that will be responsible for the subsequent implementation of ERM in the organization
    • Developing the organization's risk management strategy and obtaining the approval of the Board of Directors and the Board of Commissioners for the strategy developed

    Roles that Internal Audit must not perform

    (recommended to be performed by the risk management unit, as an independent unit)

    • Setting risk limits and risk appetite
    • Ensuring that the risk management process takes place in the organization
    • Validating risks that have been identified and measured

    Roles that must not be performed by either Internal Audit or the risk management unit

    • Making decisions on the form of risk treatment/response
    • Implementing risk responses on behalf of management
    • Taking accountability for the implementation of risk management

    A New Horizon in Managing Risks

    What does a Risk Management Standard mean to your organization?

    With the rising concern for risk management today, we have a number of risk management implementation frameworks established by various national bodies. Without a single worldwide consensus on a standard for risk management implementation, the situation can lead to varied and debated perspectives when deciding on the most appropriate risk management implementation standard for our organization. Besides that, an international standard can also help an organization comply with legal and regulatory requirements and international norms. A risk management standard does contribute to the organization's bottom line, but it provides only a general description of the elements, processes, and activities required for risk management.

    ISO 31000 provides a high-level concept of risk management implementation that should not conflict with existing, specific frameworks or methods of risk management implementation. Existing frameworks or methods may differ, particularly in that they may not have as broad a perspective as ISO 31000. The most important thing highlighted in ISO 31000 is corporate culture, since risk management cannot be implemented as a template; it must follow the company's specific needs and circumstances, among others the industry in which it does business and the complexity, size, strategy, and governance of the company.

    At the ISO 31000 seminar held by APB Group-Indonesia on August 6th, all of us were encouraged to take a new horizon in managing risks: a standard is good guidance for implementing risk management and contributes to increasing the visibility of the balance between opportunities and risk, but the standard itself is not a one-size-fits-all solution.


    ISO 31000 Risk Management Standard, Jakarta, 06 August 2008