
June 19 2017 - Balai Kota DKI - Governance and ERM PWC

The document discusses corporate governance and risk management for state-owned companies in Indonesia. It notes that regulators in Asia-Pacific countries are increasing demands for accountability and transparency in how companies are governed. Indonesian regulations require state-owned companies and local government-owned companies to practice good corporate governance. The key elements of an effective corporate governance framework include board structure, strategy and risk management, transparency, and corporate citizenship. Effective risk governance provides appropriate direction and control over determining company goals and strategy, pursuing goals, identifying risks, and mitigating risks. Boards organize risk governance through risk committees and a "three lines of defence" approach involving management, risk management functions, and internal audit.

Uploaded by

henriko

www.pwc.com

Governance and Enterprise Risk Management
Corporate Governance & Risk
Good Corporate Governance in State-Owned Company

Increasing demand from regulators in the APAC and SEA region (Australia, Singapore, Malaysia and Thailand) regarding accountability and transparency in how companies (public and private) manage themselves and operate on stakeholders' behalf.

Expect more stringent and thorough scrutiny from regulators!

URL: https://www.pwc.com/gx/en/psrc/publications/assets/pwc-state-owned-enterprise-psrc.pdf
How about Indonesia?
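Regulations | Issued by | Relevant for | Content
PER-01/MBU/2011 (Implementation of GCG in BUMN) | Ministry of BUMN | BUMN | Requirement to practice or have GCG infrastructure
UU No. 23 Tahun 2014, Article 343 (Regional Government Law) | Government of Indonesia | BUMD (limited liability and public) | Requirement to practice or have GCG infrastructure
UU No. 40 Tahun 2007 (Limited Liability Company Law) | Government of Indonesia | BUMN and BUMD (limited liability) | Requirement to practice or have GCG infrastructure
Kep. Gub DKI No.96 Tahun 2004 (Implementation of GCG Practices in BUMD) | Governor of DKI Jakarta | BUMD DKI | Requirement to practice or have GCG infrastructure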

Governance and Enterprise Risk Management June 2017


PwC 3
Corporate Governance

Corporate governance refers to the set of systems, principles and processes by which a company is governed in which:
• the objectives of the company are set,
• means of attaining those objectives and
• monitoring performance are determined

The objective of corporate governance is two-fold:

Conformance: To safeguard shareholders’ interests through compliance with legislation, regulation and codes of practice.

Performance: To ensure that the assets of the company are used efficiently and productively and in the best interests of its investors and other stakeholders.

ORCA Framework
Transforming Corporate Governance “Common Sense” into “Common Practice”

O - Objectives: Articulate organization objectives
R - Risk: Acknowledge and assess risk
C - Control: Build in control and adhere to compliance
A - Alignment: Ensure alignment of ORC across enterprise

Key Elements of an Effective Corporate
Governance Framework
I. Board Structure & Composition
• Composition & organisation
• Induction & training
• Board remuneration
• Succession planning / identification & nomination of directors

II. Board Operation and Effectiveness
• Boardroom conduct & relationship
• Audit committee
• Nomination committee
• Remuneration committee
• Other committees

III. Strategy, Planning and Monitoring
• Vision & mission
• Strategic / corporate plan
• Corporate & management performance monitoring
• Information technology strategy
• Human Resources

IV. Risk Management and Compliance
• Risk management framework
• Internal control

V. Transparency and Disclosure
• Financial reporting
• Enhanced reporting

VI. Corporate Citizenship
• Code of conduct
• Business ethics
• Employee relations / Health and safety
• Social responsibilities, including environment

Top Speed Requires Great and Reliable Brakes

“I trust my car, I trust my team. I just need to go out there and win”
- Sebastian Vettel at 2008 Italian Grand Prix

Risk Governance

Risk governance is the architecture within which risk management operates in a company.

It defines the way in which a company undertakes risk management. It is essential for the company to have clarity about what risks are being managed and how.

It provides guidance for sound and informed decision-making and effective allocation of resources.

What makes for effective Risk Governance

Effective risk governance provides the appropriate level of direction and control in:
1. determining the goals and strategy of the company;
2. pursuing those goals;
3. identifying the risks which are present or which may arise when the company pursues its goals; and
4. determining measures to mitigate the risks.

How do Boards Organise themselves with regard
to Risk Governance?

The Three Lines of Defence

Executive management must firmly own the first and second lines. The business must be ready to take action when risks emerge.

Multiple layer of activities that help ensure risks are efficiently and effectively managed and monitored in the manner intended by executives and non-executives.

Responsible for providing objective assurance and advice on governance, risk and compliance.

The 3 Lines of Defence

[Figure: organisation chart. Elements shown: Board of Directors; Board Risk Committee; Audit Committee; ExCO; CEO; Group Risk Committee; Group / Corporate Operational Level Risk Committees; Risk Management Function; Chief Risk Officer; BU 1 and BU 2, each with a BU Risk Coordinator; Internal Audit. Column labels: 1st Line of Defence, 2nd Line of Defence, 3rd Line of Defence.]

Introduction to Risk and Uncertainty

What is risk and uncertainty?
“Risk is the effect of uncertainty on objectives… where uncertainty is the state, even partial, or deficiency of information related to a future event, consequence or likelihood”
- ISO 31000:2009

Questions heard round the boardroom table

• What is our universe of risks?
• What are our top risks?
• What is our risk appetite?
• How can I be happy all key risks are suitably addressed by effective controls?
• What is the basis of any reporting we give on Governance, Risk and Controls?

What executives are saying about Risk

92% of CEOs recognise the importance of risk information to the success of their organisations …

…but lack actionable information to allow for effective risk decisions with clarity and confidence

Illustration of typical categorisation of risks into
“Level 1” and “Level 2” risks

Level 1: Business / Strategic; Operational; Financial; Compliance

Level 2 (risks shown on the slide): Competitive; Macro-Economy; Alliances; Compliance; Efficiency; Capital Adequacy; Regulatory; Customer; Intellectual Property; Industry; Engineering; Environment; Commodity; Liability lawsuits; Shareholder; Legal / Dispute; Ethics & Integrity; Information Technology; Product Quality; Interest Rate; Political; Regulatory; People; Process Design; Sourcing; Credit; Technology; Strategy; Product Safety; Security; Worker Safety; Foreign Exchange; Supply Chain; Equipment / Facilities; Investment; Tax

Strategy cannot eliminate risks. Because we cannot predict the future, risks must be taken.

The purpose of strategy is not to eliminate risk, but to take the "right risks."

- Peter Drucker
Enterprise Risk Management

A Systematic Approach to Addressing Risk offers Considerable Potential Benefits

• Avoid unwelcome surprises and losses
• Clear understanding of organisation's key risks
• Seize opportunities
• Enhance business planning, decision making & forecasting
• Improve integrated responses to multiple risks
• Making sure all angles are covered
• Improved allocation of limited resources
• Align risk appetite and strategy
• Improved collective response to similar risks

Train Hairline Cracks
• Hairline cracks were found in structural components of the trains
• From LTA’s laboratory tests, hairline cracks were due to localised impurity in the
aluminium car-body material that occurred during manufacturing process
• LTA engineers and its contractors assessed that the hairline cracks would not
affect operational safety of the trains
• Trains are being sent back in batches and repairs should be finished within four
years
Enterprise Risk Management

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

To Survive - Resilience (value preservation): The ability to quickly resume a former shape and recover functionality following an adverse impact

To Thrive - Agility (value creation): The ability to move quickly, even to assume a new configuration, to achieve a desired outcome

ERM Frameworks

• ERM frameworks help codify and integrate a structured and disciplined approach towards managing risk into the company’s core business processes and decision-making activities

• Although there is no definitive model of an ERM framework that fits all companies, there are certain common characteristics embodied in internationally recognised risk management standards and in the leading risk management frameworks operating in practice

The key components of COSO ERM 2004
(“Enterprise Risk Management – Integrated Framework”, Committee of Sponsoring Organisations 2004)

8 Elements | Description
Internal Environment | An organization’s ethical values, competence and development of employees, management’s operating style, delegation and accountability
Objective Setting | A process to set objectives and align them with an organization’s mission and risk appetite
Event Identification | A process to identify how potential events might impact the achievement of these objectives; broadly focused on all significant risks across the enterprise
Risk Assessment | A consistent and integrated approach across all business units to consider how potential events might affect the achievement of objectives in terms of probability and impact
Risk Response | Appropriate risk responses are determined to mitigate risks to acceptable levels at a reasonable cost. Responses may include avoidance, mitigation, transfer and acceptance
Control Activities | Policies and other procedures that help ensure risk responses are executed properly
Information & Communication | Opinions, facts, statistics, measurements and other material used to assess and monitor risks and risk responses and prepare management reports
Monitoring | Assessment of the presence and functioning of each framework component and the quality of their performance

[Figure labels: Business Objectives; Business Activities; Components]
PwC’s ERM Framework
Business Strategy
1. Risk strategy: Risk is a core consideration when setting strategy, formulating business plans, managing performance and reward.
2. Risk appetite: Risk appetite clearly articulates the organisation’s risk-carrying capacity, business strategy and financial goals.
3. Risk profile: Identification and assessment of all (current and emerging / desired and undesired) risks faced by the organisation.

Business Management
4. Governance structure: Governance structure (“three lines of defence” model emerging as industry norm). Senior management accountability and responsibility for “top tier” risks.
5. Risk policies: Clear risk management policies and procedures for managing all material risks.
6. Monitoring & Reporting: Business performance measured on a risk-adjusted basis. Capital allocated to operating entities and transaction opportunities are based on risk/reward designs & pricing and post-sale portfolio management.

Business Platform
7. Modelling & Analysis: Internal risk and capital models at the heart of the framework, which meet highest quality standards.
8. Risk culture: People behaviour aligned with group risk, capital and performance strategy / business plans through balanced score cards, MBOs and incentives and rewards schemes. Required level of skill, experience and knowledge exhibited by majority of staff.
9. Risk technology: Core technology to support fully integrated ERM approach. Focus on organisational span, data quality and automated processing.

[Figure: ERM Review Guide diagram showing elements 1 to 9 grouped under Business Strategy, Business Management and Business Platform]

Defining your ERM strategy

“It is not the strongest of species that survives, nor the most intelligent, but the one that is most adaptable to change.”
- Charles Darwin
Defining your ERM approach
ERM objectives

• Governance: Enhance risk awareness to Senior Management and the Board
• Operational: Embed risk management activities in the business
• Strategic: Link risk management to strategic planning and the strategic objectives of the organization

[Figure axes: Value; Desired outcome]

Balancing value and the desired outcome of your ERM Program

Key stakeholder objectives
• Board of Directors / Audit and/or Risk Committee: Confidence that risks are being properly managed
• Executive Leadership and Management: Well informed strategic decision-making
• Risk/Audit/Compliance programmes: Increase risk awareness and streamline risk reporting

Defining your ERM approach
Transition to ERM Implementation Is Based On Maturity Levels

Maturity Level 1. Culture
• 1.1 Awareness of Importance of Risk Management

Maturity Level 2. Risk Identification
• 2.1 Risk Identification and Risk Maps
• 2.2 Risk Organisation and Policy Design

Maturity Level 3. Qualitative Management
• 3.1 Self Assessment Tools
• 3.2 Key Risk Indicators

Maturity Level 4. Quantitative Measurement
• 4.1 Capture Internal Loss Data
• 4.2 Consideration of External Data
• 4.3 Internal Model to Quantify Risk and Exposure

Maturity Level 5. Integrated Management
• 5.1 Integration with Existing Organisation Systems
• 5.2 Risk-Return Metrics
• 5.3 Management Controls and Corrective Actions
• 5.4 Reporting to Management and Stakeholders

Where to Start
Governance Structure: Risk Organization and Policy Design

Audit & Risk Committee (illustrative)

This approach is the most common whereby risk governance is allocated to the Audit committee.

Structure: Board of Commissioner, with an Audit & Risk Committee

Key advantages:
• Provides integrated oversight of the financial reporting process, the audit process, the system of internal controls, compliance with laws and regulations and risks

Separate Audit Committee and Risk Committee (illustrative)

Increasingly, Boards are establishing a separate Board Risk committee that focuses more on risk management.

Structure: Board of Commissioner, with an Audit Committee and a Risk Committee

Key advantages:
• Focus on risk; Risk agenda items not briefly mentioned
• Committee members have adequate risk knowledge and expertise

Where to Start
Risk Policy: Risk Organization and Policies Design

A sound system of risk management and internal controls contributes to the safeguarding of the organisation’s assets and consequently shareholder’s investments.

Set appropriate policies on the organisation’s system of risk management and internal controls so as to provide guidance to Management and employees on what constitutes a suitable sound system of risk management and internal controls.

Where to Start
Risk Workshop: Risk Identifications and Risk Map
Do you know the risks affecting your business? How do you identify these risks? How do you prioritise?

Risk identification
• Independent moderator prepopulates the workshop database with industry specific best practice information from its internal databases
• Assists in selecting the most suitable candidates for the assessment exercise
• Ensures participation by all through facilitation of the workshop
• Ensures every idea is treated with equal importance before a decision is made on inclusion or rejection

Risk Prioritisation
• The participants are provided with full anonymity and equal airtime to decide on each and every risk identified.
• The assessment for each risk is made individually but the decision on overall priority to the organisation is made jointly
• The facilitation continues during this phase too. Independent moderator could provide the templates on impact and likelihood including definitions and clarifications during this phase.

Risk Reporting
• The heat map is generated instantly, in the workshop. The top ranked risks are discussed and agreed.
• Mitigation measures for the top risks are also discussed and identified at the workshop.
• A report suitable for sharing with the Board or its sub committee is generated almost immediately.
• The journey to proper risk management can commence effortlessly.

Workshop tools: Template Tool; Brainstorm Tool; Discussion Tool; Rating Tool; Presentation Tool; Action Tracker; Instant Reporting

[Figure: Impact likelihood analysis. Panels: Brainstorming of risks; Risk rating tool (Impact: Financial, Non-Financial; Likelihood)]

[Figure: Risk heat map, Residual Risk Profile (or Risk Map). Axes: Impact (Very Low, Low, Medium, High, Very High) and Likelihood (Very Low, Low, Medium, High, Very High). Individual risks plotted with labels such as A1 to A5, B1 to B4, C1 to C5, D1 to D5, E1 to E3, F1 to F3, G1 to G3 and I1. Regions labelled: Extreme events; Continuous Risks]
Where to Start
Risk Register: Risk Identifications and Risk Map

No. | Category | Risk | Impact | Likelihood
1 | Strategy / External | Risk of disruption of operation / loss of income due to unstable government, change of government, or militant activities | 3.71 | 2.00
2 | Operational | Risk of lack of qualified employees at sea or ashore to meet customer's requirement | 3.54 | 1.00
3 | Regulatory / Compliance | Risk of fraud, unauthorized transactions, bribery & corruption due to lack of approval or deviation from authorized level | 2.83 | 2.20
4 | Etc | | |

Risk Treatment Plan

Might also include risk root causes, key risk indicators, risk target levels, commentary on effectiveness of existing countermeasures etc

Business Unit: FLM
Risk Owner: Technical Managers / Fleet Supervision
Internal QMS REF: 00.340.01.100x
Risk Area: Fleet Management
Risk Analysis Coordinator: XXX
Date: xx-xx-xxx

Nature of risk: Risk of lack of qualified employees at sea or ashore to meet customer's requirement

Existing measures to address risks
Strategy | Description | Effectiveness
Prevent | Effective management of officer's qualifications matrix by the marine personnel department using the Q88 programme and/or OCS in the future | Medium
Prevent | Maintain high officer retention statistics through competitive terms & condition and safe working | Medium

Additional required measures
Strategy | Description | By whom | Due date
Prevent | Develop comprehensive crew competence management matrix supported by professional development in specialized marine training centres and reinforced by onboard training | XXX | Q1 FY 17

What Best Practice Looks Like
Risk Dashboard: Risk-Return Metric, Risk-based decision making

Risk Reporting Dashboard/Report/Template

A risk reporting dashboard/report/template presents granular or high-level views of risk, key risk indicators and trends over time. The risk reporting will ensure that the subsidiaries report consistent key risk information/results.

Dashboard columns: Risk / Issue; Appetite Statements; Dashboard (Current, Outlook, Trend); Critical Measure; Key Risk Indicators (Measure, Status, Limit, Capacity)

Risk / Issue: Health and Safety
Appetite statement: No appetite for death, permanent disability or time lost because of insufficient safety protocols
Key risk indicators (Measure: Status / Limit / Capacity):
• OHS Training completed (%): 80% / 90% / 10%
• Project Safety Assessment: Ave. 10 Over 5.0

Risk / Issue: IT Failure
Appetite statement: Moderate risk appetite with manual systems and outage of non-critical internal systems. There is a low risk for risks associated with the integrity of financial reporting systems that may result in reporting of information that is inaccurate and/or not timely.
Key risk indicators (Measure: Status / Limit / Capacity):
• Alpha system tests: 95% / Min. 90% / 5%
• Beta system tests: 50% / 80% / Over 30%

Conclusion: Benefits of an Effective ERM Program

• Alignment of corporate strategy with risk and performance
• Reduced risk surprises, fines and penalties
• Risk management ownership and accountability embedded into business process and planning
• Improved risk and performance information availability, timeliness and transparency
• Sustainable cost-efficiency and operational effectiveness
• Enhance value through effective risk taking in pursuance of opportunity.

Thank You

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the
information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the
accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members,
employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to
act, in reliance on the information contained in this publication or for any decision based on it.

© 2017 KAP Tanudiredja, Wibisana, Rintis & Rekan. All rights reserved. In this document, “PwC” refers to KAP Tanudiredja, Wibisana, Rintis & Rekan, which is a member firm of PricewaterhouseCoopers International Limited, each of which is a separate legal entity.
Curriculum Vitae

Yuliana Sudjonno
Partner – PwC Indonesia
[email protected]

• Yuliana is a Certified Public Accountant from Indonesian Institute of Certified Public Accountants who has extensive understanding and in-depth knowledge of financial accounting standards, US GAAP, IFRS, auditing standards (Indonesia and PCAOB), and stock exchange regulations (Bapepam and US SEC) as well as SOX includes detailed dealing with PCAOB during their inspection in 2008 & 2011.
• She specialises in control optimisation for financial reporting and financial reporting related risk & control and has vast experience in performing financial audits under various accounting frameworks, namely IFAS (Indonesian Financial Accounting Standards), IFRS, and US GAAP. She also has extensive knowledge and experience over governance as well as risk and controls in Technology, Media & Telecommunication industries. She worked with several related companies like Telkom, PT Telekomunikasi Selular, Indosat, HPM, Yakult, Unicharm, TMMIN, Yahoo, First Media, Kapanlagi.com, Tokobagus, Yamaha Music Manufacturing, Peruri and Yutaka Manufacturing. She is also a subject matter expert for various risk and controls projects.
• She was active conducting and participating in various governance and risk and controls seminars for corporations and government bodies (BPK, BPKP)

Marcel Irawan
Associate Partner – PwC Indonesia
[email protected]

• Marcel is an Indonesian CA and CPA who has more than 16 years of experience working with Assurance of major retail and consumer products, technology companies, industrial manufacturing, & infrastructure clients in Indonesia and ten years of experience in the Internal Control over Financial Reporting under PCAOB Standards. He is also part of PwC Indonesia Infrastructure Group, Entrepreneurial & Private Clients, and Risk Assurance team mainly in the Enterprise Risk Management area.
• He has some short term working experiences in PwC Switzerland, Australia, United States, and in PwC Indonesia Accounting Consulting Services (ACS).
• Marcel graduated from University of Indonesia. Marcel worked with several key engagements with Hutama Karya, MRT Jakarta, L’Oreal Group, HM Sampoerna, G4S Group, Tokopedia, Traveloka, Bukit Makmur Mandiri Utama, Alstom Group, ThyssenKrupp Group, Jasa Marga, and Astratel.
