ERM overview of auditing, fraud and revenue assurance
1. The Overview of Internal Control (Auditing), Fraud, and Revenue Assurance
I Nyoman Wisnu Wardhana
Senior Advisor II – PT. Telkom
28 November 2014
2. Content
1 Refreshment Concept of Risk
2 Internal Control
3 Fraud in Business
4 Revenue Assurance
5 Risk Based KPIs and KRIs
6 KRIs and Dashboard
3. Refreshment Concept of Risk
Enterprise Risk Management Concept
Risk management is not about formulas and numbers; it is about insight, and about seeing the pattern.
4. Enterprise Risk Management History
Maturing as a business process
1950s-1960s: Traditional Risk Management ("TRM")
1970s: Risk management gains wider acceptance
1977: Foreign Corrupt Practices Act ("FCPA")
1980s: Companies begin risk departments, typically focused on insurance
Early 1980s: Increased focus on internal control and compliance
1985: National Commission on Fraudulent Financial Reporting — Treadway Commission
1990s: Risk management matures as companies begin to focus on "business risk"
1992: Committee of Sponsoring Organizations ("COSO") published Internal Control — Integrated Framework
1990s-2000: Continued focus on internal control, risk management, and responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, others)
2002: Sarbanes-Oxley Act of 2002
2004: Release of COSO ERM Integrated Framework
Enterprise Risk Management is intertwined with the development of internal control standards and the regulatory environment.
Source: Deloitte & Touche LLP
5. Internal Control Backgrounds
Enterprise Risk Management Concept
Fraud, Corporation, SEC Rules, PCAOB standard, S.O.X.
Management proactive v. its enhancement:
- Corporate Governance
- Implementation of Internal Control (IC)
- Management Disclosure (Assertion)
- Opinion from KAP
Every company must have its control in place.
SEC proposed:
- COSO Framework (IC)
- COBIT (IT Control)
Time frame: AS#2 proposal, AS#5 proposal
Introduction of Governance
Risk Based Compliances (consent and approval): derived from any regulation and rules/law of its home country
Too costly due to broad scope
Risk Based Audit and IC
6. Internal Control Backgrounds - ERM
Growth will be more risky. It's the exact rationale behind ERM.
7. Internal Control – Risk Based Audit
Our discussion will cover some areas, inter alia:
Role and function of IC in your organization
Task and responsibility of IC in your organization
Organization chart (structure)
Scope and coverage
Limitation and segregation of duties
Reporting mechanism
Recommendation and feedback
Follow up
Focus + KPIs of the Department of Internal Control
8. Internal Control
Organization Structure
1. Development structure
The organization may create a project to be assigned with such tasks (to devise, and so on). The project leader reports directly to, and is under the authority of, the CEO and other Boards. Usually involving consultants (ICOFR).
2. Maintenance structure
An independent unit should be established. It may become a single Board directorate or a Head of Department. Duties are conducted through 'task forces', which may be held annually.
3. Improvement structure
Then, it should be embedded into any related unit/division, becoming a necessity and automatically creating direct interdependence with the organization's performance.
Usually it takes 5-10 years of implementation, depending on complexity and organization size.
9. Internal Control
Organization Structure – cont.'
Source: James Lam, Enterprise Risk Management
Board
CEO
CRO
• Integrates risks
• Best practices
• Balances perspectives
• Risk education
Counsel/Compliance
• Regulatory Risk
• Legal Risk
• Governance
• Audit
EVP Line Units
• Business risks
• Product risks
• Customer risks
C-Financial Off.
• Financial risks
• Capital
• Statutory & GAAP Reporting Risk
• Rating agency
• Tax
C-Investment Off.
• Market risks
- Fixed income
- Equities
- Real estate
• Performance risks
- Tracking error
- Alpha
- VaR
- Risk budget
- Operational Risks
C-Actuary
• Liability risks
- P&C
- Life/Health
- Commercial
• Other issues
- Expected losses
- Unexpected losses
- Embedded options
Head of Treasury
• Interest rate risks
- Parallel shifts
- Curve twists
- Basis risks
• Other risks
- FX risks
- Liquidity risks
Head of IT/Operation
• Operational risks
- Processes
- People
- Contingencies
• Technology risks
- Availability
- Performance
- Security
10. Internal Control
Organization Structure – cont.'
Head of Compliance Risk Management & General Affair
- VP. Risk & Process Management
  - AVP Risk & Process System Development
  - AVP Process Strategy
  - AVP Risk Strategy
- VP. Supply & Planning
- SGM. Supply Centre
- VP. Legal & Compliance
Source: Telkom Proprietary
11. Internal Control
Sample of coverage, segregation, and scoping of ERM
Units involved: BOD / BOC; Compliance Risk Management & General Affair (CRM & GA); VP Risk & Process Management (Risk & Process System Development, Process Strategy, Risk Strategy); all directorates (DIT CONS, EBiZ & WINS; DIT NITS); all units.
Inputs and outputs exchanged among them:
· Vision & Mission
· Strategic Direction
· Board of Directors' Instructions
· Group Business Plan
· Incident Report (vandalism, natural disaster, loss, fraud, etc.)
· Recovery Report
· Business Development
· BPO Feedback
· Corporate Policy
· Policy Review & Assessment
· Best Practice Report
· Environmental Impact
· Contingency Operation Strategy
· Unit Mgt. & Quality Report
· Innovation
· INSYNC
· IT Policy
· IT Standard
· Fraud/Revenue Assurance Tools
· IS Application Support
· Risk IS Application Request
· Risk IS Application Requirement
· Draft Quality Management Policy
· Internal Control Policy and Guideline
· Draft Process Management Policy
· Draft Leadership System & GCG Policy
· Draft SLA, SLG & Transfer Pricing Policy
· Revenue Assurance Policy Implementation Report
· Potential Fraud Register
· Risk Register / Profile (including ICoFR risk scope)
· Risk Management Policy & Program
· Risk Mitigation Plan
· Risk Reporting
· Risk Reporting Analysis
· Policy Framework & Manual
· Enterprise Process Design
· Risk Identification & Mitigation
· Internal Control Design
· Enterprise IT Application
· Business Process Reengineering
· Risk Assessment Implementation Report
· Risk Assessment Report
· Implementation Report
· Standard Business Process
· Business Process ICOFR & DCP
· Draft Anti Fraud Policy & Management
· Draft Revenue Assurance Policy & Management
· Draft Insurance Policy & Decision Guideline
· Procedures / JUKLAK / Guideline
· Enterprise Risk Management Methodology
· Risk Control Handling Policy Socialization Program
· BCM Implementation Program
· Sensitivity Analysis
· Fraud Management Program
· Compliance Analysis Consultancy
· Role Map & Functional Business Process
· Lateral/Cross Functional Business Process
· Evaluation of Innovation
Source: Telkom Proprietary
12. Internal Control
ERM and Internal Control
What are Risk Management Frameworks and why have them?
What is a Risk Control Matrix, COSO, COBIT, Risk Universe, Key Controls, Critical Controls?
Using them in SOA, ERA or Revenue Cycle
13. Internal Control
Why is business risk a priority?
Business risks are greater today than ever
• Globalization means increased exposure to international events
• Need for efficiencies, innovation and differentiation to compete
• We now know the unthinkable can happen
• Financial reporting is now a risk area
• Application is uneven at companies "applying EWRM"
- We live in unpredictable times, don't we?
• Points of view from a recent survey
– Many executives see an array of ever-increasing business risks
– Business risk management practices require improvement
– Substantial revisions in business risk management have either been made or will be made
– Senior executives want more confidence that all potentially significant risks are identified and managed
Source: Protiviti Inc
14. Internal Control
Gartner reveals top five business issues
• Cost constraints
• Security of data and privacy
• Stakeholder returns
• Managing business risk
• Innovation
Source: The Gartner Group, based upon interviews and surveys
Key Indicators of Need
• Management wants increased confidence that all potentially significant risks are identified and managed
• Key decisions are made without a systematic evaluation of risk and reward trade-offs
• Risk management isn't integrated with strategic and business planning
• Risks are not systematically identified, sourced, measured and managed
• Units of the organization are managing similar risks differently
• Inability to measure performance on a risk-adjusted basis
• Capital investment process requires improvement
• Increasing demands for more information relating to risks and internal controls from the board and investors
15. Internal Control
A common framework will accelerate progress
• We need a common language
• We need criteria against which to benchmark
• Now we can communicate more effectively
• Familiarity of concepts is useful
• Application guidance is a critical piece
• Issuance of a framework is only the beginning
Yes, we need a framework!
Source: Protiviti Inc
17. Internal Control
The COSO Framework provides an understanding of the components of ERM
Components (the face of the cube):
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Objectives (across the top of the cube): Strategic, Operations, Reporting, Compliance
Levels (the right side of the cube): Entity-level, Division, Business Unit, Subsidiary
Enterprise Risk Management:
Is a process
Is effected by people
Is applied in strategy setting
Is applied across the enterprise
Is designed to identify potential events
Manages risks with risk appetite
Provides reasonable assurance
Supports achievement of objectives
Source: COSO proposed ERM Framework
18. Internal Control
SOA and the COSO Framework
Complying with SOA Section 404 in the Context of
the COSO Framework
The COSO Framework is recommended by the SEC as an
accepted internal control framework to guide corporate
compliance with SOA 404. COSO requires an entity-level
(or “tone at the top”) internal control focus and an
activity or process level focus (the right side of the
cube), with the three objectives of effectiveness and
efficiency of operations (including safeguarding of
assets), reliability of financial reporting, and
compliance with applicable laws and regulations (across
the top of the cube).
Our approach captures the five components of internal
control: the control environment, risk assessment,
control activities, information/communication, and
monitoring.
Source: COSO proposed ERM Framework
19. Internal Control
Control Levels
Source: COSO proposed ERM Framework
• Entity-level Controls
– Entity-level controls are those controls that management relies upon to establish the
appropriate “tone at the top” relative to financial reporting. An entity-level assessment
for each control entity should be conducted as early as possible in the evaluation process
• Process-Level Controls
– Process level controls are usually directly involved with initiating, recording, processing
or reporting transactions
• General IT and Application Controls
– General IT controls typically impact a number of individual applications and data in the
technology environment
– Application controls relate primarily to the controls programmed within an application
that can be relied upon to mitigate business process-level risks
20. Internal Control
Control Levels – Examples of Entity-Level Controls
COSO Component: Attributes
Risk Assessment:
• Entity-wide objectives
• Activity-level objectives
• Risk identification
• Managing change
Control Environment:
• Integrity and ethical values
• Commitment to competence
• Board of Directors or Audit Committee
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures
Information and Communication:
• External and internal information is identified, captured, processed and reported
• Effective communication down, across, up the organization
Control Activities:
• Policies, procedures, and actions to address risks to achievement of stated objectives
Monitoring:
• Ongoing monitoring
• Separate evaluations
• Reporting deficiencies
Application:
Address attributes for each COSO component. For each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.
Points of Focus:
• Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
• Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
• Is the background of prospective employees checked and references obtained?
• Are performance expectations clearly defined and reinforced with appropriate performance measures?
• Are employee retention, promotion and performance evaluation processes effective?
• Is the established code of conduct reinforced and disciplinary action taken when warranted?
• Are everyone's control-related responsibilities clearly articulated and carried out?
Source: COSO proposed ERM Framework
21. Internal Control
Control Types
• Manual vs. System-based controls
– Manual controls predominantly depend upon the manual execution by one or more individuals
– Automated controls predominantly rely upon programmed applications or IT systems to execute a step or perhaps prevent a transaction from occurring without manual decision or interaction
– There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; therefore, the manual control is dependent on the reliability of system processing
• Preventive vs. Detective controls
– Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process
– Detective controls are processes, either people-based or systems-based, that are designed to detect and correct an error (or fraud) or an omission in a timely manner prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.)
Source: COSO proposed ERM Framework
22. Internal Control
Control Reliability
• As transaction volumes increase and with increasingly complex calculations, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, if designed, operated, maintained and secured effectively
• A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive 'find and fix' approach embodied in a detective control
• Effectively designed controls that prevent risk at the source free up people resources to focus on the critical tasks of the business
From MORE RELIABLE/DESIRABLE to LESS RELIABLE/DESIRABLE:
Systems-Based, Preventive Control
Systems-Based, Detective Control
People-Based, Preventive Control
People-Based, Detective Control
NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity-level, e.g., the internal audit function.
Source: COSO proposed ERM Framework
23. Internal Control
What is a Critical Control?
Definitions:
• KEY CONTROL: An activity or task performed by management or other personnel designed to
provide reasonable assurance regarding the achievement of certain objectives as well as mitigating
the risk of an unanticipated outcome. Significant reliance is placed upon this control’s effective
design and operation. Upon failure of the key control, the risk of occurrence of an undesired
activity would not be mitigated regardless of other controls identified. In other words, reasonable
assurance of achieving the process’ objectives could not be obtained.
• CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact
on financial reporting (segregation of duties, system and data access, change controls, physical
safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most
direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk
of occurrence of an undesired activity would not be mitigated regardless of other controls
identified within ANY process. Failure of critical controls would affect the ability of management
to achieve not only process objectives, but also the company’s financial statement objectives.
Source: COSO proposed ERM Framework
24. Internal Control
Control Types
• Primary vs. secondary controls
– Primary controls are controls that are especially critical to the mitigation of risk and the ultimate
achievement of one or more financial reporting assertions for each significant account balance,
class of transactions and disclosure; these are the controls that managers and process owners
primarily rely on
– Secondary controls are important to the mitigation of risk and the ultimate achievement of one or
more financial reporting assertions, but are not considered “critical” by management and process
owners; while these controls are significant, there are compensating controls that also assist in
achieving the assertions
• Controls over routine processes vs. controls over non-routine processes
– Controls over routine processes are the manual and automated controls over transactions
– Controls over non-routine processes are the manual and automated controls over estimates and
period-end adjustments; these controls often address the greatest risks in the financial reporting
process and are most susceptible to management override
Source: COSO proposed ERM Framework
25. Internal Control
Control Levels – Examples of Common Process-Level Control Activities
Pervasive Process-Level Controls*
• Establish and communicate objectives
• Authorize and approve
• Establish boundaries and limits
• Assign key tasks to quality people
• Establish accountability for results
• Measure performance
• Facilitate continuous learning
• Segregate incompatible duties
• Restrict process system and data access
• Create physical safeguards
• Implement process/systems change controls
• Maintain redundant/backup capabilities
Specific Process-Level Controls**
• Obtain prescribed approvals
• Establish transaction/document control
• Establish processing/transmission control totals
• Establish/verify sequencing
• Validate against predefined parameters
• Test samples/assess process performance
• Recalculate computations
• Perform reconciliations
• Match and compare
• Independently analyze results for reasonableness
• Independently verify existence
• Verify occurrence with counterparties
• Report and resolve exceptions
• Evaluate reserve requirements
*Controls affecting multiple processes, including entity-level and general IT controls
** Controls specific to a process, including programmed application controls
Source: COSO proposed ERM Framework
26. Internal Control
Best practice
OBJECTIVES
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.
PROCESS
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring
ENTITY
Entity (ELC)
Controls that have a pervasive effect, and could also impact transaction-level controls.
Transaction/Application/Process (TLC)
Controls that occur in any process the organization has designed, in the form of authorization, verification, reconciliation, and other activities related to fraud prevention, error, and asset protection.
Source: COSO proposed ERM Framework
27. Internal Control
Key Concept
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
DIRECTIVE CONTROL
Directive controls are actions taken to cause or encourage a desirable event to occur
• Policy & Procedure
• Competence of personnel
• Organizational Structure
• Organizational Culture
DETECTIVE CONTROL
Detective controls are actions taken to detect and correct undesirable events which have occurred
• Reconciliation
• Budget v. actual comparison
• Physical count
PREVENTIVE CONTROL
Preventive controls are actions taken to deter undesirable events from occurring
• Authorization
• Safeguarding of assets/sensitive data
• Segregation of Duties
WHAT IS CONTROL?
"All of the elements of an organization that, taken together, support people in achieving the organization's objectives"
Source: COSO proposed ERM Framework
28. Internal Control
Classification of ICOFR
Entity Level Control, IT Control, Transaction Level Control
Entity Level Control
A process designed by, or under the monitoring of, management to realize an environment that has a pervasive impact on the effectiveness of controls at the process, transaction or application level
Transactional Level Control
• The objective of a process/transactional level control is to achieve a specific objective.
• Generally relates to individual business locations or business processes
IT Control
• The information technology processes and related controls that are applied above the computer application level
• IT controls are controls that exist above and around the computer application, which are designed to:
– Ensure that changes to applications are properly authorized, tested, and approved before they are implemented, and
– Ensure that only authorized persons and applications have access to data, and then only to perform specifically defined functions (e.g., inquire, execute, update).
Source: Telkom Proprietary
29. Internal Control
Design Stages
1. Scoping Process/Identification
Financial Statements -> Significant Account -> Significant Processes
- To define materiality
- To define account and significant disclosure
- Financial assertion (based on account and significant disclosure)
- To define group of transactions and respective process
- Process mapping
2. Risk Identification & Assessment
Inherent and Key Business Risks: What can go wrong?
3. Control Design
Controls Design Process. Control must:
- Provide mitigations for any fraud and error identified
- Be applicable
- Be verifiable, in order to be analyzed
Source: Telkom Proprietary
31. The Challenge: Risk
"Nearly 90 percent of firms do not conduct a risk assessment when outsourcing production."
"Supply Chain Risk: It's Time to Measure It," Harvard Business Review Blog, Feb 5, 2010
Source: Insurance Information Institute research, 2011
32. Fraud in Business
What is Fraud?
GRAPA (Global Revenue Assurance Professional Association)
o Intentional deception resulting in injury to another person
o Imposter: a person who makes deceitful pretenses
o Something intended to deceive; deliberate trickery intended to gain an advantage
Etymology
Recorded since 1345, from Old French fraude, from Latin fraus 'deceit, injury'
Noun
o Any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain.
o The assumption of a false identity to such deceptive end
o One who performs any such trick.
Albrecht
"A deception that includes: a representation about a material point, which is false, and intentionally or recklessly so, which is believed and acted upon by the victim to the victim's damage"
Source: Telkom Proprietary
33. Fraud in Business
What is Fraud?
Based on PT. Telkom definition
TELKOM (KR.05 – 2009)
Fraud is a dishonest act committed intentionally by management, employees, partners or other parties, involving deception, dishonesty, misdirection and concealment of the truth, with the aim of obtaining a benefit for that person or party and causing a loss to the Company or to another party.
Source: Telkom Proprietary
34. Fraud in Business
Fraud Categories
GRAPA
Internal fraud
involves activities perpetrated within the organization such as intentional
misrepresentation of financial statements or financial statement transactions, theft,
embezzlement, or improper use of the organization’s resources.
External fraud
involves theft or improper use of the organization’s resources perpetrated by
individuals outside the organization. Some examples of external fraud prevalent in the
government arena include false claims and statements, beneficiary fraud, and
contract and procurement fraud.
Source: Telkom Proprietary
35. Fraud in Business
Fraud Categories – cont.'
TELKOM (KR.05 – 2009)
Corporate fraud
A dishonest act committed intentionally by management, employees, partners or other parties, involving deception, dishonesty, misdirection and concealment of the truth, with the aim of obtaining a benefit for that person or party and causing a loss to the Company or to another party. Fraud includes, among others but not limited to, embezzlement of money/goods, theft of money/goods, bribery, forgery, diversion, conversion, misuse of assets, making false claims or statements, falsification of documents, or collusion and/or conspiracy between two or more persons.
Telecommunications fraud
Any act of cheating, deception or embezzlement in the use of telecommunications facilities, committed intentionally by certain persons or organizations, with the aim of avoiding service charges or the tracing of call records.
Aviation Fraud?
Source: Telkom Proprietary
36. Fraud in Business
Fraud Categories – cont.'
Customer Fraud
Fraud is any act of cheating, deception or embezzlement in the use of telecommunications facilities, committed intentionally by certain persons or organizations, with the aim of avoiding service charges or the tracing of call records.
KD.08/2009 Revenue Assurance
Hacking
Illegal Reselling
Rogue Customers
Rogue Operators
Criminal Organizations
Rogue Employees
Source: Telkom Proprietary
37. Fraud in Business
Fraud Categories – cont.'
Corporate Fraud
An act committed intentionally by an official, employee, third party or other party that involves elements of deception, dishonesty, misdirection, and concealment of the truth, with the aim of obtaining a benefit for that person or party and causing a loss to the Company.
KD 43/2008
Anti-Fraud Policy
embezzlement of money/goods
theft of money/goods
diversion
misuse of assets
bribery
forgery
false claims or statements
corruption, collusion, nepotism
Source: Telkom Proprietary
38. Fraud in Business
Fraud Categories – cont.'
The Aviation Industry
Recently, this industry has faced numerous financial pressures that impact its profitability, many of which are specific to the sector – the impact of Air Passenger Duty, increasing security and insurance costs, environmental levies, oil-price volatility, changes to customer business travel policies and competition from surface travel will all have had an impact on a company's profitability during a time of unprecedented financial uncertainty. These are all costs that the industry identifies and takes into account, yet another business cost, of equal impact and significance, has never been accurately quantified by the sector – fraud.
Source: PKF-Accountants & business advisers
39. Fraud in Business
Fraud Triangle
One set of factors common to internal fraudsters at all levels in any organization is the Fraud Triangle – Donald Cressey
Pressure in the context of Cressey's Fraud Triangle relates specifically to financial difficulties such as large amounts of credit card debt, an overwhelming burden of unpaid healthcare bills, large gambling debts, extended unemployment, or similar financial difficulties.
Opportunity exists when an employee discovers a weakness in the organization's antifraud controls.
Rationalization is a psychological process whereby a person who has committed fraud convinces himself that the act is either not wrong, or that even though it may be wrong, it will be "corrected" because he will eventually return the money.
Source: Fraud in the Markets
40. Fraud in Business
Fraud Triangle – cont.'
Fraud Triangle Solution Overview
MOTIVE / PRESSURE: Financial Gain
• Remove the motive
– Hard to do, if tariffs are high
• Deny the opportunity
– Physical security, network security
• Fix the mechanism
– New technologies fix some but may introduce others
Source: Telkom Proprietary
41. Fraud in Business
Various Classification of Fraud
Telecom Service Related Fraud Glossary --- By TMForum.org
Fraud Type: Fraud Identifier
Subscription / Identity Theft
CNAM Dip Fee Fraud
"Wangiri" Call Back Fraud
Bypass: Tromboning, SIM Boxes, Fixed Cell Terminals, Premicells, GSM/UMTS Gateways, Landing Fraud, VoIP Bypass, Interconnect Fraud, Toll Bypass, Third Country, Grey Routing, International Simple Resale
Roaming Fraud
Cloning Fraud
Spam: Malware Fraud, Spoofing Fraud, IP/Phishing Fraud
(International) Revenue Share Fraud (IRSF)
PBX Hacking Fraud
Source: Telkom Proprietary
42. Fraud in Business
Various Classification of Fraud
Telecom Service Related Fraud Glossary --- By TMForum.org
Fraud Type: Fraud Identifier
IP: Subscription/Identity Theft, AIT (Artificial Inflation of Traffic), DoS (Denial of Service), Content Sharing Fraud, Identity Trading Fraud, Spyware Fraud, Pharming Fraud, Online Brand Threats Fraud
Interconnect (IXC): Arbitrage, Call Looping, QoS (Quality of Service) Exploitation, Technical Configuration
SMS Fraud: Faking, Global Title Scanning, Open SMSC
Pre-paid: PIN Theft, PIN Guessing, Stolen Voucher, Altering Free Call Lists, Manual Recharges, Voucher Modification, Duplicate Voucher Printing, Fraudulent Voucher Reading, Illegal Credit Card Use for Recharges, IVR Abuse/Hacking, IN Flag Modifications, Handset Manipulation, Handset Installment, Roaming
Source: Telkom Proprietary
46. Revenue Assurance
What is Revenue Assurance?
GRAPA (Global Revenue Assurance Professional Association)
"The art of finding what you didn't know was missing"
Revenue Assurance is the systematic, independent application of a set of standard methodologies employed to identify, quantify, report, remedy, and contain risks to telecoms revenues in its many forms.
TM Forum
"Data quality and process improvement methods that improve profits, revenues and cash flows without influencing demand"
TELKOM (KD.08 – 2009)
Revenue Assurance is the management of the risk of revenue leakage that can occur along the revenue stream as a result of weaknesses in systems and procedures, so that every revenue to which the company is entitled can be recognized, received, recorded and reported completely and accurately.
Revenue assurance (Revas) is not about ensuring that revenue targets are achieved!
Source: Telkom Proprietary
48. Revenue Assurance
What is Revenue Assurance?
[Figure: all network activity, measured in time (seconds, minutes, erlangs), is split into realized revenue and activity not realized as revenue (potential revenue). The unrealized part is revenue leakage, itself divided into recoverable leakage, unrecoverable network activity, and activity that is too expensive to recover; recovery effort turns part of the leakage into additional realized revenue and the rest into additional unrecoverable activity. Labels: Realized Revenue, Revenue leakage, Revenue lost, Cost to recover, noise.]
Source: Telkom Proprietary
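The leakage buckets in the figure above become concrete when network-side usage records are reconciled against billing records. The following is an added example written for this page, not Telkom's or TM Forum's code; the tariffs, the recovery-cost threshold, the churn list and every record are constructed sample data.

```python
"""Revenue leakage reconciliation: network usage vs. billing.

Added example (not from the slides). Everything below is constructed sample
data; the tariffs and thresholds are assumptions, not any operator's rate plan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageRecord:
    """What the network / mediation layer recorded for one event."""
    call_id: str
    subscriber: str
    units: int        # seconds for voice, messages for sms
    service: str      # "voice" or "sms"


@dataclass(frozen=True)
class BillingRecord:
    """What rating / billing actually charged for the same event."""
    call_id: str
    amount: float


# Assumed tariffs: currency units per second of voice, per SMS message.
TARIFF = {"voice": 0.002, "sms": 0.10}
# Assumed threshold: below this amount, re-billing costs more than it returns.
MIN_RECOVERABLE = 0.50


def expected_charge(rec: UsageRecord) -> float:
    """Rate a usage record the way billing should have rated it."""
    return round(rec.units * TARIFF[rec.service], 2)


def reconcile(usage, billing, churned):
    """Compare usage against billing and bucket every gap.

    Returns (totals, findings). totals holds realized revenue plus the three
    leakage buckets from the figure (recoverable, too expensive to recover,
    unrecoverable) and a 'noise' bucket for billed amounts with no usage.
    """
    billed = {b.call_id: b.amount for b in billing}
    totals = {"realized": 0.0, "recoverable": 0.0, "too_expensive": 0.0,
              "unrecoverable": 0.0, "noise": 0.0}
    findings = []
    for rec in usage:
        expected = expected_charge(rec)
        actual = billed.pop(rec.call_id, 0.0)   # 0.0 when never billed
        totals["realized"] += actual
        gap = round(expected - actual, 2)
        if gap <= 0:
            continue                             # billed at/above tariff: no leakage
        reason = "unbilled" if actual == 0 else "under-rated"
        if rec.subscriber in churned:
            bucket = "unrecoverable"             # nobody left to re-bill
        elif gap < MIN_RECOVERABLE:
            bucket = "too_expensive"             # recovery cost exceeds the gap
        else:
            bucket = "recoverable"
        totals[bucket] += gap
        findings.append((rec.call_id, reason, bucket, gap))
    # Billing records with no matching network event are not lost revenue;
    # they are a data-quality problem (possible over-billing) worth a look.
    for call_id, amount in billed.items():
        totals["noise"] += amount
        findings.append((call_id, "billed-without-usage", "noise", amount))
    return {k: round(v, 2) for k, v in totals.items()}, findings


def total_leakage(totals) -> float:
    """Leakage = recoverable + too expensive to recover + unrecoverable."""
    return round(totals["recoverable"] + totals["too_expensive"]
                 + totals["unrecoverable"], 2)


# Constructed sample data.
USAGE = [
    UsageRecord("c1", "A", 600, "voice"),    # should bill 1.20
    UsageRecord("c2", "A", 1, "sms"),        # should bill 0.10
    UsageRecord("c3", "B", 3000, "voice"),   # should bill 6.00
    UsageRecord("c4", "C", 1200, "voice"),   # should bill 2.40
    UsageRecord("c5", "A", 120, "voice"),    # should bill 0.24
]
BILLING = [
    BillingRecord("c1", 1.20),   # correct
    BillingRecord("c2", 0.10),   # correct
    BillingRecord("c3", 3.00),   # under-rated by 3.00
    # c4 never billed and subscriber C has churned
    # c5 never billed, but the 0.24 gap is below MIN_RECOVERABLE
    BillingRecord("c9", 0.75),   # billed, but no network event exists
]
CHURNED = {"C"}

if __name__ == "__main__":
    totals, findings = reconcile(USAGE, BILLING, CHURNED)
    print(totals)
    for f in findings:
        print(f)
```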
49. Revenue Assurance
Revenue Assurance Framework
4 Pillars of the Revenue Assurance Standard:
Disciplines & Revenue Assurance Lifecycle (Forensic, Control Management, Corrective Management, Compliance)
Domains
Objectives (Level)
Principles
These pillars may provide an effective framework for an organization to optimize its revenue!
Source: Telkom Proprietary
50. Revenue Assurance
Revenue Assurance Framework
Definition of Revenue Assurance
Disciplines: Forensic, Control, Corrective, Compliance
Domain Scope Vertical: Network, Mediation, Interconnect, Roaming, Collection, Postpaid, Prepaid
Domain Scope Horizontal: Channel, Provisioning, Fraud Mgmt., Rate Plan, Product Dev., Product Line, Cust. R M, Marketing
Mission/Objectives: Fraud Containment, Risk Containment, Loss Prevention, Margin Assurance, Revenue Stream Ass.
Ethics and Principles: Code of Conduct, Corp Resp., Competence Req., Transparency, Rationalization, Consensus
Source: Telkom Proprietary
52. Revenue Assurance
Revenue Assurance Framework
Forensic Analysis Process
Investigate the root causes of revenue loss problems (both those that have occurred and those that could occur)
Diagnose the existing problems
Prepare recommendations for handling the existing problems
Input:
Product description
Technology description
Network and IT description
Related tariff policy
Customer contracts
Supplier contracts
Government regulations
Business processes
How:
Understand the product/service & technology
Mapping analysis - revenue & payment
Risk analysis
Exchange analysis
Process analysis
System analysis
Numerical analysis
Statistical analysis
Output:
Risk register
Risk priorities
Control proposal
Proposed corrective actions
Recommendations
Source: Telkom Proprietary
53. Revenue Assurance
Revenue Assurance Framework
Control Management: manage and monitor the existing controls so that they are followed up
Input: Control proposal; Data source & IT tools
Output: Alerts; Control performance
Corrective Management: manage the corrective-action recommendations produced by forensic analysis and monitor their execution
Input: Corrective recommendations
Output: Status and results of corrective actions
Compliance & Reporting: define KPIs and ensure that the other three processes are fulfilled
Input: Policy
Output: Standard KPIs; KPI achievement report
Source: Telkom Proprietary
54. Revenue Assurance
Revenue Assurance Maturity Level
1. Dependent: Ad-hoc, chaotic. Dependent on individual heroics.
2. Repeatable: Basic project/process management. Repeatable tasks.
3. Defined: Standardized approach developed. Designing-in control commences.
4. Managed: Leakage quantitatively understood and controlled.
5. Optimizing: Continuous improvement via feedback. Decentralized ownership, holistic control.
Source: Telkom Proprietary
55. Revenue Assurance
Revenue Assurance – Revenue streams
TMForum organizes a telco's revenue into 8 revenue streams (TMForum's total leakage library = 126):
1. Product and offer management
2. Order management and provisioning
3. Network and usage management
4. Rating and billing
5. Receivables management
6. Finance and accounting
7. Customer management
8. Partner management
How about Revenue Assurance in airport administration?
56. “the effect of uncertainty on objectives” - ISO 31000:2009
“the possibility that an event will occur and adversely affect the achievement of objectives” - COSO ERM Framework
57. Risk Based KPIs and KRIs
ERM Maturity Level
[Risk Maturity Graph: maturity stages Public Relation, Compliance, Protection, Optimization, Value Creation]
Standard & Poor’s ERM Quality Classifications (level / maturity):
Level 5: Leadership - Excellent
Level 4: Managed - Strong
Level 3: Repeatable - Adequate
Level 2: Initial - Weak
Level 1: Ad hoc - Weak
Nonexistent - [Nonexistent]
Excellent:
Advanced capabilities to identify, measure, manage all risk exposures within tolerances
Advanced implementation, development and execution of ERM parameters
Consistently optimizes risk adjusted returns throughout the organization
Strong:
Clear vision of risk tolerance and overall risk profile
Risk control exceeds adequate for most major risks
Has robust processes to identify and prepare for emerging risks
Incorporates risk management and decision making to optimize risk adjusted returns
Adequate:
Has fully functioning control systems in place for all of their major risks
May lack a robust process for identifying and preparing for emerging risks
Performing good classical “silo” based risk management
Not fully developed process to optimize risk adjusted returns
Weak:
Incomplete control process for one or more major risks
Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Where does your organization stand?
Source: Telkom Proprietary
58. Risk Based KPIs and KRIs
Company Objectives
Objectives v. Risk Management
1. Ensure the reliability of the company objectives.
2. Provide a measurable picture of the steps/milestones toward achieving the objectives.
3. Provide alternatives for achieving the objectives.
4. Account for the allocation of resources in achieving the objectives.
5. Anticipate developments that affect the achievement of the objectives.
6. Optimize potential and opportunities in achieving the objectives.
STRATEGIC OBJECTIVE: Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
10 Strategic Initiatives:
1. Optimizing POTS and Strengthening Broadband
2. Consolidate & Grow FWA Business and Manage Wireless Portfolio
3. Integrated Telkom Group Ecosystem Solutions
4. Invest in IT Services
5. Invest in Media & Edutainment Business
6. Invest in Wholesale and Strategic int’l Opportunities
7. Invest in Strategic domestic opportunities that leverage the assets
8. Integrate NGN & OBCE
9. Align Business Structure and Portfolio Management
10. Transforming Culture
Source: Telkom Proprietary
59. Risk Based KPIs and KRIs
Company Objectives - Approach Model
Determine the ‘key business objectives’ based on the corporate strategy
Identify the risks that affect the achievement of the objectives
Build the risk profile (a company-wide risk profile)
Determine the risk tolerance criteria/levels based on the assessment of likelihood and potential impact
Determine the allocation of mitigation plans (the appropriate strategy), resources and accountability for managing the risks
Execute the (mitigation) strategy and identify KRIs and KPIs that are measurable financially and operationally
Monitor progress to identify potential performance improvements in achieving the objectives
Source: Thought Leadership Institute-PricewaterhouseCoopers
60. Risk Based KPIs and KRIs
Company Objectives - Managing Business Risk within your organization
[Figure: a six-column grid (Business Objectives, Event Identification, Significant Business Issues, Control Activities, Risk Response, Risk Assessment); each column lists its Review Areas (e.g. Client Mission Statement, Client Objectives, Business Unit Objectives, Targets, Performance Measures, Current Major Issues, Potential Future Events, Event Portfolio, Risk Portfolio, Response Portfolio, Client Business Process Model, Policies, Procedures, Monitoring Effectiveness) and its Focus items (e.g. Roles & Responsibilities, Data Management, Integration with Business Planning, Completeness, Integration, SMART, Consistency, Decision Protocols, Reporting Timing).]
Source: Axena, Inc. All rights reserved
61. Risk Based KPIs and KRIs
Company Objectives - Managing Business Risk within your organization
Thus, if the company's objectives are managed without regard to the risk management system (ERM), alignment with strategic issues, the direction of business development, and operating conditions, the system loses its footing in the company's operations.
A connector is therefore needed as the tool for navigation and control, in this case a risk management system based on KRIs and KPIs, so that:
1. Management learns early of the potential failure to achieve the company's targets/objectives as risks develop.
2. Management can put together an effective mitigation program to anticipate how the risks develop.
Source: Telkom Proprietary
62. Risk Based KPIs and KRIs
Risk Identification
Risk identification is the process of recognizing every possibility (event) that can arise in a business activity and that relates to the company's objectives.
Accurate and thorough risk identification is vital to any risk management effort.
One important aspect of risk identification is recording (registering) as many of the risks that could occur as possible.
In the COSO framework a distinction is made between risks and opportunities: a possibility (event) with a negative impact is called a risk, while an opportunity is a possibility (event) that can have a positive impact (natural offsets/opportunities) and supports the strategy for achieving the objectives.
Source: Telkom Proprietary
63. Risk Based KPIs and KRIs
Risk Identification – The Technique
Risk identification yields a body of information about risk events, their causes, and even the impacts those risks could produce. Techniques that can be used for risk identification include:
Benchmark
Professional judgement (opinions of experts in the field)
Interviews, surveys (observation)
Historical information (analysis of historical data)
Working groups (brainstorming)
etc.
Source: Telkom Proprietary
64. Risk Based KPIs and KRIs
Risk Identification – The Technique
Benchmark
Look for information about risks at other places or companies that are similar in some respect (e.g. the same market, business portfolio, industry, and so on).
Benchmark data must be adjusted to the actual conditions the company itself faces.
Examples:
– From mass-media or internet news it can be seen that natural disasters in Indonesia have a very high likelihood. This shows that, in general, the risk of business interruption from natural disasters is very large.
– World oil price goes up?......
– US bank interest rates go down?.....
– Air fares go up?.....
Source: Telkom Proprietary
65. Risk Based KPIs and KRIs
Risk Identification – The Technique
Professional Judgment (opinions of experts in the field)
Seek information from experts in a particular area of risk about the risks that affect a company objective.
Examples:
By asking a banker it can be learned that economic instability in the US poses a foreign-exchange risk for transactions that use foreign currency (US Dollar).
By asking a doctor it can be learned that people with high cholesterol are at risk of heart disease.
Source: Telkom Proprietary
66. Risk Based KPIs and KRIs
Risk Identification – The Technique
Observation/Survey
Investigate or collect data directly at the scene by administering questionnaires or interviews (primary data).
Examples:
By running the CSLS (Customer Loyalty and Satisfaction Survey) it can be learned that a low satisfaction level risks customer churn.
By observing the production process and the availability of the PLN power supply it can be learned that the company faces a power-outage risk (interruptible power supply).
Validity of secondary data?.....
Source: Telkom Proprietary
67. Risk Based KPIs and KRIs
Risk Identification – The Technique
Historical Data Analysis
• Use the various information and data available within the company about everything that has happened before
• Historical data should normally cover more than one past period so that the risk prediction is more accurate
• Examples:
From historical personnel data it can be seen that the company faces the risk of losing key employees
From historical financial data the risk of declining revenue growth can be seen
From historical market data the risk posed by the level of competition in an industry can be seen
Source: Telkom Proprietary
68. Risk Based KPIs and KRIs
Risk Identification – The Technique
Working Group (Brainstorming)
Using the various information and data, the risk management team holds a creative-thinking (brainstorming) discussion to recognize the potential risks to an objective.
Successful creative thinking usually produces an accurate formulation of the risks to an objective.
Example:
From global market data, brainstorming makes it possible to see that the company objective to ‘invest in broadband’ will face risks: technology and competition, country risk factors, etc.
Source: Telkom Proprietary
69. Risk Based KPIs and KRIs
Alignment of KPIs and KRIs
Alignment Process
Alignment between KRIs and KPIs is therefore highly significant if the objectives are to be achieved.
KRI and KPI alignment process (drawn as two interlocking cycles, Risk Management and Performance Management):
Agree strategic objectives
Identify risks
Quantify risk
Agree acceptable risk levels
Identify risk related actions
Identify actions required
Monitor performance
Monitor changes (internal/external)
Update objectives
Source: Telkom Proprietary
70. “An ounce of prevention is worth a pound of cure.” - BF
71. KRIs and Dashboards
Defining Key Risk Indicators
Definition
Key Risk Indicators (KRIs) are the key factors of a risk that are used in the management process to determine the level of risk in a business activity. They are indicators of the possibility of future adverse impact.
KRIs give management an ‘early warning’ signal for identifying events that could obstruct a program/activity.
These measures are usually presented as statistics or a particular matrix, with a particular formula or model, that provide information on the position of a risk the company faces.
KRIs differ from Key Performance Indicators (KPIs): KPIs are intended as measures of the success of a work program (business activities related to the objectives).
Source: Telkom Proprietary
72. KRIs and Dashboards
Defining Key Risk Indicators
KRI Categories
Key Risk Indicators (KRIs) can basically be grouped into 4 (four) categories:
Coincident indicators: measures representing failures that occur simultaneously in internal business processes. For example, failure to complete a procurement/investment project that simultaneously risks the failure of technology-based product development.
Causal indicators: measures of failure derived from the failure of a root-cause event. For example, a technology failure risk that causes a customer churn risk.
Control effectiveness indicators: measures of the degree of failure derived from performance monitoring. For example, the percentage increase in Flexi customer ARPU.
Volume indicators (inherent risk indicators): usually equated with KPIs; they can determine the position of the likelihood and impact of a risk (these indicators usually correlate with other risks). For example, number of customers, bandwidth capacity, etc.
Source: Telkom Proprietary
73. KRIs and Dashboards
Defining Key Risk Indicators
Method for Determining KRIs
Several approaches can be used to determine KRIs accurately and effectively. One effective and well-structured approach uses 6 steps (related to 6-sigma tools):
1. Identify existing metrics.
2. Assess gaps.
3. Improve metrics.
4. Validate and determine trigger levels.
5. Design dashboard.
6. Establish control plan.
These six steps are one approach that can be applied to determine KRIs, from identifying and validating KRIs to implementing them in an early warning for any kind of business model.
Source: Telkom Proprietary
74. KRIs and Dashboards
Defining Key Risk Indicators
1. Identify existing metrics.
To determine KRIs, the first step is a risk assessment, so that all events can be identified, assessed and grouped according to criteria that can be monitored and analysed by root causes (cause-and-effect analysis). Tools that can be used include the fishbone diagram, etc.
In determining KRIs, the important events that directly affect the risk (inherent risk) as well as the residual risk are usually identified.
The next step is to determine a metric (candidate KRI) for each high-risk event (high-risk potential events).
In determining KRIs, the more event measures (metrics) that influence a risk, the more effective the KRIs are in portraying the potential risk.
Common practice for effective KRIs: a risk has 5 to 10 potential KRI metrics and covers at least 1 or more KRI categories (type: coincident, causal, control, and volume).
Example:
Determining the risks in call-center operations.
The risks identified are: customers not handled professionally, and inaccurate customer information.
Source: Telkom Proprietary
75. KRIs and Dashboards
Defining Key Risk Indicators
2. Assess gaps.
Once the inventory of all potential KRIs is complete, the next step is to evaluate the feasibility and effectiveness of each indicator (metric). Two tools are used:
the gap assessment
the design matrix
The Gap Assessment Tool
The gap assessment shows whether the indicators (metrics) in the inventory will be effective as KRIs. The measure used is a composite score table; a score above 4 is usually sufficient for an indicator to become a KRI.
Source: Telkom Proprietary
76. KRIs and Dashboards
Defining Key Risk Indicators
Design Matrix
The design matrix is a 6-sigma based matrix table that shows the relationship between Risk Event Drivers (RED) and the indicators in the inventory. A RED is a root cause that influences the appearance of an event (indicator). Each RED is weighted according to its percentage contribution.
A 0-1-3-9 scoring criterion is used. Using the design matrix, every indicator that obtains a score of 9 receives a rating of Y.
Considering these 2 tools together, the indicators (metrics) that are feasible and effective as KRIs can be determined.
Source: Telkom Proprietary
77. KRIs and Dashboards
Defining Key Risk Indicators
3. Improve metrics.
The ‘improve metrics’ process compares the assessment results of the 2 (two) tools, the gap assessment and the design matrix. The comparison is done as follows:
Analyse the indicators that score ‘9’ in the design matrix but score low in the gap assessment. If a solution or justification can be found for the low score, those indicators can be considered as KRIs.
Next, analyse the indicators that score high in the gap assessment but do not get a ‘9’ in the design matrix. If a modification can be found that significantly raises the rating in the design matrix, those indicators can also become alternative KRIs. At this stage the potential KRIs (indicators) may be modified.
The step closes by deleting all indicators that do not have a sufficient relationship according to the assessments of the two tool tables.
Source: Telkom Proprietary
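Steps 2 and 3 above (gap assessment, design matrix, and the comparison that keeps, modifies or drops each candidate) can be carried out mechanically once the scores are in. The block below is an added example written for this page, not Telkom's tool; the gap-assessment criteria, the risk event drivers and their weights, and every score are constructed for a call-centre risk like the one in step 1, and forming the composite gap score as the mean of the criteria scores is an assumption.

```python
"""KRI candidate screening with a gap assessment and a 0-1-3-9 design matrix.

Added example (not from the slides). The gap-assessment criteria, the risk
event drivers (RED), their weights and every score are constructed for a
call-centre risk like the one on slide 74; forming the composite gap score
as the mean of the criteria scores is an assumption.
"""
from dataclasses import dataclass

GAP_THRESHOLD = 4            # slide 75: a composite score above 4 is sufficient
DESIGN_SCALE = (0, 1, 3, 9)  # slide 76: scoring criterion 0-1-3-9

# Risk event drivers with their percentage contribution to the risk (constructed).
RED_WEIGHTS = {"staff shortage": 50, "system outage": 30, "knowledge gaps": 20}


@dataclass
class Indicator:
    name: str
    gap_scores: list            # one score per gap-assessment criterion
    design_scores: dict         # RED name -> relation score on the 0-1-3-9 scale
    note: str = ""              # justification or modification recorded in step 3

    def gap_composite(self) -> float:
        return round(sum(self.gap_scores) / len(self.gap_scores), 2)

    def design_rating(self) -> str:
        """Slide 76: an indicator that obtains a 9 gets rating Y."""
        bad = [s for s in self.design_scores.values() if s not in DESIGN_SCALE]
        if bad:
            raise ValueError(f"{self.name}: scores {bad} are not on the 0-1-3-9 scale")
        return "Y" if 9 in self.design_scores.values() else "N"

    def weighted_relation(self) -> float:
        """Contribution-weighted relation to all drivers (used only to rank candidates)."""
        total = sum(RED_WEIGHTS.values())
        return round(sum(RED_WEIGHTS[r] * s for r, s in self.design_scores.items()) / total, 2)


def screen(ind: Indicator) -> str:
    """Step 3 decision: compare the two tools for one indicator."""
    passes_gap = ind.gap_composite() > GAP_THRESHOLD
    rated_y = ind.design_rating() == "Y"
    if passes_gap and rated_y:
        return "KRI"
    if rated_y:                 # strong relation, weak data: keep if justified
        return "KRI (justified)" if ind.note else "review: justify low gap score"
    if passes_gap:              # good data, weak relation: keep if modified
        return "review: modify metric to raise design rating"
    return "drop"               # insufficient relation in both tools


def improve(ind: Indicator, new_design_scores: dict, note: str) -> Indicator:
    """Step 3 modification: re-score a candidate after changing the metric."""
    return Indicator(ind.name, ind.gap_scores, new_design_scores, note)


# Constructed inventory for the call-centre risk "customers not handled professionally".
INVENTORY = [
    Indicator("average handle time", [5, 4, 5, 4],
              {"staff shortage": 9, "system outage": 3, "knowledge gaps": 3}),
    Indicator("call abandon rate", [3, 3, 4, 2],
              {"staff shortage": 9, "system outage": 3, "knowledge gaps": 1}),
    Indicator("first-call resolution", [5, 5, 4, 5],
              {"staff shortage": 3, "system outage": 1, "knowledge gaps": 3}),
    Indicator("agents trained this month", [2, 3, 2, 1],
              {"staff shortage": 0, "system outage": 0, "knowledge gaps": 1}),
]


def screen_inventory(inventory) -> dict:
    return {ind.name: screen(ind) for ind in inventory}


if __name__ == "__main__":
    for name, verdict in screen_inventory(INVENTORY).items():
        print(f"{name:28s} {verdict}")
    # Modify first-call resolution so it is measured per knowledge-gap topic;
    # the relation to that driver now scores 9 and the indicator becomes a KRI.
    fcr = improve(INVENTORY[2], {"staff shortage": 3, "system outage": 1,
                                 "knowledge gaps": 9}, "split by topic")
    print(screen(fcr))
```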
78. KRIs and Dashboards
Defining Key Risk Indicators
4. Validation and trigger-level identification.
The previous steps usually rely on ‘subjective judgment’ to assess the relationship between the risk-event drivers and the metrics. For indicators where the relationship between ‘the risk-event drivers and the metrics’ can be stated reasonably (self-evident at the operational level), no validation is needed.
However, if there is a new metric (see step 3, metric modification), a validation process is needed to make sure that the metric really is a KRI.
Validation generally uses historical data; if none is available, appropriate assumptions can be made to portray the correlation between ‘the risk-event drivers and the modified metrics’ so that the trigger level can be identified. (See the example alongside.)
Source: Telkom Proprietary
79. KRIs and Dashboards
Defining Key Risk Indicators
5. Dashboard design.
As part of determining KRIs that are feasible and effective for portraying how risks develop, the ‘dashboard’ is a very important element for business managers, process owners, and senior management.
The dashboard is part of the risk management process and is useful in the ‘monthly business review’ and other meetings concerning the achievement of the company's objectives.
A dashboard usually uses charts and tables that show accurate and comprehensive information on the company's risk condition and the KRIs of concern to management.
Source: Telkom Proprietary
80. KRIs and Dashboards
Defining Key Risk Indicators
6. Control plan and escalation criteria.
The main function of the ‘control plan’ is to ensure that escalation criteria (‘escalation criteria and roles’) are available for intervening on the agreed KRIs, so that whoever treats a KRI that affects a company objective, and whenever they do so, the treatment does not alter the processes and procedures established at the outset.
A ‘control plan’ generally contains: the KRI metric, the measurement frequency, a description of the measurement system, goals, trigger levels, escalation criteria, and the owner for the escalation criteria (as shown in the example table below).
Source: Telkom Proprietary
81. KRIs and Dashboards
Defining Key Risk Indicators
[Figure: example KRI map for Net Add & ARPU; node labels (translated): ready for sale, recovered (disconnected) units, repair, existing potential, Deployment, Sales, Churn, Net Add & ARPU, poor product quality, poor after-sales service, uncompetitive price, Usage, Price, Tariff, Gimmick, arrears, Aps, management disconnection, turnover, Competitor, Voice, Data, SMS, Demand, penetration.]
Source: Telkom Proprietary
82. KRIs and Dashboards
Structuring Vision-Mission - KRIs
Vision - Mission
STRATEGIC OBJECTIVE: Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
Corporate 10 Strategic Initiatives
Significant Risks / Notable Significant Risks, deployed through Risk Identification & Assessment
Risks related to performance: Financial Risk, Strategic Risk, Operational Risk (Business Growth, Revenue Leakage, Business Interruption, Forex, Interest Rate, Liquidity, Cost Eff. & Effect., Control Eff. & Effect.)
Key Risk Indicators: Co-Incident Indicators, Causal Indicators, Volume Indicators
Source: Telkom Proprietary
83. KRIs and Dashboards
Defining a Dashboard
Business Growth - Early Warning System
[Figure: dashboard layout with columns RISKS (Business Growth; Strategic Risks, Financial Risks, Operational Risks, Market Risks), KEY RISK INDICATORS (Minutes of usage, # LIS Current, # LIS Churn, Tariff) and RISK MAP/LEVEL (dynamic map indicators S1 plotted against Appetite), fed from TLKM products (Flexi, Speedy), the data warehouse, TLKM's existing applications (TiBs, TREMs, TiCAREs), internal sources and external information.]
PTA1 = f [KRI1, KRI2, …, KRIn]
if, for instance
f(x) = KRI1 × (KRI2 − KRI3)
Source: Telkom Proprietary
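The control plan from step 6 and the composite formula on this slide can be wired into a small early-warning evaluation. This is an added example written for this page, not Telkom's dashboard: the control-plan entries follow the fields listed in step 6, the four KRIs are the ones named above, and reading the illustrative f(x) = KRI1 × (KRI2 − KRI3) as tariff × (# LIS current − # LIS churn), the appetite value, the trigger levels, the owners and the readings are all assumptions.

```python
"""KRI early-warning dashboard driven by a control plan.

Added example (not from the slides). The control-plan entries follow the
fields slide 80 lists (metric, frequency, measurement system, goal, trigger
levels, escalation owner); the KRIs are the four on slide 83 (minutes of
usage, # LIS current, # LIS churn, tariff). The composite uses the slide's
illustrative shape f(x) = KRI1 x (KRI2 - KRI3); reading it as
tariff x (LIS current - LIS churn), and every number below, are assumptions.
"""
from dataclasses import dataclass

GREEN, AMBER, RED = "GREEN", "AMBER", "RED"


@dataclass(frozen=True)
class ControlPlanEntry:
    metric: str
    frequency: str
    measurement_system: str
    goal: float
    amber: float            # first trigger level
    red: float              # second trigger level
    higher_is_worse: bool   # direction in which the KRI deteriorates
    owner: str              # owner of the escalation criteria

    def status(self, value: float) -> str:
        """Map a measured value to a traffic-light level using the trigger levels."""
        if self.higher_is_worse:
            if value >= self.red:
                return RED
            return AMBER if value >= self.amber else GREEN
        if value <= self.red:
            return RED
        return AMBER if value <= self.amber else GREEN


# Constructed control plan for the Business Growth risk.
CONTROL_PLAN = {
    "minutes_of_usage": ControlPlanEntry("minutes_of_usage", "daily",
        "mediation totals from the data warehouse", goal=3_000_000,
        amber=2_500_000, red=2_000_000, higher_is_worse=False, owner="Head of Network"),
    "lis_current": ControlPlanEntry("lis_current", "weekly",
        "active lines in service from TiCAREs", goal=125_000,
        amber=110_000, red=100_000, higher_is_worse=False, owner="Head of Sales"),
    "lis_churn": ControlPlanEntry("lis_churn", "weekly",
        "disconnections from TiCAREs", goal=4_000,
        amber=5_000, red=8_000, higher_is_worse=True, owner="Head of Customer Care"),
    "tariff": ControlPlanEntry("tariff", "monthly",
        "average realised price per line from billing", goal=10.5,
        amber=9.0, red=8.0, higher_is_worse=False, owner="Head of Marketing"),
}
# Assumed risk appetite: the lowest acceptable value of the composite.
APPETITE = 1_100_000


def composite(kri: dict) -> float:
    """PTA = KRI1 x (KRI2 - KRI3) with KRI1 = tariff, KRI2 = # LIS current, KRI3 = # LIS churn."""
    return kri["tariff"] * (kri["lis_current"] - kri["lis_churn"])


def dashboard(kri: dict, plan=CONTROL_PLAN, appetite=APPETITE) -> dict:
    """Evaluate every KRI against its control plan and the composite against appetite."""
    statuses = {name: plan[name].status(value) for name, value in kri.items()}
    # Escalation criteria (assumed): anything above GREEN goes to the entry's owner.
    escalations = [(name, status, plan[name].owner)
                   for name, status in statuses.items() if status != GREEN]
    pta = composite(kri)
    return {
        "indicators": statuses,
        "pta": pta,
        "pta_status": "within appetite" if pta >= appetite else "appetite breached",
        "escalations": escalations,
    }


# Constructed readings for one reporting period.
READINGS = {"minutes_of_usage": 2_400_000, "lis_current": 120_000,
            "lis_churn": 6_000, "tariff": 10.0}

if __name__ == "__main__":
    for key, value in dashboard(READINGS).items():
        print(key, value)
```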
88. Introduction
The Scope of AA
ERM is defined as a holistic approach and process to identify, prioritize, mitigate, manage, and monitor current and emerging risks in an integrated way across the breadth of the enterprise.
What do you think?
Airports are unique in operations, customers, structure, stakeholders, and objectives; consequently, the approach to ERM implementation should be tailored to each airport.
Then, how to create the ERM framework and develop ERM processes?
89. Introduction
The Scope of AA – cont.
AA usually defines its scope as:
Airport policymakers
Stakeholders: regulators, suppliers, airline partners, local communities, public users, and auditors
Accountability for managing uncertainty.
Airports need to demonstrate that risk is effectively considered and controlled, especially during strategic decision-making.
Transparency in the risk management process.
Policymakers to provide assurance that the organization’s internal controls and management decision-making are effective.
The scope covered some areas v. the purpose of administration
90. ERM for Aviation – Airport Administration
The rationale for implementing ERM for AA
Airports have always focused on preventing hazards and finding ways to reduce the risks associated with their operations.
Many airports face resource constraints, and staff are stretched thin by the multitude of activities they are asked to accomplish.
However, merely promoting safety in operations and insuring against natural disasters is not sufficient. Airports must also manage the broad array of strategic and operational risks facing an ever-changing aviation industry.
In such an environment, ERM can be an important management tool that assists airport staff in driving decision-making and allocating resources on a risk-based basis.
Through ERM, potential risks and emerging opportunities are proactively identified, assessed, monitored, and addressed on an organization-wide basis. By understanding financial, operational, strategic, and reputational risks and opportunities, the airport can capture the full gamut of the uncertainty that is faced in all facets of airport operations.
91. ERM for Aviation – Airport Administration
What is an ERM?
ERM is a structured, consistent, and continuous system that is applied across an entire organization to manage uncertainty. Risks are uncertain future events that can influence an organization’s ability to achieve its objectives. The term “risk” is usually applied in one of three distinct applications:
Risk as threat versus exposure: Risk considered as a threat implies potential negative events that could result in financial or reputational harm to the organization, whereas risk considered as exposure could also be positive.
Risk as variance: This interpretation of risk includes the distribution of all possible outcomes, both positive and negative. Stated differently, risk is synonymous with variance.
Risk as opportunity: This understanding of risk is based on the concept that a relationship exists between risk and return. The greater the risk, the greater the potential return and the greater the potential for loss.
92. ERM for Aviation – Airport Administration
ERM v. Traditional Risk Management
Risk identification and assessment
ERM: Critical airport risks are identified, quantified, and weighted against opportunity; risk/opportunity drivers are identified; effectiveness of risk controls is evaluated; risk/opportunity materiality is considered; risk/opportunity ownership is assigned
Traditional Risk Management: Focus on hazards and transferable risks; insurable risks are identified and assessed based on the relative availability of insurance
Risk mitigation strategies
ERM: A variety of options are considered, including risk transfer options and organizational change; strategies are developed for pursuing opportunities that take into account potential risks
Traditional Risk Management: Balance of available insurance policy limits against retained levels of financial loss (deductibles, retention levels); risk management is intuitive and indistinct from standard operating process
Monitoring and reporting
ERM: Ongoing; integral to airport strategy; helps to ensure the integrity of financial reporting
Traditional Risk Management: Static; revisited in response to an event or annual audit
How risks are viewed
ERM: There is an aggregated view of risk across the enterprise; the balanced relationships between opportunities and risks are evaluated; entity-level portfolio of risks and opportunities
Traditional Risk Management: Risks are viewed in silos; risks as individual hazards
Risk categories
ERM: All risk/opportunity categories are considered (e.g., hazard, financial, strategic, operational, people, legal, regulatory, etc.)
Traditional Risk Management: Risk categories tend to focus on hazard, safety, and financial
Ultimate goal
ERM: Risk/reward optimization: preserve and create value
Traditional Risk Management: Mitigation of insurable risks; minimize risk transfer spend
Traditional risk management focuses on risks independent of business concerns and organizational strategy!
93. ERM for Aviation – Airport Administration
The Value of ERM at AA
Internally, value is created by helping managers to better understand their risk profile, better anticipate financial performance, mitigate risks, make better-informed decisions, and leverage opportunities.
Externally, ERM enables an organization to satisfy the expectations of policymakers and external stakeholders (auditors, regulators, partners, public users, and local communities) regarding internal control and risk management.
Risk Awareness: ERM provides a framework for the aggregation of risks and opportunities across an airport, resulting in better visibility.
Proactive Preparation for Catastrophic Events: ERM also aids airports in developing plans for addressing events that are very unlikely to occur, but that will have a very significant impact if they do materialize: natural catastrophes, terrorist attacks, ash-producing volcanic eruptions, extreme weather, airplane crashes, or pandemic/infectious disease (Ebola, H1N1 Influenza, H5N1 Influenza, and SARS).
Business Uncertainty: In the aviation industry the market is changing: tighter competition, aging infrastructure, increased reliance on non-aviation revenue, and increasingly unstable financial status.
Addressing Financial Uncertainty: ERM can identify strategies to protect an airport’s balance sheet from unexpected losses.
Meeting Policymaker and Stakeholder Expectations
94. ERM for Aviation – Airport Administration
The ERM Standards
Numerous best-practice risk management guidelines, requirements, and standards exist, varying in content and methodology according to the jurisdiction or governing body that employs them. Each individual standard exhibits particular strengths and incentives for adoption; however, all ERM standards aim to:
Ensure appropriate ERM accountability,
Enhance organization flexibility and resiliency, and
Account for the full spectrum of risks.
COSO ERM Integrated Framework
ISO 31000
AIRMIC-ALARM-IRM
Basel II
95. ERM for Aviation – Airport Administration
The ERM Framework
Airports are both quasi-public entities and business operations and therefore are directed by policymaking bodies, may be part of a larger governmental entity, and must tailor their operating activities and business decisions to satisfy multiple stakeholder agendas.
Each airport has a unique combination of operating environment, governance structure, and organizational culture. An airport’s ERM framework should reflect this. Nonetheless, there are also a number of common fundamental elements that every airport should consider when implementing an ERM framework:
Governance and Infrastructure: an enterprise-wide approach
Identification and Prioritization: risks and opportunities
Controls and Risk Response: current controls are assessed
Monitoring and Reporting: strong governance to facilitate risk reporting & monitoring
Implementation: a plan is in place to guide and drive ERM implementation
Integration with key processes: the ERM framework is aligned with key processes
Continuous Improvement and Sustainability: the ERM is reviewed against performance
96. The Governance and Its Structures
The ERM Platform and Structure
Governance provides the platform and structure on which to build and develop ERM across an airport administration. It is important to consider each step to ensure that the pillars providing the foundation for ERM are established and tailored to the airport administration's culture, structure, and objectives.
1. ERM policy and strategy
2. Risk appetite
3. Executive sponsorship
4. Appropriate positioning
5. Developing a governance structure.
Senior management support and participation is
critical for these activities!
97. The Governance and Its Structures
The ERM Policy and Strategy
ERM Policy
The ERM policy is a formal acknowledgement of the AA's commitment to take an enterprise-wide approach to managing risk, and it strives to accomplish uniformity across the ERM implementation process. The ERM policy should include (at a minimum):
The rationale for ERM
A reference to the risk appetite of the airport
The role of employees in the ERM framework
Sign-off by the CEO or board
ERM Strategy
The purpose of the ERM strategy is to provide an overview of the AA's ERM framework. The strategy should act as a reference policy for those with risk management responsibilities. It may:
Outline the purpose of the AA's ERM strategy
Outline the aims of the ERM framework
Include a statement on risk appetite
Provide an overview of the ERM process
Outline roles and responsibilities
Include performance management
98. The Governance and Its Structures
The Risk Appetite and Tolerance
An organization's risk philosophy is a set of shared beliefs and attitudes characterizing how the organization considers risk in its business operations, from strategic planning and implementation to day-to-day activities.
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise's risk management philosophy, and in turn influences the entity's culture and operating style.
Risk tolerance is arguably a more empirical measure of how much loss an organization can withstand on its balance sheet before certain parameters are breached (COSO, 2004).
Sample risk appetite statements by area:
Financial: to maintain an investment grade of IDR 25 T annually (until 2020)
Safety: to achieve a recordable case rate or lost-time injuries of not more than 1 per 1000 hours worked (within a 3-year timeframe); zero tolerance on loss of life or serious injury
Energy efficiency: to ensure a reduction in energy consumption per unit produced of no less than X% in 10 years
Regulatory: zero tolerance on compliance breaches
Reputation: to reduce the number of negative national media press coverage incidents
Market: to maintain 2 million passengers/customers monthly; customer growth by 5% annually
99. The Governance and Its Structures
Management Commitment
Successful ERM implementation requires the airport administrator's senior management to be fully committed to the ERM framework and processes.
Questions from senior leaders:
At this airport, I am too busy dealing with today's issues; I don't have the time and energy for ERM. Do I have to get involved?
What will be the immediate results and efficiencies?
We don't have the people or resources to do ERM; how can I possibly do this?
Management is aware of what the top risks and opportunities are. It is common sense. Why is a risk register needed?
We focus on proactive management of safety risks and respond to other risks when they occur, and we have never had any problems. Why introduce ERM now?
I am not a risk management professional; how do you expect me to do ERM?
ERM seems to simply be documenting what we already do. Isn't that just bureaucracy?
100. The Governance and Its Structures
The Structure
Airports vary in their size and organizational structure; therefore, there is no prescribed ERM governance structure. The structure most appropriate for a particular airport will be influenced by the maturity of the current risk management processes, resource capabilities, skill sets, existing processes, size, and structure.
101. The Governance and Its Structures
The Structure and its Roles
Roles and example responsibilities:
Board: approve the ERM policy, strategy, and framework; review the key risks to the airport and the controls that are in place and provide assurance to stakeholders that the risks and opportunities are being effectively mitigated; promote their support of ERM.
AA Senior Leader Team / ERM Committee: provide guidance and oversight to the ERM framework; challenge the effectiveness of the ERM framework; regularly review the ERM policy and strategy to ensure that it underpins the airport's strategy and objectives; agree on the risk appetite for the airport; ensure all emerging risks are appropriately managed; allocate sufficient resources to address top risks; create an environment and culture where ERM is promoted, facilitated, and appropriately undertaken by the organization.
Audit Committee: gain assurance for the organization that ERM is being properly undertaken; review risks arising through key third-party relationships and ensure that these risks are adequately managed; ensure insurance and other risk financing is used effectively within the ERM process.
Risk Champions: communicate the benefits of ERM across their operational area; help facilitate the ERM process and risk reporting procedures across their operational area; help ensure that the commitment of key stakeholders is obtained; share best practices across the Risk Champion Network.
All Staff: take due care to understand and comply with the ERM processes; monitor their own area on an ongoing basis to identify new and emerging risks and opportunities and escalate as required.
An example of the AA senior leaders' roles.
102. The Process of Implementing ERM at AA
The Basic PDCA of ERM
The ERM process is a continuous process that involves the identification and prioritization of risks and opportunities and the implementation of actions to mitigate top risks and capture opportunities.
In addition, the ERM process focuses on reporting on risks and opportunities across the organization to allow for an aggregated view of risks and opportunities.
This builds on the concept of the Plan-Do-Check-Act (PDCA) cycle, also known as the Deming Cycle of continuous improvement.
103. The Process of Implementing ERM at AA
Risk Identification Techniques
Risk identification sessions can and should occur at any level of the airport administration: the board level, departmental level, even at the single team level. Risk identification techniques to consider include the following:
Analysis of previous losses, events, incidents, or lessons learned
Process flow analysis
Business impact analysis
Questionnaires
Interviews
Facilitated workshop
Scenario analysis
Review of the previous risk register (if one exists)
Questions that might be used:
What are the top five risks facing the airport or your department?
What are the causes of each of these risks?
What are the consequences of each of these risks?
What are the top three current controls in place against each of the risks identified?
How effective are these controls?
How are the risks currently monitored?
104. The Process of Implementing ERM at AA
Risk Categories
In terms of the types of risk that an airport should be considering during this process, it is not possible to develop a set of risks, opportunities, and categories that would fit all airports. Likewise, there is no one right way of listing or categorizing risk.
Some example opportunities are the following:
Attracting new service, frequencies, and destinations
Enhancing the business model through new airline agreements
Commercial development of available land
Community partnerships
Renewable energy
Further optimization of internal processes
Optimizing terminal concessions
Attracting new internal service
105. The Process of Implementing ERM at AA
Prioritization of Risk
To assess each risk in terms of impact and likelihood, assessment scales should be developed. It is important for each airport administrator to develop assessment criteria that are tailored to its operations, strategy, and size. In terms of customizing the assessment criteria, the following should be considered:
Materiality: the airport administrator's risk appetite and tolerance statements can be used to inform the development of the assessment criteria.
Number of assessment scales: this will depend on the desired level of complexity.
Financial impact: the risk appetite can be used to determine the financial impact scales.
Impact descriptors: financial impact is not always the only impact a risk can have for an airport. Impact to reputation, disruption to operations, or environmental damage may also be significant.
Likelihood horizon: it is recommended that the likelihood scale is aligned to the time horizon of the airport administrator's strategy.
106. The Process of Implementing ERM at AA
Risk Acceptance Criteria
Developing risk-assessment criteria is essential to improving consistency in risk prioritization across the organization and removing subjectivity from the process.
Risk Score = Impact x Likelihood
[Figure: example impact criteria and example likelihood criteria]
107. The Process of Implementing ERM at AA
Risk Map
Impact and likelihood assessments also allow for a risk map (or heat map) to be created. This is a simple illustration of the airport administration's risk profile and can be used for communicating with boards, senior management, and other stakeholders.
[Figure: risk map plotting the risks below by Impact (Very Low, Low, Medium, High, Very High) against Likelihood (Very Low, Low, Medium, High, Very High), with the risk appetite boundary marked]
S.1. Business Growth
S.2. Merger & Acquisition
S.3. Regulatory
S.4. Technology Shift
S.5. Culture Transformation
S.6. Legal/Litigation
S.7. Customer Profiling
O.1. Return on Investment
O.2. Fixed Assets Mgt
O.3. Information Technology
O.4. Compliance
O.5. Revenue Leakage
O.6. Human Resources
O.7. Business Interruption
F.1. Foreign Exchange
F.2. Interest Rate
F.3. Liquidity
F.4. Cost Efficiency & Effectiveness
108. The Process of Implementing ERM at AA
Risk Map cont.
Top 10 business risks for telecoms
operators:
1. Failure to shift the business model
from minutes to bytes
2. Disengagement from the changing
customer mindset
3. Lack of confidence in return on
investment
4. Insufficient information to turn
demand into value
5. Lack of regulatory certainty on new
market structures
6. Failure to capitalize on new types of
connectivity
7. Poorly managed M&A and
Partnership
8. Failure to improve business metrics
9. Privacy, security, and resilience
10. Lack of organizational adaptation to changing strategic needs
Below the radar:
A more pressing green agenda
Concentration of equipment vendors
Difficulties in managing debt and cash
Evolving service cannibalization scenarios
109. The Process of Implementing ERM at AA
Review of Risk Controls
The majority of airports that complete the ERM process will find that they already have various controls in place for the identified risks. This stage in the process is focused on reviewing and assessing whether these controls effectively mitigate those risks to the required level so that a decision can be made about whether additional controls may be required. During this review, opportunities should also be evaluated to ensure that strategies are in place to maximize value.
The controls in place for each of the top risks should be identified and recorded in the risk register.
Then, a small group of people with a good understanding of the risk and the controls should use control assessment criteria to decide whether those controls are (1) completely effective and no additional controls are required, (2) partially effective and additional controls need to be considered, or (3) not effective and additional controls must be put in place to control the risk.
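An added example (not part of the deck) that ties the prioritization, risk map and control review slides together: it scores a small constructed register with Risk Score = Impact x Likelihood on the deck's five-point scales, places each risk on the 5x5 map, flags those beyond an appetite line, and attaches the three-way control verdict. The score bands, the appetite score of 12 and all ratings are assumptions; only the risk codes and names come from the deck's legend.

```python
from dataclasses import dataclass

SCALE = ["VL", "L", "M", "H", "VH"]  # 1..5, the axis labels on the deck's risk map
# Assumed score bands for the 5x5 map: the deck gives Impact x Likelihood, not thresholds.
BANDS = [(4, "VL"), (9, "L"), (14, "M"), (19, "H"), (25, "VH")]
VERDICT = {1: "completely effective: no additional controls required",
           2: "partially effective: additional controls need to be considered",
           3: "not effective: additional controls must be put in place"}

@dataclass
class Risk:
    code: str                   # register code, e.g. "O.5" (codes as in the deck's legend)
    name: str
    impact: int                 # 1..5 on the impact scale
    likelihood: int             # 1..5 on the likelihood scale
    control_effectiveness: int  # 1 = completely, 2 = partially, 3 = not effective

    def __post_init__(self) -> None:  # reject ratings outside the agreed scales
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.code}: impact and likelihood must be 1..5")
        if self.control_effectiveness not in VERDICT:
            raise ValueError(f"{self.code}: control effectiveness must be 1, 2 or 3")

    def score(self) -> int:  # Risk Score = Impact x Likelihood
        return self.impact * self.likelihood

def band(score: int) -> str:  # bucket a 1..25 score into the five heat-map bands
    return next(label for upper, label in BANDS if score <= upper)

def exceeds_appetite(risk: Risk, appetite_score: int) -> bool:  # beyond the appetite line
    return risk.score() > appetite_score

def control_decision(risk: Risk) -> str:  # the three verdicts from the control-review slide
    return VERDICT[risk.control_effectiveness]

def prioritise(risks: list[Risk]) -> list[Risk]:  # highest score first, then highest impact
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)

def risk_map(risks: list[Risk]) -> list[list[str]]:
    """5x5 grid: rows are likelihood VH (top) to VL (bottom), columns impact VL..VH."""
    grid = [["" for _ in SCALE] for _ in SCALE]
    for r in risks:
        row, col = 5 - r.likelihood, r.impact - 1
        grid[row][col] = f"{grid[row][col]}; {r.code}" if grid[row][col] else r.code
    return grid

REGISTER = [  # constructed register: codes/names from the deck's legend, ratings illustrative
    Risk("O.5", "Revenue Leakage", impact=4, likelihood=4, control_effectiveness=2),
    Risk("S.3", "Regulatory", impact=5, likelihood=2, control_effectiveness=1),
    Risk("F.1", "Foreign Exchange", impact=3, likelihood=4, control_effectiveness=3),
    Risk("O.7", "Business Interruption", impact=5, likelihood=1, control_effectiveness=1),
    Risk("S.1", "Business Growth", impact=2, likelihood=3, control_effectiveness=2),
]
APPETITE_SCORE = 12  # assumed appetite line: scores above it need a risk response plan
```

Calling `prioritise(REGISTER)` and `risk_map(REGISTER)` reproduces the ranked register and the heat-map cells that a board report would show, with `exceeds_appetite` separating the risks that still need a response plan.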
110. The Process of Implementing ERM at AA
Risk Response Planning – Treatment Options
Risk response planning is essential to ensure that steps are taken to mitigate key risks to the airport. The aim is to reduce the risk profile of the airport to an acceptable level, based on the amount of risk the airport is willing to accept.
This does not mean that every risk can or indeed needs to be mitigated until it falls into the green area on the risk map. Some risks, by their nature, cannot be mitigated to a very low impact or likelihood, and others the airport may decide to accept at a higher level. The benefits (reduced likelihood or reduced impact) of proposed treatments should be considered against the cost of implementing them.
Retain the risk. Decide to accept the risk as it is and do nothing further to mitigate it. Risks that are accepted may still require monitoring and review.
Avoid the risk. If the risk is undesirable, or the organization does not have the capability to manage the risk. One example of how to avoid a risk is stopping a certain process or activity completely.
Modify the risk. This involves putting in place additional risk control measures that reduce the likelihood and/or the impact of the risk to an acceptable level.
Transfer the risk. This involves transferring the cost of the risk to a third party through insurance, contracts, or outsourcing the activity.
111. The Process of Implementing ERM at AA
Developing Risk Response Plans
A risk response plan is a tool to record, assign responsibility for, and monitor those additional mitigation measures that the airport deems necessary to have in place to ensure the risk is managed to an acceptable level. The risk response plan should be developed by the risk owner in collaboration with relevant stakeholders.
112. The Process of Implementing ERM at AA
Risk Monitoring and Reporting
Few risks and opportunities or action plans remain static. Risks and opportunities change, priorities change, actions are completed, risk responses that were once effective may become irrelevant, and so on. Therefore, it is important to monitor risk response plan effectiveness and the risk profile.
Monitoring Risk Response Plan Effectiveness.
Monitoring Risk Profile.
There is no prescribed format for risk reporting, but it is one of the most important elements of the ERM framework. Risk reports should be formatted so as to be user-friendly, actionable, and usable in decision-making. The reports should also capture both risks and opportunities.
Determining a Risk Reporting Process. To develop a risk reporting process that is sustainable and ensures the necessary risk information reaches the right people in a timely manner:
o Determine what information needs to be reported.
o Define a reporting structure linking into the overall governance structure.
o Decide the frequency of reporting. This will vary by airport, but formal risk reporting to the board should take place at least annually.
113. The Process of Implementing ERM at AA
Risk Monitoring and Reporting
Example of Risk Reporting Format
114. The Process of Implementing ERM at AA
Develop an Implementation Plan
[Figure: example of an implementation plan]
As with any other process implementation, an implementation plan should be developed.
Further, define:
Scalability
The maturity measurement
Establish an ERM culture:
Risk Champions
Training and education
Communication plan