The Overview of Internal Control
(Auditing), Fraud, and
Revenue Assurance
I Nyoman Wisnu Wardhana
Senior Advisor II – PT. Telkom
28 November 2014
Content
1 Refreshment Concept of Risk
2 Internal Control
3 Fraud in Business
4 Revenue Assurance
5 Risk Based KPIs and KRIs
6 KRIs and Dashboard
Refreshment Concept of Risk
Enterprise Risk Management Concept
Risk management is not about formulas and numbers. It is about insight, and about seeing the pattern.
Enterprise Risk Management History: maturing as a business process

1950s-1960s: Traditional Risk Management ("TRM")
1970s: Risk management gains wider acceptance
1977: Foreign Corrupt Practices Act ("FCPA")
1980s: Companies begin risk departments, typically focused on insurance
Early 1980s: Increased focus on internal control and compliance
1985: National Commission on Fraudulent Financial Reporting (Treadway Commission)
1990s: Risk management matures as companies begin to focus on "business risk"
1992: Committee of Sponsoring Organizations ("COSO") publishes Internal Control — Integrated Framework
1990s-2000: Continued focus on internal control, risk management, and responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, others)
2002: Sarbanes-Oxley Act of 2002
2004: Release of COSO ERM Integrated Framework

Enterprise Risk Management is intertwined with the development of internal control standards and the regulatory environment.
Source: Deloitte & Touche LLP
Internal Control Backgrounds
Enterprise Risk Management Concept

Fraud, Corporation, SEC Rules, PCAOB standard, S.O.X.

Management proactive v. its enhancement:
- Corporate Governance
- Implementation of Internal Control (IC)
- Management Disclosure (Assertion)
- Opinion from KAP

Every company must have its control in place.

SEC proposed:
- COSO Framework (IC)
- COBIT (IT Control)

Time frame: AS#2 proposal, then AS#5 proposal.

Introduction of:
 Governance
 Risk Based
 Compliances (consent and approval)
It derives from any regulation and rules/law of its home country.

Too costly due to broad scope: Risk Based Audit and IC.

Internal Control Backgrounds - ERM
Growth will be more risky. That is the exact rationale behind ERM.
Internal Control – Risk Based Audit
The scope of our discussion will cover some areas, inter alia:
 Role and Function of IC in your organization
 Task and Responsibility of IC in your organization
 Organization chart (structure)
 Scope and coverage
 Limitation and segregation of duties
 Reporting mechanism
 Recommendation and feed back
 Follow up
 Focus + KPIs Department of Internal Control
Internal Control
Organization Structure

1. Development structure
 Organization may create a project to be assigned with such tasks; to devise, and so on.
 The project leader has a direct report to, and is under the authority of, the CEO and other Boards.
 Usually involving consultants (ICOFR).

2. Maintenance structure
 An independent unit should be established.
 It may become a single Board directorate or Head of Department.
 Duties conducted through 'task forces'; it may be held annually.

3. Improvement structure
 Then, it should be embedded into any related unit/division.
 Becoming a necessity and automatically creating direct interdependence with the organization's performance.

Usually it takes 5-10 years of implementation, depending on complexity and organization size.
Internal Control
Organization Structure – cont.'

Board: Governance, Audit
CEO
CRO: Integrates risks, Best practices, Balances perspectives, Risk education
Counsel/Compliance: Regulatory Risk, Legal Risk
EVP Line Units: Business risks, Product risks, Customer risks
C-Financial Officer: Financial risks, Capital, Statutory & GAAP Reporting Risk, Rating agency, Tax
C-Investment Officer: Market risks (fixed income, equities, real estate); Performance risks (tracking error, alpha, VaR, risk budget, operational risks)
C-Actuary: Liability risks (P&C, life/health, commercial); Other issues (expected losses, unexpected losses, embedded options)
Head of Treasury: Interest rate risks (parallel shifts, curve twists, basis risks); Other risks (FX risks, liquidity risks)
Head of IT/Operation: Operational risks (processes, people, contingencies); Technology risks (availability, performance, security)

Source: James Lam, Enterprise Risk Management
Internal Control
Organization Structure – cont.'

Head of Compliance, Risk Management & General Affair
 VP Risk & Process Management (peer units: VP Supply & Planning, SGM Supply Centre, VP Legal & Compliance)
  AVP Risk & Process System Development
  AVP Process Strategy
  AVP Risk Strategy

Source: Telkom Proprietary
Internal Control
Sample of coverage, segregation, and scoping of ERM

Strategic inputs: Vision & Mission, Strategic Direction, Board of Directors' Instructions.

Units involved: Compliance Risk Management & General Affair (CRM & GA); VP Risk & Process Management with its three functions (Risk & Process System Development, Process Strategy, Risk Strategy); BOD/BOC; all directorates (DIT NITS; DIT CONS, EBiZ & WINS); all units.

Inputs received from the units:
· Group Business Plan
· Business Development
· Corporate Policy
· Incident Report (vandalism, natural disasters, loss, fraud, etc.)
· Recovery Report
· BPO Feedback
· Policy Review & Assessment
· Best Practice Report
· Environmental Impact
· Contingency Operation Strategy
· Unit Mgt. & Quality Report
· Innovation
· INSYNC
· IT Policy
· IT Standard
· Fraud/Revenue Assurance Tools
· IS Application Support
· Risk IS Application Request and Requirement (all units)

Outputs delivered by Risk & Process Management:
· Draft Quality Management Policy
· Internal Control Policy and Guideline
· Draft Process Management Policy
· Draft Leadership System & GCG Policy
· Draft SLA, SLG & Transfer Pricing Policy
· Draft Anti Fraud Policy & Management
· Draft Revenue Assurance Policy & Management
· Draft Insurance Policy & Decision Guideline
· Procedures / implementation guidelines (JUKLAK) / Guidelines
· Enterprise risk management methodology
· Policy Framework & Manual
· Risk Management Policy & Program
· Risk Register / Profile (including the ICoFR risk scope)
· Risk Identification & Mitigation
· Risk Assessment Report
· Risk Mitigation Plan
· Risk Reporting and Risk Reporting Analysis
· Risk control handling policy socialization program
· BCM implementation program
· Sensitivity Analysis
· Fraud Management Program
· Potential Fraud Register
· Compliance Analysis Consultancy
· Revenue Assurance Policy Implementation Report
· Risk Assessment Implementation Report / Implementation Report
· Internal Control Design
· Enterprise Process Design
· Enterprise IT Application
· Standard Business Process
· Business Process Reengineering
· Business Process ICOFR & DCP
· Role Map & Functional Business Process
· Lateral/Cross Functional Business Process
· Evaluation of Innovation

Source: Telkom Proprietary
Internal Control
ERM and Internal Control
What are Risk Management Frameworks and
Why have them?
What is a Risk Control Matrix, COSO, COBIT, Risk
Universe, Key Controls, Critical Controls?
Using them in SOA, ERA or Revenue Cycle
Internal Control
Why is business risk a priority?

Business risks are greater today than ever:
• Globalization means increased exposure to international events
• Need for efficiencies, innovation and differentiation to compete
• We now know the unthinkable can happen
• Financial reporting is now a risk area
• Application is uneven at companies "applying EWRM"
- We live in unpredictable times, isn't it?

Points of view from a recent survey:
– Many executives see an array of ever-increasing business risks
– Business risk management practices require improvement
– Substantial revisions in business risk management have either been made or will be made
– Senior executives want more confidence that all potentially significant risks are identified and managed

Source: Protiviti Inc
Internal Control
Gartner reveals top five business issues
 Cost constraints
 Security of data and privacy
 Stakeholder returns
 Managing business risk
 Innovation
Source: The Gartner Group, based upon interviews and surveys

Key Indicators of Need
 Management wants increased confidence that all potentially significant risks are identified and managed
 Key decisions are made without a systematic evaluation of risk and reward trade-offs
 Risk management isn't integrated with strategic and business planning
 Risks are not systematically identified, sourced, measured and managed
 Units of the organization are managing similar risks differently
 Inability to measure performance on a risk-adjusted basis
 Capital investment process requires improvement
 Increasing demands for more information relating to risks and internal controls from the board and investors
Internal Control
A common framework will accelerate progress
• We need a common language
• We need criteria against which to benchmark
• Now we can communicate more effectively
• Familiarity of concepts is useful
• Application guidance is a critical piece
• Issuance of framework is only the beginning
Yes, we need a framework!
Source: Protiviti Inc
Internal Control
Traditional Risk Universe Framework
Source: Protiviti Inc
Internal Control
The COSO Framework provides an understanding of the components of ERM

Components (front face of the cube): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.
Objectives (top of the cube): Strategic, Operations, Reporting, Compliance.
Entity levels (side of the cube): Entity-level, Division, Business Unit, Subsidiary.

Enterprise Risk Management:
 Is a process
 Is effected by people
 Is applied in strategy setting
 Is applied across the enterprise
 Is designed to identify potential events
 Manages risks with risk appetite
 Provides reasonable assurance
 Supports achievement of objectives
Source: COSO proposed ERM Framework
Internal Control
SOA and the COSO Framework
Complying with SOA Section 404 in the Context of
the COSO Framework
The COSO Framework is recommended by the SEC as an
accepted internal control framework to guide corporate
compliance with SOA 404. COSO requires an entity-level
(or “tone at the top”) internal control focus and an
activity or process level focus (the right side of the
cube), with the three objectives of effectiveness and
efficiency of operations (including safeguarding of
assets), reliability of financial reporting, and
compliance with applicable laws and regulations (across
the top of the cube).
Our approach captures the five components of internal
control: the control environment, risk assessment,
control activities, information/communication, and
monitoring.
Source: COSO proposed ERM Framework
Internal Control
Control Levels
Source: COSO proposed ERM Framework
• Entity-level Controls
– Entity-level controls are those controls that management relies upon to establish the
appropriate “tone at the top” relative to financial reporting. An entity-level assessment
for each control entity should be conducted as early as possible in the evaluation process
• Process-Level Controls
– Process level controls are usually directly involved with initiating, recording, processing
or reporting transactions
• General IT and Application Controls
– General IT controls typically impact a number of individual applications and data in the
technology environment
– Application controls relate primarily to the controls programmed within an application
that can be relied upon to mitigate business process-level risks
COSO Components and their Attributes

Risk Assessment
• Entity-wide objectives
• Activity-level objectives
• Risk Identification
• Managing Change

Control Environment
• Integrity and ethical values
• Commitment to competence
• Board of Directors or Audit Committee
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and procedures

Information and Communication
• External and internal information is identified, captured, processed and reported
• Effective communication down, across, up the organization

Control Activities
• Policies, procedures, and actions to address risks to achievement of stated objectives

Monitoring
• Ongoing monitoring
• Separate evaluations
• Reporting deficiencies

Application: address the attributes for each COSO component. For each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.

Points of Focus:
• Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
• Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
• Is the background of prospective employees checked and references obtained?
• Are performance expectations clearly defined and reinforced with appropriate performance measures?
• Are employee retention, promotion and performance evaluation processes effective?
• Is the established code of conduct reinforced and disciplinary action taken when warranted?
• Are everyone's control-related responsibilities clearly articulated and carried out?
Internal Control
Control Levels – Examples of Entity-Level Controls
Source: COSO proposed ERM Framework
Internal Control
Control Types
• Manual vs. System-based controls
– Manual controls predominantly depend upon manual execution by one or more individuals
– Automated controls predominantly rely upon programmed applications or IT systems to execute a step or perhaps prevent a transaction from occurring without manual decision or interaction
– There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; therefore, the manual control is dependent on the reliability of system processing
• Preventive vs. Detective controls
– Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process
– Detective controls are processes, either people-based or systems-based, that are designed to detect and correct an error (or fraud) or an omission in a timely manner, prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.)
Source: COSO proposed ERM Framework
Internal Control
Control Reliability
• As transaction volumes increase and with
increasingly complex calculations, systems-based
controls are often more reliable than people-
based controls because they are less prone to
mistakes than human beings, if designed,
operated, maintained and secured effectively
• A shift toward an anticipatory, proactive
approach to controlling risk requires greater use
of preventive controls than the reactive ‘find and
fix’ approach embodied in a detective control
• Effectively designed controls that prevent risk at
the source free up people resources to focus on
the critical tasks of the business
Control reliability matrix: a systems-based, preventive control is the MORE RELIABLE/DESIRABLE end; a people-based, detective control is the LESS RELIABLE/DESIRABLE end; systems-based, detective controls and people-based, preventive controls sit in between.

NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity-level, e.g., the internal audit function.
Source: COSO proposed ERM Framework
Internal Control
What is a Critical Control?
Definitions:
• KEY CONTROL: An activity or task performed by management or other personnel designed to
provide reasonable assurance regarding the achievement of certain objectives as well as mitigating
the risk of an unanticipated outcome. Significant reliance is placed upon this control’s effective
design and operation. Upon failure of the key control, the risk of occurrence of an undesired
activity would not be mitigated regardless of other controls identified. In other words, reasonable
assurance of achieving the process’ objectives could not be obtained.
• CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact
on financial reporting (segregation of duties, system and data access, change controls, physical
safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most
direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk
of occurrence of an undesired activity would not be mitigated regardless of other controls
identified within ANY process. Failure of critical controls would affect the ability of management
to achieve not only process objectives, but also the company’s financial statement objectives.
Source: COSO proposed ERM Framework
Internal Control
Control Types
• Primary vs. secondary controls
– Primary controls are controls that are especially critical to the mitigation of risk and the ultimate
achievement of one or more financial reporting assertions for each significant account balance,
class of transactions and disclosure; these are the controls that managers and process owners
primarily rely on
– Secondary controls are important to the mitigation of risk and the ultimate achievement of one or
more financial reporting assertions, but are not considered “critical” by management and process
owners; while these controls are significant, there are compensating controls that also assist in
achieving the assertions
• Controls over routine processes vs. controls over non-routine processes
– Controls over routine processes are the manual and automated controls over transactions
– Controls over non-routine processes are the manual and automated controls over estimates and
period-end adjustments; these controls often address the greatest risks in the financial reporting
process and are most susceptible to management override
Source: COSO proposed ERM Framework
Internal Control
Control Levels – Examples of Common Process-Level
Control Activities
Pervasive Process-Level Controls*
• Establish and communicate objectives
• Authorize and approve
• Establish boundaries and limits
• Assign key tasks to quality people
• Establish accountability for results
• Measure performance
• Facilitate continuous learning
• Segregate incompatible duties
• Restrict process system and data access
• Create physical safeguards
• Implement process/systems change controls
• Maintain redundant/backup capabilities

Specific Process-Level Controls**
• Obtain prescribed approvals
• Establish transaction/document control
• Establish processing/transmission control totals
• Establish/verify sequencing
• Validate against predefined parameters
• Test samples/assess process performance
• Recalculate computations
• Perform reconciliations
• Match and compare
• Independently analyze results for reasonableness
• Independently verify existence
• Verify occurrence with counterparties
• Report and resolve exceptions
• Evaluate reserve requirements

* Controls affecting multiple processes, including entity-level and general IT controls
** Controls specific to a process, including programmed application controls
Source: COSO proposed ERM Framework
Internal Control
Best practice

OBJECTIVES
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

PROCESS (components)
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring

ENTITY
 Entity Level Controls (ELC): controls that have a pervasive effect and can also impact transaction level controls.
 Transaction/Application/Process Level Controls (TLC): controls that occur in any process the organization has designed, in the form of authorization, verification, reconciliation, and other activities related to fraud prevention, error, and asset protection.

Source: COSO proposed ERM Framework
Internal Control
Key Concept
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

WHAT IS CONTROL?
"All of the elements of an organization that, taken together, support people in achieving the organization's objectives"

DIRECTIVE CONTROL: directive controls are actions taken to cause or encourage a desirable event to occur.
• Policy & Procedure
• Competence of personnel
• Organizational Structure
• Organizational Culture

DETECTIVE CONTROL: detective controls are actions taken to detect and correct undesirable events which have occurred.
• Reconciliation
• Budget v. actual comparison
• Physical count

PREVENTIVE CONTROL: preventive controls are actions taken to deter undesirable events from occurring.
• Authorization
• Safeguarding of assets/sensitive data
• Segregation of Duties

Source: COSO proposed ERM Framework
Internal Control
Classification of ICOFR: Entity Level Control, Transaction Level Control, IT Control

Entity Level Control
A process designed by, or under the supervision of, management to realize an environment that has a pervasive impact on the effectiveness of controls at the process, transaction or application level.

Transactional Level Control
• The objective of a process/transactional level control is to achieve a specific objective.
• Generally relates to individual business locations or business processes.

IT Control
• The information technology processes and related controls that are applied above the computer application level
• IT controls are controls that exist above and around the computer application, which are designed to:
– Ensure that changes to applications are properly authorized, tested, and approved before they are implemented, and
– Ensure that only authorized persons and applications have access to data, and then only to perform specifically defined functions (e.g., inquire, execute, update).
Source: Telkom Proprietary
Internal Control
Design Stages

1. Scoping Process/Identification
 Start from the financial statements, identify the significant accounts and the significant processes behind them.
 - To define materiality
 - To define accounts and significant disclosures
 - Financial assertions (based on accounts and significant disclosures)
 - To define groups of transactions and their respective processes
 - Process mapping

2. Risk Identification & Assessment
 Identify the inherent and key business risks for each significant process: what can go wrong?

3. Control Design
 Controls must:
 - Provide mitigation for any fraud and error identified
 - Be applicable
 - Be verifiable, so that they can be analyzed

Source: Telkom Proprietary
Internal Control
Sample control
Source: Telkom Proprietary
The Challenge: Risk
Source: Insurance Information Institute research, 2011

"Nearly 90 percent of firms do not conduct a risk assessment when outsourcing production."
"Supply Chain Risk: It's Time to Measure It," Harvard Business Review Blog, Feb 5, 2010
Fraud in Business
What is Fraud?
GRAPA (Global Revenue Assurance Professional Association)
o Intentional deception resulting in injury to another person
o Imposter: a person who makes deceitful pretenses
o Something intended to deceive; deliberate trickery intended to gain an advantage

Etymology
Recorded since 1345, from Old French fraude, from Latin fraus 'deceit, injury'

Noun
o Any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain.
o The assumption of a false identity to such deceptive end.
o One who performs any such trick.

Albrecht
"A deception that includes: a representation about a material point, which is false, and intentionally or recklessly so, which is believed and acted upon by the victim to the victim's damage"
Source: Telkom Proprietary
Fraud in Business
What is Fraud?
Based on PT. Telkom definition
TELKOM (KR.05 – 2009)
Fraud is a dishonest act committed intentionally by management, employees, partners or other parties that involves deception, dishonesty, misrepresentation and concealment of the truth, with the aim of obtaining a benefit for that person or party, and which causes a loss to the Company or to another party.
Source: Telkom Proprietary
Fraud in Business
Fraud Categories
GRAPA
Internal fraud
involves activities perpetrated within the organization such as intentional
misrepresentation of financial statements or financial statement transactions, theft,
embezzlement, or improper use of the organization’s resources.
External fraud
involves theft or improper use of the organization’s resources perpetrated by
individuals outside the organization. Some examples of external fraud prevalent in the
government arena include false claims and statements, beneficiary fraud, and
contract and procurement fraud.
Source: Telkom Proprietary
Fraud in Business
Fraud Categories – cont.’
TELKOM (KR.05 – 2009)
Corporate fraud
A dishonest act committed intentionally by management, employees, partners or other parties that involves deception, dishonesty, misrepresentation and concealment of the truth, with the aim of obtaining a benefit for that person or party, and which causes a loss to the Company or to another party. Fraud includes, but is not limited to, embezzlement of money/goods, theft of money/goods, bribery, forgery, diversion, conversion, misuse of assets, making false claims or statements, falsification of documents, or collusion and/or conspiracy between two or more persons.
Telecommunications fraud
Any act of cheating, deception or embezzlement in the use of telecommunications facilities, committed intentionally by certain persons or organizations, with the aim of avoiding service charges or the tracing of call records.
Aviation Fraud?
Source: Telkom Proprietary
Fraud in Business
Fraud Categories – cont.'

Customer Fraud (KD.08/2009, Revenue Assurance)
Fraud is any act of cheating, deception or embezzlement in the use of telecommunications facilities, committed intentionally by certain persons or organizations, with the aim of avoiding service charges or the tracing of call records.

Sources of customer fraud: hacking, illegal reselling, rogue customers, rogue operators, criminal organizations, rogue employees.

Source: Telkom Proprietary
Fraud in Business
Fraud Categories – cont.'

Corporate Fraud (KD 43/2008, Anti Fraud Policy)
An act committed intentionally by an official, employee, third party or other party that involves elements of deception, dishonesty, misrepresentation and concealment of the truth, with the aim of obtaining a benefit for that person or party, and which causes a loss to the Company.

Forms of corporate fraud:
- embezzlement of money/goods
- theft of money/goods
- diversion
- misuse of assets
- bribery
- forgery
- false claims or statements
- corruption, collusion, nepotism

Source: Telkom Proprietary
Fraud in Business
Fraud Categories – cont.’
The Aviation Industry
Recently, this industry has faced numerous financial pressures that impact its profitability, many of which are specific to the sector: the impact of Air Passenger Duty, increasing security and insurance costs, environmental levies, oil-price volatility, changes to customer business travel policies and competition from surface travel will all have had an impact on a company's profitability during a time of unprecedented financial uncertainty. These are all costs that the industry identifies and takes into account, yet another business cost, of equal impact and significance, has never been accurately quantified by the sector: Fraud.
Source: PKF-Accountants & business advisers
Fraud in Business
Fraud Triangle

One set of factors common to internal fraudsters at all levels in any organization is the Fraud Triangle (Donald Cressey):

Pressure in the context of Cressey's Fraud Triangle relates specifically to financial difficulties such as large amounts of credit card debt, an overwhelming burden of unpaid healthcare bills, large gambling debts, extended unemployment, or similar financial difficulties.
Opportunity exists when an employee discovers a weakness in the organization's antifraud controls.
Rationalization is a psychological process whereby a person who has committed fraud convinces himself that the act is either not wrong, or that even though it may be wrong, it will be "corrected" because he will eventually return the money.
Source: Fraud in the Markets
Fraud in Business
Fraud Triangle – cont.’
MOTIVE / PRESSURE
Financial Gain
• Remove the motive
– Hard to do, if tariffs are high
• Deny the opportunity
– Physical security, network security
• Fix the mechanism
– New technologies fix some but may
introduce others
Fraud Triangle Solution Overview
Source: Telkom Proprietary
Fraud in Business
Various Classification of Fraud
Telecom Service Related Fraud Glossary --- By TMForum.org

Fraud Type: Fraud Identifier
Subscription / Identity Theft
CNAM Dip Fee Fraud
"Wangiri" Call Back Fraud
Bypass: Tromboning, SIM Boxes, Fixed Cell Terminals, Premicells, GSM/UMTS Gateways, Landing Fraud, VoIP Bypass, Interconnect Fraud, Toll Bypass, Third Country, Grey Routing, International Simple Resale
Roaming Fraud
Cloning Fraud
Spam: Malware Fraud, Spoofing Fraud, IP/Phishing Fraud
(International) Revenue Share Fraud (IRSF)
PBX Hacking Fraud
IP: Subscription/Identity Theft, AIT (Artificial Inflation of Traffic), DoS (Denial of Service), Content Sharing Fraud, Identity Trading Fraud, Spyware Fraud, Pharming Fraud, Online Brand Threats Fraud
Interconnect (IXC): Arbitrage, Call Looping, QoS (Quality of Service) Exploitation, Technical Configuration
SMS Fraud: Faking, Global Title Scanning, Open SMSC
Pre-paid: PIN Theft, PIN Guessing, Stolen Voucher, Altering Free Call Lists, Manual Recharges, Voucher Modification, Duplicate Voucher Printing, Fraudulent Voucher Reading, Illegal Credit Card Use for Recharges, IVR Abuse/Hacking, IN Flag Modifications, Handset Manipulation, Handset Installment, Roaming
Source: Telkom Proprietary
Fraud in Business
Case: PBX Hacking Fraud -- Business Schema

Actors: hackers, premium services, victims.
1. Registered to a premium service provider
2. Hacked the customer's PBX
3. Made a huge volume of calls, earning $$$$
4. Share revenue/fees
Source: Telkom Proprietary
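As an added, defender-side illustration of the case above (not part of the original deck, and not Telkom's tooling): a detective control over call detail records that flags a customer PBX trunk whose off-hours calls to premium-rate destinations exceed assumed thresholds. The CDRs, the premium prefixes, the business-hours window and the thresholds are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs for illustration: (pbx_trunk, start_time, dialled_number, duration_s).
# PBX-001 shows the pattern in the case: a burst of long night-time calls to premium-rate
# destinations from a hacked PBX. PBX-002 is a normal office trunk with one short evening call.
SAMPLE_CDRS = [
    ("PBX-001", "2014-11-27 09:15:00", "+62215550101", 95),
    ("PBX-001", "2014-11-27 02:10:00", "+88213000001", 1800),
    ("PBX-001", "2014-11-27 02:12:00", "+88213000002", 1750),
    ("PBX-001", "2014-11-27 02:15:00", "+88213000003", 1790),
    ("PBX-001", "2014-11-27 03:40:00", "+19005550199", 1200),
    ("PBX-001", "2014-11-27 03:45:00", "+19005550188", 1260),
    ("PBX-002", "2014-11-27 10:00:00", "+62215550102", 300),
    ("PBX-002", "2014-11-27 14:30:00", "+6581234567", 240),
    ("PBX-002", "2014-11-27 23:30:00", "+19005550177", 60),
]

# Placeholder hot-list of premium-rate / revenue-share prefixes (assumption; a real
# deployment loads the operator's own list, which is not on the slides).
PREMIUM_PREFIXES = ("+882", "+1900")
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time (assumed)
MIN_OFF_HOURS_CALLS = 3            # assumed threshold: off-hours premium calls per trunk
MIN_OFF_HOURS_MINUTES = 60.0       # assumed threshold: off-hours premium minutes per trunk


def is_premium(number):
    """True when the dialled number falls in the premium-rate hot-list."""
    return number.startswith(PREMIUM_PREFIXES)


def summarise_trunks(cdrs):
    """Aggregate premium-destination calls per trunk, split into business and off hours."""
    stats = defaultdict(lambda: {"off_calls": 0, "off_minutes": 0.0,
                                 "biz_calls": 0, "biz_minutes": 0.0,
                                 "off_destinations": set()})
    for trunk, start, number, duration in cdrs:
        if not is_premium(number):
            continue
        hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour
        s = stats[trunk]
        if hour in BUSINESS_HOURS:
            s["biz_calls"] += 1
            s["biz_minutes"] += duration / 60.0
        else:
            s["off_calls"] += 1
            s["off_minutes"] += duration / 60.0
            s["off_destinations"].add(number)
    return stats


def detect_pbx_hacking(cdrs):
    """Return one alert per trunk whose off-hours premium traffic exceeds both thresholds."""
    alerts = []
    for trunk, s in summarise_trunks(cdrs).items():
        if s["off_calls"] >= MIN_OFF_HOURS_CALLS and s["off_minutes"] >= MIN_OFF_HOURS_MINUTES:
            alerts.append({
                "trunk": trunk,
                "off_hours_premium_calls": s["off_calls"],
                "off_hours_premium_minutes": round(s["off_minutes"], 1),
                "distinct_destinations": len(s["off_destinations"]),
                # Containment steps a revenue assurance team would typically take (assumed).
                "action": "block premium/international on trunk, notify customer, open RA case",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_pbx_hacking(SAMPLE_CDRS):
        print(alert)
```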
Fraud in Business
How to prevent Fraud?
KR. 05/HK.290/COP-D031000/2009
Source: Telkom Proprietary
“The greatest risk of all is
to take no risk at all”
– Forbes, 2012
Revenue Assurance
What is Revenue Assurance?

GRAPA (Global Revenue Assurance Professional Association)
"The art of finding what you didn't know was missing"
Revenue Assurance is the systematic, independent application of a set of Standard Methodologies employed to Identify, Quantify, Report, Remedy and Contain Risks to Telecoms revenues in its many forms.

TM Forum
"Data quality and process improvement methods that improve profits, revenues and cash flows without influencing demand"

TELKOM (KD.08 – 2009)
Revenue Assurance is the management of the risk of revenue leakage that may occur anywhere along the revenue stream as a result of weaknesses in systems and procedures, so that every revenue to which the company is entitled can be recognized, received, recorded and reported completely and accurately.
Revenue assurance is not about ensuring that revenue targets are achieved!
Source: Telkom Proprietary
Revenue Assurance
What is Revenue Assurance? (figure from KPMG's Global Revenue Assurance Survey, 2009; not reproduced in this text)
Revenue Assurance
What is Revenue Assurance? Realized revenue versus network activity
The slide's diagram (labels recovered; layout not reproduced) partitions all network activity, measured in time (seconds, minutes, erlangs), into:
• realized revenue;
• network activity not realized as revenue (potential revenue), i.e. leakage;
• unrecoverable network activity (noise);
• activity that is too expensive to recover.
Revenue assurance effort converts part of the unrealized activity into additional realized revenue, while the remainder is recognised as additional unrecoverable activity. Hence the three quantities tracked:
• Revenue leakage
• Revenue lost
• Cost to recover
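The decomposition above is what a revenue assurance reconciliation computes in practice: every usage event the network saw is rated the way billing should have rated it and matched against what was actually invoiced, and the difference is bucketed as realized, recoverable leakage, too small to be worth recovering, or unrecoverable by design. The following is an added example, not code from the deck or from Telkom; the event layout, the flat per-second tariff, the recovery-cost threshold and all sample records are constructed assumptions.

```python
"""Revenue assurance reconciliation: network usage versus billed revenue.

Added example, not from the original deck. The event format, the flat per-second
rate, the recovery-cost threshold and the sample data are assumptions for illustration.
"""

# Constructed network events (what the switch/mediation layer recorded).
# "kind" separates billable subscriber traffic from engineering test calls.
NETWORK_EVENTS = [
    {"id": "c1", "sub": "081100001", "secs": 120, "kind": "voice"},
    {"id": "c2", "sub": "081100001", "secs": 600, "kind": "voice"},   # never reached billing
    {"id": "c3", "sub": "081100002", "secs": 45,  "kind": "voice"},
    {"id": "c4", "sub": "TEST-0001", "secs": 300, "kind": "test"},    # unrecoverable by design
    {"id": "c5", "sub": "081100003", "secs": 3,   "kind": "voice"},   # tiny call, not worth chasing
    {"id": "c6", "sub": "081100004", "secs": 900, "kind": "voice"},   # under-rated in billing
]

# Constructed billing records: event id -> amount actually invoiced.
BILLED = {"c1": 1.20, "c3": 0.45, "c6": 8.00, "c9": 0.50}  # c9 has no network event

RATE_PER_SEC = 0.01     # assumed flat tariff
RECOVERY_COST = 0.10    # assumed cost of investigating and re-billing one event


def expected_charge(event, rate=RATE_PER_SEC):
    """Rate an event the way billing should have; non-billable kinds rate to 0."""
    return round(event["secs"] * rate, 2) if event["kind"] == "voice" else 0.0


def reconcile(events, billed, rate=RATE_PER_SEC, recovery_cost=RECOVERY_COST):
    """Bucket every unit of network activity as the slide's diagram does:
    realized, leakage (worth recovering), too expensive to recover, or unrecoverable.
    Also reports amounts billed with no matching usage (over-billing exposure)."""
    report = {
        "potential": 0.0, "realized": 0.0, "leakage": 0.0,
        "too_expensive": 0.0, "unrecoverable": 0.0, "billed_without_usage": 0.0,
        "leaked_events": [],
    }
    seen = set()
    for ev in events:
        seen.add(ev["id"])
        value = round(ev["secs"] * rate, 2)          # what the usage was worth
        report["potential"] += value
        if ev["kind"] != "voice":
            report["unrecoverable"] += value         # test traffic can never be billed
            continue
        got = billed.get(ev["id"], 0.0)
        report["realized"] += got
        gap = round(expected_charge(ev, rate) - got, 2)
        if gap <= 0:
            continue                                 # fully billed (or over-billed)
        if gap < recovery_cost:
            report["too_expensive"] += gap           # chasing it costs more than it returns
        else:
            report["leakage"] += gap
            report["leaked_events"].append(ev["id"])
    for bid, amount in billed.items():
        if bid not in seen:
            report["billed_without_usage"] += amount  # invoice with no usage behind it
    return {k: (round(v, 2) if isinstance(v, float) else v) for k, v in report.items()}


def leakage_ratio(report):
    """Leakage as a fraction of potential revenue, the headline RA metric."""
    return round(report["leakage"] / report["potential"], 3) if report["potential"] else 0.0


if __name__ == "__main__":
    r = reconcile(NETWORK_EVENTS, BILLED)
    for k, v in r.items():
        print(f"{k:22s} {v}")
    print("leakage ratio", leakage_ratio(r))
```

On the constructed data, 19.68 of potential revenue splits into 9.65 realized, 7.00 leakage worth recovering (one unbilled call and one under-rated call), 0.03 too small to chase, and 3.00 of test traffic that was never billable; the 0.50 invoiced with no usage behind it is the opposite failure, an over-billing exposure that revenue assurance must also report because it creates refunds and regulatory risk.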
Revenue Assurance
Revenue Assurance Framework
The 4 Pillars of the Revenue Assurance Standard:
• Disciplines and the Revenue Assurance lifecycle: Forensic, Control Management, Corrective Management, Compliance
• Domains
• Objectives (levels)
• Principles
These pillars may provide an effective framework for an organization to optimize its revenue.
Revenue Assurance
Revenue Assurance Framework
The framework slide (figure; labels recovered, layout not reproduced) links the definition of Revenue Assurance to the following elements:
• Disciplines: Forensic, Control, Corrective, Compliance
• Domain scope (vertical and horizontal): Network, Mediation, Interconnect, Roaming, Collection, Postpaid, Prepaid, Channel, Provisioning, Fraud Management, Rate Plan, Product Development, Product Line, Customer Relationship Management, Marketing
• Mission/Objectives: Fraud Containment, Risk Containment, Loss Prevention, Margin Assurance, Revenue Stream Assurance
• Ethics and Principles: Code of Conduct, Corporate Responsibility, Competence Requirements, Transparency, Rationalization, Consensus
Revenue Assurance
Revenue Assurance Framework: the lifecycle (slide figure; labels recovered, layout not reproduced)
Inputs to Forensics: cases, domains, management, internal audit, customer complaints, internal incidents, external incidents, operational monitoring.
Forensics produces an assessment, recommended corrections and a coverage plan, reported to management, internal audit and operational management.
The outputs flow on to Correction Management and Controls Management, which report through Reporting Management; Compliance spans the whole cycle.
Forensic Analysis process
• Investigate the root causes of revenue loss problems (both those that have occurred and those that could occur)
• Diagnose the existing problems
• Prepare recommendations to address the problems found
Revenue Assurance
Revenue Assurance Framework: Forensic Analysis
Input:
• Product description
• Technology description
• Network and IT description
• Related tariff policy
• Customer contracts
• Supplier contracts
• Government regulations
• Business processes
How:
• Understand the product/service and the technology
• Mapping analysis of revenue and payment
• Risk analysis
• Exchange analysis
• Process analysis
• System analysis
• Numerical analysis
• Statistical analysis
Output:
• Risk register (list of risks)
• Risk priorities
• Control proposals
• Proposed corrective actions
• Recommendations
Control Management
Manage and monitor the existing controls so that their findings are followed up.
Input:
• Control proposals
• Data sources and IT tools
Output:
• Alerts
• Control performance
Revenue Assurance
Revenue Assurance Framework
Corrective Management
Manage the corrective-action recommendations resulting from forensic analysis, and monitor their execution.
Input:
• Corrective recommendations
Output:
• Status and results of the corrective actions
Compliance & Reporting
Define the KPIs and ensure that the other three processes are fulfilled.
Input:
• Policies
Output:
• Standard KPIs
• KPI achievement reports
Revenue Assurance
Revenue Assurance Maturity Levels
Level 1, Dependent: ad hoc, chaotic; dependent on individual heroics.
Level 2, Repeatable: basic project/process management; repeatable tasks.
Level 3, Defined: standardized approach developed; designing-in of controls commences.
Level 4, Managed: leakage quantitatively understood and controlled.
Level 5, Optimizing: continuous improvement via feedback; decentralized ownership, holistic control.
Revenue Assurance
Revenue Assurance – Revenue streams
TM Forum groups a telco's revenue into 8 revenue streams (the TM Forum leakage library has 126 entries in total):
1. Product and offer management
2. Order management and provisioning
3. Network and usage management
4. Rating and billing
5. Receivables management
6. Finance and accounting
7. Customer management
8. Partner management
How about revenue assurance in airport administration?
Risk: "the effect of uncertainty on objectives" – ISO 31000:2009
Risk: "the possibility that an event will occur and adversely affect the achievement of objectives" – COSO ERM Framework
Risk Based KPIs and KRIs
ERM Maturity Levels
ERM maturity stages (slide figure): Public Relations, Compliance, Protection, Optimization, Value Creation.
Risk Maturity Graph, Standard & Poor's ERM Quality Classifications:
Level 5, Leadership: Excellent
Level 4, Managed: Strong
Level 3, Repeatable: Adequate
Level 2, Initial: Weak
Level 1, Ad hoc: Weak
Nonexistent: [Nonexistent]
Excellent
• Advanced capabilities to identify, measure and manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk-adjusted returns throughout the organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management into decision making to optimize risk-adjusted returns
Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical "silo"-based risk management
• Process to optimize risk-adjusted returns not fully developed
Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Where does your organization stand?
Risk Based KPIs and KRIs
Company Objectives
Objectives v. Risk Management:
1. Ensuring the reliability of the company's objectives.
2. Providing a measurable picture of the steps/milestones toward achieving the objectives.
3. Providing alternatives for achieving the objectives.
4. Accounting for the allocation of resources to achieving the objectives.
5. Anticipating developments that affect the achievement of the objectives.
6. Optimizing the potential and the opportunities for achieving the objectives.
STRATEGIC OBJECTIVE: Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
10 Strategic Initiatives:
1. Optimizing POTS and Strengthening Broadband
2. Consolidate & Grow FWA Business and Manage Wireless Portfolio
3. Integrated Telkom Group Ecosystem Solutions
4. Invest in IT Services
5. Invest in Media & Edutainment Business
6. Invest in Wholesale and Strategic International Opportunities
7. Invest in Strategic Domestic Opportunities that Leverage the Assets
8. Integrate NGN & OBCE
9. Align Business Structure and Portfolio Management
10. Transforming Culture
Risk Based KPIs and KRIs
Company Objectives – Approach Model
1. Determine the key business objectives based on the corporate strategy.
2. Identify the risks that affect achievement of the objectives, and build a company-wide risk profile.
3. Set the risk tolerance criteria/levels based on the assessment of likelihood and potential impact.
4. Allocate the mitigation plans (the appropriate strategies), the resources and the accountability for managing the risks.
5. Execute the (mitigation) strategies and identify KRIs and KPIs that are measurable in financial and operational terms.
Then monitor progress to identify potential performance improvements in achieving the objectives.
Source: Thought Leadership Institute-PricewaterhouseCoopers
Risk Based KPIs and KRIs
Company Objectives – Managing Business Risk within your organization
The slide's process diagram (labels recovered; layout not reproduced) covers six stages: Business Objectives, Significant Business Issues, Event Identification, Risk Assessment, Risk Response and Control Activities. For each stage the slide lists the review areas and the focus:
Business Objectives
  Review areas: client mission statement, client objectives, business unit objectives, targets, performance measures
  Focus: key drivers, dependencies, performance management, track record, completeness, integration, SMART
Significant Business Issues
  Review areas: current major issues, potential future events, capture process, impact analyses, response management, planning process
  Focus: roles & responsibilities, data management, issues management, integration with business planning
Event Identification
  Review areas: event portfolio, internal/external, capture process, repository, maintenance/refresh
  Focus: roles & responsibilities, data management, event management, integration with business planning
Risk Assessment
  Review areas: risk portfolio, definitions, categorizations, assessment criteria, structure
  Focus: roles & responsibilities, timing & frequency, expert involvement, consistency
Risk Response
  Review areas: client business process model, policies, procedures, response portfolio, definitions, decision drivers, decision criteria
  Focus: process completeness, communications, training, roles & responsibilities
Control Activities
  Review areas: monitoring effectiveness, process
  Focus: roles & responsibilities, decision protocols, reporting, timing
Source: Axena, Inc. All rights reserved
Risk Based KPIs and KRIs
Company Objectives – Managing Business Risk within your organization
Company objectives, if managed without regard to the risk management system (ERM), to alignment with the strategic issues, to the direction of business development and to operating conditions, lose their footing in the company's operations. A link is therefore needed to serve as navigation and control, namely a risk management system based on KRIs and KPIs, so that:
1. Management learns early of the potential for company targets/objectives not to be met because of developing risks.
2. Management can put together effective mitigation programs to anticipate developing risks.
Risk Based KPIs and KRIs
Risk Identification
Risk identification:
• is the process of recognising every possibility (event) that can arise in a business activity and that relates to a company objective;
• accurate and comprehensive risk identification is vital to risk management;
• an important aspect of risk identification is recording (registering) as many of the risks that could occur as possible.
In the COSO framework a distinction is made between risks and opportunities: a possible event with a negative impact is called a risk, whereas an opportunity is a possible event that can have a positive impact (natural offsets/opportunities) and that supports the strategy for achieving the objectives.
Risk Based KPIs and KRIs
Risk Identification – The Techniques
Risk identification yields a body of information about risk events, about their causes, and even about the impacts those risks could produce. Techniques that can be used for risk identification include:
• Benchmarking
• Professional judgement (opinions of experts in the field)
• Interviews, surveys (observation)
• Historical information (analysis of historical data)
• Working groups (brainstorming)
• etc.
Benchmarking
• Look for information about risks at other places or companies that are similar at some level (e.g. same market, business portfolio, industry, etc.).
• Benchmark data must be adjusted to the actual conditions that the company itself faces.
• Examples:
  – From mass-media or internet reports it is known that natural disasters in Indonesia have a very high likelihood; this indicates that, in general, the Business Interruption risk from natural disasters is very large.
  – World oil prices rise? ...
  – US bank interest rates fall? ...
  – Air fares rise? ...
Risk Based KPIs and KRIs
Risk Identification – The Techniques
Professional Judgment (opinions of experts in the field)
• Seek information from experts in a particular risk area about the risks that affect a company objective.
• Examples:
  – By asking a banker, one learns that economic instability in the US poses a foreign-exchange risk for transactions in foreign currency (US dollars).
  – By asking a doctor, one learns that people with high cholesterol are at risk of heart disease.
Risk Based KPIs and KRIs
Risk Identification – The Techniques
Observation/Survey
• Investigate or gather data directly at the scene, using questionnaires or interviews (primary data).
• Examples:
  – A CSLS (Customer Loyalty and Satisfaction Survey) shows that low satisfaction brings a risk of customer churn.
  – Observing the production process and the availability of the PLN power supply shows that the company faces a risk of power outages (an "interruptible" power supply).
• What about the validity of secondary data? ...
Risk Based KPIs and KRIs
Risk Identification – The Techniques
Historical Data Analysis
• Use the various information and data available inside the company about everything that has happened before.
• Historical data should usually cover more than one past period so that the risk prediction is more accurate.
• Examples:
  – Historical HR data reveals the risk of losing key employees.
  – Historical financial data reveals the risk of declining revenue growth.
  – Historical market data reveals the risk from the level of competition in an industry.
Risk Based KPIs and KRIs
Risk Identification – The Techniques
Working Group (Brainstorming)
• Using the available information and data, the risk management team holds a creative-thinking (brainstorming) discussion to recognise the potential risks to an objective.
• Successful creative thinking usually produces an accurate formulation of the risks to an objective.
• Example:
  – Brainstorming over global market data shows that the company objective to "invest in broadband" will face risks of technology and competition, country risk factors, etc.
Risk Based KPIs and KRIs
Alignment of KPIs and KRIs – Alignment Process
Alignment between KRIs and KPIs is therefore highly significant if the objectives are to be achieved. The alignment process (slide figure; labels recovered, layout not reproduced) links two cycles:
Risk Management: identify risks; quantify risk; agree acceptable risk levels; identify risk-related actions; monitor changes (internal/external).
Performance Management: agree strategic objectives; identify actions required; monitor performance; update objectives.
"An ounce of prevention is worth a pound of cure." – Benjamin Franklin
KRIs and Dashboards
Defining Key Risk Indicators
Definition
• Key Risk Indicators (KRIs) are the key factors of a risk, used in the management process to determine the level of risk in a business activity. They are indicators of the possibility of future adverse impact.
• KRIs give management an early-warning signal for identifying events that could obstruct a program/activity.
• The measure is usually presented as statistics or a particular matrix, with a formula or model, providing information on the position of a risk the company faces.
• KRIs differ from Key Performance Indicators (KPIs): KPIs are intended as measures of the success of a work program (a business activity related to the objectives).
Defining Key Risk Indicators
KRI categories
Key Risk Indicators can basically be grouped into 4 (four) categories:
• Coincident indicators: measures that represent failures occurring simultaneously in internal business processes. Example: failure to complete a procurement/investment project, which at the same time risks the failure of technology-based product development.
• Causal indicators: measures of failure derived from the failure of a root-cause event. Example: a technology-failure risk that causes customer-churn risk.
• Control effectiveness indicators: measures of the failure rate derived from performance monitoring. Example: the percentage increase in ARPU of Flexi customers.
• Volume indicators (inherent risk indicators): usually equated with KPIs; they can determine the position of the likelihood and impact of a risk (these indicators usually correlate with other risks). Examples: number of customers, bandwidth capacity, etc.
KRIs and Dashboards
Defining Key Risk Indicators
Method for determining KRIs
Several approaches can be used to determine KRIs accurately and effectively. One effective and well-structured approach uses 6 steps (related to the 6-sigma tools):
1. Identify existing metrics.
2. Assess gaps.
3. Improve metrics.
4. Validate and determine trigger levels.
5. Design dashboard.
6. Establish control plan.
These six steps are one approach that can be applied to determine KRIs, from identifying and validating candidate KRIs through to implementing them as an early warning in any kind of business model.
KRIs and Dashboards
Defining Key Risk Indicators
1. Identify existing metrics.
• To determine KRIs, the first step is a risk assessment, so that all events can be identified, assessed and grouped according to criteria that can be monitored and analysed by root cause (cause-and-effect analysis). Tools that can be used include the fishbone diagram, etc.
• In determining KRIs, the important events that directly affect the risk, both inherent risk and residual risk, are usually identified.
• The next step is to determine metrics (candidate KRIs) for each high-risk event.
• In determining KRIs, the more event measures (metrics) that influence a risk, the more effective the KRIs are at depicting the risk potential.
• Common practice for effective KRIs: a risk has 5 to 10 potential KRI metrics, covering at least one or more of the KRI categories (coincident, causal, control, and volume).
Example:
• Determining the risks in call-centre operations.
• The risks identified are: customers not handled professionally, and inaccurate customer information.
KRIs and Dashboards
Defining Key Risk Indicators
2. Assess gaps.
Once the inventory of all potential KRIs is complete, the next step is to evaluate the suitability and effectiveness of each indicator (metric). Two tools are used:
• the gap assessment
• the design matrix
The Gap Assessment Tool: the gap assessment shows whether the indicators (metrics) in the inventory will be effective as KRIs. The measure used is a composite score table; a score above 4 is usually the sufficient condition for an indicator to be adopted as a KRI.
KRIs and Dashboards
Defining Key Risk Indicators
Design Matrix
The design matrix is a 6-sigma-style matrix table that relates the Risk Event Drivers (RED) to the indicators in the inventory. A RED is a root cause that influences the occurrence of an event (indicator). Each RED is weighted according to its percentage contribution.
The matrix is scored with the 0-1-3-9 criteria; each indicator that scores 9 receives a Y rating.
Using these two tools together, the indicators (metrics) that are suitable and effective as KRIs can be determined.
KRIs and Dashboards
Defining Key Risk Indicators
3. Improve metrics.
The "improve metric" process compares the assessment results of the two tools, the gap assessment and the design matrix. The comparison is done as follows:
• Analyse the indicators that scored "9" in the design matrix but scored low in the gap assessment. If a solution or a justification can be found for the low score, the indicator can be considered as a KRI.
• Next, analyse the indicators that scored high in the gap assessment but did not get a "9" in the design matrix. If a modification can raise their design-matrix rating significantly, these indicators can also become alternative KRIs. At this stage the potential KRIs (indicators) may be modified.
• The step closes by deleting all indicators that do not have a sufficient relationship according to the scores from both tool tables.
KRIs and Dashboards
Defining Key Risk Indicators
4. Validation and trigger-level identification.
• The previous steps usually rely on subjective judgement to assess the relationship between the risk-event drivers and the metrics. For indicators where this relationship can reasonably be stated (self-evident at the operational level), no validation is needed.
• But if there is a new metric (see step 3, metric modification), a validation process is needed to confirm that the metric is a KRI.
• Validation generally uses historical data; if none is available, suitable assumptions can be made to describe the correlation between the risk-event drivers and the modified metrics, from which the trigger levels are identified (see the example on the slide).
KRIs and Dashboards
Defining Key Risk Indicators
5. Dashboard design.
• As part of determining KRIs that are suitable and effective at depicting the development of a risk, the dashboard is a very important element for business managers, process owners and senior management.
• The dashboard is part of the risk management process and is useful in the monthly business review and in other meetings on the achievement of company objectives.
• A dashboard usually uses graphs and tables that show precise and comprehensive information on the company's risk condition and on the KRIs that concern management.
KRIs and Dashboards
Defining Key Risk Indicators
6. Control plan and escalation criteria.
• The main function of the control plan is to ensure that escalation criteria and roles are available for intervening on the agreed KRIs, so that whoever treats a KRI affecting a company objective, and whenever they do so, the treatment does not alter the processes and procedures set at the outset.
• A control plan generally contains: the KRI metric, the measurement frequency, a description of the measurement system, goals, trigger levels, escalation criteria, and the owner of the escalation criteria (as shown in the example table on the slide).
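The six steps above are mechanical enough to code, and doing so makes the selection reproducible and auditable. The following is an added example, not code from the deck or from Telkom, that takes the call-centre risk from step 1 ("customers not handled professionally"), scores a constructed inventory of candidate metrics with the design matrix (weighted RED contributions on the 0-1-3-9 scale) and the gap-assessment composite score, applies the step 3 combination rules, and then evaluates live measurements against the trigger levels and escalation owners of a step 6 control plan. The RED weights, candidate metrics, scores and trigger levels are all constructed assumptions.

```python
"""Selecting KRIs with a design matrix and gap assessment, then wiring trigger
levels and escalation into a control plan.

Added example, not from the original deck. The risk-event drivers, their weights,
the candidate metrics, their scores and the trigger levels are constructed for the
call-centre example named in step 1; a real exercise fills them in from the workshop.
"""

# Risk event drivers (RED) for "customers not handled professionally", weighted by
# assumed percentage contribution (weights sum to 1.0).
RED_WEIGHTS = {"untrained_agents": 0.5, "stale_customer_data": 0.3, "understaffing": 0.2}

# Candidate metrics from the inventory: composite gap-assessment score (constructed)
# and design-matrix relationship to each RED on the 0-1-3-9 scale.
CANDIDATES = {
    "avg_handle_time_s":      {"gap": 4.5, "rel": {"untrained_agents": 9, "stale_customer_data": 3, "understaffing": 3}},
    "first_call_resolution":  {"gap": 3.0, "rel": {"untrained_agents": 9, "stale_customer_data": 3, "understaffing": 1}},
    "crm_refresh_lag_days":   {"gap": 4.8, "rel": {"untrained_agents": 0, "stale_customer_data": 9, "understaffing": 0}},
    "queue_abandon_rate_pct": {"gap": 4.2, "rel": {"untrained_agents": 1, "stale_customer_data": 0, "understaffing": 9}},
    "agents_on_shift":        {"gap": 4.6, "rel": {"untrained_agents": 1, "stale_customer_data": 0, "understaffing": 3}},
    "coffee_consumption_kg":  {"gap": 1.5, "rel": {"untrained_agents": 1, "stale_customer_data": 0, "understaffing": 1}},
}
GAP_THRESHOLD = 4.0       # "a score above 4" from step 2


def design_matrix_score(rel, weights=RED_WEIGHTS):
    """Weighted relationship score: sum over REDs of weight x 0/1/3/9 relationship."""
    return round(sum(weights[red] * score for red, score in rel.items()), 2)


def design_matrix_rating(rel):
    """Step 2: an indicator with any '9' relationship gets rating Y."""
    return "Y" if 9 in rel.values() else "N"


def classify(cand):
    """Step 3: combine the two tools.
    KRI        - Y in the design matrix and gap score above threshold
    review_gap - Y in the design matrix but low gap score (justify or drop)
    review_rel - high gap score but no 9 (modify the metric, then validate in step 4)
    drop       - insufficient relationship in both tools"""
    strong_rel = design_matrix_rating(cand["rel"]) == "Y"
    strong_gap = cand["gap"] > GAP_THRESHOLD
    if strong_rel and strong_gap:
        return "KRI"
    if strong_rel:
        return "review_gap"
    if strong_gap:
        return "review_rel"
    return "drop"


def select_kris(candidates=CANDIDATES):
    """Classify every candidate in the inventory."""
    return {name: classify(c) for name, c in candidates.items()}


# Step 6: control plan for the adopted KRIs. Trigger levels are assumed;
# "higher_is_bad" says in which direction a measurement breaches them.
CONTROL_PLAN = {
    "avg_handle_time_s":      {"frequency": "daily",  "goal": 300, "warn": 360, "escalate": 420, "higher_is_bad": True, "owner": "call-centre manager"},
    "crm_refresh_lag_days":   {"frequency": "weekly", "goal": 1,   "warn": 3,   "escalate": 7,   "higher_is_bad": True, "owner": "CRM system owner"},
    "queue_abandon_rate_pct": {"frequency": "daily",  "goal": 3.0, "warn": 5.0, "escalate": 8.0, "higher_is_bad": True, "owner": "workforce planning"},
}


def evaluate(kri, value, plan=CONTROL_PLAN):
    """Steps 4 and 6: compare a measurement with its trigger levels and return
    (status, owner), where status is 'ok', 'warning' or 'escalate'."""
    p = plan[kri]
    sign = 1 if p["higher_is_bad"] else -1     # flip the comparison for lower-is-bad KRIs
    if sign * value >= sign * p["escalate"]:
        return "escalate", p["owner"]
    if sign * value >= sign * p["warn"]:
        return "warning", p["owner"]
    return "ok", p["owner"]


if __name__ == "__main__":
    for name, verdict in select_kris().items():
        print(f"{name:24s} score={design_matrix_score(CANDIDATES[name]['rel']):4.1f} "
              f"rating={design_matrix_rating(CANDIDATES[name]['rel'])} -> {verdict}")
    print(evaluate("queue_abandon_rate_pct", 12.0))
```

Three candidates come out as KRIs, one goes back for justification of its low gap score, one goes back for metric modification, and the noise candidate is dropped; a 12% abandon rate then escalates to the workforce-planning owner named in the control plan, which is the point of step 6: the intervention path is fixed before the breach happens.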
KRIs and Dashboards
Defining Key Risk Indicators
Example cause-and-effect (fishbone) diagram from the slide (labels recovered; layout not reproduced). Main branches: Deployment, Sales, Churn, Usage; effect: Net Add & ARPU. Other labels on the diagram: ready for sale, recovered lines (ex-disconnections), repair, existing potential; poor product quality, poor after-sales service, uncompetitive price; price, tariff, gimmick; arrears, Aps, disconnection management, turnover, competitor; voice, data, SMS, demand, penetration.
KRIs and Dashboards
Structuring Vision-Mission – KRIs (slide figure; labels recovered, layout not reproduced)
Vision – Mission
STRATEGIC OBJECTIVE: Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
Corporate 10 Strategic Initiatives
Significant risks, deployed through risk identification & assessment, and the notable significant risks related to performance, in three categories (strategic risk, financial risk, operational risk): business growth, revenue leakage, business interruption, forex, interest rate, liquidity, cost efficiency & effectiveness, control efficiency & effectiveness.
Key Risk Indicators by category: co-incident indicators, causal indicators, volume indicators.
KRIs and Dashboards
Defining a Dashboard (slide figure; labels recovered, layout not reproduced)
Risk categories on the dashboard: business growth, strategic risks, financial risks, operational risks, market risks. For each risk the dashboard shows the risk map/level, the key risk indicators and the early warning system.
Example KRIs for business growth: minutes of usage, # LIS current (lines in service), # LIS churn, tariff.
Data sources: TLKM products (Flexi, Speedy); the data warehouse; TLKM's existing applications (TiBS, TREMS, TiCARES); external information and internal sources.
Each risk position is a function of its KRIs: PTA1 = f [KRI1, KRI2, ..., KRIn]; if, for instance, f(x) = KRI1 × (KRI2 − KRI3), the result is compared with the appetite level (S1) on a dynamic map of indicators.
Phone: 082140035418
Email: wisnuw@telkom.co.id
The Application of Enterprise Risk
Management at ‘Airport Administrator’
or ‘Aviation Administration’
i nyoman wisnu wardhana
28 November 2014
Content
• Introduction
• The Governance and Its Structures
• The Process of Implementing ERM at AA
ERM for Aviation – Airport Administration
Introduction
The Legislation of AA (figure from the Federal Aviation Administration, US; not reproduced in this text)
How about in Indonesia?
Introduction
The Scope of AA
ERM is defined as a holistic approach and process to identify, prioritize, mitigate, manage,
and monitor current and emerging risks in an integrated way across the breadth of the
enterprise.
What do you think?
Airports are unique in operations, customers, structure, stakeholders, and objectives;
consequently, the approach to ERM implementation should be tailored to each airport.
Then, how to create the ERM framework and
develop ERM processes?
Introduction
The Scope of AA (cont.)
The scope covers some areas v. the purpose of administration:
Scope: AA usually defines its scope as
• Airport policymakers
• Stakeholders: regulators, suppliers, airline partners, local communities, public users, and auditors
Purpose:
• Accountability for managing uncertainty.
• Airports need to demonstrate that risk is effectively considered and controlled, especially during strategic decision-making.
• Transparency in the risk management process.
• Policymakers to provide assurance that the organization's internal controls and management decision-making are effective.
ERM for Aviation – Airport Administration
The rationale for implementing ERM for AA
 Airports have always focused on
preventing hazards and finding
ways to reduce the risks
associated with their operations.
 Many airports face resource
constraints, and staff are stretched
thin by the multitude of activities
they are asked to accomplish.
However, merely promoting safety in operations and
insuring against natural disasters is not sufficient. Airports
must also manage the broad array of strategic and
operational risks facing an ever-changing aviation industry
In such an environment, ERM can be an important
management tool that assists airport staff in driving
decision-making and allocating resources on a risk-based
basis.
Through ERM, potential risks and emerging opportunities are proactively identified, assessed, monitored, and addressed on an organization-wide basis. By understanding financial, operational, strategic, and reputational risks and opportunities, the airport can capture the full gamut of the uncertainty that is faced in all facets of airport operations.
ERM for Aviation – Airport Administration
What is an ERM?
ERM is a structured, consistent, and continuous system that is applied across an entire organization to manage uncertainty. Risks are uncertain future events that can influence an organization's ability to achieve its objectives. The term "risk" is usually used in one of three distinct senses:
• Risk as threat versus exposure: risk considered as a threat implies potential negative events that could result in financial or reputational harm to the organization, whereas risk considered as exposure could also be positive.
• Risk as variance: this interpretation of risk includes the distribution of all possible outcomes, both positive and negative. Stated differently, risk is synonymous with variance.
• Risk as opportunity: this understanding of risk is based on the concept that a relationship exists between risk and return. The greater the risk, the greater the potential return and the greater the potential for loss.
ERM for Aviation – Airport Administration
ERM v. Traditional Risk Management
ERM versus Traditional Risk Management

Risk identification and assessment
  ERM: critical airport risks are identified, quantified, and weighted against opportunity; risk/opportunity drivers are identified; effectiveness of risk controls is evaluated; risk/opportunity materiality is considered; risk/opportunity ownership is assigned.
  Traditional: focus on hazards and transferable risks; insurable risks are identified and assessed based on the relative availability of insurance.
Risk mitigation strategies
  ERM: a variety of options are considered, including risk transfer options and organizational change; strategies are developed for pursuing opportunities that take into account potential risks.
  Traditional: balance of available insurance policy limits against retained levels of financial loss (deductibles, retention levels); risk management is intuitive and indistinct from standard operating process.
Monitoring and reporting
  ERM: ongoing; integral to airport strategy; helps to ensure the integrity of financial reporting.
  Traditional: static; revisited in response to an event or annual audit.
How risks are viewed
  ERM: there is an aggregated view of risk across the enterprise; the balanced relationships between opportunities and risks are evaluated; entity-level portfolio of risks and opportunities.
  Traditional: risks are viewed in silos; risks as individual hazards.
Risk categories
  ERM: all risk/opportunity categories are considered (e.g., hazard, financial, strategic, operational, people, legal, regulatory, etc.).
  Traditional: risk categories tend to focus on hazard, safety, and financial.
Ultimate goal
  ERM: risk/reward optimization, preserve and create value.
  Traditional: mitigation of insurable risks; minimize risk transfer spend.

Traditional risk management focuses on risks independent of business concerns and organizational strategy!
ERM for Aviation – Airport Administration
The Value of ERM at AA
Internally, value is created by helping managers to better understand their risk profile, better anticipate financial performance, mitigate risks, make better-informed decisions, and leverage opportunities.
Externally, ERM enables an organization to satisfy policymakers' and external stakeholders' (auditors, regulators, partners, public users, and local communities) expectations of internal control and risk management.
Risk awareness: ERM provides a framework for the aggregation of risks and opportunities across an airport, resulting in better visibility.
Proactive preparation for catastrophic events: ERM also aids airports in developing plans for addressing events that are very unlikely to occur but that will have a very significant impact if they do materialize: natural catastrophes, terrorist attacks, ash-producing volcanic eruptions, extreme weather, airplane crashes, and pandemic/infectious disease (Ebola, H1N1 influenza, H5N1 influenza, and SARS).
Business uncertainty: in the aviation industry the market is changing; tighter competition, aging infrastructure, increased reliance on non-aviation revenue, and increasingly unstable financial status.
Addressing financial uncertainty: ERM can identify strategies to protect an airport's balance sheet from unexpected losses.
Meeting policymaker and stakeholder expectations.
ERM for Aviation – Airport Administration
The ERM Standards
Numerous best-practice risk management guidelines, requirements, and standards exist, varying in content and methodology according to the jurisdiction or governing body that employs them. Each individual standard exhibits particular strengths and incentives for adoption; however, all ERM standards aim to:
 Ensure appropriate ERM accountability,
 Enhance organization flexibility and resiliency, and
 Account for the full spectrum of risks.
COSO ERM Integrated Framework
ISO 31000
AIRMIC-ALARM-IRM
Basel II
ERM for Aviation – Airport Administration
The ERM Framework
Airports are both quasi-public entities and business operations and therefore are directed by
policymaking bodies, may be part of a larger governmental entity, and must tailor their
operating activities and business decisions to satisfy multiple stakeholder agendas.
Each airport has a unique combination of operating environment, governance structure, and
organizational culture. An airport’s ERM framework should reflect this. Nonetheless, there
are also a number of common fundamental elements that every airport should consider
when implementing an ERM framework:
 Governance and Infrastructure  An enterprise-wide approach
 Identification and Prioritization  Risks and opportunities
 Controls and Risk Response  Current controls are assessed
 Monitoring and Reporting  A strong governance to facilitate risk reporting & monitoring
 Implementation  A plan is in place to guide and drive ERM implementation
 Integration with key processes  The ERM framework is aligned with key processes
 Continuous Improvement and Sustainability  The ERM is reviewed against performance
The Governance and Its Structures
The ERM Platform and Structure
Governance provides the platform and structure on which to build and develop ERM across an airport administration. It is important to consider each step to ensure that the pillars providing the foundation for ERM are established and tailored to the airport administration’s culture, structure, and objectives.
1. ERM policy and strategy
2. Risk appetite
3. Executive sponsorship
4. Appropriate positioning
5. Developing a governance structure.
Senior management support and participation are critical for these activities!
The Governance and Its Structures
The ERM Policy and Strategy
ERM Policy
The ERM policy is a formal acknowledgement of the AA’s commitment to take an enterprise-wide approach to managing risk, and it strives to accomplish uniformity across the ERM implementation process. The ERM policy should include (at a minimum):
 The rationale for ERM
 A reference to the risk appetite of the airport
 The role of employees in the ERM framework
 Sign-off by the CEO or board
ERM Strategy
The purpose of the ERM strategy is to provide an overview of the AA’s ERM framework. The strategy should act as a reference policy for those with risk management responsibilities. It may:
 Outline the purpose of the AA’s ERM strategy
 Outline the aims of the ERM framework
 Include a statement on risk appetite
 Provide an overview of the ERM process
 Outline roles and responsibilities
 Include performance management
The Governance and Its Structures
The Risk Appetite and Tolerance
An organization’s risk philosophy is a set of shared beliefs and attitudes characterizing how the organization considers risk in its business operations, from strategic planning and implementation to day-to-day activities.
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style.
Risk tolerance is arguably a more empirical measure of how much loss an organization can withstand on its balance sheet before certain parameters are breached (COSO, 2004).
Area / Sample Risk Appetite Statement
Financial
 To maintain an investment grade of IDR 25 T annually (until 2020)
Safety
 To achieve a recordable case rate or lost time injuries of not more than 1 per 1000 hours worked (within a 3-year timeframe)
 Zero tolerance on loss of life or serious injury
Energy efficiency
 To ensure a reduction in energy consumption per unit produced of no less than X% in 10 years
Regulatory
 Zero tolerance on compliance breaches
Reputation
 To reduce the number of negative national media press coverage incidents
Market
 To maintain 2 million passengers/customers monthly
 Customer growth of 5% annually
The Governance and Its Structures
Management Commitment
Successful ERM implementation requires the airport administrator’s senior management to be fully committed to the ERM framework and processes.
Questions from Senior Leaders:
 At this airport, I am too busy dealing with today’s issues; I don’t have the time and energy for ERM. Do I have to get involved?
 What will be the immediate results and efficiencies?
 We don’t have the people or resources to do ERM; how can I possibly do this?
 Management is aware of what the top risks and opportunities are. It is common sense. Why is a risk register needed?
 We focus on proactive management of safety risks and respond to other risks when they occur, and we have never had any problems. Why introduce ERM now?
 I am not a risk management professional; how do you expect me to do ERM?
 ERM seems to simply be documenting what we already do. Isn’t that just bureaucracy?
The Governance and Its Structures
The Structure
Airports vary in their size and organizational structure; therefore, there is no prescribed ERM governance structure.
The structure most appropriate for a particular airport will be influenced by the maturity of the current risk management processes, resource capabilities, skill sets, existing processes, size, and structure.
The Governance and Its Structures
The Structure and its Roles
Role / Example Responsibilities
Board
 Approve the ERM policy, strategy, and framework
 Review the key risks to the airport and the controls that are in place and provide assurance to stakeholders that the risks and opportunities are being effectively mitigated
 Promote their support of ERM
AA’s Senior Leader Team/ERM Committee
 Provide guidance and oversight to the ERM framework
 Challenge the effectiveness of the ERM framework
 Regularly review the ERM policy and strategy to ensure that it underpins the airport’s strategy and objectives
 Agree on the risk appetite for the airport
 Ensure all emerging risks are appropriately managed
 Allocate sufficient resources to address top risks
 Create an environment and culture where ERM is promoted, facilitated, and appropriately undertaken by the organization
Audit Committee
 Gain assurance for the organization that ERM is being properly undertaken
 Review risks arising through key third-party relationships and ensure that these risks are adequately managed
 Ensure insurance and other risk financing is used effectively within the ERM process
Risk Champions
 Communicate the benefits of ERM across their operational area
 Help facilitate the ERM process and risk reporting procedures across their operational area
 Help ensure that the commitment of key stakeholders is obtained
 Share best practices across the Risk Champion Network
All Staff
 Take due care to understand and comply with the ERM processes
 Monitor their own area on an ongoing basis to identify new and emerging risks and opportunities and escalate as required
An example of the AA’s Senior Leaders’ role.
The Process of Implementing ERM at AA
The Basic PDCA of ERM
The ERM process is a continuous process that involves the identification and prioritization of risks and opportunities and the implementation of actions to mitigate top risks and capture opportunities.
In addition, the ERM process focuses on reporting on risks and opportunities across the organization to allow for an aggregated view of risks and opportunities.
This builds on the concept of the Plan-Do-Check-Act (PDCA) cycle, also known as the Deming Cycle of continuous improvement.
The Process of Implementing ERM at AA
Risk Identification Techniques
Risk identification sessions can and should occur at any level of the airport administration: the board level, departmental level, even the single team level. Risk identification techniques to consider include the following:
 Analysis of previous losses, events, incidents, or lessons learned
 Process flow analysis
 Business impact analysis
 Questionnaires
 Interviews
 Facilitated workshop
 Scenario analysis
 Review of the previous risk register (if one exists)
Questions that might be used:
 What are the top five risks facing the airport or your department?
 What are the causes of each of these risks?
 What are the consequences of each of these risks?
 What are the top three current controls in place against each of the risks identified?
 How effective are these controls?
 How are the risks currently monitored?
The Process of Implementing ERM at AA
Risk Categories
In terms of the types of risk that an airport should be considering during this process, it is not possible to develop a set of risks, opportunities, and categories that would fit all airports. Likewise, there is no one right way of listing or categorizing risk.
Some example opportunities are the following:
 Attracting new service, frequencies, and destinations
 Enhancing the business model through new airline agreements
 Commercial development of available land
 Community partnerships
 Renewable energy
 Further optimization of internal processes
 Optimizing terminal concessions
 Attracting new internal service
The Process of Implementing ERM at AA
Prioritization of Risk
To assess each risk in terms of impact and likelihood, assessment scales should be
developed. It is important for each airport administrator to develop assessment criteria
that are tailored to its operations, strategy, and size. In terms of customizing the
assessment criteria, the following should be considered:
 Materiality: the airport administrator’s risk appetite and tolerance statements can be used to inform the development of the assessment criteria.
 Number of assessment scales: this will depend on the desired level of complexity.
 Financial impact: the risk appetite can be used to determine the financial impact scales.
 Impact descriptors: financial impact is not always the only impact a risk can have for an airport. Impact to reputation, disruption to operations, or environmental damage may also be significant.
 Likelihood horizon: it is recommended that the likelihood scale is aligned to the time horizon of the airport administrator’s strategy.
The Process of Implementing ERM at AA
Risk Acceptance Criteria
Developing risk-assessment criteria is essential to improving consistency in risk prioritization across the organization and removing subjectivity from the process.
Risk Score = Impact x Likelihood
[Figure: Example of Impact Criteria]
[Figure: Example of Likelihood Criteria]
The Process of Implementing ERM at AA
Risk Map
Impact and likelihood assessments also allow for a risk map (or heat map) to be created. This is a simple illustration of the airport administration’s risk profile and can be used for communicating with boards, senior management, and other stakeholders.
[Figure: Risk map with Impact (Very Low to Very High) on one axis and Likelihood (Very Low to Very High) on the other, the risk appetite line drawn across the grid, and each risk plotted by its code]
Legend:
S.1. Business Growth
S.2. Merger & Acquisition
S.3. Regulatory
S.4. Technology Shift
S.5. Culture Transformation
S.6. Legal/Litigation
S.7. Customer Profiling
O.1. Return on Investment
O.2. Fixed Assets Mgt
O.3. Information Technology
O.4. Compliance
O.5. Revenue Leakage
O.6. Human Resources
O.7. Business Interruption
F.1. Foreign Exchange
F.2. Interest Rate
F.3. Liquidity
F.4. Cost Efficiency & Effectiveness
The Process of Implementing ERM at AA
Risk Map (cont.)
Top 10 business risks for telecoms operators:
1. Failure to shift the business model from minutes to bytes
2. Disengagement from the changing customer mindset
3. Lack of confidence in return on investment
4. Insufficient information to turn demand into value
5. Lack of regulatory certainty on new market structures
6. Failure to capitalize on new types of connectivity
7. Poorly managed M&A and partnership
8. Failure to improve business metrics
9. Privacy, security, and resilience
10. Lack of organizational adaptation to changing strategic needs
Below the radar:
 A more pressing green agenda
 Concentration of equipment vendors
 Difficulties in managing debt and cash
 Evolving service cannibalization scenarios
Prioritize
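As an added example (not part of the original deck), the scoring and prioritization rules above implemented in Python: Risk Score = Impact x Likelihood on 5-point scales, each risk compared against an appetite line, and the register ranked and placed on a text heat map. The risk codes and names come from the deck's legend; the impact/likelihood ratings, the appetite threshold and the zone bands are constructed assumptions.

```python
"""ERM risk scoring and heat-map placement (added example, not from the deck)."""
from dataclasses import dataclass

# 5-point assessment scale used on the deck's risk map axes (Very Low .. Very High).
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}
LEVELS = list(SCALE)  # ordered VL .. VH


@dataclass(frozen=True)
class Risk:
    code: str
    name: str
    impact: str      # key of SCALE
    likelihood: str  # key of SCALE

    @property
    def score(self) -> int:
        # The deck's rule: Risk Score = Impact x Likelihood
        return SCALE[self.impact] * SCALE[self.likelihood]


# Codes and names follow the deck's legend (S = strategic, O = operational,
# F = financial); the impact/likelihood ratings are constructed for illustration.
REGISTER = [
    Risk("S.1", "Business Growth", "VH", "H"),
    Risk("S.2", "Merger & Acquisition", "H", "L"),
    Risk("S.3", "Regulatory", "H", "M"),
    Risk("S.4", "Technology Shift", "H", "H"),
    Risk("S.5", "Culture Transformation", "M", "H"),
    Risk("S.6", "Legal/Litigation", "H", "L"),
    Risk("S.7", "Customer Profiling", "M", "H"),
    Risk("O.1", "Return on Investment", "H", "M"),
    Risk("O.2", "Fixed Assets Mgt", "M", "M"),
    Risk("O.3", "Information Technology", "H", "M"),
    Risk("O.4", "Compliance", "VH", "L"),
    Risk("O.5", "Revenue Leakage", "H", "VH"),
    Risk("O.6", "Human Resources", "M", "L"),
    Risk("O.7", "Business Interruption", "VH", "VL"),
    Risk("F.1", "Foreign Exchange", "H", "H"),
    Risk("F.2", "Interest Rate", "M", "M"),
    Risk("F.3", "Liquidity", "H", "VL"),
    Risk("F.4", "Cost Efficiency & Effectiveness", "M", "H"),
]

# Constructed appetite line: a score above it is outside the airport's appetite.
APPETITE_THRESHOLD = 12


def zone(risk: Risk, threshold: int = APPETITE_THRESHOLD) -> str:
    """Heat-map zone relative to the appetite line (constructed bands)."""
    if risk.score > threshold:
        return "red"      # outside appetite: a risk response plan is required
    if risk.score * 2 > threshold:
        return "amber"    # within appetite but close to it: monitor
    return "green"        # retain the risk, review periodically


def score_register(register):
    """Rank risks highest score first; ties broken by impact, then code."""
    return sorted(register, key=lambda r: (-r.score, -SCALE[r.impact], r.code))


def top_risks(register, n=5, threshold=APPETITE_THRESHOLD):
    """Codes of the n highest-scoring risks that sit outside appetite."""
    return [r.code for r in score_register(register) if r.score > threshold][:n]


def heat_map(register):
    """Group risk codes by (impact, likelihood) cell, as plotted on the deck's map."""
    cells = {}
    for r in score_register(register):
        cells.setdefault((r.impact, r.likelihood), []).append(r.code)
    return cells


def render_heat_map(register):
    """Text heat map: rows = impact (VH at top), columns = likelihood (VL .. VH)."""
    cells = heat_map(register)
    lines = ["Impact\\Likelihood " + " ".join(f"{lik:>12}" for lik in LEVELS)]
    for imp in reversed(LEVELS):
        row = [f"{imp:>17}"]
        for lik in LEVELS:
            row.append(f"{';'.join(cells.get((imp, lik), [])):>12}")
        lines.append(" ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    for r in score_register(REGISTER):
        print(f"{r.code:<4} {r.name:<34} {r.impact:>2} x {r.likelihood:>2} = {r.score:>2}  {zone(r)}")
    print("Top risks outside appetite:", top_risks(REGISTER))
    print(render_heat_map(REGISTER))
```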
The Process of Implementing ERM at AA
Review of Risk Controls
The majority of airports that complete the ERM process will find that they already have various
controls in place for the identified risks. This stage in the process is focused on reviewing and assessing
whether these controls effectively mitigate those risks to the required level so that a decision can be
made about whether additional controls may be required. During this review, opportunities should
also be evaluated to ensure that strategies are in place to maximize value.
The controls in place for each of the top risks should be identified and recorded in the risk register.
Then, a small group of people with a good understanding of the risk and the controls should use
control assessment criteria to decide whether those controls are (1) completely effective and no
additional controls are required, (2) partially effective and additional controls need to be considered,
or (3) not effective and additional controls must be put in place to control the risk.
The Process of Implementing ERM at AA
Risk Response Planning – Treatment Options
Risk response planning is essential to ensure that steps are taken to mitigate key risks
to the airport. The aim is to reduce the risk profile of the airport to an acceptable level,
based on the amount of risk the airport is willing to accept.
This does not mean that every risk can or indeed needs to be mitigated until it falls
into the green area on the risk map. Some risks, by their nature, cannot be mitigated
to a very low impact or likelihood, and others the airport may decide to accept at a
higher level. The benefits (reduced likelihood or reduced impact) of proposed
treatments should be considered against the cost of implementing them.
Retain the risk. Decide to accept the risk as it is and do nothing further to mitigate it. Risks that are accepted may still require monitoring and review.
Avoid the risk. This applies if the risk is undesirable or the organization does not have the capability to manage it. One example of how to avoid a risk is stopping a certain process or activity completely.
Modify the risk. This involves putting in place additional risk control measures that reduce the likelihood and/or the impact of the risk to an acceptable level.
Transfer the risk. This involves transferring the cost of the risk to a third party through insurance, contracts, or outsourcing the activity.
The Process of Implementing ERM at AA
Developing Risk Response Plans
A risk response plan is a tool to record, assign responsibility for, and monitor those additional mitigation measures that the airport deems necessary to have in place to ensure the risk is managed to an acceptable level. The risk response plan should be developed by the risk owner in collaboration with relevant stakeholders.
The Process of Implementing ERM at AA
Risk Monitoring and Reporting
Few risks and opportunities or action plans remain static. Risks and opportunities change,
priorities change, actions are completed, risk responses that were once effective may become
irrelevant, and so on. Therefore, it is important to monitor risk response plan effectiveness
and risk profile.
 Monitoring risk response plan effectiveness.
 Monitoring the risk profile.
There is no prescribed format for risk reporting, but it is one of the most important elements of the ERM framework. Risk reports should be formatted so as to be user-friendly, actionable, and usable in decision-making. The reports should also capture both risks and opportunities.
 Determining a Risk Reporting Process. To develop a risk reporting process that is sustainable and ensures the necessary risk information reaches the right people in a timely manner:
o Determine what information needs to be reported.
o Define a reporting structure linking into the overall governance structure.
o Decide the frequency of reporting. This will vary by airport, but formal risk reporting to the board should take place at least annually.
The Process of Implementing ERM at AA
Risk Monitoring and Reporting
Example of Risk Reporting Format
The Process of Implementing ERM at AA
Develop an Implementation Plan
[Figure: Example of Implementation Plan]
As with any other process implementation, an implementation plan should be developed.
Further, define:
 Scalability
 The Maturity Measurement
 Establish an ERM Culture:
 Risk Champions
 Training and Education
 Communication Plan
HP. 082140035418
EM. wisnuw@telkom.co.id
Mergers & Acquisitions IX
Mergers & Acquisitions IXMergers & Acquisitions IX
Mergers & Acquisitions IX
 
Mergers & Acquisitions VIII
Mergers & Acquisitions VIIIMergers & Acquisitions VIII
Mergers & Acquisitions VIII
 
Mergers & Acquisitions VII
Mergers & Acquisitions VIIMergers & Acquisitions VII
Mergers & Acquisitions VII
 
Mergers & Acquisitions VI
Mergers & Acquisitions VIMergers & Acquisitions VI
Mergers & Acquisitions VI
 
Mergers & Acquisitions III
Mergers & Acquisitions IIIMergers & Acquisitions III
Mergers & Acquisitions III
 
Merger & Acquisition I-II
Merger & Acquisition I-IIMerger & Acquisition I-II
Merger & Acquisition I-II
 
Risk and governance presentation telkom indonesia
Risk and governance presentation   telkom indonesia Risk and governance presentation   telkom indonesia
Risk and governance presentation telkom indonesia
 
Legal presentation konsepsi business judgment rule doctrine - telkom indon...
Legal presentation   konsepsi  business judgment rule doctrine - telkom indon...Legal presentation   konsepsi  business judgment rule doctrine - telkom indon...
Legal presentation konsepsi business judgment rule doctrine - telkom indon...
 

Recently uploaded

Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...Any kyc Account
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Roland Driesen
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 

Recently uploaded (20)

Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 

Erm overview of auditing fraud and revenue assurance

  • 1. The Overview of Internal Control (Auditing), Fraud, and Revenue Assurance I Nyoman Wisnu Wardhana Senior Advisor II – PT. Telkom 28 November 2014
  • 2. Content: Refreshment Concept of Risk; Internal Control; Fraud in Business; Revenue Assurance; Risk Based KPIs and KRIs; KRIs and Dashboard
  • 3. Refreshment Concept of Risk Enterprise Risk Management Concept Risk management is not about formulas and numbers, It is about insight, And about seeing the pattern.
  • 4. Enterprise Risk Management History: maturing as a business process (Source: Deloitte & Touche LLP). Enterprise Risk Management is intertwined with the development of internal control standards and the regulatory environment.
  - 1950s-1960s: Traditional Risk Management ("TRM")
  - 1970s: Risk management gains wider acceptance
  - 1977: Foreign Corrupt Practices Act ("FCPA")
  - 1980s: Companies begin Risk departments, typically focused on insurance
  - Early 1980s: Increased focus on internal control and compliance
  - 1985: National Commission on Fraudulent Financial Reporting (Treadway Commission)
  - 1990s: Risk management matures as companies begin to focus on "business risk"
  - 1992: Committee of Sponsoring Organizations ("COSO") published Internal Control — Integrated Framework
  - 1990s-2000: Continued focus on internal control, risk management, and responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, others)
  - 2002: Sarbanes-Oxley Act of 2002
  - 2004: Release of COSO ERM Integrated Framework
  • 5. Internal Control Backgrounds – Enterprise Risk Management Concept. Corporate fraud led, over time, to SEC rules, the PCAOB standards (the AS#2 proposal, later the AS#5 proposal) and S.O.X. Management's proactive response v. its enhancement:
  - Corporate Governance
  - Implementation of Internal Control (IC)
  - Management Disclosure (Assertion)
  - Opinion from KAP (the public accounting firm)
  Every company must have its control in place. The SEC proposed the COSO Framework (IC) and COBIT (IT Control). This introduced Governance, Risk Based and Compliance (consent and approval), which derives from the regulations, rules and law of the home country. Because the broad scope was too costly, the focus moved to Risk Based Audit and IC.
  • 6. Internal Control Backgrounds - ERM. Growth will be more risky; that is the exact rationale behind ERM.
  • 7. Internal Control – Risk Based Audit. The scope of our discussion will cover several areas, inter alia:
  - Role and function of IC in your organization
  - Task and responsibility of IC in your organization
  - Organization chart (structure)
  - Scope and coverage
  - Limitation and segregation of duties
  - Reporting mechanism
  - Recommendation and feedback
  - Follow up
  - Focus + KPIs of the Department of Internal Control
  • 8. Internal Control Organization Structure. Three structures are involved: development structure (1), maintenance structure (2) and improvement structure (3). Usually it takes 5-10 years of implementation, depending on complexity and organization size.
  - An independent unit should be established. It may become a single board directorate or a head of department.
  - Duties are conducted through 'task forces', which may be held annually. They should then be embedded into every related unit/division, becoming a necessity and automatically creating direct interdependence with the organization's performance.
  - The organization may create a project assigned with such tasks (to devise, and so on). The project leader reports directly to, and is under the authority of, the CEO and the other boards. Consultants are usually involved (ICOFR).
  • 9. Internal Control Organization Structure – cont. (Source: James Lam, Enterprise Risk Management). Board → CEO → CRO, with risk ownership spread across the functional heads:
  - Board: Governance; Audit
  - Counsel/Compliance: Regulatory risk; Legal risk
  - CRO: Integrates risks; Best practices; Balances perspectives; Risk education
  - EVP Line Units: Business risks; Product risks; Customer risks
  - C-Financial Off.: Financial risks; Capital; Statutory & GAAP reporting risk; Rating agency; Tax
  - C-Investment Off.: Market risks (fixed income, equities, real estate); Performance risks (tracking error, alpha, VaR, risk budget, operational risks)
  - C-Actuary: Liability risks (P&C, life/health, commercial); Other issues (expected losses, unexpected losses, embedded options)
  - Head of Treasury: Interest rate risks (parallel shifts, curve twists, basis risks); Other risks (FX risks, liquidity risks)
  - Head of IT/Operation: Operational risks (processes, people, contingencies); Technology risks (availability, performance, security)
  • 10. Internal Control Organization Structure – cont. (Source: Telkom Proprietary). Head of Compliance Risk Management & General Affair, with VP. Risk & Process Management (AVP Risk & Process System Development, AVP Process Strategy, AVP Risk Strategy), VP. Supply & Planning, SGM. Supply Centre and VP. Legal & Compliance.
  • 11. Internal Control – Sample of coverage, segregation, and scoping of ERM (Source: Telkom Proprietary)
  [Flow diagram: Vision & Mission, Strategic Direction and Directors' Instructions feed Compliance Risk Management & General Affair (CRM & GA); inputs arrive from BOD/BOC, all Directorates (DIT), DIT NITS, DIT CONS/EBiZ/WINS and all units; the work is split across the three functions under VP Risk & Process Management: Risk & Process System Development, Process Strategy and Risk Strategy.]
  Inputs received:
  - Group Business Plan; Corporate Policy; Policy Review & Assessment; Business Development; BPO Feedback
  - Incident Reports (vandalism, natural disaster, loss, fraud, etc.); Recovery Reports; Best Practice Report; Environmental Impact; Contingency Operation Strategy; Unit Management & Quality Report; Innovation; INSYNC
  - IT Policy; IT Standard; Fraud/Revenue Assurance Tools; IS Application Support; Risk IS Application Request; Risk IS Application Requirement
  Outputs produced:
  - Draft Quality Management Policy; Internal Control Policy and Guideline; Draft Process Management Policy; Draft Leadership System & GCG Policy; Draft SLA, SLG & Transfer Pricing Policy; Draft Anti Fraud Policy & Management; Draft Revenue Assurance Policy & Management; Draft Insurance Policy & Decision Guideline; Procedures / implementation guidelines (JUKLAK) / guidelines; Framework & Policy Manual
  - Risk Management Policy & Program; Enterprise Risk Management Methodology; Risk Identification & Mitigation; Risk Register / Profile (including ICoFR risk scope); Risk Assessment Report; Risk Assessment Implementation Report; Risk Mitigation Plan; Risk Reporting; Risk Reporting Analysis; Socialization Program for the Risk Control Handling Policy; BCM Implementation Program; Sensitivity Analysis
  - Fraud Management Program; Potential Fraud Register; Revenue Assurance Policy Implementation Report; Compliance Analysis Consultancy
  - Enterprise Process Design; Internal Control Design; Enterprise IT Application; Business Process Reengineering; Standard Business Process; Business Process ICOFR & DCP; Role Map & Functional Business Process; Lateral/Cross Functional Business Process; Evaluation of Innovation; Implementation Report
  • 12. Internal Control ERM and Internal Control What are Risk Management Frameworks and Why have them? What is a Risk Control Matrix, COSO, COBIT, Risk Universe, Key Controls, Critical Controls? Using them in SOA, ERA or Revenue Cycle
  • 13. Internal Control – Why is business risk a priority? Business risks are greater today than ever (Source: Protiviti Inc):
  - Globalization means increased exposure to international events
  - Need for efficiencies, innovation and differentiation to compete
  - We now know the unthinkable can happen
  - Financial reporting is now a risk area
  - Application is uneven at companies "applying EWRM"; we live in unpredictable times, don't we?
  Points of view from a recent survey:
  - Many executives see an array of ever-increasing business risks
  - Business risk management practices require improvement
  - Substantial revisions in business risk management have either been made or will be made
  - Senior executives want more confidence that all potentially significant risks are identified and managed
  • 14. Internal Control. Gartner reveals top five business issues (Source: The Gartner Group, based upon interviews and surveys): cost constraints; security of data and privacy; stakeholder returns; managing business risk; innovation.
  Key indicators of need:
  - Management wants increased confidence that all potentially significant risks are identified and managed
  - Key decisions are made without a systematic evaluation of risk and reward trade-offs
  - Risk management isn't integrated with strategic and business planning
  - Risks are not systematically identified, sourced, measured and managed
  - Units of the organization are managing similar risks differently
  - Inability to measure performance on a risk-adjusted basis
  - Capital investment process requires improvement
  - Increasing demands for more information relating to risks and internal controls from the board and investors
  • 15. Internal Control A common framework will accelerate progress • We need a common language • We need criteria against which to benchmark • Now we can communicate more effectively • Familiarity of concepts is useful • Application guidance is critical piece • Issuance of framework is only the beginning Yes, we need a framework! Source: Protiviti Inc
  • 16. Internal Control Traditional Risk Universe Framework Source: Protiviti Inc
  • 17. Internal Control. The COSO Framework provides an understanding of the components of ERM (Source: COSO proposed ERM Framework). The ERM cube has eight components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring), four objective categories (Strategic, Operations, Reporting, Compliance) and four organizational levels (Entity-level, Division, Business Unit, Subsidiary).
  Enterprise Risk Management:
  - Is a process
  - Is effected by people
  - Is applied in strategy setting
  - Is applied across the enterprise
  - Is designed to identify potential events
  - Manages risks within risk appetite
  - Provides reasonable assurance
  - Supports achievement of objectives
  • 18. Internal Control SOA and the COSO Framework Complying with SOA Section 404 in the Context of the COSO Framework The COSO Framework is recommended by the SEC as an accepted internal control framework to guide corporate compliance with SOA 404. COSO requires an entity-level (or “tone at the top”) internal control focus and an activity or process level focus (the right side of the cube), with the three objectives of effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (across the top of the cube). Our approach captures the five components of internal control: the control environment, risk assessment, control activities, information/communication, and monitoring. Source: COSO proposed ERM Framework
  • 19. Internal Control Control Levels Source: COSO proposed ERM Framework • Entity-level Controls – Entity-level controls are those controls that management relies upon to establish the appropriate “tone at the top” relative to financial reporting. An entity-level assessment for each control entity should be conducted as early as possible in the evaluation process • Process-Level Controls – Process level controls are usually directly involved with initiating, recording, processing or reporting transactions • General IT and Application Controls – General IT controls typically impact a number of individual applications and data in the technology environment – Application controls relate primarily to the controls programmed within an application that can be relied upon to mitigate business process-level risks
  • 20. Internal Control – Control Levels: Examples of Entity-Level Controls (Source: COSO proposed ERM Framework). COSO components and their attributes:
  - Control Environment: Integrity and ethical values; Commitment to competence; Board of Directors or Audit Committee; Management's philosophy and operating style; Organizational structure; Assignment of authority and responsibility; Human resource policies and procedures
  - Risk Assessment: Entity-wide objectives; Activity-level objectives; Risk identification; Managing change
  - Control Activities: Policies, procedures, and actions to address risks to achievement of stated objectives
  - Information and Communication: External and internal information is identified, captured, processed and reported; Effective communication down, across and up the organization
  - Monitoring: Ongoing monitoring; Separate evaluations; Reporting deficiencies
  Application: address the attributes for each COSO component. For each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures:
  - Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
  - Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
  - Is the background of prospective employees checked and references obtained?
  - Are performance expectations clearly defined and reinforced with appropriate performance measures?
  - Are employee retention, promotion and performance evaluation processes effective?
  - Is the established code of conduct reinforced and disciplinary action taken when warranted?
  - Are everyone's control-related responsibilities clearly articulated and carried out?
  • 21. Internal Control – Control Types (Source: COSO proposed ERM Framework)
  Manual vs. system-based controls:
  - Manual controls predominantly depend upon manual execution by one or more individuals
  - Automated controls predominantly rely upon programmed applications or IT systems to execute a step, or to prevent a transaction from occurring, without manual decision or interaction
  - There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; the manual control is therefore dependent on the reliability of system processing
  Preventive vs. detective controls:
  - Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process
  - Detective controls are processes, either people-based or systems-based, designed to detect and correct an error (or fraud) or an omission in a timely manner, prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.)
  • 22. Internal Control – Control Reliability (Source: COSO proposed ERM Framework)
  - As transaction volumes increase and calculations become more complex, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, provided they are designed, operated, maintained and secured effectively
  - A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive 'find and fix' approach embodied in a detective control
  - Effectively designed controls that prevent risk at the source free up people resources to focus on the critical tasks of the business
  Ranked from more reliable/desirable to less reliable/desirable: 1. systems-based preventive control; 2. systems-based detective control; 3. people-based preventive control; 4. people-based detective control.
  NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity level, e.g., the internal audit function.
  • 23. Internal Control What is a Critical Control? Definitions: • KEY CONTROL: An activity or task performed by management or other personnel designed to provide reasonable assurance regarding the achievement of certain objectives as well as mitigating the risk of an unanticipated outcome. Significant reliance is placed upon this control’s effective design and operation. Upon failure of the key control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified. In other words, reasonable assurance of achieving the process’ objectives could not be obtained. • CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact on financial reporting (segregation of duties, system and data access, change controls, physical safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified within ANY process. Failure of critical controls would affect the ability of management to achieve not only process objectives, but also the company’s financial statement objectives. Source: COSO proposed ERM Framework
  • 24. Internal Control Control Types • Primary vs. secondary controls – Primary controls are controls that are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure; these are the controls that managers and process owners primarily rely on – Secondary controls are important to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered “critical” by management and process owners; while these controls are significant, there are compensating controls that also assist in achieving the assertions • Controls over routine processes vs. controls over non-routine processes – Controls over routine processes are the manual and automated controls over transactions – Controls over non-routine processes are the manual and automated controls over estimates and period-end adjustments; these controls often address the greatest risks in the financial reporting process and are most susceptible to management override Source: COSO proposed ERM Framework
  • 25. Internal Control – Control Levels: Examples of Common Process-Level Control Activities (Source: COSO proposed ERM Framework)
  Pervasive process-level controls (controls affecting multiple processes, including entity-level and general IT controls):
  - Establish and communicate objectives
  - Authorize and approve
  - Establish boundaries and limits
  - Assign key tasks to quality people
  - Establish accountability for results
  - Measure performance
  - Facilitate continuous learning
  - Segregate incompatible duties
  - Restrict process system and data access
  - Create physical safeguards
  - Implement process/systems change controls
  - Maintain redundant/backup capabilities
  Specific process-level controls (controls specific to a process, including programmed application controls):
  - Obtain prescribed approvals
  - Establish transaction/document control
  - Establish processing/transmission control totals
  - Establish/verify sequencing
  - Validate against predefined parameters
  - Test samples/assess process performance
  - Recalculate computations
  - Perform reconciliations
  - Match and compare
  - Independently analyze results for reasonableness
  - Independently verify existence
  - Verify occurrence with counterparties
  - Report and resolve exceptions
  - Evaluate reserve requirements
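The following is an added example, not code from the original slides or from Telkom. It turns four of the specific process-level control activities listed above (processing/transmission control totals, establish/verify sequencing, validate against predefined parameters, perform reconciliations with report-and-resolve exceptions) into automated detective controls run over a constructed posting batch; the parameter check is also the preventive form of the same control when it is run before posting, which ties back to the preventive v. detective distinction in the control-types slide. The batch layout, field names, chart of accounts, amount limit and subledger contents are all assumptions made for illustration.

```python
"""Detective process-level controls over a posting batch (added example)."""
from decimal import Decimal
from typing import Dict, List

# Constructed sample: the sending system declares a record count and a
# hash total in a header; the detail lines are what actually arrived.
BATCH_HEADER = {"batch_id": "B-2014-1128", "record_count": 5,
                "hash_total": Decimal("1530.00")}
BATCH_LINES = [
    {"seq": 1, "txn_id": "T1001", "account": "4100", "amount": Decimal("250.00")},
    {"seq": 2, "txn_id": "T1002", "account": "4100", "amount": Decimal("480.00")},
    {"seq": 4, "txn_id": "T1004", "account": "4200", "amount": Decimal("300.00")},   # seq 3 never arrived
    {"seq": 4, "txn_id": "T1004", "account": "4200", "amount": Decimal("300.00")},   # replayed line
    {"seq": 5, "txn_id": "T1005", "account": "9999", "amount": Decimal("-150.00")},  # bad account, bad sign
]
# Independent record the batch must agree with (assumed subledger kept by another system).
SUBLEDGER = {"T1001": Decimal("250.00"), "T1002": Decimal("480.00"),
             "T1003": Decimal("200.00"), "T1004": Decimal("300.00"),
             "T1005": Decimal("150.00")}
VALID_ACCOUNTS = {"4100", "4200"}   # assumed chart of accounts
MAX_AMOUNT = Decimal("1000.00")     # assumed per-line limit


def check_control_totals(header: Dict, lines: List[Dict]) -> List[str]:
    """Processing/transmission control totals: declared vs. received."""
    exceptions = []
    if len(lines) != header["record_count"]:
        exceptions.append(f"record count mismatch: declared "
                          f"{header['record_count']}, received {len(lines)}")
    computed = sum((ln["amount"] for ln in lines), Decimal("0"))
    if computed != header["hash_total"]:
        exceptions.append(f"hash total mismatch: declared "
                          f"{header['hash_total']}, computed {computed}")
    return exceptions


def check_sequencing(lines: List[Dict]) -> List[str]:
    """Establish/verify sequencing: gaps mean lost records, repeats mean replays."""
    seen, exceptions = set(), []
    for ln in lines:
        if ln["seq"] in seen:
            exceptions.append(f"duplicate sequence {ln['seq']} ({ln['txn_id']})")
        seen.add(ln["seq"])
    for expected in range(1, max(seen) + 1):
        if expected not in seen:
            exceptions.append(f"missing sequence {expected}")
    return sorted(exceptions)


def validate_parameters(lines: List[Dict], valid_accounts=VALID_ACCOUNTS,
                        max_amount: Decimal = MAX_AMOUNT) -> List[str]:
    """Validate against predefined parameters. Run before posting this is the
    preventive form of the control; run afterwards it is detective."""
    exceptions = []
    for ln in lines:
        if ln["account"] not in valid_accounts:
            exceptions.append(f"{ln['txn_id']}: account {ln['account']} not in chart of accounts")
        if not Decimal("0") < ln["amount"] <= max_amount:
            exceptions.append(f"{ln['txn_id']}: amount {ln['amount']} outside (0, {max_amount}]")
    return exceptions


def reconcile(lines: List[Dict], subledger: Dict[str, Decimal]) -> List[str]:
    """Perform reconciliations / match and compare against an independent record."""
    posted: Dict[str, Decimal] = {}
    for ln in lines:
        posted[ln["txn_id"]] = posted.get(ln["txn_id"], Decimal("0")) + ln["amount"]
    exceptions = []
    for txn_id in sorted(set(posted) | set(subledger)):
        batch, ledger = posted.get(txn_id), subledger.get(txn_id)
        if batch is None:
            exceptions.append(f"{txn_id}: in subledger ({ledger}) but not in batch")
        elif ledger is None:
            exceptions.append(f"{txn_id}: in batch ({batch}) but not in subledger")
        elif batch != ledger:
            exceptions.append(f"{txn_id}: batch {batch} != subledger {ledger}")
    return exceptions


def run_controls(header: Dict, lines: List[Dict],
                 subledger: Dict[str, Decimal]) -> Dict[str, List[str]]:
    """Report and resolve exceptions: findings are returned per control so the
    process owner gets an exception list rather than a silent pass."""
    return {
        "control_totals": check_control_totals(header, lines),
        "sequencing": check_sequencing(lines),
        "parameters": validate_parameters(lines),
        "reconciliation": reconcile(lines, subledger),
    }


def batch_is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    for control, findings in run_controls(BATCH_HEADER, BATCH_LINES, SUBLEDGER).items():
        print(control, findings or "OK")
```

Each control is independent, so a batch that passes its hash total can still fail sequencing (a replayed line plus a dropped one can leave the total unchanged), which is why the slide lists the activities separately rather than as one check.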
• 26. Internal Control – Best Practice
  OBJECTIVES
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  PROCESS
  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information & Communication
  5. Monitoring
  ENTITY
   Entity-level controls (ELC): controls with a pervasive effect, which can also influence transaction-level controls.
   Transaction/Application/Process-level controls (TLC): controls that occur within any process the organization has designed, in the form of authorization, verification, reconciliation, and other activities related to fraud prevention, error prevention, and asset protection.
  Source: COSO proposed ERM Framework
• 27. Internal Control – Key Concept
  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is affected by people. It is not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
  WHAT IS CONTROL? "All of the elements of an organization that, taken together, support people in achieving the organization's objectives."
  DIRECTIVE CONTROL – actions taken to cause or encourage a desirable event to occur: • Policy & procedure • Competence of personnel • Organizational structure • Organizational culture
  DETECTIVE CONTROL – actions taken to detect and correct undesirable events that have occurred: • Reconciliation • Budget vs. actual comparison • Physical count
  PREVENTIVE CONTROL – actions taken to deter undesirable events from occurring: • Authorization • Safeguarding of assets/sensitive data • Segregation of duties
  Source: COSO proposed ERM Framework
• 28. Internal Control – Classification of ICOFR: Entity Level Control, IT Control, Transaction Level Control
  Entity Level Control: a process designed by, or under the monitoring of, management to realize an environment that has a pervasive impact on the effectiveness of controls at the process, transaction or application level.
  Transactional Level Control: • The objective of a process/transactional-level control is to achieve a specific objective. • Generally relates to individual business locations or business processes.
  IT Control: • The information technology processes and related controls that are applied above the computer application level. • IT controls are controls that exist above and around the computer application, which are designed to: – Ensure that changes to applications are properly authorized, tested, and approved before they are implemented, and – Ensure that only authorized persons and applications have access to data, and then only to perform specifically defined functions (e.g., inquire, execute, update).
  Source: Telkom Proprietary
• 29. Internal Control Design Stages
  1. Scoping Process/Identification – Financial Statements → Significant Accounts → Significant Processes
     – Define materiality
     – Define significant accounts and disclosures
     – Financial assertions (based on the significant accounts and disclosures)
     – Define the groups of transactions and their respective processes
     – Process mapping
  2. Risk Identification & Assessment – Inherent and Key Business Risks: what can go wrong?
  3. Control Design – Controls Design Process. Controls must:
     – Provide mitigation for every fraud and error identified
     – Be applicable
     – Be verifiable, so that they can be analyzed
  Source: Telkom Proprietary
• 31. The Challenge: Risk. "Nearly 90 percent of firms do not conduct a risk assessment when outsourcing production." – "Supply Chain Risk: It's Time to Measure It," Harvard Business Review Blog, Feb 5, 2010. Source: Insurance Information Institute research, 2011
• 32. Fraud in Business – What is Fraud?
  GRAPA (Global Revenue Assurance Professional Association): o Intentional deception resulting in injury to another person o Imposter: a person who makes deceitful pretenses o Something intended to deceive; deliberate trickery intended to gain an advantage
  Etymology: recorded since 1345, from Old French fraude, from Latin fraus 'deceit, injury'
  Noun: o Any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain o The assumption of a false identity to such deceptive end o One who performs any such trick
  Albrecht: "A deception that includes: a representation about a material point, which is false, and intentionally or recklessly so, which is believed and acted upon by the victim to the victim's damage."
  Source: Telkom Proprietary
• 33. Fraud in Business – What is Fraud? Based on PT. Telkom's definition, TELKOM (KR.05 – 2009): Fraud is a dishonest act committed intentionally by management, employees, partners or other parties that involves deception, dishonesty, misrepresentation or concealment of the truth, with the aim of obtaining a benefit for that person or party, and that causes loss to the Company or to another party. Source: Telkom Proprietary
• 34. Fraud in Business – Fraud Categories (GRAPA)
  Internal fraud involves activities perpetrated within the organization, such as intentional misrepresentation of financial statements or financial statement transactions, theft, embezzlement, or improper use of the organization's resources.
  External fraud involves theft or improper use of the organization's resources perpetrated by individuals outside the organization. Some examples of external fraud prevalent in the government arena include false claims and statements, beneficiary fraud, and contract and procurement fraud.
  Source: Telkom Proprietary
• 35. Fraud in Business – Fraud Categories (cont.) TELKOM (KR.05 – 2009)
  Corporate fraud: a dishonest act committed intentionally by management, employees, partners or other parties that involves deception, dishonesty, misrepresentation or concealment of the truth, with the aim of obtaining a benefit for that person or party, and that causes loss to the Company or to another party. Fraud includes, but is not limited to, embezzlement of money/goods, theft of money/goods, bribery, forgery, diversion, conversion, misappropriation of assets, making false claims or statements, falsification of documents, or collusion and/or conspiracy between two or more persons.
  Telecommunications fraud: any act of fraud, deception or embezzlement in the use of telecommunications facilities, committed intentionally by particular persons or organizations, with the aim of avoiding service charges or evading the tracing of call records.
  Aviation Fraud?
  Source: Telkom Proprietary
• 36. Fraud in Business – Fraud Categories (cont.) Customer Fraud (KD.08/2009 Revenue Assurance): Fraud is any act of fraud, deception or embezzlement in the use of telecommunications facilities, committed intentionally by particular persons or organizations, with the aim of avoiding service charges or evading the tracing of call records. Forms and actors: Hacking; Illegal Reselling; rogue customers; rogue operators; criminal organizations; rogue employees. Source: Telkom Proprietary
• 37. Fraud in Business – Fraud Categories (cont.) Corporate Fraud (KD 43/2008 Anti-Fraud Policy): an act committed intentionally by an official, employee, third party or other party that involves elements of deception, dishonesty, misrepresentation or concealment of the truth, with the aim of obtaining a benefit for that person or party, and that causes loss to the Company. Forms: embezzlement of money/goods; theft of money/goods; diversion; misappropriation of assets; bribery; forgery; false claims or statements; corruption, collusion and nepotism. Source: Telkom Proprietary
• 38. Fraud in Business – Fraud Categories (cont.) The Aviation Industry. Recently, this industry has faced numerous financial pressures that impact its profitability, many of which are specific to the sector: the impact of Air Passenger Duty, increasing security and insurance costs, environmental levies, oil-price volatility, changes to customer business travel policies and competition from surface travel will all have had an impact on a company's profitability during a time of unprecedented financial uncertainty. These are all costs that the industry identifies and takes into account, yet another business cost, of equal impact and significance, has never been accurately quantified by the sector: fraud. Source: PKF-Accountants & business advisers
• 39. Fraud in Business – Fraud Triangle. One set of factors common to internal fraudsters at all levels in any organization is the Fraud Triangle (Donald Cressey).
  Pressure, in the context of Cressey's Fraud Triangle, relates specifically to financial difficulties such as large amounts of credit card debt, an overwhelming burden of unpaid healthcare bills, large gambling debts, extended unemployment, or similar financial difficulties.
  Opportunity exists when an employee discovers a weakness in the organization's antifraud controls.
  Rationalization is a psychological process whereby a person who has committed fraud convinces himself that the act is either not wrong, or that even though it may be wrong, it will be "corrected" because he will eventually return the money.
  Source: Fraud in the Markets
• 40. Fraud in Business – Fraud Triangle (cont.): Solution Overview. MOTIVE / PRESSURE: financial gain. • Remove the motive – hard to do if tariffs are high. • Deny the opportunity – physical security, network security. • Fix the mechanism – new technologies fix some but may introduce others. Source: Telkom Proprietary
• 41. Fraud in Business – Various Classifications of Fraud. Telecom Service Related Fraud Glossary – by TMForum.org (Fraud Type: Fraud Identifiers)
  Subscription / Identity Theft
  CNAM Dip Fee Fraud
  "Wangiri" Call Back Fraud
  Bypass: Tromboning, SIM Boxes, Fixed Cell Terminals, Premicells, GSM/UMTS Gateways, Landing Fraud, VoIP Bypass, Interconnect Fraud, Toll Bypass, Third Country, Grey Routing, International Simple Resale
  Roaming Fraud
  Cloning Fraud
  Spam: Malware Fraud, Spoofing Fraud, IP/Phishing Fraud
  (International) Revenue Share Fraud (IRSF)
  PBX Hacking Fraud
  Source: Telkom Proprietary
• 42. Fraud in Business – Various Classifications of Fraud (cont.). Telecom Service Related Fraud Glossary – by TMForum.org (Fraud Type: Fraud Identifiers)
  IP: Subscription/Identity Theft, AIT (Artificial Inflation of Traffic), DoS (Denial of Service), Content Sharing Fraud, Identity Trading Fraud, Spyware Fraud, Pharming Fraud, Online Brand Threats Fraud
  Interconnect (IXC): Arbitrage, Call Looping, QoS (Quality of Service) Exploitation, Technical Configuration
  SMS Fraud: Faking, Global Title Scanning, Open SMSC
  Pre-paid: PIN Theft, PIN Guessing, Stolen Voucher, Altering Free Call Lists, Manual Recharges, Voucher Modification, Duplicate Voucher Printing, Fraudulent Voucher Reading, Illegal Credit Card Use for Recharges, IVR Abuse/Hacking, IN Flag Modifications, Handset Manipulation, Handset Installment, Roaming
  Source: Telkom Proprietary
• 43. Fraud in Business – Case: PBX HACKING FRAUD – BUSINESS SCHEMA. Parties: Hackers, Premium Services, Victims.
  1. The hacker registers with a premium service provider
  2. The hacker compromises the victim's PBX
  3. A huge volume of calls is made from the PBX to the premium service, earning $$$$
  4. The revenue/fees are shared between the premium service and the hacker
  Source: Telkom Proprietary
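The scheme on this slide leaves a recognisable footprint in the victim's own call detail records: a burst of long calls to high-cost destinations from a single PBX trunk, typically outside business hours when nobody is watching the switchboard. The following detection routine is an added example (not Telkom's code or any product's); the CDR lines, the high-cost prefixes and the thresholds are all constructed for the illustration.

```python
"""Detect a PBX-hacking traffic pattern in call detail records (CDRs).

Added example, not Telkom's code. It flags a PBX trunk whose outbound minutes
to high-cost destinations exceed a budget and were mostly placed after hours,
the footprint of the revenue-share scheme described on the slide.
"""
from collections import defaultdict
from datetime import datetime

# Constructed CDRs: trunk id, call start (local time), called number, duration in seconds.
SAMPLE_CDRS = """\
pbx-01,2014-11-20 09:15:00,+622155512345,180
pbx-01,2014-11-20 10:02:00,+622155599999,60
pbx-02,2014-11-20 11:30:00,+628125550001,300
pbx-01,2014-11-21 02:10:00,+88230001234,900
pbx-01,2014-11-21 02:25:00,+88230001235,870
pbx-01,2014-11-21 02:41:00,+88230001236,910
pbx-01,2014-11-21 03:05:00,+88230001237,880
pbx-02,2014-11-21 14:00:00,+622155512346,120
"""

# Destination prefixes treated as high-cost/premium: an illustrative assumption,
# not a real routing or tariff table.
HIGH_COST_PREFIXES = ("+882", "+883")
# Hours regarded as business hours (assumption); anything else is "after hours".
BUSINESS_HOURS = range(8, 18)


def parse_cdrs(text):
    """Turn the comma-separated CDR text into a list of dicts."""
    cdrs = []
    for line in text.strip().splitlines():
        trunk, start, callee, duration = line.split(",")
        cdrs.append({
            "trunk": trunk,
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "callee": callee,
            "duration": int(duration),
        })
    return cdrs


def trunk_profiles(cdrs):
    """Per trunk: minutes and calls to high-cost destinations, and how many of those minutes fell after hours."""
    profiles = defaultdict(lambda: {"premium_min": 0.0, "after_hours_premium_min": 0.0, "premium_calls": 0})
    for cdr in cdrs:
        if not cdr["callee"].startswith(HIGH_COST_PREFIXES):
            continue
        prof = profiles[cdr["trunk"]]
        minutes = cdr["duration"] / 60
        prof["premium_min"] += minutes
        prof["premium_calls"] += 1
        if cdr["start"].hour not in BUSINESS_HOURS:
            prof["after_hours_premium_min"] += minutes
    return dict(profiles)


def flag_trunks(cdrs, max_premium_min=10.0, min_after_hours_share=0.5):
    """Return (trunk, premium minutes, premium calls) for trunks over budget with most traffic after hours."""
    flagged = []
    for trunk, prof in sorted(trunk_profiles(cdrs).items()):
        after_hours_share = prof["after_hours_premium_min"] / prof["premium_min"]
        if prof["premium_min"] > max_premium_min and after_hours_share >= min_after_hours_share:
            flagged.append((trunk, round(prof["premium_min"], 1), prof["premium_calls"]))
    return flagged


if __name__ == "__main__":
    for trunk, minutes, calls in flag_trunks(parse_cdrs(SAMPLE_CDRS)):
        print(f"ALERT {trunk}: {minutes} premium minutes over {calls} calls, mostly after hours")
```

On the constructed records only pbx-01 is raised, with about 59 premium minutes over four night-time calls. In practice the budget and the prefix list would come from the trunk's own historical baseline and the operator's tariff plan, and an alert would feed the control-management process on the revenue assurance slides rather than stand alone.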
• 44. Fraud in Business – How to prevent fraud? KR. 05/HK.290/COP-D031000/2009. Source: Telkom Proprietary
  • 45. “The greatest risk of all is to take no risk at all” – Forbes, 2012
• 46. Revenue Assurance – What is Revenue Assurance?
  GRAPA (Global Revenue Assurance Professional Association): "The art of finding what you didn't know was missing." Revenue Assurance is the systematic, independent application of a set of Standard Methodologies employed to Identify, Quantify, Report, Remedy and Contain Risks to Telecoms revenues in its many forms.
  TM Forum: "Data quality and process improvement methods that improve profits, revenues and cash flows without influencing demand."
  TELKOM (KD.08 – 2009): Revenue Assurance is the management of the risk of revenue leakage that can occur anywhere along the revenue stream as a result of weaknesses in systems and procedures, so that all revenue to which the company is entitled is recognized, received, recorded and reported completely and accurately.
  Revenue assurance (Revas) is not about ensuring that revenue targets are achieved!
  Source: Telkom Proprietary
  • 47. Revenue Assurance What is Revenue Assurance? Source: KPMG’s Global Revenue Assurance Survey, 2009
• 48. Revenue Assurance – What is Revenue Assurance?
  [Diagram: all network activity, measured in time (seconds, minutes, erlangs), is divided into realized revenue, network activity not realized as revenue (potential revenue), unrecoverable network activity, and noise. Potential revenue is broken down as leakage + unrecoverable + too expensive to recover; after revenue assurance work, part of it becomes additional realized revenue and part is confirmed as additional unrecoverable activity.]
  Measures:  Revenue leakage   Revenue lost   Cost to recover
  Source: Telkom Proprietary
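The breakdown on this slide is what a usage-to-billing reconciliation produces in practice: every usage record the network saw is matched against what billing actually charged, and the difference is sorted into realized revenue, leakage worth recovering, leakage too small to chase, and traffic that could never be charged. The following is an added example, not Telkom's code; the usage records, billing records, tariffs and recovery cost are constructed for the illustration.

```python
"""Quantify revenue leakage by reconciling network usage against billing.

Added example, not Telkom's code. It performs the breakdown on the revenue
assurance slide (realized revenue, leakage, too expensive to recover,
unrecoverable activity) over constructed records, measuring each bucket in
minutes of network activity and the leakage in money.
"""

# Constructed mediation output: (call_id, subscriber, duration_seconds, rate_class)
NETWORK_USAGE = [
    ("c1", "sub-A", 300, "national"),
    ("c2", "sub-B", 120, "international"),
    ("c3", "sub-A", 600, "national"),        # never reached billing: leakage
    ("c4", "sub-C", 60, "national"),         # unbilled but tiny: too expensive to recover
    ("c5", "test-line", 900, "test"),        # zero-rated test traffic: unrecoverable
    ("c6", "sub-B", 240, "international"),
    ("c7", "sub-D", 1800, "national"),       # billed at the wrong rate: partial leakage
]

# Constructed billing records: call_id -> amount actually invoiced (IDR)
BILLING = {"c1": 500.0, "c2": 5000.0, "c6": 10000.0, "c7": 2000.0}

# Assumed tariff per minute by rate class (IDR); "test" traffic is zero-rated
RATE_PER_MIN = {"national": 100.0, "international": 2500.0, "test": 0.0}

# Assumed cost of chasing one unbilled record (IDR): below this, recovery loses money
RECOVERY_COST = 200.0


def reconcile(usage=NETWORK_USAGE, billing=BILLING):
    """Classify every usage record and total the minutes and money in each bucket."""
    minutes = {"realized": 0.0, "leakage": 0.0, "too_expensive": 0.0, "unrecoverable": 0.0}
    leakage_value = 0.0
    leaked_ids = []
    for call_id, _subscriber, seconds, rate_class in usage:
        mins = seconds / 60
        expected = mins * RATE_PER_MIN[rate_class]   # what the tariff says it should have earned
        billed = billing.get(call_id, 0.0)           # what billing actually charged (0 if missing)
        shortfall = expected - billed
        if expected == 0.0:
            minutes["unrecoverable"] += mins          # nothing could ever be charged for this
        elif shortfall <= 0.005:
            minutes["realized"] += mins               # billed in full (tolerance for rounding)
        elif shortfall < RECOVERY_COST:
            minutes["too_expensive"] += mins          # genuine shortfall, not worth recovering
        else:
            minutes["leakage"] += mins                # unbilled or underbilled: recoverable
            leakage_value += shortfall
            leaked_ids.append(call_id)
    return {"minutes": minutes, "leakage_value": leakage_value, "leaked_ids": leaked_ids}


if __name__ == "__main__":
    result = reconcile()
    for bucket, mins in result["minutes"].items():
        print(f"{bucket:>14}: {mins:6.1f} min")
    print(f"recoverable leakage: IDR {result['leakage_value']:.0f} in records {result['leaked_ids']}")
```

The minutes in the four buckets add up to the total network activity, which is the check a revenue assurance analyst runs first: if they do not, a record was dropped somewhere in mediation. Record c7 shows why the comparison must be on amount and not merely on the presence of a bill: it was invoiced, but at the wrong rate, and a presence-only match would have hidden that leakage.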
• 49. Revenue Assurance – Revenue Assurance Framework: 4 Pillars of the Revenue Assurance Standard
   Disciplines & Revenue Assurance Lifecycle: Forensic, Control Management, Corrective Management, Compliance
   Domains
   Objectives (Level)
   Principles
  These pillars may provide an effective framework for an organization to optimize its revenue!
  Source: Telkom Proprietary
• 50. Revenue Assurance – Revenue Assurance Framework: Definition of Revenue Assurance
  Disciplines: Forensic, Control, Corrective, Compliance
  Domain Scope – Vertical: Network, Mediation, Interconnect, Roaming, Collection, Postpaid, Prepaid, Channel, Provisioning, Fraud Mgmt.
  Domain Scope – Horizontal: Rate Plan, Product Dev., Product Line, Cust. R M, Marketing
  Mission/Objectives: Fraud Containment, Risk Containment, Loss Prevention, Margin Assurance, Revenue Stream Ass.
  Ethics and Principles: Code of Conduct, Corp Resp., Competence Req., Transparency, Rationalization, Consensus
  Source: Telkom Proprietary
• 52. Revenue Assurance – Revenue Assurance Framework: Forensic Analysis Process
   Investigate the root causes of revenue loss problems (both those that have occurred and those that could occur)
   Diagnose the existing problems
   Prepare recommendations for handling the existing problems
  Input:  Product description  Technology description  Network and IT description  Related tariff policies  Customer contracts  Supplier contracts  Government regulations  Business processes
  How:  Understand the product/service & technology  Mapping analysis – revenue & payment  Risk analysis  Exchange analysis  Process analysis  System analysis  Numerical analysis  Statistical analysis
  Output:  List of risks  Risk priorities  Control proposals  Proposed corrective actions  Recommendations
  Source: Telkom Proprietary
• 53. Revenue Assurance – Revenue Assurance Framework
  Control Management: manage and monitor the existing controls so that they are followed up. Input:  Control proposals  Data sources & IT tools. Output:  Alerts  Control performance
  Corrective Management: manage the corrective-action recommendations produced by forensic analysis, and monitor their implementation. Input:  Corrective recommendations. Output:  Status and results of corrective actions
  Compliance & Reporting: define KPIs and ensure that the other three processes are fulfilled. Input:  Policies. Output:  Standard KPIs  KPI achievement reports
  Source: Telkom Proprietary
• 54. Revenue Assurance – Revenue Assurance Maturity
  Level 1 – Dependent: ad hoc, chaotic; dependent on individual heroics.
  Level 2 – Repeatable: basic project/process management; repeatable tasks.
  Level 3 – Defined: standardized approach developed; designing-in of controls commences.
  Level 4 – Managed: leakage quantitatively understood and controlled.
  Level 5 – Optimizing: continuous improvement via feedback; decentralized ownership, holistic control.
  Source: Telkom Proprietary
• 55. Revenue Assurance – Revenue streams. TMForum organizes a telco's revenue streams into 8 Revenue Streams (total leakage library from TMForum = 126): 1. Product and offer management 2. Order management and provisioning 3. Network and usage management 4. Rating and billing 5. Receivables management 6. Finance and accounting 7. Customer management 8. Partner management. How about Rev. Assurance in Airport administration?
• 56. Risk: "the effect of uncertainty on objectives" – ISO 31000:2009; "the possibility that an event will occur and adversely affect the achievement of objectives" – COSO ERM Framework
• 57. Risk Based KPIs and KRIs – ERM Maturity Level
  Risk Maturity Graph: Public Relations → Compliance → Protection → Optimization → Value Creation. Maturity labels: Nonexistent, Initial/Ad hoc, Repeatable, Managed, Leadership.
  Standard & Poor's ERM Quality Classifications: Level 5 Excellent; Level 4 Strong; Level 3 Adequate; Level 2 Weak; Level 1 Weak [Nonexistent].
  Excellent:  Advanced capabilities to identify, measure and manage all risk exposures within tolerances  Advanced implementation, development and execution of ERM parameters  Consistently optimizes risk-adjusted returns throughout the organization
  Strong:  Clear vision of risk tolerance and overall risk profile  Risk control exceeds adequate for most major risks  Has robust processes to identify and prepare for emerging risks  Incorporates risk management into decision making to optimize risk-adjusted returns
  Adequate:  Has fully functioning control systems in place for all of its major risks  May lack a robust process for identifying and preparing for emerging risks  Performs good classical "silo"-based risk management  Process to optimize risk-adjusted returns not fully developed
  Weak:  Incomplete control process for one or more major risks  Inconsistent or limited capabilities to identify, measure or manage major risk exposures
  Where does your organization stand?
  Source: Telkom Proprietary
• 58. Risk Based KPIs and KRIs – Company Objectives: Objectives vs. Risk Management
  1. Ensure the reliability of the Company's objectives.
  2. Provide a picture of measurable steps/milestones toward achieving the objectives.
  3. Provide alternatives for achieving the objectives.
  4. Account for the allocation of resources in achieving the objectives.
  5. Anticipate developments that affect achievement of the objectives.
  6. Optimize the potential and opportunities in achieving the objectives.
  STRATEGIC OBJECTIVE: Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015
  10 Strategic Initiatives: 1. Optimizing POTS and Strengthening Broadband 2. Consolidate & Grow FWA Business and Manage Wireless Portfolio 3. Integrated Telkom Group Ecosystem Solutions 4. Invest in IT Services 5. Invest in Media & Edutainment Business 6. Invest in Wholesale and Strategic int'l Opportunities 7. Invest in Strategic domestic opportunities that leverage the assets 8. Integrate NGN & OBCE 9. Align Business Structure and Portfolio Management 10. Transforming Culture
  Source: Telkom Proprietary
• 59. Risk Based KPIs and KRIs – Company Objectives: Model Approach
  Starting point: determine the 'key business objectives' based on corporate strategy.
  1. Identify the risks that affect achievement of the objectives, and build a company-wide risk profile.
  2. Determine the risk tolerance criteria/levels based on the assessment of likelihood and potential impact.
  3. Determine the allocation of mitigation plans (the appropriate strategy), resources, and accountability for managing the risks.
  4. Execute the (mitigation) strategy and identify KRIs and KPIs that are measurable in financial and operational terms.
  5. Monitor progress to identify potential performance improvements in achieving the objectives.
  Source: Thought Leadership Institute-PricewaterhouseCoopers
• 60. Risk Based KPIs and KRIs – Company Objectives: Managing Business Risk within your organization
  [Diagram: six columns – Business Objectives, Event Identification, Risk Assessment, Risk Response, Control Activities, Significant Business Issues – each with a Focus (client mission statement, client objectives, business unit objectives, targets and performance measures; event portfolio; risk portfolio; response portfolio; client business process model, policies, procedures; current major issues and potential future events) and Review Areas (key drivers, dependencies, performance management, track record, completeness, integration, SMART, definitions, categorizations, assessment criteria, structure, timing & frequency, expert involvement, consistency, decision drivers and criteria, communications, training, roles & responsibilities, data management, issues and event management, repository maintenance/refresh, integration with business planning, monitoring effectiveness, decision protocols, reporting, timing).]
  Source: Axena, Inc. All rights reserved
• 61. Risk Based KPIs and KRIs – Company Objectives: Managing Business Risk within your organization
  Thus, if the Company's objectives are managed without regard to the risk management system (ERM), to alignment with strategic issues, to the direction of business development, and to operational conditions, that system will lose its footing in the company's operations. A link is therefore needed as a navigation and control tool, namely a risk management system based on KRIs and KPIs, so that:
  1. Management learns early of the potential for company targets/objectives not being achieved because of developing risks.
  2. Management can draw up effective mitigation programs to anticipate developing risks.
  Source: Telkom Proprietary
• 62. Risk Based KPIs and KRIs – Risk Identification
   Risk identification is the process of recognizing all the possibilities (events) that may arise in a business activity and that relate to the company's objectives.
   Accurate and thorough risk identification is vital to risk management.
   One important aspect of risk identification is registering as many of the risks that could occur as possible.
  In the COSO Framework, a distinction is made between Risks and Opportunities: possibilities (events) with a negative impact are called Risks, while Opportunities are possibilities (events) that can have a positive impact (natural offsets/opportunities) and support the strategy in achieving the objectives.
  Source: Telkom Proprietary
• 63. Risk Based KPIs and KRIs – Risk Identification: The Technique
  By identifying risks, a body of information is obtained about the risk events, about the causes of the risks, and even about the impacts those risks could produce. Techniques that can be used to identify risks include: Benchmarking; Professional Judgement (opinion of experts in the field); Interviews, Surveys (observation); Historical information (analysis of historical data); Working groups (brainstorming); etc.
  Source: Telkom Proprietary
• 64. Risk Based KPIs and KRIs – Risk Identification: The Technique. Benchmark
   Look for information about risks in other places or companies that are similar at some level (e.g. similar market, business portfolio, industry, etc.).
   Benchmark data must be adjusted to the actual conditions the company itself faces.
   Example: – From reports in the mass media or on the internet it is known that the probability of natural disasters in Indonesia is very high. This shows that, in general, the risk of Business Interruption due to natural disasters is very large. – World oil prices rise?...... – US bank interest rates fall?..... – Airline ticket prices rise?.....
  Source: Telkom Proprietary
• 65. Risk Based KPIs and KRIs – Risk Identification: The Technique. Professional Judgment (opinion of experts in the field)
   Seek information from experts in a particular field of risk about the risks that affect a company objective.
   Example:  By asking a banker, one learns that economic instability in the US creates Foreign Exchange risk on transactions in foreign currency (US Dollars).  By asking a doctor, one learns that people with high cholesterol are at risk of heart disease.
  Source: Telkom Proprietary
• 66. Risk Based KPIs and KRIs – Risk Identification: The Technique. Observation/Survey
   Investigate or gather data directly at the location by questionnaire or interview (primary data).
   Example:  By conducting the CSLS (Cust. Loyalty and Satisfaction Survey), it is found that a low satisfaction level carries a risk of customer churn.  By observing the production process and the availability of the PLN power supply, it is found that the company faces the risk of power outages (Interruptable Power Supply).
   Validity of secondary data?.....
  Source: Telkom Proprietary
• 67. Risk Based KPIs and KRIs – Risk Identification: The Technique. Historical Data Analysis
  • Use the information and data available within the company about everything that has happened before.
  • Historical data should usually cover more than one past period so that the risk prediction is more accurate.
  • Example:  From historical HR data, it is known that the company faces the risk of losing key employees.  From historical financial data, the risk of declining revenue growth is known.  From historical market data, the risk posed by the level of competition in an industry is known.
  Source: Telkom Proprietary
• 68. Risk Based KPIs and KRIs – Risk Identification: The Technique. Working Group (Brainstorming)
   Using the various information and data, the risk management team holds creative-thinking (brainstorming) discussions to recognize the potential risks to an objective.
   Successful creative thinking usually produces a precise formulation of the risks to an objective.
   Example:  From global market data, brainstorming shows that the company's objective to 'invest in broadband' will face risks of technology and competition, country risk factors, etc.
  Source: Telkom Proprietary
• 69. Risk Based KPIs and KRIs – Alignment of KPIs and KRIs: Alignment Process
  Thus, alignment between KRIs and KPIs is highly significant to ensure that the objective can be achieved. KRI and KPI alignment process:
  Risk Management: Identify risks → Quantify risk → Agree acceptable risk levels → Identify risk-related actions → Monitor changes (internal/external)
  Performance Management: Agree strategic objectives → Identify actions required → Monitor performance → Update objectives
  Source: Telkom Proprietary
• 70. "An ounce of prevention is worth a pound of cure." – BF
• 71. KRIs and Dashboards – Defining Key Risk Indicators: Definition
   Key Risk Indicators (KRIs) are the key factors of a risk that are used in the management process to determine the level of risk in a business activity. They are indicators of the possibility of future adverse impact.
   KRIs give management an 'Early Warning' signal for identifying events that could potentially hinder a program/activity.
   These measures are usually presented as statistical data or as a particular matrix with a particular formula or model that provides information on the position of a risk faced by the company.
   KRIs differ from Key Performance Indicators (KPIs): KPIs are intended as measures of the success of a work program (a business activity related to objectives).
  Source: Telkom Proprietary
• 72. KRIs and Dashboards – Defining Key Risk Indicators: Grouping of KRIs
  Key Risk Indicators (KRIs) can basically be grouped into 4 (four) categories:
   Coincident indicators: measures representing failures that occur simultaneously in internal business processes. For example, failure to complete a procurement/investment project that, at the same time, risks the failure of technology-based product development.
   Causal indicators: measures of failure derived from the failure of an event (root-cause events). For example, the risk of technology failure that causes the risk of customer churn.
   Control effectiveness indicators: measures of the level of failure derived from the performance monitoring process. For example, the percentage increase in ARPU of Flexi customers.
   Volume indicators (Inherent Risk Indicators): usually equated with KPIs; they can determine the likelihood and impact position of a risk (these indicators usually correlate with other risks). For example, number of customers, bandwidth capacity, etc.
  Source: Telkom Proprietary
• 73. KRIs and Dashboards – Defining Key Risk Indicators: Method for Determining KRIs
  Several approaches can be used to determine KRIs precisely and effectively. One effective and well-structured approach uses 6 steps (related to 6-sigma tools):
  1. Identify existing metrics.
  2. Assess gaps.
  3. Improve metrics.
  4. Validate and determine trigger levels.
  5. Design dashboard.
  6. Establish control plan.
  These six steps are one approach that can be applied to determine KRIs, from identifying the KRIs, through validation, to implementing them as Early Warning in all kinds of business models.
  Source: Telkom Proprietary
• 74. KRIs and Dashboards – Defining Key Risk Indicators: 1. Identify existing metrics.
   To determine KRIs, the first step is a Risk Assessment, so that all events can be identified, assessed, and grouped together according to particular criteria that can be monitored and analyzed by root cause (cause-and-effect analysis). Tools that can be used include the fishbone diagram, etc.
   Usually, in determining KRIs, the important events that directly affect the risk (inherent risk) as well as the residual risk are identified.
   The next step is to determine metrics (candidate KRIs) for each high-risk potential event.
   In determining KRIs, the more event measures (metrics) that influence a risk, the more effectively the KRIs depict the potential risk.
   Common practice: for effective KRIs, a risk has 5 to 10 potential KRI metrics and contains at least one or more of the KRI categories (types: coincident, causal, control, and volume).
  Example:  Determining the risks in call-center operations.  The risks identified are: customers not handled professionally, and inaccurate customer information.
  Source: Telkom Proprietary
• 75. KRIs and Dashboards – Defining Key Risk Indicators: 2. Assess gaps.
  Once the inventory of all potential KRIs is complete, the next step is to evaluate the feasibility and effectiveness of each indicator (metric). Two tools are used:  the gap assessment  the design matrix
  The Gap Assessment Tool shows whether the indicators (metrics) in the inventory will be effective as KRIs. The measure used is based on a composite score table; a score above 4 is usually a sufficient condition for an indicator to become a KRI.
  Source: Telkom Proprietary
• 76. KRIs and Dashboards – Defining Key Risk Indicators: Design Matrix
  The Design Matrix is a 6-sigma-based matrix table that examines the relationship between the Risk Event Drivers (RED) and the indicators in the inventory. REDs are the root causes that influence the emergence of the events (indicators). Each RED is weighted according to its percentage contribution.
  A scoring scale of 0-1-3-9 is used. With the design matrix, each indicator that receives a score of 9 receives a Y rating.
  Taking these 2 tools together, the indicators (metrics) that are feasible and effective as KRIs can be determined.
  Source: Telkom Proprietary
  • 77. Defining Key Risk Indicators 3. Improve metrics.
  The 'improve metrics' step compares the assessment results of the two tools, the gap assessment and the design matrix. The comparison is done as follows:
   Analyse the indicators that score a '9' in the design matrix but score low in the gap assessment. If a solution or a justification can be found for the low score, the indicator can be considered as a KRI.
   Next, analyse the indicators that score high in the gap assessment but do not receive a '9' in the design matrix. If a modification significantly raises the rating in the design matrix, the indicator can also be taken as an alternative KRI. At this stage the potential KRIs (indicators) may be modified.
   The step closes by deleting all indicators that do not show a sufficient relationship in the assessment of either tool.
  Source: Telkom Proprietary KRIs and Dashboards
  • 78. Defining Key Risk Indicators 4. Validation and trigger-level identification.
   The previous steps usually rely on subjective judgement to assess the relationship between the risk-event drivers and the metrics. For indicators where that relationship can reasonably be stated (self-evident at the operational level), no validation is needed.
   However, when there is a new metric (see step 3, metric modification), a validation process is needed to make sure that the metric really is a KRI.
   Validation generally uses historical data; when none is available, suitable assumptions can be made to describe the correlation between the risk-event drivers and the modified metrics, from which the trigger level is identified (see the example on the slide).
  Source: Telkom Proprietary KRIs and Dashboards
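Steps 1 to 4 above can be run mechanically once the two tools are expressed as scores. The following is an added example for this page, not Telkom's tool: it applies the gap-assessment composite score (threshold above 4), the 0-1-3-9 design matrix against contribution-weighted risk-event drivers, and the step-3 comparison to a constructed inventory for the call-centre risk of slide 74. The criteria, weights, indicator names and scores are all assumptions.

```python
"""KRI shortlisting with the two tools from the slides: the gap-assessment
composite score (slide 75) and the 0-1-3-9 design matrix against weighted
risk-event drivers (slide 76), followed by the step-3 comparison (slide 77).
Added example for this page; the criteria, weights, thresholds and the
call-centre indicators below are constructed assumptions, not Telkom data."""

from dataclasses import dataclass

GAP_THRESHOLD = 4.0          # slide 75: composite score above 4 qualifies
STRONG = 9                   # slide 76: a 9 in the design matrix earns the Y rating
ALLOWED_RELATION = {0, 1, 3, 9}
KRI_TYPES = {"coincident", "causal", "control", "volume"}

# Gap-assessment criteria and their weights (assumed; each criterion scored 1..5).
CRITERIA_WEIGHTS = {"data_available": 1.0, "timely": 1.0, "predictive": 2.0}

# Risk-event drivers (root causes) for the call-centre risk on slide 74,
# weighted by an assumed percentage contribution (sums to 1).
RED_WEIGHTS = {"understaffing": 0.40, "stale_customer_data": 0.35, "weak_call_scripts": 0.25}


@dataclass(frozen=True)
class Indicator:
    name: str
    kri_type: str      # coincident | causal | control | volume
    gap_scores: dict   # criterion -> 1..5
    relations: dict    # risk-event driver -> 0 | 1 | 3 | 9


def gap_composite(ind: Indicator, weights=CRITERIA_WEIGHTS) -> float:
    """Weighted mean of the gap-assessment criteria scores."""
    return sum(weights[c] * ind.gap_scores.get(c, 0) for c in weights) / sum(weights.values())


def design_matrix_score(ind: Indicator, red_weights=RED_WEIGHTS) -> float:
    """Contribution-weighted sum of the 0/1/3/9 relationship strengths."""
    bad = [v for v in ind.relations.values() if v not in ALLOWED_RELATION]
    if bad:
        raise ValueError(f"{ind.name}: relationship scores must be 0, 1, 3 or 9, got {bad}")
    return sum(red_weights[red] * ind.relations.get(red, 0) for red in red_weights)


def strong_link(ind: Indicator) -> bool:
    """Y rating: at least one driver scored 9."""
    return any(v == STRONG for v in ind.relations.values())


def classify(ind: Indicator) -> str:
    """Slide 77 decision: 'kri' when both tools agree, 'review_gap' when the matrix
    says 9 but the gap score is low, 'review_matrix' for the opposite, else 'drop'."""
    if ind.kri_type not in KRI_TYPES:
        raise ValueError(f"{ind.name}: unknown KRI type {ind.kri_type}")
    gap_ok = gap_composite(ind) > GAP_THRESHOLD
    if gap_ok and strong_link(ind):
        return "kri"
    if strong_link(ind):
        return "review_gap"
    if gap_ok:
        return "review_matrix"
    return "drop"


def coverage(candidates) -> dict:
    """Slide 74 rule of thumb: 5 to 10 candidate metrics per risk, covering at
    least one KRI category. Returns the check result for the shortlist."""
    types = sorted({c.kri_type for c in candidates})
    return {"count": len(candidates), "count_ok": 5 <= len(candidates) <= 10,
            "types": types, "types_ok": len(types) >= 1}


# Constructed inventory for the call-centre risk "customers not handled
# professionally / inaccurate customer information" (slide 74).
INVENTORY = [
    Indicator("abandon_rate_pct", "volume",
              {"data_available": 5, "timely": 5, "predictive": 4},
              {"understaffing": 9, "stale_customer_data": 0, "weak_call_scripts": 3}),
    Indicator("crm_sync_failures_per_day", "causal",
              {"data_available": 4, "timely": 5, "predictive": 5},
              {"understaffing": 0, "stale_customer_data": 9, "weak_call_scripts": 0}),
    Indicator("agent_overtime_hours", "causal",
              {"data_available": 3, "timely": 3, "predictive": 4},
              {"understaffing": 9, "stale_customer_data": 0, "weak_call_scripts": 1}),
    Indicator("qa_audit_pass_rate_pct", "control",
              {"data_available": 5, "timely": 4, "predictive": 5},
              {"understaffing": 1, "stale_customer_data": 3, "weak_call_scripts": 3}),
    Indicator("calls_per_day", "volume",
              {"data_available": 5, "timely": 5, "predictive": 1},
              {"understaffing": 1, "stale_customer_data": 0, "weak_call_scripts": 0}),
]


def shortlist(inventory=INVENTORY) -> dict:
    """Run both tools over the inventory and return the step-3 outcome per indicator."""
    return {ind.name: classify(ind) for ind in inventory}


if __name__ == "__main__":
    for ind in INVENTORY:
        print(f"{ind.name:28s} gap={gap_composite(ind):.2f} "
              f"matrix={design_matrix_score(ind):.2f} -> {classify(ind)}")
    kept = [i for i in INVENTORY if classify(i) != "drop"]
    print("coverage:", coverage(kept))
```

With this inventory, abandon rate and CRM sync failures pass both tools, agent overtime is a step-3 "matrix says 9, gap score low" case to justify or fix, QA pass rate is the opposite case, and calls per day is dropped. The coverage check then reports only four survivors, below the 5-to-10 rule of thumb, which is exactly the signal that the inventory needs more candidate metrics before step 4.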
  • 79. Defining Key Risk Indicators 5. Dashboard design.
   As part of defining KRIs that are feasible and effective at showing how risk is developing, the dashboard is a very important element for business managers, process owners, and senior management.
   The dashboard is part of the risk management process and is useful in the monthly business review and in other meetings about the achievement of company objectives.
   The dashboard usually uses charts and tables that show precise and comprehensive information about the company's risk condition and the KRIs that management is concerned with.
  Source: Telkom Proprietary KRIs and Dashboards
  • 80. Defining Key Risk Indicators 6. Control plan and escalation criteria.
   The main function of the control plan is to make sure that escalation criteria and roles are available for intervening on the agreed KRIs, so that whoever treats a KRI that affects the company's objectives, and whenever they do so, the treatment does not change the processes and procedures set at the start.
   Generally, a control plan contains: the KRI metric, the measurement frequency, a description of the measurement system, goals, trigger levels, escalation criteria, and the owner of the escalation criteria (as shown in the example table on the slide).
  Source: Telkom Proprietary KRIs and Dashboards
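The control plan only does its job if the trigger levels and the escalation roles are fixed in advance and applied the same way every period. The following is an added example for this page, not a Telkom control plan: each plan entry carries the fields listed above (metric, frequency, measurement system, goal, trigger levels, escalation criteria, owner), a series of constructed monthly observations is mapped to green/amber/red, and a sustained-breach criterion decides who the plan escalates to. The KRI names are taken from slide 83; the goals, levels, roles and values are assumptions.

```python
"""Control plan with trigger levels and escalation criteria for agreed KRIs
(slide 80), evaluated over a series of monthly observations. Added example
for this page; the KRIs, goals, trigger levels, roles and the observations
are constructed assumptions, not a Telkom control plan."""

from dataclasses import dataclass

GREEN, AMBER, RED = "green", "amber", "red"


@dataclass(frozen=True)
class ControlPlanEntry:
    kri: str
    frequency: str          # measurement frequency
    measurement: str        # description of the measurement system
    goal: float             # target value
    higher_is_worse: bool   # direction in which the KRI deteriorates
    amber: float            # first trigger level
    red: float              # second trigger level
    escalation: dict        # status -> role that must intervene
    owner: str              # owner of the escalation criteria

    def status(self, value: float) -> str:
        """Map one observation to green/amber/red using the plan's trigger levels."""
        if self.higher_is_worse:
            if value >= self.red:
                return RED
            if value >= self.amber:
                return AMBER
        else:
            if value <= self.red:
                return RED
            if value <= self.amber:
                return AMBER
        return GREEN


def validate_plan(plan) -> None:
    """Trigger levels must lie on the bad side of the goal, in order, with roles for both."""
    for e in plan:
        ordered = (e.goal < e.amber < e.red) if e.higher_is_worse else (e.goal > e.amber > e.red)
        if not ordered:
            raise ValueError(f"{e.kri}: goal/amber/red are not monotonic for its direction")
        if set(e.escalation) != {AMBER, RED}:
            raise ValueError(f"{e.kri}: escalation roles must be defined for amber and red")


def evaluate(plan, observations) -> list:
    """observations: (period, kri, value). Returns one record per observation with
    the status and, for amber/red, the role the plan escalates to."""
    validate_plan(plan)
    by_kri = {e.kri: e for e in plan}
    out = []
    for period, kri, value in observations:
        entry = by_kri.get(kri)
        if entry is None:
            raise KeyError(f"{kri} is not an agreed KRI in the control plan")
        st = entry.status(value)
        out.append({"period": period, "kri": kri, "value": value, "status": st,
                    "escalate_to": entry.escalation.get(st), "owner": entry.owner})
    return out


def sustained_breach(results, kri: str, periods: int = 2) -> bool:
    """Escalation criterion used here (assumed): the last `periods` observations
    of a KRI were all outside green, so a single blip does not trigger."""
    series = [r["status"] for r in results if r["kri"] == kri][-periods:]
    return len(series) == periods and all(s != GREEN for s in series)


# Constructed control plan for two of the business-growth KRIs named on slide 83.
PLAN = [
    ControlPlanEntry("line_churn_pct", "monthly",
                     "disconnected lines / opening lines, from the billing system",
                     goal=1.5, higher_is_worse=True, amber=2.0, red=3.0,
                     escalation={AMBER: "Process Owner", RED: "Business Unit Head"},
                     owner="Head of Revenue Assurance"),
    ControlPlanEntry("minutes_of_usage_per_line", "monthly",
                     "billed minutes / active lines, from the mediation feed",
                     goal=120.0, higher_is_worse=False, amber=100.0, red=80.0,
                     escalation={AMBER: "Product Manager", RED: "Marketing Director"},
                     owner="Head of Revenue Assurance"),
]

# Constructed observations: (period, KRI, value).
OBSERVATIONS = [
    ("2014-08", "line_churn_pct", 1.4),
    ("2014-09", "line_churn_pct", 2.2),
    ("2014-10", "line_churn_pct", 3.1),
    ("2014-08", "minutes_of_usage_per_line", 125.0),
    ("2014-09", "minutes_of_usage_per_line", 95.0),
    ("2014-10", "minutes_of_usage_per_line", 90.0),
]


def run(plan=PLAN, observations=OBSERVATIONS) -> dict:
    """Evaluate the plan and flag which KRIs are in sustained breach."""
    results = evaluate(plan, observations)
    return {"results": results,
            "sustained": {e.kri: sustained_breach(results, e.kri) for e in plan}}


if __name__ == "__main__":
    for r in run()["results"]:
        print(f"{r['period']} {r['kri']:26s} {r['value']:>6} {r['status']:5s} -> {r['escalate_to']}")
```

The `validate_plan` check is the part worth keeping in any real implementation: a plan whose amber level sits on the wrong side of the goal, or whose red level has no owner, is the usual way an escalation silently never fires.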
  • 81. Defining Key Risk Indicators
  [Figure: KRI driver tree for Net Add & ARPU. Labels on the diagram (translated): Deployment, Sales, Churn, Usage, Price, Demand, Penetration, Competitor, ready to sell, ex-disconnections, repair, potential, existing, poor product quality, poor after-sales service, uncompetitive price, tariff, gimmick, arrears, disconnection requests, revenue management, voice, data, SMS.]
  Source: Telkom Proprietary KRIs and Dashboards
  • 82. Structuring Vision-Mission - KRIs
  [Figure: flow from Vision-Mission to the Strategic Objective ("Creating Superior Position by Strengthening The Legacy & Growing New Wave Businesses to Achieve 60% Of Industry Revenue in 2015"), to the Corporate 10-Strategy Initiatives, to Significant Risks and Notable Significant Risks deployed through Risk Identification & Assessment, to Key Risk Indicators. Risks related to performance are shown under Strategic Risk, Operational Risk and Financial Risk: Business Growth, Revenue Leakage, Business Interruption, Forex, Interest Rate, Liquidity, Cost Eff. & Effect., Control Eff. & Effect. Indicator types shown: Co-Incident Indicators, Causal Indicators, Volume Indicators.]
  KRIs and Dashboards Source: Telkom Proprietary
  • 83. Defining a Dashboard
  [Figure: Business Growth early warning system. Columns: RISKS (Business Growth; Strategic Risks, Financial Risks, Operational Risks, Market Risks), RISK MAP/LEVEL (dynamic map placing S1 against the Appetite line), KEY RISK INDICATORS (Minutes of usage, # LIS current, # LIS churn, Tariff) for the TLKM products Flexi and Speedy. Data sources: data warehouse, TLKM existing applications (TiBs, TREMs, TiCAREs), internal sources, external information. Indicators are combined into a composite, PTA1 = f[KRI1, KRI2, ..., KRIn]; if, for instance, f(x) = KRI1 x (KRI2 - KRI3).]
  KRIs and Dashboards Source: Telkom Proprietary
  • 85. The Application of Enterprise Risk Management at 'Airport Administrator' or 'Aviation Administration'
  I Nyoman Wisnu Wardhana, 28 November 2014
  • 86. Content
  1 Introduction
  2 ERM for Aviation – Airport Administration
  3 The Governance and Its Structures
  4 The Process of Implementing ERM at AA
  • 87. Introduction: The Legislation of AA
  Source: Federal Aviation Administration - US
  How about in Indonesia?
  • 88. Introduction: The Scope of AA
  ERM is defined as a holistic approach and process to identify, prioritize, mitigate, manage, and monitor current and emerging risks in an integrated way across the breadth of the enterprise. What do you think?
  Airports are unique in operations, customers, structure, stakeholders, and objectives; consequently, the approach to ERM implementation should be tailored to each airport. Then, how to create the ERM framework and develop ERM processes?
  • 89. Introduction: The Scope of AA – cont.'
  The scope covered some areas v. the purpose of administration. AA usually defines its scope as:
   Airport policymakers
   Stakeholders: regulators, suppliers, airline partners, local communities, public users, and auditors
   Accountability for managing uncertainty
   Airports need to demonstrate that risk is effectively considered and controlled, especially during strategic decision-making
   Transparency in the risk management process
   Policymakers need assurance that the organization's internal controls and management decision-making are effective
  • 90. ERM for Aviation – Airport Administration: The rationale for implementing ERM at AA
   Airports have always focused on preventing hazards and finding ways to reduce the risks associated with their operations.
   Many airports face resource constraints, and staff are stretched thin by the multitude of activities they are asked to accomplish.
  However, merely promoting safety in operations and insuring against natural disasters is not sufficient. Airports must also manage the broad array of strategic and operational risks facing an ever-changing aviation industry.
  In such an environment, ERM can be an important management tool that assists airport staff in driving decision-making and allocating resources on a risk basis. Through ERM, potential risks and emerging opportunities are proactively identified, assessed, monitored, and addressed on an organization-wide basis. By understanding financial, operational, strategic, and reputational risks and opportunities, the airport can capture the full gamut of the uncertainty that it faces in all facets of airport operations.
  • 91. ERM for Aviation – Airport Administration: What is ERM?
  ERM is a structured, consistent, and continuous system that is applied across an entire organization to manage uncertainty. Risks are uncertain future events that can influence an organization's ability to achieve its objectives. The term "risk" is usually applied in one of three distinct senses:
   Risk as threat versus exposure. Risk considered as a threat implies potential negative events that could result in financial or reputational harm to the organization, whereas risk considered as exposure could also be positive.
   Risk as variance. This interpretation of risk includes the distribution of all possible outcomes, both positive and negative. Stated differently, risk is synonymous with variance.
   Risk as opportunity. This understanding of risk is based on the concept that a relationship exists between risk and return: the greater the risk, the greater the potential return and the greater the potential for loss.
  • 92. ERM for Aviation – Airport Administration: ERM v. Traditional Risk Management
  Risk identification and assessment
    ERM:  Critical airport risks are identified, quantified, and weighted against opportunity  Risk/opportunity drivers are identified  Effectiveness of risk controls is evaluated  Risk/opportunity materiality is considered  Risk/opportunity ownership is assigned
    Traditional:  Focus on hazards and transferable risks  Insurable risks are identified and assessed based on the relative availability of insurance
  Risk mitigation strategies
    ERM:  A variety of options are considered, including risk transfer options and organizational change  Strategies are developed for pursuing opportunities that take into account potential risks
    Traditional:  Balance of available insurance policy limits against retained levels of financial loss (deductibles, retention levels)  Risk management is intuitive and indistinct from standard operating process
  Monitoring and reporting
    ERM:  Ongoing  Integral to airport strategy  Helps to ensure the integrity of financial reporting
    Traditional:  Static  Revisited in response to an event or annual audit
  How risks are viewed
    ERM:  There is an aggregated view of risk across the enterprise  The balanced relationships between opportunities and risks are evaluated  Entity-level portfolio of risks and opportunities
    Traditional:  Risks are viewed in silos  Risks as individual hazards
  Risk categories
    ERM:  All risk/opportunity categories are considered (e.g., hazard, financial, strategic, operational, people, legal, regulatory, etc.)
    Traditional:  Risk categories tend to focus on hazard, safety, and financial
  Ultimate goal
    ERM:  Risk/reward optimization: preserve and create value
    Traditional:  Mitigation of insurable risks  Minimize risk transfer spend
  Traditional risk management focuses on risks independent of business concerns and organizational strategy!
  • 93. ERM for Aviation – Airport Administration: The Value of ERM at AA
  Internally, value is created by helping managers to better understand their risk profile, better anticipate financial performance, mitigate risks, make better-informed decisions, and leverage opportunities.
  Externally, ERM helps an organization satisfy policymakers' and external stakeholders' (auditors, regulators, partners, public users, and local communities) expectations of internal control and risk management.
  Risk Awareness: ERM provides a framework for the aggregation of risks and opportunities across an airport, resulting in better visibility.
  Proactive Preparation for Catastrophic Events: ERM also aids airports in developing plans for addressing events that are very unlikely to occur, but that will have a very significant impact if they do materialize, such as natural catastrophes, terrorist attacks, ash-producing volcanic eruptions, extreme weather, airplane crashes, or pandemic/infectious disease (Ebola, H1N1 Influenza, H5N1 Influenza, and SARS).
  Business Uncertainty: in the aviation industry the market is changing, with tighter competition, aging infrastructure, increased reliance on non-aviation revenue, and an increasingly unstable financial position.
  Addressing Financial Uncertainty: ERM can identify strategies to protect an airport's balance sheet from unexpected losses.
  Meeting Policymaker and Stakeholder Expectations.
  • 94. ERM for Aviation – Airport Administration: The ERM Standards
  Numerous best-practice risk management guidelines, requirements, and standards exist, varying in content and methodology according to the jurisdiction or governing body that employs them. Each individual standard exhibits particular strengths and incentives for adoption; however, all ERM standards aim to:
   Ensure appropriate ERM accountability,
   Enhance organization flexibility and resiliency, and
   Account for the full spectrum of risks.
  Examples: COSO ERM Integrated Framework, ISO 31000, AIRMIC-ALARM-IRM, Basel II.
  • 95. ERM for Aviation – Airport Administration: The ERM Framework
  Airports are both quasi-public entities and business operations and therefore are directed by policymaking bodies, may be part of a larger governmental entity, and must tailor their operating activities and business decisions to satisfy multiple stakeholder agendas. Each airport has a unique combination of operating environment, governance structure, and organizational culture. An airport's ERM framework should reflect this. Nonetheless, there are also a number of common fundamental elements that every airport should consider when implementing an ERM framework:
   Governance and Infrastructure: an enterprise-wide approach
   Identification and Prioritization: risks and opportunities
   Controls and Risk Response: current controls are assessed
   Monitoring and Reporting: strong governance to facilitate risk reporting and monitoring
   Implementation: a plan is in place to guide and drive ERM implementation
   Integration with key processes: the ERM framework is aligned with key processes
   Continuous Improvement and Sustainability: the ERM is reviewed against performance
  • 96. The Governance and Its Structures: The ERM Platform and Structure
  This provides the platform and structure on which to build and develop ERM across an airport administration. It is important to consider each step to ensure that the pillars providing the foundation for ERM are established and tailored to the airport administration's culture, structure, and objectives.
  1. ERM policy and strategy
  2. Risk appetite
  3. Executive sponsorship
  4. Appropriate positioning
  5. Developing a governance structure
  Senior management support and participation is critical for these activities!
  • 97. The Governance and Its Structures: The ERM policy and strategy
  ERM Policy. The ERM policy is a formal acknowledgement of the AA's commitment to take an enterprise-wide approach to managing risk and strives to accomplish uniformity across the ERM implementation process. The ERM policy should include (at a minimum):
   The rationale for ERM
   A reference to the risk appetite of the airport
   The role of employees in the ERM framework
   Sign-off by the CEO or board
  ERM Strategy. The purpose of the ERM strategy is to provide an overview of the AA's ERM framework. The strategy should act as a reference policy for those with risk management responsibilities. It may contain:
   An outline of the purpose of the AA's ERM strategy
   An outline of the aims of the ERM framework
   A statement on risk appetite
   An overview of the ERM process
   An outline of roles and responsibilities
   Performance management
  • 98. The Governance and Its Structures: The Risk Appetite and Tolerance
  An organization's risk philosophy is a set of shared beliefs and attitudes characterizing how the organization considers risk in its business operations, from strategic planning and implementation to day-to-day activities.
  Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise's risk management philosophy, and in turn influences the entity's culture and operating style.
  Risk tolerance is arguably a more empirical measure of how much loss an organization can withstand on its balance sheet before certain parameters are breached (COSO, 2004).
  Sample risk appetite statements by area:
  Financial:  To maintain an investment grade of IDR 25 T annually (until 2020)
  Safety:  To achieve a recordable case rate or lost-time injuries of not more than 1 per 1000 hours worked (within a 3-year timeframe)  Zero tolerance on loss of life or serious injury
  Energy efficiency:  To ensure a reduction in energy consumption per unit produced of no less than X% in 10 years
  Regulatory:  Zero tolerance on compliance breaches
  Reputation:  To reduce the number of negative national media press coverage incidents
  Market:  To maintain 2 million passengers/customers monthly  Customer growth of 5% annually
  • 99. The Governance and Its Structures: Management Commitment
  Successful ERM implementation requires the airport administrator's senior management to be fully committed to the ERM framework and processes. Questions from senior leaders:
   At this airport, I am too busy dealing with today's issues; I don't have the time and energy for ERM. Do I have to get involved?
   What will be the immediate results and efficiencies?
   We don't have the people or resources to do ERM; how can I possibly do this?
   Management is aware of what the top risks and opportunities are. It is common sense. Why is a risk register needed?
   We focus on proactive management of safety risks and respond to other risks when they occur, and we have never had any problems. Why introduce ERM now?
   I am not a risk management professional; how do you expect me to do ERM?
   ERM seems to simply be documenting what we already do. Isn't that just bureaucracy?
  • 100. The Governance and Its Structures The Structure Airports vary in their size and organizational structure; therefore, there is no prescribed ERM governance structure. The structure most appropriate for a particular airport will be influenced by the maturity of the current risk management processes, resource capabilities, skill sets, existing processes, size, and structure.
  • 101. The Governance and Its Structures: The Structure and its Roles (an example of the AA senior leaders' roles)
  Board
   Approve the ERM policy, strategy, and framework
   Review the key risks to the airport and the controls that are in place, and provide assurance to stakeholders that the risks and opportunities are being effectively mitigated
   Promote their support of ERM
  AA Senior Leader Team / ERM Committee
   Provide guidance and oversight to the ERM framework
   Challenge the effectiveness of the ERM framework
   Regularly review the ERM policy and strategy to ensure that it underpins the airport's strategy and objectives
   Agree on the risk appetite for the airport
   Ensure all emerging risks are appropriately managed
   Allocate sufficient resources to address top risks
   Create an environment and culture where ERM is promoted, facilitated, and appropriately undertaken by the organization
  Audit Committee
   Gain assurance for the organization that ERM is being properly undertaken
   Review risks arising through key third-party relationships and ensure that these risks are adequately managed
   Ensure insurance and other risk financing is used effectively within the ERM process
  Risk Champions
   Communicate the benefits of ERM across their operational area
   Help facilitate the ERM process and risk reporting procedures across their operational area
   Help ensure that the commitment of key stakeholders is obtained
   Share best practices across the Risk Champion Network
  All Staff
   Take due care to understand and comply with the ERM processes
   Monitor their own area on an ongoing basis to identify new and emerging risks and opportunities and escalate as required
  • 102. The Process of Implementing ERM at AA The Basic PDCA of ERM The ERM process is a continuous process that involves the identification and prioritization of risks and opportunities and the implementation of actions to mitigate top risks and capture opportunities. In addition, the ERM process focuses on reporting on risk and opportunities across the organization to allow for an aggregated view of risk and opportunities. This builds on the concept of the Plan-Do-Check-Act (PDCA) cycle also known as the Deming Cycle of continuous improvement.
  • 103. The Process of Implementing ERM at AA Risk Identification Techniques Risk identification sessions can and should occur at any level of the airport administration: the board level, departmental level, even at the single team level. Risk identification techniques to consider include the following:  Analysis of previous losses, events, incidents, or lessons learned  Process flow analysis  Business impact analysis  Questionnaires  Interviews  Facilitated workshop  Scenario analysis  Review the previous risk register (if one exists) Might use these questions:  What are the top five risks facing the airport or your department?  What are the causes of each of these risks?  What are the consequences of each of these risks?  What are the top three current controls in place against each of the risks identified?  How effective are these controls?  How are the risks currently monitored?
  • 104. The Process of Implementing ERM at AA: Risk Categories
  In terms of the types of risk that an airport should be considering during this process, it is not possible to develop a set of risks, opportunities, and categories that would fit all airports. Likewise, there is no one right way of listing or categorizing risk. Some example opportunities are the following:
   Attracting new service, frequencies, and destinations
   Enhancing the business model through new airline agreements
   Commercial development of available land
   Community partnerships
   Renewable energy
   Further optimization of internal processes
   Optimizing terminal concessions
   Attracting new internal service
  • 105. The Process of Implementing ERM at AA: Prioritization of Risk
  To assess each risk in terms of impact and likelihood, assessment scales should be developed. It is important for each airport administrator to develop assessment criteria that are tailored to its operations, strategy, and size. In customizing the assessment criteria, the following should be considered:
   Materiality: the airport administrator's risk appetite and tolerance statements can be used to inform the development of the assessment criteria.
   Number of assessment scales: this will depend on the desired level of complexity.
   Financial impact: the risk appetite can be used to determine the financial impact scales.
   Impact descriptors: financial impact is not always the only impact a risk can have for an airport. Impact on reputation, disruption to operations, or environmental damage may also be significant.
   Likelihood horizon: it is recommended that the likelihood scale is aligned to the time horizon of the airport administrator's strategy.
  • 106. The Process of Implementing ERM at AA: Risk Acceptance Criteria
  Developing risk-assessment criteria is essential to improving consistency in risk prioritization across the organization and removing subjectivity from the process.
  Risk Score = Impact x Likelihood
  [Tables on the slide: Example of Impact Criteria; Example of Likelihood Criteria]
  • 107. The Process of Implementing ERM at AA: Risk Map
  Impact and likelihood assessments also allow for a risk map (or heat map) to be created. This is a simple illustration of the airport administration's risk profile and can be used for communicating with boards, senior management, and other stakeholders.
  [Figure: 5x5 heat map, Likelihood (Very Low to Very High) against Impact (Very Low to Very High), with an Appetite line. Risks plotted: O6; O7 / S3; O1; F1 / S4; S5; S7; O2; O3; F4 / F2 / F3 / O4 / S2 / S6 / S1; O5.]
  Legend: S.1 Business Growth; S.2 Merger & Acquisition; S.3 Regulatory; S.4 Technology Shift; S.5 Culture Transformation; S.6 Legal/Litigation; S.7 Customer Profiling; O.1 Return on Investment; O.2 Fixed Assets Mgt; O.3 Information Technology; O.4 Compliance; O.5 Revenue Leakage; O.6 Human Resources; O.7 Business Interruption; F.1 Foreign Exchange; F.2 Interest Rate; F.3 Liquidity; F.4 Cost Efficiency & Effectiveness.
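Slides 105 to 107 describe the scoring mechanics without showing them worked through. The following is an added example for this page, not the airport's or Telkom's criteria: it derives the impact rating from a financial band plus the worst non-financial descriptor, the likelihood rating from a probability over the strategy horizon, multiplies them into a risk score, places each risk in its heat-map cell, and prioritizes the register against an appetite line. The band thresholds, the appetite score and the ratings given to the register entries (which reuse the risk IDs of slide 107) are constructed assumptions.

```python
"""Impact x likelihood scoring and heat-map placement for a risk register
(slides 105 to 107). Added example for this page; the impact and likelihood
scales, the appetite line and the sample ratings for the register entries are
constructed assumptions, not the airport's or Telkom's criteria."""

# Impact scale: financial bands in IDR derived from an assumed appetite; the
# non-financial descriptors (reputation, disruption, environment, regulatory)
# are rated 1..5 directly by the assessor (slide 105, "impact descriptors").
IMPACT_LABELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
FINANCIAL_BANDS = [(250e9, 5), (50e9, 4), (10e9, 3), (1e9, 2)]   # loss >= floor -> rating

# Likelihood scale: probability over the strategy horizon (assumed 5 years,
# slide 105 "likelihood horizon").
LIKELIHOOD_BANDS = [(0.8, 5), (0.5, 4), (0.2, 3), (0.05, 2)]    # p >= floor -> rating

APPETITE_SCORE = 12   # assumed appetite line: a score above 12 needs treatment


def impact_rating(financial_loss_idr: float, other_impacts=()) -> int:
    """Financial band first, then the worst of any non-financial descriptor."""
    fin = next((r for floor, r in FINANCIAL_BANDS if financial_loss_idr >= floor), 1)
    others = [int(x) for x in other_impacts]
    if any(x < 1 or x > 5 for x in others):
        raise ValueError("non-financial impact ratings must be 1..5")
    return max([fin, *others])


def likelihood_rating(probability: float) -> int:
    """Probability over the strategy horizon mapped to the 1..5 scale."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return next((r for floor, r in LIKELIHOOD_BANDS if probability >= floor), 1)


def risk_score(impact: int, likelihood: int) -> int:
    """Slide 106: Risk Score = Impact x Likelihood."""
    return impact * likelihood


def heat_cell(impact: int, likelihood: int) -> str:
    """Cell label in impact/likelihood order, e.g. 'H/VH' for impact High, likelihood Very High."""
    short = {1: "VL", 2: "L", 3: "M", 4: "H", 5: "VH"}
    return f"{short[impact]}/{short[likelihood]}"


def assess(register) -> list:
    """register rows: (id, name, financial_loss_idr, other_impacts, probability).
    Returns the rows scored, placed on the map, and sorted by priority."""
    rows = []
    for rid, name, loss, others, p in register:
        i, l = impact_rating(loss, others), likelihood_rating(p)
        s = risk_score(i, l)
        rows.append({"id": rid, "name": name, "impact": i, "likelihood": l,
                     "score": s, "cell": heat_cell(i, l), "above_appetite": s > APPETITE_SCORE})
    return sorted(rows, key=lambda r: (-r["score"], -r["impact"], r["id"]))


# Constructed register using the risk IDs of slide 107; the loss figures,
# descriptor ratings and probabilities are illustrative only.
REGISTER = [
    ("S.1", "Business Growth",        60e9,  [3], 0.60),
    ("O.5", "Revenue Leakage",        15e9,  [2], 0.85),
    ("O.7", "Business Interruption", 300e9,  [4], 0.10),
    ("F.2", "Interest Rate",           5e9,  [],  0.50),
    ("O.4", "Compliance",            0.5e9,  [5], 0.03),
]


def prioritized_ids(register=REGISTER) -> list:
    return [r["id"] for r in assess(register)]


def above_appetite_ids(register=REGISTER) -> list:
    return [r["id"] for r in assess(register) if r["above_appetite"]]


if __name__ == "__main__":
    for r in assess(REGISTER):
        flag = "TREAT" if r["above_appetite"] else "monitor"
        print(f"{r['id']} {r['name']:22s} {IMPACT_LABELS[r['impact']]:9s} x L{r['likelihood']} "
              f"= {r['score']:2d}  cell {r['cell']:6s} {flag}")
```

Note how O.4 Compliance lands at Very High impact on the strength of its regulatory descriptor alone (the "zero tolerance" appetite statement of slide 98) even though its financial loss is negligible; without the non-financial descriptors in `impact_rating` it would score 1, which is the distortion the slide 105 bullet on impact descriptors warns about.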
  • 108. The Process of Implementing ERM at AA: Risk Map cont.'
  Top 10 business risks for telecoms operators (prioritized):
  1. Failure to shift the business model from minutes to bytes
  2. Disengagement from the changing customer mindset
  3. Lack of confidence in return on investment
  4. Insufficient information to turn demand into value
  5. Lack of regulatory certainty on new market structures
  6. Failure to capitalize on new types of connectivity
  7. Poorly managed M&A and partnership
  8. Failure to improve business metrics
  9. Privacy, security, and resilience
  10. Lack of organizational adaptation to changing strategic needs
  Below the radar:
   A more pressing green agenda
   Concentration of equipment vendors
   Difficulties in managing debt and cash
   Evolving service cannibalization scenarios
  • 109. The Process of Implementing ERM at AA Review of Risk Controls The majority of airports that complete the ERM process will find that they already have various controls in place for the identified risks. This stage in the process is focused on reviewing and assessing whether these controls effectively mitigate those risks to the required level so that a decision can be made about whether additional controls may be required. During this review, opportunities should also be evaluated to ensure that strategies are in place to maximize value. The controls in place for each of the top risks should be identified and recorded in the risk register. Then, a small group of people with a good understanding of the risk and the controls should use control assessment criteria to decide whether those controls are (1) completely effective and no additional controls are required, (2) partially effective and additional controls need to be considered, or (3) not effective and additional controls must be put in place to control the risk.
  • 110. The Process of Implementing ERM at AA: Risk Response Planning – Treatment Options
  Risk response planning is essential to ensure that steps are taken to mitigate key risks to the airport. The aim is to reduce the risk profile of the airport to an acceptable level, based on the amount of risk the airport is willing to accept. This does not mean that every risk can or indeed needs to be mitigated until it falls into the green area on the risk map. Some risks, by their nature, cannot be mitigated to a very low impact or likelihood, and others the airport may decide to accept at a higher level. The benefits (reduced likelihood or reduced impact) of proposed treatments should be weighed against the cost of implementing them.
  Retain the risk. Decide to accept the risk as it is and do nothing further to mitigate it. Risks that are accepted may still require monitoring and review.
  Avoid the risk. If the risk is undesirable, or the organization does not have the capability to manage the risk. One example of how to avoid a risk is stopping a certain process or activity completely.
  Modify the risk. This involves putting in place additional risk control measures that reduce the likelihood and/or the impact of the risk to an acceptable level.
  Transfer the risk. This involves transferring the cost of the risk to a third party through insurance, contracts, or outsourcing the activity.
  • 111. The Process of Implementing ERM at AA Developing Risk Response Plans A risk response plan is a tool to record, assign responsibility for, and monitor those additional mitigation measures that the airport deems necessary to have in place to ensure the risk is managed to an acceptable level. The risk response plan should be developed by the risk owner in collaboration with relevant stakeholders
  • 112. The Process of Implementing ERM at AA: Risk Monitoring and Reporting
  Few risks and opportunities or action plans remain static. Risks and opportunities change, priorities change, actions are completed, risk responses that were once effective may become irrelevant, and so on. Therefore, it is important to monitor both risk response plan effectiveness and the risk profile:
   Monitoring risk response plan effectiveness.
   Monitoring the risk profile.
  There is no prescribed format for risk reporting, but it is one of the most important elements of the ERM framework. Risk reports should be formatted so as to be user-friendly, actionable, and usable in decision-making. The reports should also capture both risks and opportunities.
   Determining a risk reporting process. To develop a risk reporting process that is sustainable and ensures the necessary risk information reaches the right people in a timely manner:
  o Determine what information needs to be reported.
  o Define a reporting structure linking into the overall governance structure.
  o Decide the frequency of reporting. This will vary by airport, but formal risk reporting to the board should take place at least annually.
  • 113. The Process of Implementing ERM at AA Risk Monitoring and Reporting Example of Risk Reporting Format
  • 114. The Process of Implementing ERM at AA Develop an Implementation Plan Example of Implementation Plan As with any other process implementation, an implementation plan should be developed. Further, define:  Scalability  The Maturity Measurement  Establish an ERM Culture:  Risk Champions  Training and Education  Communication Plan